Crowdsourcing

By cliangNo Comments
Landlord: "Tell me your monthly sales amount." Tenant: "No way, this is confidential business information." With a little trick, such confidential information can be collected. Giving certain incentive, customers will queue up and surrender the sales receipts to the concierge of the mall. Free parking is one of the incentive models.  For in-mall spending over certain amount, concierge validates the parking ticket and captures the receipt details.  But this is less granular because not every customer comes to the mall with own vehicle. A more advanced model is to establish royalty membership to earn points per the spending amount in the mall.  This is still not accurate because not every customer will join the royalty scheme but more granular than the free parking model. Then, confidential sales information could be captured from the crowd for analytics....
Read More

Grade of Protection #2

By cliangNo Comments
Certain hotels provide safe for customers storing valuables during their stay. It is somewhat physically robust from brute force opening the door.  The door is locked with customer chosen numeric digits each time when closing.  This code will then be used to open the safe.  There are lots of articles shared in the Internet how to bypass the codes to open the safe door. In summary, lessons learned from these articles are: Improper configuration (default master access code unchanged) Lack of physical protection (because it is accessible semi-public to explore tampering opportunity; drop at a moderate height will open the door after flipping the lock handle several times) Likely come with factory console port as backdoor but intention is for good purpose to help customer unlock safe due to forgotten code The safe there is better than none but customer should be advised to use at own risk.  The latter clause shall be posted in conjunction with the safe usage instructions to disclaim...
Read More

Resilience

By cliangNo Comments
How much resilience is sufficient: single, dual, triple, quadruple or more? You need to understand what is the consequence of system component failure to the committed service per agreement. It is the kind of balancing risk for optimal investment.  Even if there is penalty clause for breaching the committed service level, the amount paid out might be much less than the TCO (Total Cost of Ownership) of investing a robust infrastructure and the recurring running cost. Nevertheless, intangible loss like brand name or reputation damage need to be considered....
Read More

Perimeter

By cliangNo Comments
The key difference between physical and cyber perimeters is visibility. To augment physical perimeter limitations, surveillance cameras (probably with video analytic to detect intruder) and guard patrol are required. For cyber perimeter, threat actors need to understand what are behind the Internet-facing entry point (web, remote login etc.) in order to reach the internal cyber assets.  Their first step is to conduct reconnaissance.  See Lockheed Martin, the Cyber Kill Chain® framework. Organizations nowadays must have a web presence in doing business.  The hard part is to minimize the cyber footprint.  It's a matter how well the Internet-facing entry points are configured per best practices (least privileges, exclusion from search engine, scrutinize data input, enforce server-side logic etc.) and sustaining the protection (security patches, version upgrade, hot fixes etc.).  Further, regular validation via black box, white box penetration tests are necessary for assurance....
Read More

Boundary

By cliangNo Comments
Typically, the boundary defines a clear demarcation of accountability in the case of ICT or ICS system landscape.  It also confines the work scope in any professional engagement activities to ease managing the work product expectation. However, as a cybersecurity practitioner, we must look further beyond to strike for a holistic view in order not to miss out any inherent threats.  It's just a matter of fact how far and how detail we are comfortable to go beyond, or simply include a scope statement for the "limited vision"....
Read More

Mistaken Identity

By cliangNo Comments
This is to attack trust based on some one you know. In physical world, this is harder as you will recognize the person by appearance unless via impersonation like those in "Mission Impossible". In cyber world, email and social network ID are easier for spoofing, not-to-mention compromised identity are on sales in the dark web. Therefore, Part-1: protect your cyber identity.  Even if you consider such cyber identity doesn't harm yourself, it could cause collateral damage to those who know you Part-2: now, you are cautious about your cyber identity.  Establish preparedness to manage the situation when you suspect your cyber identity is compromised for malicious intention Part-3: from a 3rd party perspective, when you receive "unusual" request(s) from cyber identity for those you know or appeared as legitimate, validate their request(s) via other trusted communication channels (like phone call, or official web link) ...
Read More

Access Control

By cliangNo Comments
In physical world, access control is done by certain barrier that this barrier will be disabled for entry by authenticated individual. The same applies in cyber world. Access control in both worlds are to manage "honest" users but not malicious users intentionally bypassing the barrier(s).  The laws & regulations are the last resort to stop offenders....
Read More

Design & Build

By cliangNo Comments
Secure by design of ICS (Industrial Control System) is just part of the ICS life cycle.  If design is insecure, retrofit sometimes is not possible and need to rebuild from scratch again. Next is the ongoing sustainability of the cybersecurity because the ICS is only secure at that particular point in time of commissioning.  Addressing new vulnerabilities and continuous strengthening are required to keep staying cyber secure. Of course, identify the business outcomes and acceptable risks then translate into ICS cybersecurity requirements in the procurement specification is the very first step....
Read More

FUD

By cliangNo Comments
Fear, Uncertainty, Doubt (FUD) is the tactic vendors are trying to sell you their cybersecurity solution. Typically, this is done via several stages: Share damages for cyber incidents in the public like substantial fines by the Court or huge claims from customers, loss in reputation, drop in stock price, revenue loss due to business operation interruption plus other fees like investigation, containment and recovery How your other peers are doing Market share and strength of their solution from  independent analyst's ranking How their solution is able to help and protect you Certainly, having cybersecurity protection deployed is better than none but what you need to know: Limitation of the solution as there is no bullet proof protection technology Total Cost of Ownership (TCO) to operate including competent skill set and extra resources Understand how effective the protection to limit the risks and threat actors that the organization is facing because each organization has its own business priority, people and culture issues Most importantly,...
Read More

Operation Risk

By cliangNo Comments
Unlike IT application, ICS (Industrial Control System) involves direct physical process that will affect human safety and impose environment impacts. When we conduct ICS risk assessment, we must not just limited thoughts to cyber risks.  Cyber risk is just one of the causes that affect the stability, manageability and operability of the ICS. For impacts caused by cyber issues, are these due to general equipment fault rather than cyber attack?  What about other physical damages like communication lines fails due to natural disaster, or machinery break down from wear and tear?  The counter-measures shall then also address non-cyber issues for a comprehensive business continuity arrangement....
Read More