Enforcement #3

In some situations, enforcing a policy relies on administrative controls because technical controls are not feasible. But can we ensure there will be no offender? No, we cannot. The only thing we can do is establish a consequence-based deterrent backed by laws and regulations; the most severe deterrent is the death sentence. The illustrated traffic sign prohibits vehicles longer than 10 m or heavier than 10 tonnes from turning left. Nothing stops you from doing so, but if your truck exceeds the limit and still turns left, it may get trapped in the road curve, blocking other road users, crashing into vehicles in the opposite lane, or damaging third-party property. You are then fully accountable: a civil offence if negligent, a criminal offence if deliberate. Similarly, management always talks about how to stop insider threats when dealing with cybersecurity. The same philosophy applies: disciplinary action for employees or contractual obligations for business partners with...

Enforcement #2

During the pandemic, infrared body temperature detection technology is great: contactless, accurate, able to process multiple persons at once, and seamless and transparent to customers. But the illustrated scenario lacks enforcement: persons with an abnormal body temperature detected are still able to go in. A policy statement (a notice at the entrance) must be established to deny entry to persons with an abnormal body temperature, and a security guard or similar needs to watch the measured readings to enforce that policy. Without enforcement, deploying great technology doesn't make sense. This applies to the cybersecurity domain as well. ...

Concealment

Two lanes but three traffic signs. Is the middle lane hidden? Information concealment is one technique for hiding important content, and there are many tools that come with steganographic processing. Usually, media files are chosen as the host (carrier) file for the secret data, and their native usage (viewing the photo, watching the video with the associated apps) is unaffected even with the secret data injected. Media files are popular hosts because photos, audio and video are already large. The objective is to let the secret message sit there at a low profile without being caught. Yet this technique is aimed at hiding a small amount of data (such as a passcode or a geo-location), because the carrier's capacity is limited: too much data either increases the host size out of proportion to its original form or makes the embedding detectable. ...
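The following is an added example, not code from the original post, showing the least-significant-bit (LSB) variant of the technique described above. The "image" is a constructed 64x64 greyscale gradient held as raw pixel bytes (no file format, no external library), the sample secret is constructed, and the 4-byte length header is an assumption of this demo. It shows the two properties the passage relies on: the carrier's size and appearance are essentially unchanged (each pixel moves by at most 1), and the capacity is small and fixed, so an oversized secret is rejected rather than silently corrupting the carrier.

```python
# LSB steganography demo: added example, not code from the original post.
# The carrier is a constructed 64x64 8-bit greyscale gradient kept as raw
# pixel bytes, so the demo runs offline with no image libraries.
import struct

LENGTH_HEADER = 4   # 32-bit big-endian payload length stored ahead of the secret


def make_host(width: int = 64, height: int = 64) -> bytes:
    """Constructed carrier: a smooth gradient, one byte per pixel."""
    return bytes((x + y) % 256 for y in range(height) for x in range(width))


def capacity_bytes(host: bytes) -> int:
    """Payload that fits: one secret bit per pixel, less the length header."""
    return len(host) // 8 - LENGTH_HEADER


def can_embed(host: bytes, secret: bytes) -> bool:
    return len(secret) <= capacity_bytes(host)


def embed(host: bytes, secret: bytes) -> bytes:
    """Write the length-prefixed secret into the least significant bit of each pixel."""
    if not can_embed(host, secret):
        raise ValueError(
            f"secret is {len(secret)} bytes, carrier holds at most {capacity_bytes(host)}"
        )
    payload = struct.pack(">I", len(secret)) + secret
    stego = bytearray(host)
    for byte_index, byte in enumerate(payload):
        for bit_index in range(8):
            bit = (byte >> (7 - bit_index)) & 1
            pixel = byte_index * 8 + bit_index
            stego[pixel] = (stego[pixel] & 0xFE) | bit   # replace only the LSB
    return bytes(stego)


def _read_bytes(stego: bytes, start_byte: int, count: int) -> bytes:
    """Reassemble `count` payload bytes from pixel LSBs, starting at payload byte `start_byte`."""
    out = bytearray()
    for byte_index in range(start_byte, start_byte + count):
        value = 0
        for bit_index in range(8):
            value = (value << 1) | (stego[byte_index * 8 + bit_index] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the secret: read the length header, then that many bytes."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, LENGTH_HEADER))
    if length > capacity_bytes(stego):
        raise ValueError("length header exceeds carrier capacity; not a valid stego image")
    return _read_bytes(stego, LENGTH_HEADER, length)


def max_pixel_change(host: bytes, stego: bytes) -> int:
    """Largest per-pixel difference the embedding introduced (at most 1 for pure LSB)."""
    return max(abs(a - b) for a, b in zip(host, stego))


if __name__ == "__main__":
    host = make_host()
    secret = b"passcode:4821 geo:22.3193,114.1694"   # constructed sample secret
    stego = embed(host, secret)
    print("carrier bytes:", len(host), "capacity:", capacity_bytes(host))
    print("recovered:", extract(stego))
    print("host size unchanged:", len(stego) == len(host),
          "max pixel change:", max_pixel_change(host, stego))
```

A 4096-pixel carrier holds only 508 bytes this way, which is why the passage's examples (a passcode, a coordinate pair) fit and a document does not. Real tools that append data after the image's end-of-file marker keep capacity unbounded but grow the file, which is the size disproportion the passage warns about.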

Choke Point

In the physical world, a choke point is a geographically critical and strategic passage; an armed force there can control what is and is not allowed to pass through. In the cyber world, a similar concept is deployed at the network perimeter, controlling which data traffic is allowed to reach the destination node(s). Source ports don't matter: a client's source port is ephemeral and chosen by the sender, so a rule keyed on it is trivially bypassed. The camera aperture is a good metaphor: the light sources don't matter; what matters is controlling the incoming light, from whatever direction, that reaches the camera sensor so that an ideal photo can be composed. I came across a cybersecurity practitioner who was so innovative as to request controls on network source ports in the firewall as well. This involves application logic and configuration changes, yet its effectiveness in enhancing cybersecurity is really in doubt. ...

Governance, Risk & Compliance

GRC is the typical jargon when we talk about the cybersecurity posture of an organization. Risks, whether in the cyber, technology, operational, financial or political domain, always exist, and they are all correlated. There is no zero-risk business operation; the question is how to reduce the likelihood effectively and optimally. Then the compliance part comes into play: following the organization's written policy so that the business runs reasonably, in a risk-reducing manner. Finally, governance is the organization's capability to administer and enforce that all business activities follow the written policy, or else the policy is just a document on the bookshelf. The entire GRC framework is dynamic. Written policies need refreshing to:
- Adopt new ways of doing business (e.g. use of social media for point of presence or customer relations in cyber space)
- Facilitate a changing business environment (say, work from home during the pandemic, or guest Wi-Fi for visitors)
- And, most importantly, address the emerging cyber threat landscape.
...

Grade of Protection #3

The commodities (toys) are encapsulated in the vending machine's plastic containers. All containers share the same point-of-sale (PoS) device, the Octopus sensor. Upon successful payment, the outlet valve is released to pass out the selected item. You might wonder whether these vending machines are securely protected, as they are placed in an open area and unattended. This is a typical scenario for a cybersecurity practitioner recommending the appropriate level of protection to business people. There is CCTV in the arcade to record people accessing the vending machine, so a physical brute-force attack will be recorded. And for a vending machine like this, a physical attack is far more effective than a cyber attack for collecting the toys. Recorded footage of a physical attack won't be useful without laws and regulations in place; the deterrent is that the offender will be caught and prosecuted for a criminal act. Last but not least, consider the total value of the commodities plus the equipment itself. If...

Policy #8

We face many "policies" (directives) every day, whether in the real world or in cyber space, and we are told to comply with them to keep ourselves safe or secure in both domains. Sometimes, though, don't blindly follow the policy, because policy makers can make mistakes: lack of field experience, not understanding the subject matter well, implicit assumptions causing incorrect interpretation, or mandating something that is not practically achievable. As a user, you need to think, contribute, or challenge the policy makers. There is no perfection in this world; things always need continuous improvement. Policy makers are expected to:
- Solicit opinions objectively
- Listen to feedback
- Resolve ambiguity
- Address incorrectness
If they don't, they simply fail. ...

DeMilitarized Zone (DMZ)

The DMZ has become the de facto standard for network segmentation. It is used to control network traffic across trusted and untrusted network zones. "Network traffic" is used here instead of "network connection" because the latter is not precise: a network cable connects components, but what matters is the traffic flowing through it. Network zoning is typically implemented by a network firewall. More functions, such as anti-malware protection, site filtering and application request screening, have been added to the network firewall, making it the so-called next-generation (NG) firewall. To enhance customer confidence, there is third-party accreditation for firewall cybersecurity. No matter how securely the component is manufactured and deployed, the important aspects of maintaining a secure network perimeter are:
- Proper design, i.e. placing the firewall(s) at the correct network nodes
- Proper configuration, i.e. device management and least-privilege firewall rules
- Periodic assessment, i.e. validating that the configuration is still valid (don't retain the associated firewall rules when a system has been retired)
- Proper maintenance, i.e. updating firmware...
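The periodic-assessment and least-privilege points above are the ones most often skipped, so here is an added example of what the check can look like in practice; it is not code from the original post or from any firewall vendor. The rule set and the asset inventory are constructed sample data, and the rule fields (src, dst, dport, action) are a simplified assumption, since real firewalls and CMDBs export in their own formats. It cross-references every accept rule's destination against the inventory to flag rules pointing at retired or unknown hosts, and separately flags accept rules with no restriction on source, destination or port.

```python
# Stale and over-permissive firewall rule audit: added example, not code from
# the original post. The rule base and the asset inventory below are constructed
# sample data; a real run would load them from the firewall and CMDB exports.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # TCP/UDP port number as a string, or "any"
    action: str   # "accept" or "drop"


# Constructed asset inventory: address -> (hostname, lifecycle status)
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.0.1.10": ("web-01", "active"),
    "10.0.1.11": ("web-02", "retired"),
    "10.0.2.20": ("db-01", "active"),
}

# Constructed rule base, evaluated top to bottom
RULES: List[Rule] = [
    Rule(1, "any", "10.0.1.10/32", "443", "accept"),
    Rule(2, "any", "10.0.1.11/32", "443", "accept"),        # web-02 was retired
    Rule(3, "10.0.1.0/24", "10.0.2.20/32", "5432", "accept"),
    Rule(4, "10.0.1.0/24", "10.0.3.5/32", "22", "accept"),   # nobody owns 10.0.3.5
    Rule(5, "any", "any", "any", "accept"),                  # permit-all shortcut
    Rule(6, "any", "any", "any", "drop"),                    # default deny (fine)
]


def hosts_in(cidr: str, inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Inventory entries whose address falls inside the given CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [(ip, name, status) for ip, (name, status) in inventory.items()
            if ipaddress.ip_address(ip) in net]


def stale_rules(rules: List[Rule], inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[int, str]]:
    """Accept rules whose destination no longer maps to a live asset."""
    findings = []
    for rule in rules:
        if rule.action != "accept" or rule.dst == "any":
            continue
        hosts = hosts_in(rule.dst, inventory)
        if not hosts:
            findings.append((rule.rule_id, "destination not in inventory"))
        elif all(status == "retired" for _, _, status in hosts):
            findings.append((rule.rule_id, "all destination hosts retired"))
    return findings


def permissive_rules(rules: List[Rule]) -> List[int]:
    """Accept rules with no source, destination or port restriction at all."""
    return [r.rule_id for r in rules
            if r.action == "accept" and r.src == r.dst == r.dport == "any"]


def audit(rules: List[Rule], inventory: Dict[str, Tuple[str, str]]) -> dict:
    return {"stale": stale_rules(rules, inventory),
            "permissive": permissive_rules(rules)}


if __name__ == "__main__":
    for kind, items in audit(RULES, INVENTORY).items():
        print(kind, items)
```

Rule 2 is the case the passage calls out (the system behind it has been retired, but the hole in the perimeter remains), rule 4 is the related case of a destination nobody can account for, and rule 5 is the least-privilege failure; the default-deny rule 6 is correctly left alone because it drops rather than accepts.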

Reinforcement

Sometimes security protection needs reinforcement to stop its effectiveness deteriorating over time. This is easy to visualize in the real world: screws are used to tighten the wheels, multiple screws are used for resilience, and you add a further clamp to stop the screws from spinning off. In cyber protection, the layer that deteriorates most easily is the human factor. You have a policy published and communicated, but you still need to reinforce situational awareness to bring back attention. An example is the phishing email. It is the common cyber attack vector leading to ransomware infection that hijacks all systems, backdoors installed into the corporate network, exfiltration of sensitive information, and so on. Other than regular communication, launch a phishing test campaign to validate how many in the organization will fall into the trap. Through repeated exercises, awareness of how to combat phishing attacks is reinforced. ...

Enforcement

Having the policy as a written document isn't enough. If there is a violation, it must be enforced through a corrective approach. In the real world, this is done by disciplinary action, imposing a fine, or even imprisonment, depending on the severity of the violation. This reinforces the attitude of policy compliance. An example is jumping a red light detected by a traffic camera. At best, if there is no accident, a fine is imposed and points are deducted to remind the driver that this act will hurt other road users. At worst, the misbehaviour triggers a traffic accident and may result in a criminal offence and imprisonment. In the cyber world, the situation is similar:
- Stipulate the cybersecurity directive (policy) and state the protection objective
- Establish a policy exception process
- Define the levels of corrective action according to the nature of the violation
- And, most importantly, raise awareness to educate all levels about why the policy must be complied with, for what purpose, and the consequences of violation
...