cliang – Page 7 – The SECOND Advisories Limited

Insider #2

18th August 202118th August 2021 By cliangNo Comments

Physical access requires substantial resources while visual accessibility is anywhere Industrial Control Systems (ICS) in a plant are now modernized using commodity hardware and software with networking capability to enhance overall efficiency, business analytics and to standardize skillset in plant operation plus support. With network, remote diagnostic and support are also possible to cut down the turn around time without waiting for engineer on site. Some cybersecurity practitioners put focus only on the cyber portion of the plant. This is not wrong provided that the physical aspects are equally considered at the compatible level. This is because the ICS is just a portion of the entire plant. The physical and mechanical plant conditions must also be secured. If background check is deemed necessary for O&M teams to reduce insider threat, this should also extend to the service crews (e.g. delivery, janitor), physical security guard service, contractors, vendors or even management. Most often, management level is by default granted with...

Onion Approach

5th August 20215th August 2021 By cliangNo Comments

Information protection is usually via layered defence, sometimes refers as the "onion approach". In physical world, protected contents are placed inside secure facility thru multiple control points with access granularity like site level, particular zone(s) in the site, building, equipment room and cabinet before reaching the target. When things are changed accessible from network, reliance on physical access is still required but there are added controls to the cyber portion. Layered protection counterparts are: network firewall, application firewall, middleware gateway, RBAC, multi-factor authentication. Latest concept is zero-trust (ZT): user identity (and the authorized roles), request originated from which device (and platform), via trusted or untrusted network, type of application raising the request, types of contents for access, industry compliance and latest threat intelligence are all the variables in determining the permission for access. The same onion approach applies except more complexity in setting up and maintenance of these dynamic parameters. ...

Rule or Ruler

23rd July 202123rd July 2021 By cliangNo Comments

As a security practitioner, providing advice in securing the organization cyber assets is the expected responsibilities and everyone in the organization has such expectation. In commercial world, resources are limited and there are always risks in business operations. Therefore, risk management is needed in an organization to prioritize resources in consistently dealing with the risks. A risk-based approach to deploy appropriate controls must be in place, i.e. objectively per organization risk matrix rather than subjectively per individual perception. After all, there won't be zero-risk business in this world. I come across a situation that a security practitioner demands uplifting the criticality of a target system just by personal feeling while the consequence does not exceed the threshold guideline per the official organization risk matrix. The escalated criticality of consequence could be legitimate because business environment or threat landscape have changed. Then the correct attitude is to revise the organization risk matrix which serves the foundation for consistent assessment. We must...

Transformation

13th July 202113th July 2021 By cliangNo Comments

Due to rapid technology advancement, business operations are always undergone transformation. A phone kiosk becomes legacy as the use case is approaching to zero. While transformation creates new jobs, it also makes other jobs extinct. Imagine when there is no need to deploy phone kiosk, job functions regarding the manufacturing line, its supply chain, sales, installation, regular maintenance are no longer needed. Therefore, the transformation shall not only viewed at the business model but also the workforce development and the mentality to accept changes are part of life. Transformation also integrates cybersecurity as part of the job function except the demand of scale and skill might be different. Never complain cybersecurity is none of your business. The positive attitude is to look into the appropriate training to adapt and manage such new challenge. ...

Deep Packet Inspection (DPI) Firewall

2nd July 20213rd July 2021 By cliangNo Comments

No doubt, the technology is secure. But without assessing the situation holistically, this is inconclusive. Rulesets might be wrongly set or firewall is wrongly configured, then the DPI firewall is insecure. If the connecting components are in a restricted and lock down environment, a DPI firewall is overkill and won't contribute to enhance more security. By the same token, media always exaggerate cyber threats. We must judge if such threat scenarios are likely in our environment rather than blindly doing unnecessary lock down on existing systems. An example is the ransomware attack via inactive user account thru VPN without 2-factor authentication, or authenticated users via PrintNightmare exploit. Something must be done but not to complete today. Security enhancement must be assessed, managed rather than in a piecemeal manner. The latter might even create more problems after blindly applying the counter-measures. Remember - action without plan is nightmare; plan without action is day dream. ...

Policy #9

21st June 202121st June 2021 By cliangNo Comments

When writing policies, positive logic shall be adopted. It eases readers understand what is allowed rather than spending time to evaluate the allowed exception. In the illustration, the first impression: no entry is applied to the named vehicle types and need a second thought to locate the word "except". A wrongly communicated message might then cause different outcome. This should be avoided in written directives. ...

Privacy

9th June 20219th June 2021 By cliangNo Comments

We have a lot of personal data exposed in the cyber world in our daily life. To name a few, the "intrusive components" are: Electronic pass for toll road: where you are heading to, or even your entire journey if throughout the itinerary, there are traffic cameras and auto toll collection pointsCCTV: inside building, public areas, dashcam in vehicles nearbyCredit card: traces back to your identify, location, amount consumed, commodity purchasedHealth monitoring device: you wear in your body to capture your health data continuously, share in the technology provider's community if you wishOperating System: sharing the diagnostic data with the technology vendor when problem occurs or during online trouble shootingWeb site cookies: IP address to geo-location of your web surfing location, your web preferenceDigital photo: modern cameras are equipped with geo-tagging The most intrusive device is your cell phone. You carry it almost all the time. It exposes your geo-location from which cell towers your phone is connecting to. What should...

Declassification

26th May 202126th May 2021 By cliangNo Comments

Confidential information is costly to maintain. Imagine all the 3 data states (data-in-motion, data-at-rest, data-in-use) will require technology and the underlying process to manage the authorized access and usage while denying otherwise. Most often except a few, sensitive information will diminish its value or impact overtime. An example of the "few" is the formula of a soft drink that remains as trade secret to standout the products from its competitors. Other than technical controls like encryption or multi-factors authentication access for digital information, there are simply regulations to protect artist work copyrights, alogrithm patent etc. that are published in public domain. Secret government documents also have expiry date to release for public interests. The declassification together with destruction process are therefore an important stage in the information lifecycle management process. Without these, the burden to maintain secrecy will increase over time and become unmanageable. ...

Discovery

13th May 2021 By cliangNo Comments

This is widely adopted in various process like: Asset discovery: to scan the network and take inventory of the components connected in the networkElectronic document discovery: to scan the network resources for automatic information classification and privacy complianceForensic eDiscovery: to collect cyber activities from the designated equipment uncovering the sequence of events No matter which application, the essential aspect is the correct use of the tool. Otherwise, incorrect or inaccurate information is captured that could incur undesirable consequence where decision will base upon. Training or certification for the competent person running the process will be the key. ...

100% Cyber Secure #2

30th April 202115th September 2021 By cliangNo Comments

Worry about breaching GDPR or PCIDSS? The most effective means is to avoid capturing these info that need protection. Accepting cash addresses the problem statement. However, the restaurant must not forget if they accept reservation with name and contact number, then it is also a channel of GDPR breach. Accepting cash will introduce risk of being robbed. The is typical pitfall that most security practitioners overlook. Implementing new cybersecurity protection also incurs other new risks. Therefore, holistic assessment is always required in any business risk identification and mitigation. Further, a fresh-eye review is necessary to eliminate any "blind spots". ...