Deception

By cliangNo Comments
Everything on earth has good or evil perspectives, same for deception in cyber world. We heard a lot about phishing or scam that is the evil side of deception. However, there is the need for good deception in the cyber space.  To understand how threat actors penetrate or launch attacks, honeypots are established to let them take the bait.  Honeypots can be vulnerable web sites, decoy email address or decoy social network identity that are under monitoring. For vulnerable systems, researchers are able to understand the behaviors and TTP of threat actors from reconnaissance, access, ex-filtrate data, cover the track. Effective counter-measures can be developed in the cyber kill chain. For phishing, researchers are able to spot if new exploits are deployed in content rich email or attachment to masquerade the malicious attempts then alert the community. Scams from social network could also be traced to inform law enforcement agency to take down the malicious identities....
Read More

If Not Now, When?

By cliangNo Comments
It has been used in S4x13 theme. This blog is part 1 of 2. Most often, security technology sales send security alerts to top management to demonstrate their value preposition. Top management is likely forward this "intel" to cybersecurity management team simply with "Please handle" to relieve their obligations from getting intel but do nothing. Cybersecurity management team obtains this directive, then drives the ICT/ICS workforce to apply the recommended work around (change system configuration, apply security patch) and compiles a dashboard for reporting completion status. The ICT/ICS workforce dare not to say no but to accommodate such executive order at extra work load from routine work. This isn't an effective cybersecuruty management. The proper means is to assess the threat, current protection and business consequence. The "Now, Next, Never" in S4x19 best describes the correct attitude. So, if not now, could be next or even never....
Read More

Supporting System

By cliangNo Comments
Mostly, people put focus cybersecurity on critical infrastructure. We must not forget the cybersecurity for supporting systems are equally important as they are also network connected for information exchange or control from the control center. These systems automate protection for the core system. Examples are those commonly known like facility management (or FM such as fire fighting, CRAC, access control, UPS), SIS (Safety Instrumented Systems). If these systems fail, it will impact to the core systems. There is recent incident for cyber attack on SIS. Imagine, if the FM fails, the information processing facility will fail too. More severe impact is the SIS failure, it will affect environment or human safety....
Read More

Penetration

By cliangNo Comments
Cybersecurity is becoming commodity skill and therefore same terminology will have different interpretation by different parties. Pick penetration test (pTest) as an example. For beginners they simply pick up automated scanner then scan the network and hosts. Whatever reported in the scanner and recommendations are their findings and that's all. A more skillful pTester will review the reported finding, validate its applicability with owner for a practical and achievable follow up before reporting. A professional pTester will go beyond further. Before engagement Understand what is the target of evaluation Advise owner the risk of doing automated scan rather than blindly perform the scan because others say so Agree on approach of execution to set expectation Agree on picking representable samples to manage resources (for both sides) Determine where to place the scanner - before or behind any network perimeter Before execution Load scanner with updated signature and agree on types of test (brute force password attack? DoS test?) Validate target node is accessible ...
Read More

Threat Hunting

By cliangNo Comments
Suddenly, new market jargon "threat hunting" is spreading around under cybersecurity domain. It is a kind of proactive measure to uncover if your environment has already been penetrated and critical info are being exfiltrated. This kind of exercise is best executed by 3rd party periodically, because: If this is due to insider threat, it won't be surfaced In-house workforce might have assumption for certain things that won't go wrong Periodic check is for assurance because the threat hunting only spots situation at a particular point in time and its past, it cannot predict the future A more holistic approach is to augment this threat hunting exercise with workforce and business process strengthening to identify vulnerabilities for effective risk reduction....
Read More

Spam

By cliangNo Comments
Everything in the world is relative. For some, spam mails are annoying and try to filter them off the mailbox as spams usually associate with unsolicited sales or phishing attack. But for others, spam are considered as valuable resources. Honeypots are setup to collect spams, analyze and understand the trend, the TTP (Tactics, Techniques, and Procedures) of phishers in order to bring up awareness and counter-measures....
Read More

ROI

By cliangNo Comments
Return On Investment (ROI) is the typical approach to justify the spending to acquire asset. For the sample solar renewable energy illustrated, this is simple: One-off cost like equipment purchase & installation Recurring cost like maintenance, insurance, administrative (if trading to grid is involved) In a 5 or 10 years total cost model, how much energy charges could be saved, or how much revenue is generated if energy is sold back to the grid vs how much expense to paid. However, there are risks that might affect the net gain: Sufficiency of sun light intensity Weather condition at the location Physical security of equipment against theft or sabotage In cyber protection technology, stake holders normally expect cyber-security is the baseline and integrated with the asset. Adding extra cost won't be seen as ROI.  A slightly adjusted model is to calculate the avoidance cost of a single cyber-security incident vs investment.  Therefore, the justification is to be: If we invest $X, then we could avoid spending...
Read More

Network

By cliangNo Comments
Network exists in both physical and cyber worlds. Both have physical portion and content portion. Even in cyber perspective, both the physical media and the info exchange are required to protect but most focus is on the content part. If the adversary is able to access network equipment physically, then all those secured configuration will become insecure. Therefore, in any security assessment, physical aspect must not be forgotten....
Read More

Born or Made

By cliangNo Comments
Cybersecurity vulnerabilities are broadly categorized into 2 types: [a] Inherent weakness in the component, protocol (e.g. PLC, ftp) that is insecure by design [b] Improper deployment causes a secure component (e.g. FIPS-140-2 Level-4 certified crypto module) into insecure due to lack the required surrounding elements (likely broken business process or human negligence) Type [a] can be overcome at time of procurement to specify requirement. Type [b] can be identified via vulnerability assessment of the deployed solution in people, process and technology perspectives...
Read More

Direction

By cliangNo Comments
Establishing cyber directives (policies) is challenging. On one hand, the language must be chosen not too specific for flexibility but on contrary too loose will be difficult to enforce practically. The bottom line is to establish organization specific directive per its line of business based on commonly recognized best practices and industry regulations (e.g. CIP, PCIDSS, HIPAA, SOX, GDPR). Over time, regular review among stake holders is required to fine tune the language based on experience of adoption to address any limitations. And this regular review process shall also be specified in the directive itself as part of the compliance....
Read More