Access Control #2

By cliangNo Comments
Access control is intended to allow only authorized subject to reach the protected resources. A comprehensive assessment including penetration test (network and physical), or Red Team Testing, is necessary to evaluate the effectiveness of the control and identify weaknesses like: Misconfiguration System defaults Normal operations run via high system privileges Unpatched systems or components Inherent back door Staff lack of awareness Phishing victim Unattended equipment Unattended login session Insecure entry points (both network and physical) via brute force ...
Read More

Neighborhood

By cliangNo Comments
As if in physical world, mutual support and care are important to maintain safety in the cyber world. Unlike physical world, we might not "see" our neighbors nor their houses.  But the merit is that even if we are far away physically, we can still take care of our cyber neighbors. Things like these we can do: Notifying our cyber neighbor when that cyber identity is likely compromised and launch phishing attack Sharing near-miss cyber incident to alert others from falling into the same scam Not forwarding threat info received from untrusted sources in creating unnecessary network traffic or panic ...
Read More

Tunnel

By cliangNo Comments
"Digital" tunnel is common in the cyber world.  The TLS (Transport Layer Security) technology is widely deployed: email server initial handshaking before start of communication, SSL (Secure Socket Layer, or https) for web browser to web server, VPN (Virtual Private Network) for point to point (or site to site) connection. All these are for the unique purpose - protect the sensitive information submitted thru untrusted network. Two key learning: Don't expect SSL is secure.  Some Internet gateway might have web-proxy in between breaking the SSL connection to intercept SSL for content inspection.  This happens in certain organizations, public free access points or regions with Internet control. Like firearms in the physical world, the usage of encryption (TLS) is a matter of for good or evil purpose: defensive or offensive.  It's the organization policies, laws & regulations to govern the proper usage. ...
Read More

Clock

By cliangNo Comments
Clock displays time of day.  Time is invisible and exists virtually.  Everyone of us has the same amount of time, no matter you're rich or not.  You can't save up time for later use, borrow time from others, nor go back in time. Everything in this universe is influenced by time - living individual getting aged, machines getting wear and tear, cutoff point in trading like stock, FX or bidding, project deadline, return of investment, interests etc.  Time is also regarded as the 4th dimension. In cyber world, time has its own unique characteristics.  In central computing like mainframe, time signal orchestrates tasks coordination across components - data fetched from storage via data bus to processor for manipulation then sent to next destination.  In decentralized computing with networked computers, time stamps the sequence of system events for trouble shooting and digital forensic. It is therefore important to maintain the clock synchronization in the network.  There are various considerations: Clock source: National lab, or...
Read More

Aurora

By cliangNo Comments
In physical world, it is beautiful scenery.  In cyber world, Aurora vulnerability refers cyber attack resulting into damage of physical components (the generator) in the electric grid. When the threat actor is able to reach the control network, repeatedly sending command for rapidly open and close a generator's circuit breakers out of phase will cause it explode. For such critical asset with severe consequence when failed, necessary cybersecurity controls shall include but not limited to these measures: Incorporate security at design stage Isolate automation components from external connections Zone components within control system network Apply least privilege principle Control physical access to critical asset Conduct regular cyber maintenance (protection updates Validate incident detection and respond readiness Equip support personnel skill set Execute periodic assessment for assurance Refresh end of life components Manage insider threat ...
Read More

Grade of Protection #2

By cliangNo Comments
Certain hotels provide safe for customers storing valuables during their stay. It is somewhat physically robust from brute force opening the door.  The door is locked with customer chosen numeric digits each time when closing.  This code will then be used to open the safe.  There are lots of articles shared in the Internet how to bypass the codes to open the safe door. In summary, lessons learned from these articles are: Improper configuration (default master access code unchanged) Lack of physical protection (because it is accessible semi-public to explore tampering opportunity; drop at a moderate height will open the door after flipping the lock handle several times) Likely come with factory console port as backdoor but intention is for good purpose to help customer unlock safe due to forgotten code The safe there is better than none but customer should be advised to use at own risk.  The latter clause shall be posted in conjunction with the safe usage instructions to disclaim...
Read More

Perimeter

By cliangNo Comments
The key difference between physical and cyber perimeters is visibility. To augment physical perimeter limitations, surveillance cameras (probably with video analytic to detect intruder) and guard patrol are required. For cyber perimeter, threat actors need to understand what are behind the Internet-facing entry point (web, remote login etc.) in order to reach the internal cyber assets.  Their first step is to conduct reconnaissance.  See Lockheed Martin, the Cyber Kill Chain® framework. Organizations nowadays must have a web presence in doing business.  The hard part is to minimize the cyber footprint.  It's a matter how well the Internet-facing entry points are configured per best practices (least privileges, exclusion from search engine, scrutinize data input, enforce server-side logic etc.) and sustaining the protection (security patches, version upgrade, hot fixes etc.).  Further, regular validation via black box, white box penetration tests are necessary for assurance....
Read More

Access Control

By cliangNo Comments
In physical world, access control is done by certain barrier that this barrier will be disabled for entry by authenticated individual. The same applies in cyber world. Access control in both worlds are to manage "honest" users but not malicious users intentionally bypassing the barrier(s).  The laws & regulations are the last resort to stop offenders....
Read More

Design & Build

By cliangNo Comments
Secure by design of ICS (Industrial Control System) is just part of the ICS life cycle.  If design is insecure, retrofit sometimes is not possible and need to rebuild from scratch again. Next is the ongoing sustainability of the cybersecurity because the ICS is only secure at that particular point in time of commissioning.  Addressing new vulnerabilities and continuous strengthening are required to keep staying cyber secure. Of course, identify the business outcomes and acceptable risks then translate into ICS cybersecurity requirements in the procurement specification is the very first step....
Read More

FUD

By cliangNo Comments
Fear, Uncertainty, Doubt (FUD) is the tactic vendors are trying to sell you their cybersecurity solution. Typically, this is done via several stages: Share damages for cyber incidents in the public like substantial fines by the Court or huge claims from customers, loss in reputation, drop in stock price, revenue loss due to business operation interruption plus other fees like investigation, containment and recovery How your other peers are doing Market share and strength of their solution from  independent analyst's ranking How their solution is able to help and protect you Certainly, having cybersecurity protection deployed is better than none but what you need to know: Limitation of the solution as there is no bullet proof protection technology Total Cost of Ownership (TCO) to operate including competent skill set and extra resources Understand how effective the protection to limit the risks and threat actors that the organization is facing because each organization has its own business priority, people and culture issues Most importantly,...
Read More