Sunday, August 16, 2020

The pitfalls of cyber threat management - the basics

Before we go any further, let's look at the current challenges an IT department faces in a large MNC environment; some of you might find these familiar.

1. Zones in the network

For some folks, it's quite common to pick up DMZ, Extranet, Internet, corporate network, and so forth. Best practice in some Microsoft certification courses even suggests separating HR, payroll and accounts from one another into their own silos. Further, when you have isolated networks within the corporate network, how does one ensure the completeness of your SIEM when the firewall is doing its job, i.e. blocking the traffic?

2. IT Asset Inventory

HP XXXX $YYY

IBM XXX $YYY

OEM XXX $YYY

How useful is this information on Finance's invoices? Familiar? Even if these invoices are fed to the engineer responsible for data entry into the IT asset inventory, he will need time to gather more information such as IP addresses, department user, system owner, information owner, and the list goes on. For legacy records, it's a headache because the tagging often consists of guesswork or a wall-to-wall check against MAC addresses. Imagine doing a wall-to-wall check during the COVID-19 situation or a similar pandemic. Hence, we thought maybe it's time for businesses to consider barcode scanning and the use of drones within the physical data centre.
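To make the two problems above concrete (invoice-grade asset records that lack the fields an engineer actually needs, and network segments whose hosts never show up in the SIEM because the firewall drops their traffic), here is an added Python illustration. It is not the blog's own code; the inventory export, the discovery sweep and the SIEM log-source list are constructed, and the field names are assumptions.

```python
"""Asset inventory completeness and SIEM coverage check (added example).

Inputs are constructed: a finance-style inventory export, a network discovery
sweep (MAC/IP/zone) and the set of IPs that delivered events to the SIEM.
"""
from collections import defaultdict

# Fields the data-entry engineer has to chase after the invoice arrives (assumed list).
REQUIRED_FIELDS = ("ip", "mac", "zone", "department", "system_owner", "information_owner")

# Constructed inventory: what has been recorded so far.
INVENTORY = [
    {"tag": "A-001", "vendor": "HP", "ip": "10.1.0.10", "mac": "aa:bb:cc:00:00:01",
     "zone": "corporate", "department": "HR", "system_owner": "alice",
     "information_owner": "hr-head"},
    {"tag": "A-002", "vendor": "IBM", "ip": "10.2.0.20", "mac": "aa:bb:cc:00:00:02",
     "zone": "payroll", "department": "Finance", "system_owner": "bob",
     "information_owner": ""},                                   # legacy record, owner unknown
    {"tag": "A-003", "vendor": "OEM", "ip": "", "mac": "", "zone": "", "department": "",
     "system_owner": "", "information_owner": ""},              # invoice line only
    {"tag": "A-004", "vendor": "HP", "ip": "192.168.5.5", "mac": "aa:bb:cc:00:00:04",
     "zone": "dmz", "department": "IT", "system_owner": "carol",
     "information_owner": "cio"},
]

# Constructed discovery sweep: (mac, ip, zone) seen on the wire.
DISCOVERED = [
    ("aa:bb:cc:00:00:01", "10.1.0.10", "corporate"),
    ("aa:bb:cc:00:00:02", "10.2.0.20", "payroll"),
    ("aa:bb:cc:00:00:04", "192.168.5.5", "dmz"),
    ("aa:bb:cc:00:00:09", "10.2.0.99", "payroll"),   # nobody has a record of this one
]

# Constructed SIEM log-source list: IPs that sent at least one event in the window.
SIEM_SOURCES = {"10.1.0.10", "192.168.5.5"}


def missing_fields(inventory, required=REQUIRED_FIELDS):
    """Map asset tag -> list of required fields that are still empty."""
    return {rec["tag"]: [f for f in required if not rec.get(f)]
            for rec in inventory if any(not rec.get(f) for f in required)}


def unknown_devices(inventory, discovered):
    """MACs seen on the network that have no inventory record at all."""
    known = {rec["mac"] for rec in inventory if rec["mac"]}
    return sorted((mac, ip, zone) for mac, ip, zone in discovered if mac not in known)


def siem_coverage_by_zone(inventory, siem_sources):
    """Per zone: inventoried hosts with an IP, and the ones the SIEM never heard from.

    A zone whose hosts are all 'silent' is the blind spot the post describes:
    traffic the firewall blocks is invisible unless a collector sits inside the zone.
    """
    report = defaultdict(lambda: {"hosts": 0, "silent": []})
    for rec in inventory:
        if not rec["ip"]:
            continue  # cannot correlate without an address; it is listed by missing_fields
        zone = rec["zone"] or "unassigned"
        report[zone]["hosts"] += 1
        if rec["ip"] not in siem_sources:
            report[zone]["silent"].append(rec["tag"])
    return dict(report)


if __name__ == "__main__":
    for tag, fields in missing_fields(INVENTORY).items():
        print(f"{tag}: missing {', '.join(fields)}")
    for mac, ip, zone in unknown_devices(INVENTORY, DISCOVERED):
        print(f"unknown device {mac} at {ip} in zone {zone}")
    for zone, info in siem_coverage_by_zone(INVENTORY, SIEM_SOURCES).items():
        print(f"{zone}: {info['hosts']} host(s), not logging: {info['silent'] or 'none'}")
```

Run as-is it flags A-002 and A-003 as incomplete, reports the payroll device nobody tagged, and shows the payroll zone with zero SIEM visibility. The same three functions work on a real CMDB export, an ARP or switch-table dump and the SIEM's log-source inventory once the column names are mapped.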

3. Impatient management - "The XXX invested millions and I don't have time to wait!"

You have already implemented the solution in the production network, why is it not operationally ready?

We have spent millions and this thing can't even catch a thing?

Why are you guys still spending time and renewing licenses of the older appliances? 

Management tends to jump the gun because they spent millions, and during a pandemic it just doesn't help, because the CFO and FCs are looking at cost optimisation and budgets get cut or transferred to other parts of the operation to make ends meet. Hence, lots of justification is needed. However, it is important to know that cuts must be in line with revenue or customer base; otherwise threat actors would love to see the CFO or FCs performing such cuts, because that is going to make their recon much easier.

Coming up next:

  • Bring your own device (BYOD)
  • Threat actors are human
  • Human behaviours are dynamic
  • Rules are static and machine learning takes time



Saturday, April 25, 2020

Risk management and Covid19

April is coming to an end; since the beginning of the year, COVID-19 has rampaged across the world for approximately 4 months. The virus was first discovered in Wuhan, China, in December 2019, and months later there has yet to be confirmation of the source and where it could have started, i.e. we have not clearly identified patient zero. Some argued that it was a Chinese disease; some claimed it was a lab-release mistake. We tend to believe none of these are true, but understanding how nature has always behaved, this is evolution. If humans can innovate, what is stopping other forms of life from evolving? How much have we truly understood microorganisms? These questions are probably best answered by scientists.

Before COVID-19, the threat landscape was focused on digitalisation, cybercrime, cloud security and the Internet of Things (IoT). On the health front, WHO released the following list of 10 threats in January 2019:

1. Air pollution and climate change
2. Noncommunicable diseases
3. Threat of a global influenza pandemic
4. Fragile and vulnerable settings, such as regions affected by drought and conflict
5. Antimicrobial resistance
6. Ebola and high-threat pathogens
7. Weak primary care
8. Vaccine hesitancy
9. Dengue
10. HIV

On 15 Jan 2020, WHO released the following list of 10 threats:

1. Climate crisis
2. Health care delivery in areas of conflict and crisis
3. Health care equity
4. Access to treatments
5. Infectious disease prevention
6. Epidemic preparedness
7. Unsafe products
8. Underinvestment in health workers
9. Adolescent safety
10. Improving public trust of health care workers

Infectious disease prevention, epidemic preparedness, access to treatments and underinvestment in health workers were rated less threatening than the climate crisis, which stayed at No. 1 in both the 2019 and 2020 assessments. However, after COVID-19, I suppose the threat landscape on technology would probably be heightened, while WHO's No. 1 threat could now be "Global influenza pandemic", followed by vaccine hesitancy, weak primary care, and fragile and vulnerable settings, instead of the climate crisis or air pollution. That being said, risk management is about relativity.

The virus is more threatening because it has shown its impact on the global economy and has expedited the oil crisis because of #stayhome, #lockdown, #cruiseships, #airline, #financialindustry. Along with it, cybercrime could get rampant due to public instability, the social impacts of #stayhome and #lockdown, and the lack of entertainment or security resources. On the flip side, digitalisation could speed up because of the sudden surge in demand for remote offices, remote socialisation, virtual teams, virtual coffee places, and the list goes on. Some of the more obvious changes are video conferencing technologies like Zoom, Skype and Microsoft Teams, which are already widely used by educators, students, public speakers and corporate enterprises. What are the risks associated with these technologies?

1. Data loss incidents could escalate
2. Cybercrime over intellectual property (information shared via these technologies)

Hence, I feel that information risk practitioners need to reassess their administrative controls, such as information classification, information security during BCP, systems availability and recovery, and software management controls, through to technical controls such as antivirus preventive controls, firewall rules and packet inspection.


Wednesday, April 22, 2020

Stay home - work from home - better security? - Part one: Data loss

Many of us like the idea of working from home because it means getting up later and doing your work at your own pace, away from the gossip and distractions you once faced at work. But think again: is working from home really good?

Risk of data loss

For centuries, organizations regardless of nation have learned that intelligence is crucial in a competitive environment. As the digital space gets heavier with content, more data is available for harvesting to gain insights. In the past 20-odd years, countries started enacting data protection regulations; some worked on cross-border data exchange, some decided to tag data with a nationality. There are simply many ways to prevent data being abused. However, none would have considered data usage during a pandemic situation like COVID-19.

Working from home means either you brought home your corporate laptop or you start to work off your personal computer.

Working from home using your personal computer

In the enterprise environment, the network is usually monitored and secured with multiple devices. IPS, IDS, firewalls, network access control appliances and so forth are just a few of the things that ensure your network is secured. However, working from home means you have an internet router/modem that connects you to either a wireless or a wired network. That is a real concern, because the device that connects you to the internet could be too obsolete to protect you from the latest security threat or a remote access attack. Your wireless network could be set up with a weak security control such as WEP or MAC filtering. Your router might also be running old firmware with a bunch of remote access vulnerabilities waiting to be exploited. Next, the antivirus software on your personal computer could be obsolete too, and the operating system might be Windows XP. The list of dangers goes on.

Hence, there should be an easy checklist to assess whether it is feasible, from a security standpoint, to allow someone to work from home, especially when a data entry operator has access to all customers' information.
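One way to turn that checklist into something an IT helpdesk can actually run is sketched below. This is an added Python example, not the post's own code: the home-setup profiles are constructed, and the thresholds (firmware older than a year, antivirus signatures older than a week, the unsupported-OS list) and field names are assumptions to be replaced by the organisation's own policy. It encodes the post's point about the data entry operator: medium findings that a casual user could live with become blocking when the worker handles customer data.

```python
"""Work-from-home readiness checklist (added example, not from the original post).

Checks mirror the concerns in the text: unsupported OS, weak Wi-Fi security,
MAC filtering used as the only control, stale router firmware, stale or absent
antivirus, and personal versus corporate machine.  All thresholds are assumed.
"""
from datetime import date

UNSUPPORTED_OS = {"windows xp", "windows 7", "windows 8"}   # assumed end-of-support list
WEAK_WIFI = {"open", "wep", "wpa"}                            # WPA2 or WPA3 expected
MAX_FIRMWARE_AGE_DAYS = 365                                   # assumed policy value
MAX_AV_SIGNATURE_AGE_DAYS = 7                                 # assumed policy value


def evaluate(setup, today, handles_customer_data):
    """Return (allowed, findings); each finding is (severity, description).

    High-severity findings block remote work outright.  Medium-severity findings
    block only when the worker handles customer data (the data entry operator case).
    """
    findings = []
    if setup["os"].lower() in UNSUPPORTED_OS:
        findings.append(("high", f"unsupported operating system: {setup['os']}"))
    if setup["wifi_security"].lower() in WEAK_WIFI:
        findings.append(("high", f"weak Wi-Fi security: {setup['wifi_security']}"))
    if setup["mac_filter_only"]:
        findings.append(("medium", "MAC filtering is the only Wi-Fi access control"))
    if (today - setup["router_firmware_date"]).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("medium", "router firmware older than policy allows"))
    if not setup["av_installed"]:
        findings.append(("high", "no antivirus installed"))
    elif (today - setup["av_signature_date"]).days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append(("medium", "antivirus signatures out of date"))
    if setup["machine"] == "personal":
        findings.append(("medium", "personal computer, not under corporate endpoint management"))

    severities = {sev for sev, _ in findings}
    blocked = "high" in severities or (handles_customer_data and "medium" in severities)
    return (not blocked), findings


# Constructed home-office profiles.
TODAY = date(2020, 4, 22)
HOME_OFFICE_A = {  # the worst case described in the post
    "machine": "personal", "os": "Windows XP", "wifi_security": "WEP",
    "mac_filter_only": False, "router_firmware_date": date(2016, 3, 1),
    "av_installed": True, "av_signature_date": date(2019, 11, 2),
}
HOME_OFFICE_B = {  # corporate laptop, everything current
    "machine": "corporate", "os": "Windows 10", "wifi_security": "WPA2",
    "mac_filter_only": False, "router_firmware_date": date(2020, 1, 20),
    "av_installed": True, "av_signature_date": date(2020, 4, 20),
}
HOME_OFFICE_C = dict(HOME_OFFICE_B, machine="personal")  # same, but a personal PC


if __name__ == "__main__":
    for name, setup in (("A", HOME_OFFICE_A), ("B", HOME_OFFICE_B), ("C", HOME_OFFICE_C)):
        for customer_data in (False, True):
            allowed, findings = evaluate(setup, TODAY, customer_data)
            print(f"setup {name}, customer data={customer_data}: "
                  f"{'allowed' if allowed else 'blocked'}")
            for sev, text in findings:
                print(f"    [{sev}] {text}")
```

Profile A is blocked in every case, B is allowed in every case, and C (a well-maintained personal PC) is allowed for ordinary work but blocked once the worker handles customer data, which is the distinction the paragraph above is asking for.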

Wednesday, January 15, 2020

What is cybersecurity?

Someone asked me this question a few months ago: "Can you tell me in simple words, what is cybersecurity?" At that point, I thought everyone already had an idea of what cybersecurity is. Hence, I went on to describe cybersecurity as a human behaviour. It is nothing more than bringing this behaviour to social media platforms and behaving in a rather malicious manner. Because of this behaviour, usage of mobile phones is susceptible to data leakage, unauthorised access, identity compromise, and the list goes on. That person was confused and went further to ask: is this nothing more than IT general controls, then? My response was both yes and no. I went on to elaborate that cybersecurity may be found in ITGC or ITAC, but it is much more, because ITGC does not dictate how a person should behave with his personal devices, and the same goes for ITAC.

In this post, I would like to set out my view of cybersecurity alongside cybersecurity as found in the Google results: unauthorised access to any computing device, or its being damaged or made unavailable. Using this definition, cybersecurity comprises "Confidentiality, Integrity and Availability" types of risk. Technology, on the other hand, is really a risk to availability and less to confidentiality or integrity. But does that mean cybersecurity is a technology risk because it impacts availability? I believe many organizations today have somehow figured out that cybersecurity is, and should be, a business risk. However, does that mean Chief Security Officers today should also be cybersecurity-skilled? The answer remains largely unknown, but awareness of cybersecurity and its relevant cycles (threat, cyber kill chain) should be required.

In my personal opinion, cybersecurity is technology risk elevated, or a product of an evolved Web 5.0. Technology since its early days has consolidated time and space. The pace of work has become faster due to technological improvements. Prior to electronic mail, postal mail was the fastest known method to transmit large blocks of messages. Today, we have chat groups, and gigabytes of data are transmitted daily. The presence of time and space has become blurred. Official working hours exist merely as a notional value to calculate the salary an individual is entitled to for exchanging his/her time for work. This simply means everyone is networked, and it is this network that enables cybersecurity events to take place and cause wide impact. Consider a botnet: its fundamental requirement is the network. Without a large number of connections, a botnet doesn't work as expected.

Hence, business today must embed a cybersecurity function in its business processes to ensure that the kill chain is stopped in time, before an event takes place. Why is this so? Because each cyber event has the potential to wipe out the entire assets of the business, considering today's network transfer speeds: in the past, transferring 1GB of data took hours; today, it's probably 1 minute. How much money can be transferred in 1 minute? :) SWIFT connections complete their transactions in seconds. Hence, be ready for cybersecurity; it is no longer meant only for geeks.

It is about YOU and ME.