Policies – Page 6 – The SECOND Advisories Limited

Born or Made

1st May 2019 By cliangNo Comments

Cybersecurity vulnerabilities are broadly categorized into 2 types: [a] Inherent weakness in the component, protocol (e.g. PLC, ftp) that is insecure by design [b] Improper deployment causes a secure component (e.g. FIPS-140-2 Level-4 certified crypto module) into insecure due to lack the required surrounding elements (likely broken business process or human negligence) Type [a] can be overcome at time of procurement to specify requirement. Type [b] can be identified via vulnerability assessment of the deployed solution in people, process and technology perspectives...

Direction

21st April 201922nd April 2019 By cliangNo Comments

Establishing cyber directives (policies) is challenging. On one hand, the language must be chosen not too specific for flexibility but on contrary too loose will be difficult to enforce practically. The bottom line is to establish organization specific directive per its line of business based on commonly recognized best practices and industry regulations (e.g. CIP, PCIDSS, HIPAA, SOX, GDPR). Over time, regular review among stake holders is required to fine tune the language based on experience of adoption to address any limitations. And this regular review process shall also be specified in the directive itself as part of the compliance....

Big or Small

5th April 20195th April 2019 By cliangNo Comments

Cyber assets, no matter big or small, must be managed via the same practice and same maintenance regarding cybersecurity as long as they are hosted in the same ecosystem. Zoning might make certain difference but things could be broken due to many reasons. Defense-in-depth must be adopted. ...

Point of Attraction

27th February 201927th February 2019 By cliangNo Comments

Everything has multiple perspectives. A point of attraction could become the point of attack. Example is setting up web site for presence in the cyber world. The business people wish to have high hit rates of the web site to enhance brand visibility, collect surfer behaviors for analytics, thus pushing the right level of promotion and adjust market strategy. All these are to prove the ROI for web site TCO. The technical people wish to lock down the web site to avoid being defaced or being planted with malicious codes for persistent threats. All these will inevitably affect certain functionalities or incurred extra cost. Such investment is to prove avoidance cost rather than ROI because people generally expect cyber secure - rather than by investing $X, $Y will be gained. Bridging the gap will require cyber governance at the top level to set out cyber directives within an organization, resolve issues and have a final say for conflicts arising,...

Policies #4

23rd January 2019 By cliangNo Comments

In stipulating policies (written management directives), the hard part is in the language for having specific objective with flexibility and without ambiguity - balance between specific and generic descriptions. The applicability of policies is another challenge. For the illustration "No trespassing", where is applied: thru the path or go over the fence? ...

Operation Risk #2

20th January 201920th January 2019 By cliangNo Comments

Part of the critical infrastructure is in close proximity for public access. Two main types of attacks causing service interruption. Cyber attack takes advantage of launching behind the scene anywhere. Contributors for successful attack include but not limited to: Lack of cyber protection including detectionVulnerable systems and applications using configuration defaults or outdated versionInsufficient control over remote access However, the facility is also subject to physical attack because of the "weak" perimeter. Prevention is not effective but relying detection to respond, sufficient resilience to maintain service. Therefore, the asset owner needs to Firstly identify or categorize the value and impact of the asset The next is to deploy effective counter-measures and the protection focus should not be just in cyber sense though this is always hot topic exaggerated by media and mostly exploited by vendors to create FUD in convincing asset owner to adopt their solutionsPhysical security, equipment faults, general tear-and wear are equally important to consider ...

Masking

16th January 201916th January 2019 By cliangNo Comments

Like any types of tools in both physical and cyber worlds, this can be used for legitimate or evil purposes. Examples are illustrated below. Legitimate purpose Content masking: required to protect privacy information in meeting regulatory compliance or certain industry requirements.Penetration test tools: cybersecurity assessment to uncover weakness of the target of evaluation for strengthening Evil purpose Identity masquerading: the usual trick for phishing or social attacks.Without the asset owner authorization, use of penetration test tools is considered as malicious purposes to launch cyber attack and subject to disciplinary action, civil or criminal litigation. Who judges the proper use? It's set out by Corporate policies (if internal matters)Laws & regulations (when externally involving different entities) ...

Big Picture

30th December 201830th December 2018 By cliangNo Comments

Common pitfalls in conducting risk assessment are Controls in place are not explicitly stated as assumptionLack of big picture A holistic view on the target of evaluation (ToE) as well as its surrounding is vital. We should not just look at the ToE only. We need to think and assess Risks due to compromised components around ToESimilarly risks affecting them due to insecure ToE ...

Protocol

27th December 201827th December 2018 By cliangNo Comments

The road is clear and why are these pedestrians waiting for? This is because all road users need to observe the protocol in the road system to keep alive. Similarly, we need to observe protocol in the cyber world to keep secure. Examples are: Maintain access credential secret and renew regularlyActivate 2-step authentication if identity provider supportsBeware of emails that appear legitimate requesting for sensitive or personal informationBe alert for too good to be true rewardsAvoid using shared computers in the public that anyone can accessAvoid plugging into USB power ports in public to charge your portable devices (cell phone, tablet)etc. ...

Policies #3 (From Directive to Enforcement)

24th December 201824th December 2018 By cliangNo Comments

1. Use case Authenticate the user of parking is "Aliens" status, a yes/no decisionGrant usage durationDisclaim loss/damage responsibilities 2. Enforcement If yes: allowIf not: rejectIf violate: consequence 3. Somehow, vulnerabilities exist: Identity provider is compromised Method of authentication is circumventedResult of authentication is manipulatedBarrier to the authorized resource (parking lot) fails and being bypassed without authentication 4. Consequence: False negative: non-alien is mistaken as alien for fraudulent useFalse positive: genuine alien is mistaken as non-alien resulting into denial of service 5. Counter-measure: Protect identity providerSecure communication from end point to identity providerEnsure authentication result integrityConduct periodic system health-checkPerform regular patrol of parking lotPost terms of use and consequence of violation (e.g. tow away at vehicle owner's expense) ...