Jym Cheong

Research & Translation Specialist, Info-Security, ST Engineering

With the convergence of IT and OT networks, critical infrastructures and commercial enterprises are in a constant rat race with, or worse, at the mercy of dynamic cyber threats. To combat these threats, companies deploy more and more tools and solutions, increasing the complexity of their networks and systems. What many do not realise is that the more touch points are created, the more susceptible their systems become to cyber attacks. Hear from our Research & Translation specialist, Jym Cheong, on his perspective on combating social engineering attacks:

Q: What is your overall approach to information security?

I devised what I termed the Attack-Life-Cycle [2] approach to Cyber-Physical (or CP) Security. The approach starts with the necessary & sufficient conditions of any CP attack:

Just like fire, CP attacks need a set of conditions to succeed. To mitigate the risk of combustion, we need to disrupt or remove one or more of the three conditions stated in the Combustion Triangle. Similarly, disrupting one or more of the three conditions of CP attacks will lower the risks of successful attacks. Of these conditions, I will put my focus on Threat Accessibility because:

Systems Will Always be Flawed

This is not to advocate “No need to patch system vulnerabilities”, but don’t stake your life on just patching systems. There’s no way to get rid of System Susceptibility. Even tech companies worth billions of dollars can’t get it right, let alone smaller organisations & companies.

Threat Actors Have the Upper-Hand in terms of Tools, Techniques & Resources

The amount of FREE tools, techniques & resources (including source code) creates an unfavourable imbalance against defenders, who have to get it right all the time at high cost, whereas attackers only need to get it right once at low cost.

Early Disruption, Containment & Detection of Threat Access Attempts are possible

Better technical controls like Remote Browser Isolation not only disrupt malware delivery & phishing attempts, but also increase the attack effort needed to control an infected endpoint.

Malicious websites that deliver payloads are contained within an ephemeral Remote Browser container. Even if backdoors were to somehow get into endpoints by other means (e.g. USB sticks), establishing the usual malware Command & Control will be harder since there’s no direct Internet access. We should free up budgets from ineffective controls (e.g. Firewalls & Anti-Virus) to repurpose for better controls that disrupt a broad set of offensive methods. We need to detect infiltrations early with Deception technologies; traditional rule-based detection development will never catch up with agile & motivated Threat Actors.

Q: How do you convince C-suite that it is not possible to keep the organisation 100% cyber secure?

In my opinion, there is no such thing as 100 percent cybersecurity. Even powered-off equipment can be stolen under our watch (e.g. a hard disk “replaced” from your Multi-Functional Printer). We can at best minimise risks by exercising risk management.

Reinforcing the above point by drawing reference to an example close to our hearts: most drivers know that without a seat belt, the chances of survival are low in higher-speed automotive accidents. Even with seat belts, there is still no such thing as 100% survival since there are other road users who could be careless or reckless.

Q: How can CISOs/Leaders better understand a business’ needs?

Practise empathy; put yourself into users’ shoes. It is best to learn it first hand from users who are part of the business. When they can’t do their job due to various pain-points related to technical controls, it usually follows that the business will suffer. Or it could be worse: users start to introduce Shadow IT or take risky approaches just to overcome their pain-points. To share a real-world example, after Singapore’s SingHealth breach incident [3], Multi-Factor Authentication or MFA became a mandate for all IT administrators [4] & high-risk endpoints are to be equipped for MFA. Consider a sterile Operating Room setting: imposing MFA on health-care staff is challenging due to the aseptic requirements, especially for authentication methods that require typing.

The Cyber Security Agency of Singapore took the lead to consolidate the various issues faced by Critical Information Infrastructure stakeholders, specified them as requirements & arranged a number of “Call-for-Solutions” engagements with both academia & vendors to work out innovative solutions. I believe all CISOs/Leaders should play such roles within the context of their respective organisations.

Q: Ransomware and phishing are among the risks that have threatened all industries recently. From your perspective, how should companies mitigate these risks and what has worked for you?

Limit your exposure to the Internet because most payloads are delivered via the Internet. Install OpenEDR, which is free & open-source. It blocks 100% of executable file-based malware without the need for a signature database & mitigates commonly abused “Fileless” offensive techniques based on Microsoft Office macros & scripting to deliver Ransomware & malware alike.

Q: How do you predict the future of authentication?

The future of authentication is Password-less. Passwords are a liability. Offensive methods come in the forms of dirt-cheap fake login interfaces to even “CrackingPassword-as-a-Service”. Passwords are no longer effective as a control & offer very poor usability. We can end up losing our “Digital Identity” over one password because it is hard for users to remember so many passwords, such that users end up reusing the same ones for different digital services.

Authentication needs to be secure & user-friendly at the same time. It should be a low-friction framework or service that supports MFA for both users & service providers. As of now, I am putting my bets on the FIDO Alliance.

Q: How important is information sharing within the sector to keep abreast of new threats and cybersecurity best practices?

It depends on the quality & timing of the information that is being shared.

Is the information relevant & actionable?

For instance, receiving a technical workaround to mitigate a certain system vulnerability before an official vendor patch is available. But suppose a company is a pure Microsoft Windows shop; then information related to Linux vulnerabilities is irrelevant.

Is it timely?

The official patch may already be out earlier than the information for the workaround.

Do you have staff to answer the earlier two questions?

This is usually the primary challenge for most organisations. Many don’t have the manpower or “bandwidth” to deal with such information, which can come in volumes. As shared earlier, it is possible to achieve early disruption, containment & detection of attacks if we repurpose budgets for better controls & drop ineffective ones. With the “new normal” of working from home due to the current pandemic, Threat Accessibility becomes even more concerning because organisational assets are now within home networks that could already be compromised. These networks are not within your control, and Threat Actors can pivot into organisational networks through VPNs, especially when they are poorly configured to allow dual zones, i.e. accessing the Internet & Intranet at the same time.
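The “dual zones” configuration mentioned in the last answer can be checked on the endpoint itself: a remote worker’s laptop is split-tunnelling when Internet-bound traffic leaves through the home network interface while only Intranet prefixes are routed through the VPN interface. The following is an added example, not code from the interview or from OpenEDR; it parses the output format of Linux `ip route show` and classifies the table. The routing tables embedded in it are constructed samples, and the interface names (`tun0`, `wlan0`) are assumptions. It also handles the `0.0.0.0/1` + `128.0.0.0/1` pair that OpenVPN’s `redirect-gateway def1` option installs to force a full tunnel without deleting the original default route.

```python
"""Classify a Linux routing table as full-tunnel, split-tunnel ("dual zone") or no VPN.

Added example with constructed data; interface names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Route:
    dst: str             # "0.0.0.0/0" for the default route, otherwise a CIDR prefix
    dev: str             # outgoing interface
    via: Optional[str]   # next hop; None for directly connected prefixes


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` output; keywords other than dev/via are ignored."""
    routes: List[Route] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        dev = via = None
        for i, tok in enumerate(tokens[1:-1], start=1):
            if tok == "dev":
                dev = tokens[i + 1]
            elif tok == "via":
                via = tokens[i + 1]
        if dev is None:
            continue  # malformed line: every usable route names an interface
        routes.append(Route(dst, dev, via))
    return routes


def egress_interfaces_for_internet(routes: List[Route]) -> Set[str]:
    """Interfaces that can carry Internet-bound traffic.

    The /1 halves are more specific than 0.0.0.0/0, so when both are present
    they shadow the default route completely; with only one half present, the
    default route still serves the other half of the address space.
    """
    halves = [r for r in routes if r.dst in ("0.0.0.0/1", "128.0.0.0/1")]
    defaults = [r for r in routes if r.dst == "0.0.0.0/0"]
    egress = {r.dev for r in halves}
    if len({r.dst for r in halves}) < 2:
        egress |= {r.dev for r in defaults}
    return egress


def classify_vpn(routes: List[Route], vpn_dev: str) -> str:
    """Return 'no-vpn', 'full-tunnel' or 'split-tunnel' for the given VPN interface."""
    if not any(r.dev == vpn_dev for r in routes):
        return "no-vpn"
    if egress_interfaces_for_internet(routes) == {vpn_dev}:
        return "full-tunnel"
    return "split-tunnel"  # Internet via home network and Intranet via VPN at once


# Constructed sample tables (not captured from a real host).
SPLIT_TUNNEL_TABLE = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

FULL_TUNNEL_TABLE = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

NO_VPN_TABLE = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_TABLE),
                        ("full", FULL_TUNNEL_TABLE),
                        ("none", NO_VPN_TABLE)):
        print(name, "->", classify_vpn(parse_ip_route(table), "tun0"))
```

A compliance check on managed endpoints would run this against the live `ip route show` output and flag `split-tunnel` hosts, since those are the ones where a compromised home network and the corporate Intranet are reachable from the same machine at the same time.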

[1] https://github.com/jymcheong/OpenEDR/wiki

[2] https://attacklifecycle.github.io

[3] https://graphics.straitstimes.com/STI/STIMEDIA/Interactives/2018/07/sg-cyber-breach/index.html

[4] https://www.straitstimes.com/singapore/slew-of-new-measures-to-strengthen-public-healthcare-systems-unveiled-following-singhealth

Professional Background

Jym is currently a Research & Translation specialist with ST Engineering Info-Security Pte. Ltd. He is also the principal author of Open Endpoint Defense & Response (OpenEDR), an open-source security platform [1]. He has more than a decade of industry experience accumulated from various roles in Product R&D, Evaluation & Large-Scale systems deployment & delivery. Some of his achievements include the design & development of low-cost passport scanners for nation-wide deployments, and technical leadership for delivering the ST Engineering Security Operation Center & two government agencies’ SOCs. He spearheaded capability-building of a Test-&-Evaluation group to ascertain the efficacy of existing & emerging security products. Beyond his technical roles, he advises C-suite Executives who are in turn advisors for their respective boards & forums.
