Incident Respond

By cliangNo Comments
Organizations usually invest substantially to manage and mitigate cyber attack with the detection technologies like log correlation and SOC (Security Operation Center) establishment plus comprehensive process of detailed respond to cyber threat scenarios with surprised drills etc. Not doubt, this will uplift the organization capacity and demonstrate due diligence has been exercised to deal with cyber attacks to stakeholders. On the other hand, cyber is just one of the failure or attack scenarios.  Like fire incident, it might be due to human negligence (left burning cigarette unattended), natural disaster (strike by lightning) or cyber attack (S01E04 Fire Code - vulnerable printer firmware).  No matter how, isolation to contain threat and promptly recovery to resume are required whether cyber or not. Resource (both skill set and manpower) in real life is always limited and should be put on recovery then drive from this end what is required for service resumption meeting recovery time objective.  And don't forget the TCO (Total Cost Ownership) involved to sustain...
Read More

Cryptography

By cliangNo Comments
Example in real world for cyber world. There are 2 salient points in cryptography: Algorithm (or how it works) is publicly known, source codes are even published (mechanism of the combination lock is known) Key is secret, this is the only way to access the cipher text (the combination code you have chosen to unlock) Therefore, never invent your own crypto algorithm no matter how much obfuscation you have made in the codes.  It is just security through obscurity. Of course, even a recognized (or certified) crypto will be subject to attack (online or offline) due to technology advancement over time.  Essentially, counter-measures are to increase the time attacker needs to get thru: regular password change, complex password, 2FA, adding salt and pepper in the stored hash etc....
Read More

Misplaced Control

By cliangNo Comments
Security technologies are secure but if deployed incorrectly, the intended protection will be in vain. It is necessary to have a design review and configuration check to minimize this type of issue.  Preferably, this should be done by 3rd party for independence as well as from fresh eyes. Of course, a reasonable scope of coverage has to be defined.  That's why security accreditation is at component level (e.g. encryption module) to set the boundary because how it is deployed has many variables....
Read More

USB Port Misconception

By cliangNo Comments
Most often, people said blocking USB port is a control in the company but somehow there is exception process to "authorize" company USB storage device to connect due to business reason. Two mistakes: 1. USB ports are standard I/O interface now.  There are different needs like keyboard, mouse, IP phone device using USB connection.  They cannot be blocked as a blanket directive.  The proper way to say is to manage removable media. 2. The protection objective is not clear. What is this technical control for: Limit importing malware Limit data leakage Something else With an "authorized" company USB storage device, it will be in vain for any of these cases as long as that company device is shared with other non-company computers.  This is totally outside technical control. The reality is that file exchange is always legitimate business needs.  Providing a means to facilitate secure file exchange will eliminate the use of removable media as well as getting user buy-in. The ultimate control relies on management...
Read More

Cyber Risk Likelihood #2

By cliangNo Comments
In physical world, public touch points are not hygiene.  The more people touch it, the more "dirty" it will be. In cyber world, if a network node has exposured as a public touch point, e.g. accessible elsewhere in the internet, it will become more vulnerable and cyber attack is highly increased. The "distance" to access the network node will influence the cyber risk likelihood rather than prediction based on historical occurrence.  The different layers of protection in between will reduce this cyber risk likelihood. Last but not least, don't forget to secure the physical access path....
Read More

Myths of DLP

By cliang1 Comment
The cybersecurity industry commonly names DLP as Data Leakage Prevention.  It lacks of qualifier because the technology just tries to detect/prevent human mistake nor broken business process.  In that sense, DLP is likely capable. There are always many means to exfiltrate data as there are many "holes" in the infrastructure.  The fencing is good to block trespasser but not getting materials thru the fence. Use of DLP or other technology just makes data exfiltration harder, or takes longer time to do so.  Imagine, all of us have cell phone that is an effective tool to beat DLP.  How many organizations will demand surrendering cell phone before: Coming to attend confidential discussion (e.g. the movie "Salt") Accessing sensitive information at workplace Disabling remote access The term shall therefore be rephrased as Data Leakage Protection and set the proper expectation what can be done and what are limitations....
Read More

Least Privilege

By cliangNo Comments
Another practice in physical world is adopted in cyber world - least privilge principle. However, we must bear in mind that privileges could be elevated or circumvented due to system weakness or unmanaged vulnerabilities. Therefore, regular assessment for assurance is required to validate if controls are still effective....
Read More

Zoning

By cliangNo Comments
Many cyber practices are actually adopted from physical world. Zoning is an example. Main purpose is to isolate object path (incoming / outgoing) to secure the port control. Authentication (immigration) and inspection (security screening) are added measures....
Read More

The 4C of cybersecurity

By cliangNo Comments
Cautious - understand cybersecurity is important but need to explore how to execute or manage Conformance - doing things adhere to the cybersecurity requirements Compliance - having 3rd party review and certified for cybersecurity assurance of a selected scope Committment - every aspect takes care of cybersecurity For the illustration, it is solely BS1363 compliance for the scope of the AC plug itself.  Though there is metal earth pin, it is just dummy and cannot achieve the intended protection (end-to-end security)...
Read More

Give and Take

By cliangNo Comments
Cybersecurity and convenience are always contradictory.  The Touch ID is a convenient means to unlock the device and deemed secure because fingerprints are supposed unique. But if we give further thoughts, there are several pitfalls. The Touch ID only protects the data-at-rest scenario. It can't secure your data if your phone is unlocked (data-in-use) nor you submitting sensitive data across the network (data-in-motion). Frequent use of Touch ID will make you tend to forget the text base password, affecting availability in situation you need to provide password Text base password is secure over biometric in a special case: if you are under duress, attacker can force you to unlock your device from your biometric attributes ... even if you are dead; but text base password cannot be extracted from a dead person's mental memory. An example is the locked iPhone from the Boston bomber that evolved into court case to debate national security vs data privacy. This is a matter of expectation...
Read More