Rule or Ruler

By cliangNo Comments
As a security practitioner, providing advice in securing the organization cyber assets is the expected responsibilities and everyone in the organization has such expectation. In commercial world, resources are limited and there are always risks in business operations. Therefore, risk management is needed in an organization to prioritize resources in consistently dealing with the risks. A risk-based approach to deploy appropriate controls must be in place, i.e. objectively per organization risk matrix rather than subjectively per individual perception. After all, there won't be zero-risk business in this world. I come across a situation that a security practitioner demands uplifting the criticality of a target system just by personal feeling while the consequence does not exceed the threshold guideline per the official organization risk matrix. The escalated criticality of consequence could be legitimate because business environment or threat landscape have changed. Then the correct attitude is to revise the organization risk matrix which serves the foundation for consistent assessment. We must...
Read More

Policy #9

By cliangNo Comments
When writing policies, positive logic shall be adopted. It eases readers understand what is allowed rather than spending time to evaluate the allowed exception. In the illustration, the first impression: no entry is applied to the named vehicle types and need a second thought to locate the word "except". A wrongly communicated message might then cause different outcome. This should be avoided in written directives. ...
Read More

Declassification

By cliangNo Comments
Confidential information is costly to maintain. Imagine all the 3 data states (data-in-motion, data-at-rest, data-in-use) will require technology and the underlying process to manage the authorized access and usage while denying otherwise. Most often except a few, sensitive information will diminish its value or impact overtime. An example of the "few" is the formula of a soft drink that remains as trade secret to standout the products from its competitors. Other than technical controls like encryption or multi-factors authentication access for digital information, there are simply regulations to protect artist work copyrights, alogrithm patent etc. that are published in public domain. Secret government documents also have expiry date to release for public interests. The declassification together with destruction process are therefore an important stage in the information lifecycle management process. Without these, the burden to maintain secrecy will increase over time and become unmanageable. ...
Read More

Enforcement #3

By cliangNo Comments
At certain situations, enforcement of policy relies on administrative control when technical controls are not feasible. But how do we ensure no offender? No, we can't. The only thing we can do is to establish consequence-based deterrent enforced by laws & regulations. The most severe deterrent is death sentence. A traffic sign prohibits vehicle longer than 10m or over 10 tones on left turn as illustrated. There is no stopping you to do so but if your truck exceeds this limit and still turning left, your truck might be trapped in the road curve blocking other road users, crashing vehicle in the opposite lane, or damaging any other third party properties. Then you are fully accountable for civil offence if negligence or criminal offence if deliberately doing so. Similarly, management always talks about how to stop insider threats in dealing with cybersecurity. The same philosophy applies - discrepancy action for employees or contractual obligation for business partners with...
Read More

Governance, Risk & Compliance

By cliangNo Comments
GRC is the typical jargon when we talk about the cybersecurity posture in an organization. Risks, no matter in terms of cyber, technology, operational, financial or political domains always exist and they are all co-related. There is no zero risk business operation except how to reduce the likelihood effectively and optimally. Then, the compliance part plays. This refers following the organization written policy to run the business reasonably in the risk reduction manner. Finally, the governance is the capability in the organization to adminster and enforce that all the business activities will follow the written policy, or else the policy is just a document in the bookshelf. The entire GRC framework is dynamce. Written policies will need refresh To adopt new way of doing business (e.g. use of social media for point of presence or customer relation in the cyber space)Facilitate changing business environment (say, work from home due to pandemic situation, provide guest Wi-Fi for visitors)And most importantly, address the emerging cyber threat landscape. ...
Read More

Grade of Protection #3

By cliangNo Comments
The commodities (toys) are encapsulated in the vending machine (plastic containers). All containers share the same Point of Sales (PoS) device - the Octopus sensor. Upon successful payment, the outlet valve is released to pass out the selected item. You might wonder if these vending machines are securely protected as they are placed in open area and unattended. This is a typical scenario for cybersecurity practitioner in recommending business people the appropriate level of protection. There are CCTV in the arcade to record people accessing the vending machine. Physical brute force attack will be recorded. And for vending machine like this, physical is far more effective over cyber attack to collect the toys. Having recorded footage of physical attack won't be useful without the laws & regulations coming into place. The deterrent is that offender will be caught and prosecuted for criminal act. Last but not least, consider the total value of the commodities plus the equipment itself. If...
Read More

Policy #8

By cliangNo Comments
We face many "policies" (directives) everyday - whether in real world or in the cyber space. And we are told to comply with these policies for keeping ourselves safe or secure in both domains. Sometimes, don't blindly follow the policy because policy makers could make mistake: lack of field experience, don't understand the subject matter well, having implicit assumption causing incorrect interpretation or putting something that is even not practically achievable. As an user, you need to think, contribute or challenge policy makers. There isn't perfectness in this world. Things always need continuous improvement. Policy makers are expected Solicit opinions objectivelyListen feedbacksResolve ambiguityAddress incorrectness If they don't, they simply fail. ...
Read More

Enforcement

By cliangNo Comments
Enforcement Having policy as written document isn't enough. If there is violation, it must be enforced thru correctional approach. In real world, this is done by disciplinary action, imposing fine or even imprisonment depending on severity of violation. This will reinforce the attitude for policy compliance. An example is jumping the light detected by traffic camera. At best if there is no traffic accident, impose fine and deduct marks to remind this act will hurt other road users. At worst this misbehavior has triggered traffic accident, it might be resulted in criminal offence for imprisonment. In cyber world, the situation is similar. Stipulate the cybersecurity directive (policy) and indicate what is the protection objectiveEstablish policy exception processDefine the levels of correctional action per violation natureAnd most importantly, raise awareness to educate all levels why the policy must be complied for what purpose and consequence of violation ...
Read More

Assumption #3

By cliangNo Comments
DO NOT ACROOS - implicitly applied to vehicles only When we develop written directive, there might be chance that certain elements are assumed and be implicit. It is essential to engage stakeholders, listen to feedbacks and address opinions rather than dictate what should be done. If you do, you deem to be failed to develop a good policy. ...
Read More

Taxonomy #2

By cliangNo Comments
I have seen cybersecurity directive regarding applicability is to protect OT (Operational Technology) system so as to minimize cyber attacks to energy production. Renewable energy like solar panel or consumer grade wind turbine at household are producing energy with certain OT systems for control. Unfortunately, that organization also markets these equipment. Confusion arises if these OT systems should be under the same set of protection principles unless a precise specific taxonomy is specified in the directive. ...
Read More