Identify

Most often, vendors propose security solutions as a basket of features, claiming a security suite with a unified console and dashboard. It is necessary to assess and identify the baseline security in the business requirements: what protection is actually necessary. Otherwise it will cost more, and be more to manage in terms of support, maintenance, skillset and user experience. Some guiding questions can facilitate the decision. The answers are situation- and organization-specific. Taking remote access as an illustration here:

Who are the users accessing the infrastructure or system?
- From your own organization?
- From business partners (vendor or contractor)?
- General public?

When is this service needed? This will decide:
- Resilience arrangement
- Maintenance window
- Business continuity
- Disaster recovery
- Recovery Time Objective
- Service level pledge

What service is needed after the connection is established?
- Infrastructure (e.g. storage, email, intranet)?
- Business applications?

Where do users access from?
- Within the organization network (due to network segmentation)
- From the business partners' network
- Internet
- Organization device or any device?

Why is this remote access needed? This is the business justification, for example:
- Speedy vendor support without traveling to site
- Enhancing productivity, especially during COVID-19 to keep physical distance

How...

Visibility #3

Below the waterline, a large portion of an iceberg is out of sight. That is why it is dangerous for vessels approaching an iceberg: you need to keep a safe distance to avoid hitting it. The iceberg is often used to illustrate the dark web. The visible part is the WWW (World Wide Web); below it is the deep web, and further down the dark web. The general perception of the dark web is that it is bad, or associated with cyber criminals. However, like penetration test tools, which can be misused to attack other computers but also serve as a means to uncover infrastructure weaknesses for cybersecurity enhancement, the difference lies between unauthorized and authorized intention. In the case of the dark web, the usefulness might be:
- Understanding how the underground market business model operates and what is on sale, so that you revisit how to secure those cyber assets in your own environment
- Uncovering whether your own or corporate information is there for sale ...

Governance #2

A successful cybersecurity posture in an organization requires effective cyber protection of its cyber assets. There is a broad interpretation of cyber protection. In certain extreme cases, people focus on technical controls and how these controls are implemented, sometimes down to a specific technology brand name or even model per personal preference. This doesn't hurt as long as the organization is:
- Providing transparency on the rationale for the chosen technology vendor
- Publishing the standard for reference rather than keeping it inside one person's mind
- Facilitating end users to procure those specific brands
- Communicating with the teams involved to raise awareness of the requirement

That said, this falls into one of the organization's governance roles: cybersecurity standardization. The merits are a reduced learning curve to manage the control, partnership with the vendor for better support and purchase discounts, and technology roadmap and life cycle management. Like any other tool, it is subject to misuse and can then result in internal politics. ...

Defeated Control

Detective control is blocked (defeated)

When designing security controls, it is necessary to determine whether the controls can be executed effectively. Sometimes, due to unexpected situations, controls are defeated. To avoid this pitfall, a holistic assessment is required during:
- Design stage: whether the intended control function is effective without being circumvented (the design effectiveness review)
- O&M stage: whether the control can be operated as per design (the operation effectiveness review)

The entire life cycle of a digital solution shall:
- Identify the business value at initiation such that necessary and optimal controls are in place to minimize the business impact; this acts as the procurement requirement
- Determine during design whether the proposed controls are effective and, if not, develop the necessary compensating controls. A typical example is the guard patrol to validate that the CCTV is still operating properly
- Validate controls before the system goes live; rectify any deviations of the deployed solution from the design
- Assess regularly during O&M whether the controls are effective against new threats
- Dispose of controls securely at retirement of the digital...

Connection

The cyber world is built up by connecting different systems and devices via the information highway. Therefore, the key cybersecurity element is to establish the perimeter. In the physical world, port control is the location perimeter. You need to go through immigration and bag scanning at customs before you and your accompanied goods are permitted entry. Some countries also require going through immigration before exit. This is easily visualized. In the cyber world, controls at the network perimeter need precise directives (or policies) such that adding new components or functions complies with the rules accordingly. That said, the policy must be precise. Most often, "connection" is unclear and needs clarity. Using the ISO 7-layer concept, network cables are always physically connected to the network devices. In certain cases, if a network-based IPS or IDS is deployed, it will need to collect mirrored traffic from network devices all over the network, even if these network segments are zoned by design. ...

Accountability

To run a business, there are always business risks. It is a matter of how much risk acceptance is comfortable. Say a shoplifter incurs revenue loss for a supermarket. Therefore, the protection decision targets high-value goods, e.g. adding an RFID anti-theft tag. Even when CCTV and guards are deployed, there is still a chance of goods not protected by an anti-theft tag slipping through. This is risk acceptance. The business owner is fully accountable for managing these risks. That said, there should be parties with different knowledge domains to help the business owner understand the inherent risks, but the ultimate risk acceptance rests with the business owner. Risks involving regulatory compliance must be addressed, or else the organization is exposed to civil or criminal offences and temporary or even permanent suspension of its business license. An example is the taxi business, which needs to have a vehicle license for passengers, compulsory vehicle inspection, public liability insurance, emission control of exhausted...

Visibility

In the physical world, this creates uncertainties for moving forward. In the cyber world, it means even more. From the business perspective, data analytics over a vast amount of information is needed to derive management insight into customer profile, product popularity, performance, etc. to align with business planning. From the cybersecurity perspective, visibility can be considered in various use cases:
- Asset inventory: provides the components in the information processing infrastructure, such that prompt reaction to incidents and new threats, plus proper management of technology obsolescence, are possible
- System events: feed into the SIEM to locate potential threats that have been persistent
- Network traffic: detects traffic flows to detect or block potential malicious activities
- Vulnerability: itemizes known technical vulnerabilities to develop counter-measures
- Performance dashboard: provides cybersecurity KPIs to drive improvement ...

Risk Taking

We can't have a 100% secure solution in the course of business. We need to evaluate risk and reduce it to an acceptable level to achieve our mission. The hard part is an objective assessment of risk, with a predicted likelihood and the associated value tied to the consequence. The decision support is to review the business outcome values versus the cost to reduce the likelihood. For cyber risk, it is more challenging, since when new threats are uncovered they become immediate impacts. The frequency cannot be predicted using the traditional approach. At worst, be prepared for bad things to happen, with reasonable efforts to recover, instead of only preventing KNOWN threats, because there are so many unknowns beyond imagination. ...

Policy #5

If you are asked to formulate corporate cybersecurity policies, here is some advice:
- Identify the key stakeholders that will be affected by the to-be directives
- Get support from senior management to set up a task force with representatives from the stakeholders
- Establish ground rules for all members such that the policy context is consistent, because the members come from different backgrounds with different interests
- The organization's business environment and priorities must be clearly understood, because the policies are there to apply optimal controls to protect the business
- The policies must be achievable (otherwise they immediately cause non-compliance or require a permanent exception)
- They must also be enforceable, or else they are just a document on the bookshelf
- Review whether the stated measures will really make the system/infrastructure more secure, or are just copied from an academic template
- Avoid ambiguity; make the context precise in both a precise generic and a precise specific way. Sound contradictory?

Example: only organization devices are allowed to connect to the organization network.
Precise specific: organization devices ... not BYOD, not business partners'
Precise generic: devices … could...

When Security System Fails

The security function of a business or physical process is protected by a security system. The specific security system for the latter is the SIS (Safety Instrumented System). When the security system fails, its intended function fails too. The result could be loss of view, a manipulated view, sub-standard product being produced, high-value asset damage, environmental pollution and, most seriously, human fatality. When assessing business impacts, we must not forget to assess the entire ecosystem, including these auxiliary systems. ...