Enforcement #3

In certain situations, enforcement of a policy relies on administrative controls because technical controls are not feasible. But can we guarantee there will be no offenders? No, we cannot. The only thing we can do is establish a consequence-based deterrent backed by laws and regulations. The most severe deterrent is the death sentence. A traffic sign prohibits vehicles longer than 10 m or over 10 tonnes from turning left, as illustrated. Nothing physically stops you from doing so, but if your truck exceeds this limit and still turns left, it might get trapped in the road curve, blocking other road users, crashing into vehicles in the opposite lane, or damaging third-party property. You are then fully accountable: a civil offence if negligent, or a criminal offence if done deliberately. Similarly, management always talks about how to stop insider threats when dealing with cybersecurity. The same philosophy applies: disciplinary action for employees, or contractual obligations for business partners, with...

Enforcement #2

During the pandemic, infrared body temperature detection technology is great: contactless, accurate, able to process multiple persons at once, seamless and transparent to customers. But the illustrated scenario lacks enforcement: persons with a detected abnormal body temperature are still able to go in. A policy statement (a notice at the entrance) must be established to deny entry to persons with an abnormal body temperature. Further, a security guard or similar needs to watch the measured results to enforce that policy. Without enforcement, deploying great technology doesn't make sense. This applies to the cybersecurity domain as well. ...

Concealment

Two lanes but three traffic signs. Is the middle lane hidden? Information concealment is one of the techniques used to hide important content, and many tools come with steganographic processing. Usually, media files are chosen as the host file to store the secret data, and their native usage (viewing the photo, watching the video with the associated apps) is unaffected even with the secret data injected. Media files are the popular host because photos, audio and video are relatively large to begin with. The objective is to let the secret message sit there and stay low profile without being caught. Yet this technique is aimed at hiding a small amount of data (like a passcode or a geo-location), because too much data might increase the host size out of proportion to its original form. ...
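As an added example (not code from the original post or from any steganography tool), the following Python hides a short secret in the least-significant bit of each sample of a host buffer and recovers it again. The host is simulated as raw 8-bit samples, which is what the decoded pixel data of a lossless format such as PNG or BMP looks like; the buffer, the secret and the one-bit-per-byte layout are assumptions of the example. It shows the two properties the passage relies on: the host keeps exactly its original size and each sample changes by at most one, so the native viewer is unaffected, and the capacity check is what limits you to small payloads.

```python
"""LSB steganography over a constructed host buffer (added example)."""

HEADER_BYTES = 4  # big-endian payload length stored ahead of the secret

def capacity_bytes(host: bytes) -> int:
    """Largest secret (in bytes) that fits in the low bit of every host byte."""
    return len(host) // 8 - HEADER_BYTES

def fits(host: bytes, secret: bytes) -> bool:
    return len(secret) <= capacity_bytes(host)

def embed(host: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the least-significant bits of `host`; size is unchanged."""
    if not fits(host, secret):
        raise ValueError(f"payload {len(secret)} B exceeds capacity {capacity_bytes(host)} B")
    payload = len(secret).to_bytes(HEADER_BYTES, "big") + secret
    out = bytearray(host)
    for i, byte in enumerate(payload):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1          # MSB first
            idx = i * 8 + j
            out[idx] = (out[idx] & 0xFE) | bit   # overwrite only the low bit
    return bytes(out)

def _read_bytes(stego: bytes, offset: int, n: int) -> bytes:
    """Reassemble n bytes from the low bits starting at sample `offset`."""
    buf = bytearray()
    for i in range(n):
        b = 0
        for j in range(8):
            b = (b << 1) | (stego[offset + i * 8 + j] & 1)
        buf.append(b)
    return bytes(buf)

def extract(stego: bytes) -> bytes:
    """Recover the secret from the stego buffer alone (no original needed)."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), "big")
    return _read_bytes(stego, HEADER_BYTES * 8, length)

def max_sample_change(host: bytes, stego: bytes) -> int:
    """Worst-case per-sample distortion; 1 for LSB embedding, invisible to a viewer."""
    return max(abs(a - b) for a, b in zip(host, stego))

if __name__ == "__main__":
    # Constructed "pixels"; a real tool would use the decoded image data here.
    host = bytes((i * 37 + 11) % 256 for i in range(4096))
    secret = b"geo:22.3,114.2 pin=4821"   # constructed secret
    stego = embed(host, secret)
    print(len(host), len(stego), extract(stego), max_sample_change(host, stego))
```

Re-encoding a lossy format such as JPEG would destroy the low bits, which is why lossless containers (or transform-domain techniques) are used in practice; a 4 KiB host here holds only 508 bytes of secret, which is the capacity limit the passage describes.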

Choke Point

In the physical world, a choke point is a geographically critical and strategic passage. An armed force is able to control what is and is not allowed to pass through. In the cyber world, a similar concept is deployed at the network perimeter, controlling which data traffic is and is not allowed to reach the destination node(s). Source ports don't matter. The camera aperture is a good metaphor: light sources don't matter; what matters is controlling the incoming light from whatever direction so that it reaches the camera sensor to compose an ideal photo. I came across a cybersecurity practitioner who was so innovative as to request control of the network source ports in the firewall as well. This involves application logic and configuration changes, yet its effectiveness in enhancing cybersecurity is really in doubt. ...

Grade of Protection #3

The commodities (toys) are encapsulated in the vending machine (plastic containers). All containers share the same point of sale (PoS) device: the Octopus sensor. Upon successful payment, the outlet valve is released to pass out the selected item. You might wonder whether these vending machines are securely protected, as they are placed in an open area and unattended. This is a typical scenario for a cybersecurity practitioner recommending the appropriate level of protection to business people. There are CCTV cameras in the arcade to record people accessing the vending machines, so a physical brute-force attack will be recorded. And for a vending machine like this, a physical attack is far more effective than a cyber attack for collecting the toys. Having recorded footage of a physical attack won't be useful without laws and regulations in place. The deterrent is that the offender will be caught and prosecuted for a criminal act. Last but not least, consider the total value of the commodities plus the equipment itself. If...

DeMilitarized Zone (DMZ)

The DMZ has become the de facto standard for network segmentation. It is used to control network traffic across trusted and untrusted network zones. The term "network traffic" is used instead of "network connection" because the latter is not precise: a network cable connects components, but what matters is the traffic flowing through it. Network zoning is typically implemented by a network firewall. More functions, such as anti-malware protection, site filtering and application request screening, are being added to the network firewall, making it the so-called next generation (NG) firewall. To enhance customer confidence, there is third-party accreditation for firewall cybersecurity. No matter how securely the component is manufactured and deployed, the important aspects of maintaining a secure network perimeter are:

- Proper design, i.e. placing the firewall(s) at the correct network nodes
- Proper configuration, i.e. device management and least-privilege firewall rules
- Periodic assessment, i.e. validating whether the configuration is still valid (don't retain the associated firewall rules when a system has been retired)
- Proper maintenance, i.e. updating firmware...
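As an added example serving both the Choke Point post above and the DMZ checklist (it is not the author's code and not any firewall product's rule syntax), the following Python models a zone-based, destination-keyed policy. The zones, addresses, rules and the inventory snapshot are all constructed. The policy deliberately ignores the client's ephemeral source port, which is what makes a source-port rule pointless: the same client arrives on a different port every connection, so such a rule either breaks legitimate traffic or must be so wide that it filters nothing. The stale-rule check is the "periodic assessment" item: a rule whose destination host is no longer in inventory is exactly the leftover the checklist says to remove. Return traffic is assumed to be handled by connection state, so only the initiating direction is evaluated.

```python
"""Destination-keyed, zone-based firewall policy with a stale-rule check (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zoning; anything outside these networks is treated as 'untrusted'.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str   # a specific IP or "any"
    proto: str
    dport: int

# Least-privilege policy (constructed): each rule names the one destination it exists for.
POLICY = [
    Rule("untrusted", "dmz", "192.0.2.10", "tcp", 443),   # public web front end
    Rule("dmz", "internal", "10.0.5.20", "tcp", 5432),    # web tier -> database
    Rule("dmz", "internal", "10.0.5.99", "tcp", 8080),    # app server retired, rule never removed
]

# Constructed inventory (CMDB) snapshot of hosts that still exist.
INVENTORY = {"192.0.2.10", "10.0.5.20"}

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"

def permitted(src_ip: str, sport: int, dst_ip: str, proto: str, dport: int) -> bool:
    """Default deny. `sport` is accepted for realism but intentionally unused:
    it is chosen by the client from the ephemeral range and carries no trust."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone
        and r.proto == proto and r.dport == dport
        and r.dst_host in ("any", dst_ip)
        for r in POLICY
    )

def stale_rules(policy, inventory):
    """Periodic assessment: rules whose destination host no longer exists."""
    return [r for r in policy if r.dst_host != "any" and r.dst_host not in inventory]

if __name__ == "__main__":
    for sport in (51234, 40001):   # the same client on two different ephemeral ports
        print(sport, permitted("203.0.113.5", sport, "192.0.2.10", "tcp", 443))
    print(permitted("203.0.113.5", 51234, "10.0.5.20", "tcp", 5432))  # untrusted -> internal
    print(stale_rules(POLICY, INVENTORY))
```

The point of the zone lookup is that the firewall sits on the path between zones: an untrusted client can reach the DMZ web port and nothing else, the DMZ host can reach only its database, and a direct untrusted-to-internal flow matches no rule regardless of which ports are involved.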

Reinforcement

Sometimes, security protection needs reinforcement to avoid deterioration of its effectiveness over time. This is easily visualized in the real world: screws are used to tighten the wheel, multiple screws are used for resilience, and you add a further clamp to stop the screws from spinning off. In cyber protection, the layer that deteriorates most easily is the human factor. You have a policy published and communicated; you still need to reinforce situational awareness to bring back attention. An example is the phishing email. It is a common cyber attack vector resulting in ransomware infections that hijack all systems, backdoors installed into the corporate network, exfiltration of sensitive information, etc. Other than regular communication, launch phishing test campaigns to validate how many in the organization will fall into the trap. Through repeated exercises, awareness in combating phishing attacks will be reinforced. ...

Suspicious

It is common to see such a directive in the subway, at airports, in key facilities, in incident response playbooks, etc. The problem is that different people have different interpretations of "suspicious". Take a phishing attack as an example. The email is apparently sent from someone you know. Should it be suspicious? If it were treated as such, there wouldn't be so many successful cyber attacks originating from phishing that go on to launch ransomware, data exfiltration or a remote access trojan (RAT). Therefore, more needs to be done to elaborate what "suspicious" means in order to raise situational awareness. Of course, it is a challenge to fit so much information on a signboard. If the facility is critical, each person (staff, visitor, contractor) should be briefed on the threat scenarios (like the safety briefing before an aircraft departs), while the signage is just a reminder of what has been briefed. ...

Cyber …

In the early days of the industry, we talked about information security: protecting information so as to minimize the impact of unnecessary disclosure, unauthorized modification or unplanned downtime. It covers every information taxonomy under the sun. Suddenly, cybersecurity came into the picture, and adding "cyber" as a prefix became a fashion. Vendors are trying to convince customers that their products or services address market needs with high tech. To me, cybersecurity is a subset of information security. At least the hardcopy information container is excluded from the cyber perspective, though hardcopy is becoming less common and diminishing in usage. There are many cyber terms: cyber workforce, cyber maintenance, cyber hygiene, cyber insurance, cyber warfare, cyber defense, cyber range, etc. Pick cyber insurance as an illustration. This has become a focus area in the industry, and relevant standards are being developed so that work practices are consistent. However, cyber insurance isn't bulletproof. If your infrastructure has weaknesses, repeated cyber attacks are possible. The sole value of...

Information Integrity

Why buy 2? Sometimes a small mistake will invite the question of whether the information processing facilities are producing accurate results without malicious tampering. The illustrated sales price might have been input manually, or generated by the system as per a scheduled price promotion. In either scenario, either a broken business process exists (lack of review and approval before publishing), or an automated consistency check is missing. When such a small mistake goes public, it will require a lot of PR effort to reassure people that this is an isolated case and does not affect other back-office applications like customer data, staff personal data, financial records, etc. ...
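As an added example (not code from the original post or from any retail system), the following Python is a pre-publication gate that implements the two missing controls the passage names: an approval step and an automated consistency check. The field names, the sample entries and the "today" date are constructed; prices are in cents. The check catches the illustrated "why buy 2?" case, where the multi-buy price exceeds the same quantity bought as singles, as well as a promotion that is scheduled but not yet in its window or never approved.

```python
"""Pre-publication consistency gate for price entries (added example)."""
from datetime import date

TODAY = date(2024, 3, 15)   # constructed run date

# Constructed entries, as a pricing feed or promotion schedule might supply them.
SAMPLE_ENTRIES = [
    {"sku": "SKU-1", "unit_price": 500, "bundle_qty": 2, "bundle_price": 900,
     "promo_start": date(2024, 3, 1), "promo_end": date(2024, 3, 31),
     "approved_by": "pricing-lead"},
    # The "why buy 2?" case: two units cost more than two singles.
    {"sku": "SKU-2", "unit_price": 500, "bundle_qty": 2, "bundle_price": 1100,
     "promo_start": date(2024, 3, 1), "promo_end": date(2024, 3, 31),
     "approved_by": "pricing-lead"},
    # Scheduled for next month and never approved: must not go live today.
    {"sku": "SKU-3", "unit_price": 500, "bundle_qty": 3, "bundle_price": 1200,
     "promo_start": date(2024, 4, 1), "promo_end": date(2024, 4, 30),
     "approved_by": None},
]

def validate_entry(entry: dict, today: date) -> list:
    """Return the reasons this entry must not be published (empty list = OK)."""
    problems = []
    # Process control: someone must have reviewed and approved the price.
    if not entry.get("approved_by"):
        problems.append("no approval recorded")
    # Schedule control: a promotion is only valid inside its window.
    if not (entry["promo_start"] <= today <= entry["promo_end"]):
        problems.append("promotion is outside its scheduled window")
    # Consistency control: a bundle must never cost more than the singles.
    unit, qty, bundle = entry["unit_price"], entry["bundle_qty"], entry["bundle_price"]
    if unit <= 0 or bundle <= 0 or qty < 2:
        problems.append("non-positive price or invalid bundle quantity")
    elif bundle > unit * qty:
        problems.append(f"bundle of {qty} costs {bundle} but {qty} singles cost {unit * qty}")
    return problems

def audit(entries: list, today: date) -> dict:
    """Map sku -> list of problems for every entry in the feed."""
    return {e["sku"]: validate_entry(e, today) for e in entries}

def publishable(entries: list, today: date) -> list:
    """SKUs that pass every check and may reach the customer-facing sign."""
    return [sku for sku, problems in audit(entries, today).items() if not problems]

if __name__ == "__main__":
    for sku, problems in audit(SAMPLE_ENTRIES, TODAY).items():
        print(sku, "OK" if not problems else problems)
```

Run as a gate in the publishing job, this is the automated check that would have stopped the illustrated sign; the approval field is the audit trail that turns "was this tampered with?" into a question with a recorded answer.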