Technology – Page 7 – The SECOND Advisories Limited

Access Control #2

30th November 2018 By cliangNo Comments

Access control is intended to allow only authorized subject to reach the protected resources. A comprehensive assessment including penetration test (network and physical), or Red Team Testing, is necessary to evaluate the effectiveness of the control and identify weaknesses like: Misconfiguration System defaults Normal operations run via high system privileges Unpatched systems or components Inherent back door Staff lack of awareness Phishing victim Unattended equipment Unattended login session Insecure entry points (both network and physical) via brute force ...

The Past

28th November 201821st December 2018 By cliangNo Comments

Earlier, I talked about network anomaly detection. It is the kind of technology based on the past activities to predict if your network is healthy and normal. Key considerations to evaluate for deployment: The "past" activities must be correctly understood by the technology in the first place as the baseline reference Using a typical life cycle management concept, the algorithm must be intelligent enough to manage the entire suite of new, change, delete use cases of network traffic without too much false negative nor false positive Predict "new" traffic deviated from the baseline with different severity level per intention Whether the algorithm is equipped with deep packet inspection (or even better with machine learning capability) to inspect expected connections with different payload from baseline Report missing traffic from baseline that could be sign of malfunctioned field device(s) to the host or controller Challenges are: Competency and capability of the deployment team to understand your environment Criteria to sign off as project completion from...

Automation

26th November 2018 By cliangNo Comments

Everyday, we rely so much on automation ... be seen or behind the scene: rice cooker, temperature control of air conditioner, TV program recorder, garage entry, escalator, fire alarm system, traffic light, public lighting, vehicle, train, vessel, cargo terminal, electric grid, etc. Are we ready to bear with the failure in any of these automation? Or how long we can tolerate with degraded service? These are the basis to derive the alternate processing model to resume service though it might not be up to the expected service quality. Shortening the unplanned outage time or increasing service quality during outage will be materialized into substantial monetary terms. Cybersecurity practitioner can only facilitate the thought process but the ultimate decision is from business - risk taking between optimal or optional investment to meet the business target....

Tunnel

14th November 2018 By cliangNo Comments

"Digital" tunnel is common in the cyber world. The TLS (Transport Layer Security) technology is widely deployed: email server initial handshaking before start of communication, SSL (Secure Socket Layer, or https) for web browser to web server, VPN (Virtual Private Network) for point to point (or site to site) connection. All these are for the unique purpose - protect the sensitive information submitted thru untrusted network. Two key learning: Don't expect SSL is secure. Some Internet gateway might have web-proxy in between breaking the SSL connection to intercept SSL for content inspection. This happens in certain organizations, public free access points or regions with Internet control. Like firearms in the physical world, the usage of encryption (TLS) is a matter of for good or evil purpose: defensive or offensive. It's the organization policies, laws & regulations to govern the proper usage. ...

Clock

12th November 2018 By cliangNo Comments

Clock displays time of day. Time is invisible and exists virtually. Everyone of us has the same amount of time, no matter you're rich or not. You can't save up time for later use, borrow time from others, nor go back in time. Everything in this universe is influenced by time - living individual getting aged, machines getting wear and tear, cutoff point in trading like stock, FX or bidding, project deadline, return of investment, interests etc. Time is also regarded as the 4th dimension. In cyber world, time has its own unique characteristics. In central computing like mainframe, time signal orchestrates tasks coordination across components - data fetched from storage via data bus to processor for manipulation then sent to next destination. In decentralized computing with networked computers, time stamps the sequence of system events for trouble shooting and digital forensic. It is therefore important to maintain the clock synchronization in the network. There are various considerations: Clock source: National lab, or...

Tracking

10th November 2018 By cliangNo Comments

In cyber world, logging is fundamental to track electronic activities for problem shooting or digital forensics. With device proliferation especially in the IoT domain, substantial logging volume is generated making log review a hard time. The SIEM (Security Information Event Management) technology has surfaced to relax this tedious task. It consolidates and associates event logs and picks out "interesting" scenarios for automated action or human alert. The challenges are: What types (or level, e.g. brief, detail, info, warning, critical) of logging are available and required: platform, infrastructure, application ... Context of log data: time of day, time zone, IP address, user identities, machine names, machine address ... How to ships the logs from different network zones to the central SIEM without breaking network zoning Clock source to sync across all these network zones Algorithm of event correlation (human define or machine learning) Criteria to automate alert with confidence (false negative or false positive will ruin the trust) Most importantly, logging must comply with...

Aurora

8th November 20188th November 2018 By cliangNo Comments

In physical world, it is beautiful scenery. In cyber world, Aurora vulnerability refers cyber attack resulting into damage of physical components (the generator) in the electric grid. When the threat actor is able to reach the control network, repeatedly sending command for rapidly open and close a generator's circuit breakers out of phase will cause it explode. For such critical asset with severe consequence when failed, necessary cybersecurity controls shall include but not limited to these measures: Incorporate security at design stage Isolate automation components from external connections Zone components within control system network Apply least privilege principle Control physical access to critical asset Conduct regular cyber maintenance (protection updates Validate incident detection and respond readiness Equip support personnel skill set Execute periodic assessment for assurance Refresh end of life components Manage insider threat ...

Grade of Protection #2

4th November 2018 By cliangNo Comments

Certain hotels provide safe for customers storing valuables during their stay. It is somewhat physically robust from brute force opening the door. The door is locked with customer chosen numeric digits each time when closing. This code will then be used to open the safe. There are lots of articles shared in the Internet how to bypass the codes to open the safe door. In summary, lessons learned from these articles are: Improper configuration (default master access code unchanged) Lack of physical protection (because it is accessible semi-public to explore tampering opportunity; drop at a moderate height will open the door after flipping the lock handle several times) Likely come with factory console port as backdoor but intention is for good purpose to help customer unlock safe due to forgotten code The safe there is better than none but customer should be advised to use at own risk. The latter clause shall be posted in conjunction with the safe usage instructions to disclaim...

Resilience

2nd November 2018 By cliangNo Comments

How much resilience is sufficient: single, dual, triple, quadruple or more? You need to understand what is the consequence of system component failure to the committed service per agreement. It is the kind of balancing risk for optimal investment. Even if there is penalty clause for breaching the committed service level, the amount paid out might be much less than the TCO (Total Cost of Ownership) of investing a robust infrastructure and the recurring running cost. Nevertheless, intangible loss like brand name or reputation damage need to be considered....

Perimeter

31st October 2018 By cliangNo Comments

The key difference between physical and cyber perimeters is visibility. To augment physical perimeter limitations, surveillance cameras (probably with video analytic to detect intruder) and guard patrol are required. For cyber perimeter, threat actors need to understand what are behind the Internet-facing entry point (web, remote login etc.) in order to reach the internal cyber assets. Their first step is to conduct reconnaissance. See Lockheed Martin, the Cyber Kill Chain® framework. Organizations nowadays must have a web presence in doing business. The hard part is to minimize the cyber footprint. It's a matter how well the Internet-facing entry points are configured per best practices (least privileges, exclusion from search engine, scrutinize data input, enforce server-side logic etc.) and sustaining the protection (security patches, version upgrade, hot fixes etc.). Further, regular validation via black box, white box penetration tests are necessary for assurance....