Safety and Cybersecurity

In any field work, safety is the most important thing. Yet we cannot totally eliminate the likelihood of a fatality, whatever the type of organization. What we can do is demonstrate that there is a safety system, a safety culture, management commitment, user education and pre-work assessment to reduce the likelihood. Likewise, there is no 100% cyber-secure business. Do not introduce unnecessary controls; otherwise there is more chance of human error and technology failure, all of which will impact the business outcome rather than add protection. Think also about the likelihood of exploitation from the physical aspect rather than just drilling down into the cyber aspect. The best strategy is to ensure the resilience to resume business operations, because there are too many threats in the wild that we do not know about. We can only protect what we know and what is worth protecting. ...

Patches

One of the key activities in cybersecurity is deploying security patches on a regular basis. This is intended to maintain the cyber protection strength of the ICT or ICS infrastructure, platforms and applications. Certain cybersecurity practitioners just blindly follow textbook knowledge and mandate that missing patches are a policy violation that must go through the exception process. Cyber protection has undergone various strategic changes over the years: from prevention to detection and now to resilience, because there are too many unknowns for prevention or detection to be effective; and from physical-location-centric to context-based, because data are everywhere. The bottom line is to apply patches according to the specific business environment by assessing the likelihood of exploitation. If the system is isolated from the Internet with strong physical access control and removable media control, there is no urgency to deploy a so-called zero-day vulnerability patch. Follow the now, next or never philosophy, because some patches are not even needed, like the log4j one that has been over-amplified to incur...

Information Security

Information security is the early term in this domain. It covers everything under the sun regarding information. As time goes by, information containers are moving into digital form and are seldom hardcopy, making them cyber in nature, and so cybersecurity becomes a fashion and a buzzword. We have already replaced the fax machine with email or secure electronic communication, carry a thumb drive instead of a bundle of hardcopies, and hold a balance in a stock account in place of stock certificates. This is true in most cases, but there is still information in hardcopy form, like birth certificates, marriage certificates, death certificates, passports, deeds of assignment, legal documents in court, etc. These are outside the "cyber" sense, and we must not forget the protection necessary to secure these kinds of information. The challenge is the "backup", which requires a certified true copy issued by an authenticated body. Sometimes you can only have the original without a backup, like a passport. Safekeeping the information container in your possession is the prime protection. ...

Policy #10

In an organization, policy affects the culture and work practices. A good policy is practically achievable, acceptable, and has buy-in at all levels as to why people have to follow these directives. In contrast, badly written policies create conflict, politics and non-compliance, because auditors will point out that you are not doing the work according to the policies. Even worse in cybersecurity, certain cybersecurity practitioners micro-manage the protection technology down to the brand name, while no published standard is available. Everything is just in their minds, with words slipping out of their mouths as recommendations. We must always bear in mind that cybersecurity is there to help run the business securely; do not overkill with unnecessary controls. There are lots of threats outside the cyber domain affecting business. The bottom line is to adopt a resilience approach for prompt recovery rather than adding protection, because you never know the threats outside your knowledge domain. Protections also require overhead to sustain their effectiveness. ...

Infected

A leaf on a plant is infected. Saving the plant means containing and neutralizing the infection so it does not spread to its peers. Similarly, if a computer in a plant system is compromised, recovery is to contain, neutralize and rectify it to avoid affecting the neighbouring nodes. From a strategic standpoint, if the ingress/egress points with external systems, including removable media, are tightly controlled and the O&M activities strictly follow the administrative controls, the likelihood of being compromised is rare to none, even when security patching is not done on a regular basis. This is the common practice in industrial automation control systems. However, certain cybersecurity practitioners always believe that the same maintenance practices, including technical controls, should be adopted as in IT. This will definitely consume unnecessary resources and will likely break things, causing severe damage to the plant. ...

Improper Control #2

The detection should be deployed on the "risky" lane at the junction.

Technical control is just one of the security measures. There are many surrounding elements to take care of in order to secure a system. These include, but are not limited to:

1. Understand the security objective
2. Design with optimal controls
3. Deploy with the viable measures (be they technical, administrative or management controls)
4. Verify that the controls are deployed per design
5. Sustain the effectiveness of the controls

Most often, security practitioners focus on technical controls with micro-management. They forget the bigger picture of where the technology stands in the entire business landscape. ...

Stepping Stone #2

Jump hosts are typically used for remote access. These are the controls:

- User accounts with multi-factor authentication
- Time of day during which access is granted to this user account
- Ruleset to limit the destination hosts once landed, per login user
- Session monitoring

On reasonable grounds, some are mandatory while the other extra measures depend on the situation. In extreme cases, multiple jump hosts are demanded, which puts network latency and usability in doubt. The optimal decision is to balance risk and usability with a holistic and objective assessment. Otherwise it will be overkill. ...

Access Control #4

From the technology point of view of a discrete control, opening the bridge disconnects the traffic between the two sides. Is this barrier secure? It all depends on how the entire protection system is run. The bridge only blocks access via that land path. What about access via air or water? By the same token, vulnerabilities in a computer platform or its underlying applications do not pose an immediate cyber threat if the platform has its own effective electronic security perimeter around it. As professional cybersecurity practitioners, we have to give management reassurance rather than just following textbook knowledge to clear all known vulnerabilities. That is not practical to achieve. ...

Support Model

Peer "Support"

Like any other information processing solution, cyber protection technologies require ongoing support and maintenance to sustain their effectiveness. Otherwise, the protection strength will deteriorate over time. An example is the regular definition update of blacklisted code (or malware). Other than technology vendor support, peer support is also essential. We do not act just as individuals in the cyber world. What we do affects others. When something goes wrong, it will not just impact ourselves but will also bring adverse effects to the connected peers in the cyber world. An example is a social engineering attack that uses a compromised identity against that identity's contacts. Therefore, peers are important in providing a different support perspective. If peers see something unusual (an IM or email from someone they know), they should contact that someone via a trusted channel (say, a phone call) to verify it. Sometimes that someone might not even know the identity has been compromised and is being used to launch attacks. ...

Physics #2

This is another great example of thinking deeper to balance the cyber and physical worlds rather than just blindly putting unnecessary investment into cyber protection. Researchers were able to demonstrate remote control of a crane via a Casio watch. Is this scary? Without knowing the exploitation conditions, management will be misinformed. We, as security practitioners, must analyze the situation and identify how this can be exploited before delivering the correct message. The physical condition of the crane must also be kept well under attention. Imagine a loose bolt or nut, a crane erected on an improper foundation, or an incorrect procedure to extend the crane height; any of these could result in the same catastrophic consequence. ...