Assumption #3

By cliangNo Comments
DO NOT ACROOS - implicitly applied to vehicles only When we develop written directive, there might be chance that certain elements are assumed and be implicit. It is essential to engage stakeholders, listen to feedbacks and address opinions rather than dictate what should be done. If you do, you deem to be failed to develop a good policy. ...
Read More

Taxonomy #2

By cliangNo Comments
I have seen cybersecurity directive regarding applicability is to protect OT (Operational Technology) system so as to minimize cyber attacks to energy production. Renewable energy like solar panel or consumer grade wind turbine at household are producing energy with certain OT systems for control. Unfortunately, that organization also markets these equipment. Confusion arises if these OT systems should be under the same set of protection principles unless a precise specific taxonomy is specified in the directive. ...
Read More

Landscape

By cliangNo Comments
Some cybersecurity practitioners only drill down to the level of details of network diagram or even wiring diagram to identify adequacy of cyber protection. The system landscape or architecture is no doubt an element to look at but just part of it. The holistic approach shall look like these: What is the purpose of the systemHow is information used - control machine, information for decision making of critical operation or solely display as-isWhat is the consequence if compromisedWhat is the tolerable down timeWhat are options to bring up service within this unplanned down time windowHow to strike the balance for freezing the compromised system for digital forensic vs system recovery in meeting service pledge With these in mind, these diagrams are only useful to assess the attack path and the optimal countermeasures. And don't criticize insufficient information in the diagrams without setting a reference standard - this should be objective rather than subjective. ...
Read More

Taxonomy

By cliangNo Comments
In policy development, it is essential the coverage of the rule is sufficient and precise to avoid ambiguity. A living creature could be animals, birds, fishes, reptiles and human beings for full coverage. A targeted group might be stipulated as non-human living creatures, or even specific as reptiles when certain situations need more precision. Policy maker needs to understand clearly the scenario when formulating the directive just right in meeting practical implementation. ...
Read More

Suspicious

By cliangNo Comments
It is common to see such directive in subway, airport, key facilities, incident respond playbook etc. The problem is different people have different interpretation of "suspicious". Take phishing attack as an example. Email is apparently sent from the one you know. Should it be suspicious? If so, there won't be so many successful cyber attacks originated from phishing to launch ransomware, data exfiltration or remote access trojan (RAT). Therefore, more needs to be done to elaborate what is "suspicious" to raise situational awareness. Of course, it is a challenge to include so many information in a sign board. If the facility is so critical, each personnel (staff, visitor, contractor) should be briefed the threat scenario (like the safety rules before the aircraft departure) while the signage is just a reminder of what has been briefed. ...
Read More

Blind Spot

By cliangNo Comments
Can the bird be detected? When designing controls, we must understand what to protect. There might be blind spot that the intended controls are ineffective or even void. For inherent design weakness, retrofit would be costly and sometimes not possible without rebuilt from scratch. As a good practice, a design review to assess the control effectiveness before build will avoid such pitfall. Either a peer review or engaging independent subject matter expert will help to spot weakness with fresh eyes. ...
Read More

Policy #7

By cliangNo Comments
The illustrated directive is unclear. Drone, also known as unmanned aerial vehicle, has different form factors. If the sign comes without the icon, then it's pretty clear. With the icon there, it becomes only this type of drone is not allowed. This happens exactly in typical policy statement for network connection where cybersecurity practitioners have implicit assumptions. The issue has been elaborated in earlier blog for network connection. In nutshell, the precise directive is to secure the network with the appropriate controls of layer 3 to layer 7 data flow. ...
Read More

Cyber …

By cliangNo Comments
Early days in the industry, we are talking about information security to protect the information so as to minimize the impact due to unnecessary disclosure, unauthorized modification or unplanned downtime. It covers every information taxonomy under the sun. Suddenly, cybersecurity comes into the place. And adding cyber as prefix becomes a fashion. Vendors are trying to convince customers their products or services are addressing the market needs with hi-tech. To me, cybersecurity is a subset of information security. At least the hardcopy information container is excluded from the cyber perspective though hardcopy becomes less and in diminished usage. There are many cyber stuffs: cyber workforce, cyber maintenance, cyber hygiene, cyber insurance, cyber warfare, cyber defense, cyber range etc. Pick cyber insurance as an illustration. This becomes a focus area in the industry and relevant standards are being developed such that work practices are consistent. However, cyber insurance isn't bullet proof. If your infrastructure has weakness, repeated cyber attacks are possible. The sole value of...
Read More

Information Integrity

By cliangNo Comments
Why buying 2? Sometimes, a small mistake will invite question if the information processing facilities are producing accurate result without malicious tempering. The illustrated sales price might be just input manually, or generated from system as per scheduled price promotion. No matter which scenario, either a broken business process (lack of review, approval to publish) exists, or automated consistency check is missing. With such small mistake goes into publicity, it will require a lot of PR effort to reassure this is an isolated case and not affecting the other back office application like customer data, staff personal data, financial records etc. ...
Read More

Distance #2

By cliangNo Comments
Keeping distance on the road avoids accidents causing injuiry or fatality due to sudden situation changes. Keeping social distance avoids pandemic spreading among group of people. Similarly, keeping network distance will be cyber safer as it makes cyber attack harder. Network distance is established via defence layers between untrusted network and the target resources so as to drop or neutralize unintended traffic. The more layers, the more network distance that network traffic has to go thru to reach the destination. Layers, for example, are: Network perimeter (firewall, proxy, IPS, IDS)Application gateway (reverse proxy, DPI)Platform hardening (folder permissiom, white list/black list, no unused modules nor system sevices)System application hardening (change default setting, deny unauthenticated request)Business application hardening (observe good coding practices) While adding layers, don't forget to assess if network latency will be introduced affecting specific applications. Last but not least, all these layers shall have latest version and apply least privilege to combat threat actors as much as possible. ...
Read More