Protect – Page 4 – The SECOND Advisories Limited

Administrative Control

24th April 20221st June 2022 By cliangNo Comments

Certain cybersecurity practitioners insist to impose technical controls to secure the infrastructure/system. To some degrees yes, basic technical controls will prohibit human error or low skill attacks. Adding technical controls will never secure the infrastructure/system more. At some points, more controls will even degrade the security due to a number of issues: People will find ways to circumvent controls because affecting productivity (writing down complex password)New control might introduce new system weaknessExtra efforts are required to sustain the control effectiveness (upgrade, backup, other housekeeping tasks: patch, patch, patch ...) These are always the neglected elements. Sometimes, exercise administrative control will enforce discipline internally while externally relying laws & regulations. ...

Competency

26th March 202226th March 2022 By cliangNo Comments

Incompetency to react with changing environment will lead to fatality Recently I gave a talk to a local university students about cyber survivability. At the end of the session, it's Q&A. One of the students asked "There are lots of challenges in the cyber space. Among them, what's the most serious challenges that you have met?". I told them people is the serious challenge. Decades ago, the human aspect is considered as the weakest link in cybersecurity. Over times, this remains. It's just a matter the focus has shifted. Now, general users are well aware of cyber deception in the cyber space like phishing and scam, be cautious of unknown requests and things too good to be true. Why is the human aspect still applied? It's about the cybersecurity practitioners. They are supposed the leader in cybersecurity of an organization. They are hired to provide professional judgment in enabling a secure business environment, steer in the right direction....

Enforcement #4

28th February 202228th February 2022 By cliangNo Comments

A directive must come with sensible enforcement Cybersecurity policy establishment and cybersecurity policy enforcement are usually executed independently in an organization. Normally, policy authors are more knowledgeable to stipulate the rationale behind whether explicitly or implicitly why protection are required to secure the cyber space of the organization. Enforcement team simply follow the book to provide advisories or perform compliance check. The world is not perfect and situation will drive decision if it is a policy exception or the inadequacy of policy for revision. As cybersecurity practitioner, we must exercise our professional judgment to advise pragmatic approach in helping business for policy compliance rather than just a zero or one decision. After all, a "cyber court" in an organization is uncommon where the "cyber judge" will have the final ruling. Certain cybersecurity practitioners even have mal-practice to involve Senior Management for approval without taking up professional responsibility. Senior Management should be in the informed role rather than an approval role. ...

Spare Capacity

7th February 20227th February 2022 By cliangNo Comments

Roof needs to cater for extra loading due to different weather conditions Availability is one of the protection objectives in cybersecurity. When deploying new systems, the design must cater for spare capacity. Usage patterns need to be understood too as this will surge capacity demand instantaneously. Capacity refers to bandwidth, storage, processing speed. This must be estimated in the next 3-5 years with the projected growth rate plus the peak demand, setting threshold to trigger alert to resolve the capacity issue. It can be adding more storage, or archiving historical records offline, or deleting records per corporate retention policy. It is part of system management to maintain a healthy cyber environment to run business. Otherwise, business services will be interrupted. ...

Surrealism

22nd January 202222nd January 2022 By cliangNo Comments

It is easy to for artists to draw something or writers compose fictions beyond imagination. Such creation even stimulates innovation that when putting into practice disrupting the industry and our life. However when writing cybersecurity policies, the directives must be pragmatically achievable and effectively enforceable. After all, policies are the internal company rules for every level to comply with. If the rules cannot be achieved, nor enforced, these rules are just a document in the bookshelf. Follow what the industry or the peers do rather than inventing something high-sounding but cannot be landed on the ground. Non-compliance will be the outcome. ...

Purpose of control

8th January 20228th January 2022 By cliangNo Comments

When we deploy control, we always have to understand what we are trying to achieve. In the illustration, if the purpose is just to prevent accidential openning of the cabinet door hurting nearby pedestrian, then something fixes the door in position suffices. There is no need to apply a lock because it will involve key management. Without proper key management, accessing the cabinet inside will be affected. As such, don't impose unnecessary and excessive controls. It won't improve but complicate the use case. ...

Dead End

24th December 202124th December 2021 By cliangNo Comments

Can't turn left nor right and no pass thru ahead Good cybersecurity policies (management directives) should avoid incorrect interpretation nor perception. Further down the road, if policies is not precise generic nor precise specific for just-right coverage - many "policy exceptions" will be resulted. The most incorrect approach is to ask the senior management to approve such exception. The whole game should be the cybersecurity Subject Matter Expert (SME) assesses the area where policies cannot be complied with. The SME shall recommend pragmatic compensating controls and grant temporary approval while senior management is in the role of being informed. We, cybersecurity practitioners, must help senior management to understand cyber risks (mostly perception), how the risks could be exploited n own specific business environment. Like the recent Log4Shell zero-day vulnerability, understand what it is rather than blindly to push applying patches, assess the likelihood of exploitability and stand firm to explain why this is not severe if there are cyber threats intelligence...

We are all just prisoners here, of our own device …

2nd December 20213rd December 2021 By cliangNo Comments

The lyrics from "Hotel California": the song was recorded in 1976 and the prediction is so true Disruptive technologies and their rapid advancement have changed the way we live. With proliferation of Internet hotspot (mostly free) & powerful mobile device (smaller size, powerful processor, larger storage), now everyone is able to get connected from casual reading email, browsing the web, sharing status in social media, chatting via instant message to checking flight status, exchange rates, performing critical decision like confirming high value transactions. With so much convenience, we rely heavily on this tiny device to keep our memories (contact info, photos, reminders), credentials (digital wallet, second factor authenticator) and get connected. We can't afford to lose it nor have it malfunctioned. Otherwise, we shall be handicapped in the physical world. We are now the prisoner of our device … ...

Excessive and Unnecessary Control

19th November 202119th November 2021 By cliangNo Comments

So many locks Adding control won't give you more security. I came across advices from other cybersecurity practitioner that overkills. Indeed, the insecure WiFi is part of this. The whole story is that critical system (simply the Target) is isolated from the Internet. To update the Target with security patches, new anti-malware definition, removable media (simply USB thereafter) is used to transfer the required files obtained from OEM into the Target environment. No doubt there is risk to use USB. A dedicated kiosk scanning station (simply Kiosk thereafter) is established to check for malware clearance before plugging the USB into the Target. So far, everything looks good and sensible. Because the Target using the USB is far away from the Kiosk, the cybersecurity practitioner has an innovation thought to ENSURE the USB must just been scanned by the Kiosk but not inserting a different one by human mistake. In other word, USB must be validated before loading to...

ROAM

7th November 20217th November 2021 By cliangNo Comments

Remote Office Access Method (inspired by ISAM, VSAM in old days) has undergone significant changes over the past decades due to technology advancement. The need arises to provide better efficiency for system support especially if expertise is required from overseas. In early days, when remote access is required via dumb terminal with dial up connection, call back is required to authenticate the pre-registered phone number. With routable network, 2-factor authentication via secure token is required to permit the remote session from Virtual Private Network (VPN) connection. This requires complex pre-registration of the user identity associated with the token in generating the one-time password (OTP). The evolution continues into 2-step authentication with OTP in different form factors: SMS, apps in consumer mobile device or designated email. Enrollment becomes easier with guided self-service making admin-less. Access technology is also evolving from full tunnel VPN to split tunnel VPN through Transport Layer Security (TLS) via web browser or apps in workstation with rich desktop experience as if...