100% Cyber Secure

By cliangNo Comments
Are you kidding?  Yes, there is.  These computers are 100% secure from cyber-attack, but ... What about physical threat? Are they still serving the intended purposes? Once these computers are power up (whether connect to network or not), there will be different degrees of cyber risk imposed. So, never expect a 100% cyber risk free solution....
Read More

Control #3

By cliangNo Comments
Controls are necessary to reduce likelihood of risks.  But excessive controls shall have adverse effects: Degrade productivity Push back from user Circumvent control Risk assessment is required to design optimal and effective controls.  Change (behavior) management and user awareness need to be well established too.  Essentially, Why is the control required What is this meant in daily works (WIIFM for the user) What is the consequence of violation (both organization and the offender) ...
Read More

Shadow IT

By cliangNo Comments
Gartner defines Shadow IT as IT devices, software and services outside the ownership or control of (IT) organizations. Given that information processing facilities or information containers are no longer centralized, the shadow IT is a common phenomenon.  Each one of us has a cellular phone that is indeed a powerful information processing facility and large storage device in the pocket. The extensive connectivity and cloud computing via access anywhere and any platform model further accelerate this situation.  Cyber risks are incurred to different degrees.  Various protection technologies are surfaced in the market: Mobile Device Management, end point lock down, cloud-based proxy, Data Leakage Protection, disk encryption and so forth; but they are never bullet proof. Organization needs to think about enablement (as well as empowerment) rather than prohibitive thru streamlined approach.  Policy formulation, usage guidance, risk management, user awareness and enforcement via disciplinary process are required to minimize the impacts....
Read More

Vulnerability Management

By cliangNo Comments
This is always a debating topic during audit or security assessment. Auditor: your control system lacks of the latest security patches installed and vulnerable to cyber attack Asset owner: security patches must be certified by OEM or else OEM will not be responsible for failure or damages due to non-certified changes made to the control system Whether patches are up to date isn't the key issue.  The bottom line is to understand if there is repeatable mechanism to manage security vulnerabilities.  After all, having all latest patches deployed doesn't mean the control system is secure while any missing patches doesn't mean control system is immediately at risk. The motto from VX Heaven gives a good inspiration: "Viruses don't harm, ignorance does!"...
Read More

The Forgotten Place

By cliang3 Comments
Most of the time, tight technical controls are deployed at infrastructure, network, platform, application or end points to address cybersecurity. A "misbehaved" device will ruin all these efforts.  Perhaps a written hard copy disclaimer should be posted at the bottom of the display to indicate the information or service is provided as-is, and disclaim responsibilities arising from any consequential or collateral damages due to information error or service interruption.  A comprehensive risk assessment should have picked up this....
Read More

Residual Risk

By cliangNo Comments
When deploying protection or counter-measure, it is necessary to understand If new risks are introduced? Will these new risks even exceed the consequence of do nothing? An example is DLP (Data Leakage Protection, not Prevention).  It requires "super" privileges to access every resource being monitored to alert sensitive information being shared improperly.  Even though this might be a system account, mis-configuration or process weakness could exploit the DLP to leak more sensitive information to unintended recipient....
Read More