cliang – Page 2 – The SECOND Advisories Limited

Policy and Usability

29th June 202330th June 2023 By cliangNo Comments

I came across certain cybersecurity practitioners who are obsessive with technical controls and insist a strict binary decision in determining policy compliance. Otherwise, so-called non-compliance process needs to be initiated with necessary executive signature as acceptance. Even worst, the policy is badly written and lack of precise generic as well as precise specific at the appropriate scenarios. Such mentality is not securing the business but an major obstacle in digital transformation and competitiveness with peers. As competent cybersecurity practitioners, our roles is to explain what are protection in place to neutralize the published cyber threats rather than creating FUD to management. Sometimes, a management directive with disciplinary action for non-compliance is far much cost-effective than technical controls. Example is password complexity and MFA, this only make password sharing harden but not impossible. Education is another domain why we should not doing so. More technical controls means complexity. Complexity doesn't make it more secure but user will try to evade or circumvent the...

Safety and Cybersecurity

18th June 202321st July 2023 By cliangNo Comments

In any field work, safety is the most important thing. Yet, we cannot totally eliminate the likelihood of fatality no matter which types of organization. What we can do is to demonstrate that there is safety system, culture, management committment, user education, pre-work assessment to reduce the likelihood. Likewise, there no 100% cyber secure business. Do not introduce unnecessary controls or else more chance of human error, technology failure that all these will impact the business outcome rather adding protection. Think also the likelihood of exploit from physical aspect rather than just drill down in the cyber aspect. The best strategy is to ensure resilience to resume business operation because there are too many threats in the wild that we don't know. We can only protect what we know and that is worth to protect. ...

Container or Content

5th June 20236th June 2023 By cliangNo Comments

When installing controls, you have to understand what is the protection objective. Don't just apply textbook knowledge for the sake of having controls. Understand the business environment and the consequence to determine the optimal controls. Sometimes, controls are really unnecessary because the consequence is acceptable by common sense. If you put the wrong focus, the protection doesn't make any sense and wasting valuable resources. Don't just insist for policy compliance because policy could be written incorrectly. Apply your professonal judgment as we are hired to do so. If not, you are neither competent for the job nor having common sense. ...

Dual Home

19th May 202319th May 2023 By cliangNo Comments

Certain cybersecurity practitioners have no knowledge of the implication when writing policy statement even with help from external subject matter experts. A typical example is that host with "dual home" connection must not be allowed. There are some rationales that this network setup will incur cybersecurity risks but only on particular scenarios. It is risky if one network interface card (NIC) lands on trusted zone while the other NIC lands on a "dirty" zone. The host is then acting as a network firewall that might not be robust as a dedicated network firewall device capabilities. But if the host (especially in control systems) needs this setup to be managed by computer management system (e.g. domain controller) in one network while the other network manages the controllers, sensors and the design is certified by the manufacturer, blindly changing this to non-dual home setup will affect the intended operational capabilities. Lesson learned: don't write something that causes your business immediately falling into...

FUD #2

6th May 20236th May 2023 By cliangNo Comments

Things outside your comfort zone or knowledge will generate FUD. There are always news exaggreating cyber risks causing severe consequence to certain organizations. Sometimes cyber threats are even just based on perspection with assumption threat actor has gained complete knowledge or your environment and yet skill to achieve this is very complex. As competent cybersecurity practitioner, we must assess the threat situation, what are controls in place and provide management comfort rather than spending unnecessary resources to protect something that does not harm much. Every business exposes to risks and we cannot eliminate all risks but to prioritize the limited resources to maximize protected values. ...

Patches

19th April 202319th April 2023 By cliangNo Comments

One of the key activities in cybersecurity is to deploy security patches on regular basis. This is intended to upkeep cyber protection strength of the ICT or ICS infrastructure, platform and application. Certain cybersecurity practitioners are just blindly follow text book knowledge to mandate missing patches are policy violation and need to follow exception process. The cyber protection has undergone various strategical changes over the years: from prevention to detection and now resilience because there are a lot of unknowns to make prevention nor detection effective; from physical location centric to context-based because data are everywhere. Bottom line is to apply patches according to the specific business environment via assessing likelihood of exploitation. If the system is isolated from the Internet with strong physical access control and removable media control, there is no urgency to deploy so-called zero-day vulnerability patch. Follow the now, next or never philosophy because some patches are not even needed like the log4j that has been over-amplified to incur...

Consequence

6th April 20236th April 2023 By cliangNo Comments

Certain cybersecurity practitioners are obsessive on technical controls. They overlook the consequence due to cyber or other non-cyber causes will be the same. Let's look at the illustration. Supposed if the truck has insecure network connection. It might be controlled remotely by threat actors. The adverse consequence might cause the truck hit any target or spill off the load. The same adverse consequence could be due to faults in the brake, fatigue of the chain, improper driving attitude … So, there should be a balance of cyber protection rather than creating many unnecessary technical controls to overkill the usage. More controls means more complex and more human errors will be resulted. ...

Information Security

24th March 202324th March 2023 By cliangNo Comments

It is the early term in this domain. It covers everything under the sun regarding information.As time goes by, information containers are moving into digital and seldom in hardcopies making it cyber nature and then cybersecurity becomes a fashion and buzzword. We have already replaced fax machine by email or secure electronic communication, carrying thumb drive instead of bundle of hardcopies, balance in stock account replacing the stock certificates. It is true for most of the cases but there are still information in hardcopy forms like birth certificate, marriage certificate, dealth certificate, passport, deed of assignment, legal documents in court etc. Therefore, these are outside the "cyber" sense and we must not forget the necessary protection to secure these kinds of information. The challenge is the "backup" which will require certified true copy issued by authenticated body. Sometimes, you can only have the original copy without backup like passport. Safekeeping the information container in possession is the prime protection. ...

Policy #10

10th March 202310th March 2023 By cliangNo Comments

In an organization, policy affects the culture and work practices. A good policy is practically achievable, acceptable and having buy-in with all levels why they have to follow these directives. In contrast, badly written policies will create conflict, politics and non-compliance because auditors will point out you are not doing the work according to the policies. Even worst in cybersecurity, certain cybersecurity practitioners micro-manage the protection technology down to brand name but no published standard is available. Everything is just in their mind with word slipping out from their mouth as recommendation. We must always bear in mind that cybersecurity is to help running business securely and don't overkill with unnecessary controls. There are lots of threats outside the cyber domains affecting business. The bottom line is to adopt resilience approach for prompt recovery rather than adding protection because you never know the threats outside your knowledge domain. Protections will require overheads to sustain their effectiveness too. ...

Infected

26th February 20234th March 2023 By cliangNo Comments

A leaft in a plant is infected. Saving the plant should contain and neutralize the infected from spreading to other peers. Similarly if a computer in a Plant system is compromised, the recovery is to contain, neutralize and rectify it to avoid affecting the neighouring nodes. On a strategic approach, if the ingress/egress points with external systems including removable media are tightly controlled and the O&M activities are strictly following the administrative controls, the likelihood of being compromised if rare to none; even security patching is not in regular fashion. This is the common practice in industrial automation control systems. However, certain cybersecurity practitioners always believe the same maintenance practice including technical controls as if in IT should be adopted. This will definitely consume unnecessary resource and likely break things causing severe damage to the plant. ...