Commentary: Implement Internet separation? Let’s learn from industry best practices
We should consider other advanced measures already in the market that can improve security without compromising usability, says one cyber security expert.
(Updated: )
Christopher Bong
Internet separation is not rocket science but just common sense. Several companies are already doing so. So much for wanting to be a Smart nation.
Justice Boa
Well said. You can have the best anti-cyber security system, but people is the weakest link.
Green ICT Technology Sharing
Smart City team are lead by GovTech and leadership team mostly from public sectors, who have no sense & knowledge of real ICT for bizs and relevant to public. Basic design of where the doors "network security" to be place are not even in place. Internet seperation is a norm in industrial. For 2 decade in our private sectors indus had protected citizen data without fail. Look like local security breaches from GLCs, Security setup Slas, edu inst, GovTech : Sloppy and too complacent. How to be good governance - if don't know how to protect basic.
Christopher Bong
Instead of pushing for smart nation, the government must get their house in order. Again, no heads will roll, no accountability except outright denial.
Ricky Lim
Perhaps we should consider other industry standard techniques already in the market that can improve security without compromising usability.
Most advanced digitalised companies, for example, employ secure IT architecture design in their systems.
A secure IT architecture system defines a rigorous set of protocols, process and technical controls that define how information flows across systems within a company
For example, the architecture would specify encryption standards and firewalls that guard against unauthorised access to private networks connected to the Internet. This allows frontline users to still use the Internet, without being afraid that their actions online might compromise the entire company.
Furthermore, secure IT architecture systems adhere to a list of guiding security principles that have been endorsed by leading industry players.
There are internationally recognised standards that companies can adhere to in order to build a robust system — ISO 27001, for example, helps companies identify, analyse and address its information risks.
IEC 27033 gives companies a manual to create a secure network architecture in day-to-day business dealings, such as securing communications between networks through gateways and firewalls.
Finally, the US National Institute of Standards and Technology cloud computing security standards help companies design a secure reference architecture even if their operations requires processing information in the open cloud.
These standards try to assist companies to build secure systems without necessarily clamping down on Internet access or compromising the usability of the systems.
LOOK AT THE ECOSYSTEM, NOT JUST THE CYBERATTACKS
Perhaps the issue here is that cyber incidents are all too often seen as a problem of dealing with cyberattacks. If we similarly framed health issues as viral infections, we could miss out more fundamental solutions which address the root cause, such as boosting patients’ immune systems or adjustments to their lifestyles.
But if we reframe the issue of cyber-attacks by looking at our current security and protection systems, we can have targeted initiatives to improve cybersecurity “lifestyles” rather than be fixated with specific viral events.
Such measures might require deeper and heavier fundamental investments, but let us not be penny-wise and ultimately pound foolish.
Most advanced digitalised companies, for example, employ secure IT architecture design in their systems.
A secure IT architecture system defines a rigorous set of protocols, process and technical controls that define how information flows across systems within a company
For example, the architecture would specify encryption standards and firewalls that guard against unauthorised access to private networks connected to the Internet. This allows frontline users to still use the Internet, without being afraid that their actions online might compromise the entire company.
Furthermore, secure IT architecture systems adhere to a list of guiding security principles that have been endorsed by leading industry players.
There are internationally recognised standards that companies can adhere to in order to build a robust system — ISO 27001, for example, helps companies identify, analyse and address its information risks.
IEC 27033 gives companies a manual to create a secure network architecture in day-to-day business dealings, such as securing communications between networks through gateways and firewalls.
Finally, the US National Institute of Standards and Technology cloud computing security standards help companies design a secure reference architecture even if their operations requires processing information in the open cloud.
These standards try to assist companies to build secure systems without necessarily clamping down on Internet access or compromising the usability of the systems.
LOOK AT THE ECOSYSTEM, NOT JUST THE CYBERATTACKS
Perhaps the issue here is that cyber incidents are all too often seen as a problem of dealing with cyberattacks. If we similarly framed health issues as viral infections, we could miss out more fundamental solutions which address the root cause, such as boosting patients’ immune systems or adjustments to their lifestyles.
But if we reframe the issue of cyber-attacks by looking at our current security and protection systems, we can have targeted initiatives to improve cybersecurity “lifestyles” rather than be fixated with specific viral events.
Such measures might require deeper and heavier fundamental investments, but let us not be penny-wise and ultimately pound foolish.
Like · Reply · 3m
Ricky Lim
Based on the writing above, this writer has a misconception that the Internet front-end facing is completely separated from the back-end process and database.
Ricky Lim
Based on the writing above, this writer has a misconception that the Internet front-end facing is completely separated from the back-end process and database.
This is not correct.
(1) If it is so, how does public users access all the Government online services, eCommerce, online purchases, banking transactions - if eTransaction from Internet is physically separated from the back-end apps process and database?
(1) If it is so, how does public users access all the Government online services, eCommerce, online purchases, banking transactions - if eTransaction from Internet is physically separated from the back-end apps process and database?
Like · Reply · 1m
Ricky Lim
In fact, the whole slew of secured IT infrastructure and ecosystem to enable a Smart Nation is already in place without compromising usability --- as what this author is describing - for without which - public users will not be able to conduct online transaction.
Pse note the following secured infrastructure eco-system (in which the author is describing - which is already in place - else how the Smart Nation works?)
Posted on:- 20 Jul 2018
Ricky Lim
Protecting IT resources to minimise hacking are not that scary.
1. IT design to segregate back-end oob (out of band) mgt from front end internet fronting (in band) will definitely minimise internet hacking attack of such scale. The reason being, front end (in-band) is internet facing, out-of-band (back end) is segregated from front-end (inband) - and when hackers attack from front-end (in-band) - it cannot get into the back end (out-of-band) as the front end network is separated from back-end network. Breaching the front probably may get access to one or the most a few transactions --- but will not be able to do a mass copy of data - using backend admin with powerful rights.
2. Proactive security incidents and event management of all critical information infrastructure online real-time will trigger alarms and alerts the moment when stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, tcp port scanning, icmp ping, traceroute etc will be picked up.
3. APT advanced persistence threat or maybe dlp (data loss protection) protection can be put in place to filter known, unknown, zero day attack, virtual patching and sandbox unknown but anomaly threat.
4. 2 FA authentication for administrator to be installed for login before allowing management of network device, software, database. Hackers may be able to steal the admin id and password, but without 2FA, hackers cannot administer and manage network device, edit software, access data in database.
5. Remove all remote access by hardening and removing or shutting down all remote access capability to all network devices, software and database. Lockdown and identify dedicated jump host to administer all network devices, software, database by local access workstation or virtual machine that are securely protected. Any other workstation that are not identified as jump host for administration are not allowed to manage and administer supervisor function over the network devices, software and database. Remote management must be disallowed. By doing so, hacker compromising a weak front end workstation will not be able to mass copy the database - as it is not a dedicated jump host and will not be allowed to do so - also a security alarm and alert will be triggered to the sms and email to administrator that can quickly respond to the hacking.
6. Encryption of data storage, encryption key management and encryption of database maybe required. This ensure that even when the data is mass copied by the hackers, the data are encrypted and hackers will take a hard time to decrypt the data.
The above measures are recommended on top and above the below:-
(Assuming that all traditional security measures are put in place like firewall, segregration of web, apps, database, network IPS, host IPS, WAF - web application firewall, vpn ipsec, digital cert, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches etc that have undergone security posture assessment such as BYOD, port authentication, secured shell for admin management, ssl etc have been put in place).
Pse note the following secured infrastructure eco-system (in which the author is describing - which is already in place - else how the Smart Nation works?)
Posted on:- 20 Jul 2018
Ricky Lim
Protecting IT resources to minimise hacking are not that scary.
1. IT design to segregate back-end oob (out of band) mgt from front end internet fronting (in band) will definitely minimise internet hacking attack of such scale. The reason being, front end (in-band) is internet facing, out-of-band (back end) is segregated from front-end (inband) - and when hackers attack from front-end (in-band) - it cannot get into the back end (out-of-band) as the front end network is separated from back-end network. Breaching the front probably may get access to one or the most a few transactions --- but will not be able to do a mass copy of data - using backend admin with powerful rights.
2. Proactive security incidents and event management of all critical information infrastructure online real-time will trigger alarms and alerts the moment when stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, tcp port scanning, icmp ping, traceroute etc will be picked up.
3. APT advanced persistence threat or maybe dlp (data loss protection) protection can be put in place to filter known, unknown, zero day attack, virtual patching and sandbox unknown but anomaly threat.
4. 2 FA authentication for administrator to be installed for login before allowing management of network device, software, database. Hackers may be able to steal the admin id and password, but without 2FA, hackers cannot administer and manage network device, edit software, access data in database.
5. Remove all remote access by hardening and removing or shutting down all remote access capability to all network devices, software and database. Lockdown and identify dedicated jump host to administer all network devices, software, database by local access workstation or virtual machine that are securely protected. Any other workstation that are not identified as jump host for administration are not allowed to manage and administer supervisor function over the network devices, software and database. Remote management must be disallowed. By doing so, hacker compromising a weak front end workstation will not be able to mass copy the database - as it is not a dedicated jump host and will not be allowed to do so - also a security alarm and alert will be triggered to the sms and email to administrator that can quickly respond to the hacking.
6. Encryption of data storage, encryption key management and encryption of database maybe required. This ensure that even when the data is mass copied by the hackers, the data are encrypted and hackers will take a hard time to decrypt the data.
The above measures are recommended on top and above the below:-
(Assuming that all traditional security measures are put in place like firewall, segregration of web, apps, database, network IPS, host IPS, WAF - web application firewall, vpn ipsec, digital cert, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches etc that have undergone security posture assessment such as BYOD, port authentication, secured shell for admin management, ssl etc have been put in place).
Like · Reply · 1m
Ricky Lim
Note:- Separating (out-of-band management) back-end from front-end (Internet facing) - is not physical separation, they are logical separation - protected by strong slew of security devices and logical separation.
But :-
Ricky Lim
Most important, ensure that in-band (front-end) network must not be routable to the out-of-band (back-end) network.
Internet Public DMZ coming in from Internet - to process online transaction to hit web-apps-database are still in place and routable but strongly and securely protected --- else how eTransaction takes place?
Ensure this mistake must not be made - else 佛都保不到你。。。。。
But :-
Ricky Lim
Most important, ensure that in-band (front-end) network must not be routable to the out-of-band (back-end) network.
Internet Public DMZ coming in from Internet - to process online transaction to hit web-apps-database are still in place and routable but strongly and securely protected --- else how eTransaction takes place?
Ensure this mistake must not be made - else 佛都保不到你。。。。。
Like · Reply · 1m
Ricky Lim
But to do so securely, we must be mindful of the below :-
Posted on:-20 Jul 2018
Ricky Lim
Freddy Chin - I don't speak on behalf of the cybersecurity professionals nor for the senior management.
To implement those security gadgets will easily cause a bomb - if individually built.
There is a need to aggregate resources to bring down the cost.
Also you will need talents with an overview of the full spectrum of the IT needs - not everyone have the knowledge of the full spectrum.
By benchmarking the corporate security deployment versus what is stated here - will know that many will have fall short.
Those mentioned above is not all encompassing, as there could be some specific security needs that some will need and some don't.
eg. those with proliferation of mobile devices - will require different ways of securing mobile access.
eg. those with proliferation of wireless - will need wireless security
eg. those who are using cloud - will require cloud security
eg. those who use mainly remote access - will require remote access security
eg. those who use Voice Over IP, IP telephony - will require Voip security.
eg. those who use video conferencing - will require VC security.
eg. those who use email - will require email security.
etc etc etc ...... endless ...... seriously can cover so many things ?????????
Like · Reply · 2m
Ricky Lim
Eg. briefly
(1) Mobile device security - will have talk about MDM (mobile device management), BYOD (Bring Your Own Device), Port authentication, Device posture assessment, authenticated VLANs, Quarantine VLANs, Captive Web Portal etc.
(2) Wireless LAN security - will talk about 802.1x port authentication, EAP (Extensible Authentication Protocol), IEEE802.11i, WPA (Wireless Protected Access), AES, 3DES encryption, SSID, WLAN controller etc...
(3) Remote access security - will have talk about SSL VPN or IPSec VPN gateway and SSL VPN clients.
(4) VoIP, IT telephone - will have to talk about securing VoIP protocols such as SIP (Session Initiation Protocol) - encryption between Call Manager and end phones, voice vlan segregated from data vlan.
etc.
All these are not mention in the above infrastructure security.
So do we have talents to cover so many things .... and i have not mention cloud security that will have secured VM (virtual machines), bare metal, cloud firewall, cloud load balancers etc.
Posted on:-20 Jul 2018
Ricky Lim
Freddy Chin - I don't speak on behalf of the cybersecurity professionals nor for the senior management.
To implement those security gadgets will easily cause a bomb - if individually built.
There is a need to aggregate resources to bring down the cost.
Also you will need talents with an overview of the full spectrum of the IT needs - not everyone have the knowledge of the full spectrum.
By benchmarking the corporate security deployment versus what is stated here - will know that many will have fall short.
Those mentioned above is not all encompassing, as there could be some specific security needs that some will need and some don't.
eg. those with proliferation of mobile devices - will require different ways of securing mobile access.
eg. those with proliferation of wireless - will need wireless security
eg. those who are using cloud - will require cloud security
eg. those who use mainly remote access - will require remote access security
eg. those who use Voice Over IP, IP telephony - will require Voip security.
eg. those who use video conferencing - will require VC security.
eg. those who use email - will require email security.
etc etc etc ...... endless ...... seriously can cover so many things ?????????
Like · Reply · 2m
Ricky Lim
Eg. briefly
(1) Mobile device security - will have talk about MDM (mobile device management), BYOD (Bring Your Own Device), Port authentication, Device posture assessment, authenticated VLANs, Quarantine VLANs, Captive Web Portal etc.
(2) Wireless LAN security - will talk about 802.1x port authentication, EAP (Extensible Authentication Protocol), IEEE802.11i, WPA (Wireless Protected Access), AES, 3DES encryption, SSID, WLAN controller etc...
(3) Remote access security - will have talk about SSL VPN or IPSec VPN gateway and SSL VPN clients.
(4) VoIP, IT telephone - will have to talk about securing VoIP protocols such as SIP (Session Initiation Protocol) - encryption between Call Manager and end phones, voice vlan segregated from data vlan.
etc.
All these are not mention in the above infrastructure security.
So do we have talents to cover so many things .... and i have not mention cloud security that will have secured VM (virtual machines), bare metal, cloud firewall, cloud load balancers etc.
Like · Reply · 1m
Ricky Lim
Ricky Lim
Furthermore, Internet separation may not be applicable to many situations. Just consider the cyberattacks on four local universities uncovered earlier this year where unsuspecting users directed to a phishing website were found to be the cause.
It would be untenable and unproductive to get students to use separate devices for school work.
---
As for the above phishing website attack :-
Can take reference from below :-
Posted on :- 26 Jul 2018
Look like the hackers can compromise web sites to steal data such as using :-
(1) SQL injection - that can bypass web authentication and do sql search on relational database to steal data.
(2) X-scripting - that can redirect users to a hacker web page and trick user to supply their userid and password and then steal them.
(3) Botnet capturing of userid
Thought WAF/IPS (Web Application Firewall, IPS) - should be able to stop such web vulnerabilites.
Of course good web programming with strong validation should also stop such attacks.
--- minimally programmers should adhere to the industry security best practices and hardening guidelines - that will have help programmers to cover most if not all vulnerabilities -- and this also need times and budget to produce a good QC programming codes.
--- and cannot disregard the facts that the students from the 4 local universities maybe trick by hackers sending them phishing email with malware or URL linking to hacker website.
By clicking on the URL or running the malware will have trick students to supply personal information and cause hacking.
It would be untenable and unproductive to get students to use separate devices for school work.
---
As for the above phishing website attack :-
Can take reference from below :-
Posted on :- 26 Jul 2018
Look like the hackers can compromise web sites to steal data such as using :-
(1) SQL injection - that can bypass web authentication and do sql search on relational database to steal data.
(2) X-scripting - that can redirect users to a hacker web page and trick user to supply their userid and password and then steal them.
(3) Botnet capturing of userid
Thought WAF/IPS (Web Application Firewall, IPS) - should be able to stop such web vulnerabilites.
Of course good web programming with strong validation should also stop such attacks.
--- minimally programmers should adhere to the industry security best practices and hardening guidelines - that will have help programmers to cover most if not all vulnerabilities -- and this also need times and budget to produce a good QC programming codes.
--- and cannot disregard the facts that the students from the 4 local universities maybe trick by hackers sending them phishing email with malware or URL linking to hacker website.
By clicking on the URL or running the malware will have trick students to supply personal information and cause hacking.
Like · Reply · 1m
Ricky Lim
Health Minister Gan Kim Yong has announced, for now, that the solution to making the hospital more secure is through implementing Internet separation.
As a tool to limit the inflow and outflow of data, Internet separation will certainly reduce the number of potential entry points into a system, giving information assets slightly better protection than before.
It may help to improve data security within the hospital, as Deputy Prime Minister Teo Chee Hean has pointed out.
However, Internet separation is not a “one size fits all” solution for all Internet breaches.
Firstly, Internet separation creates usability challenges that may be sub-optimal. Asking a doctor to toggle between computers or systems would hinder the doctor’s ability to process consultations faster and potentially hurt doctor-patient interactions.
Internet separation, on the other hand, potentially presents a rapid fix post-hack that can quickly stop the bleeding and get business back to normal as soon as possible.
--
There are networks that are highly secured.
But not all networks are that secured.
It is correctly pointed out by the author that :- "Internet separation, on the other hand, potentially presents a rapid fix post-hack that can quickly stop the bleeding and get business back to normal as soon as possible."
Securing less secured networks takes time, cost alot of money, need expertise to fix vulnerabilities and put security in place - it can't be done overnight - as it involved millions of hardware, software, system, infra, database, security etc.
If don't do physical separation of internet surfing from back-end - then how to do a Superman fix or "Magical touch" - one touch everything solve already?
As a tool to limit the inflow and outflow of data, Internet separation will certainly reduce the number of potential entry points into a system, giving information assets slightly better protection than before.
It may help to improve data security within the hospital, as Deputy Prime Minister Teo Chee Hean has pointed out.
However, Internet separation is not a “one size fits all” solution for all Internet breaches.
Firstly, Internet separation creates usability challenges that may be sub-optimal. Asking a doctor to toggle between computers or systems would hinder the doctor’s ability to process consultations faster and potentially hurt doctor-patient interactions.
Internet separation, on the other hand, potentially presents a rapid fix post-hack that can quickly stop the bleeding and get business back to normal as soon as possible.
--
There are networks that are highly secured.
But not all networks are that secured.
It is correctly pointed out by the author that :- "Internet separation, on the other hand, potentially presents a rapid fix post-hack that can quickly stop the bleeding and get business back to normal as soon as possible."
Securing less secured networks takes time, cost alot of money, need expertise to fix vulnerabilities and put security in place - it can't be done overnight - as it involved millions of hardware, software, system, infra, database, security etc.
If don't do physical separation of internet surfing from back-end - then how to do a Superman fix or "Magical touch" - one touch everything solve already?
Posted on:-26 Jul 2018
Ricky Lim
Now to answer question (2) why Without warning.
This one I will not blame alot on the organization - unless the organization have very fat budget, good talents and resources, experiences and good knowledge. (To be honest, even big foreign MNCs and security organizations also got hacked.......)
Why is it so?
An analogy, if a plastic bag fill with water, just 1 small hole (water will start dripping until the whole plastic bag of water is completely leak and dry).
A balloon cannot have even one small microscopic hole, because air will slowly leaked and if the hole is too big --- it will burst.
IT security is similar to the above. All you need is that out of millions of hardware, software - all you need is just one vulnerabilites - like in this case 1 vulnerabilities in 1 input field in one web page or in singhealth hack, just 1 weak workstation - is sufficient for a State Sponsored Hackers to hack through.
IT security need to be 滴水不漏 !
Because skilful hackers are not easy to tackle.
Worst for APT - Advanced Persistent Threat hackers (State Sponsored One)
---- organization will have to put in alot of security safeguard to ensure hacking will not succeed.
This will easily cost a bomb.
Thus aggregation of National Resource Infra, Security, System, Software talents & resources - to defend against State Sponsor Hacking will be required.
The initiative by CSA SOC CII monitoring initiative started in 2015 to cover 11 critical economic sectors to protect the CII (Critical Information Infrastructure) will be a more focus, National pooling of resources, expertise and knowledge to ensure State Sponsor Hacking will be extremely difficult to succeed.
To put in layman term - you need to field an Army to square off with another Army invasion.
You can't send an IT division of 30 soldier (a platoon) to defend against an Army with full range resources and soldiers isn't it?
IT defends is a virtual battlefield or a virtual war - via the computer infrastructure.
You need Virtual Generals, soldiers, specialists etc to defend your Fortress.
Ricky Lim
Now to answer question (2) why Without warning.
This one I will not blame alot on the organization - unless the organization have very fat budget, good talents and resources, experiences and good knowledge. (To be honest, even big foreign MNCs and security organizations also got hacked.......)
Why is it so?
An analogy, if a plastic bag fill with water, just 1 small hole (water will start dripping until the whole plastic bag of water is completely leak and dry).
A balloon cannot have even one small microscopic hole, because air will slowly leaked and if the hole is too big --- it will burst.
IT security is similar to the above. All you need is that out of millions of hardware, software - all you need is just one vulnerabilites - like in this case 1 vulnerabilities in 1 input field in one web page or in singhealth hack, just 1 weak workstation - is sufficient for a State Sponsored Hackers to hack through.
IT security need to be 滴水不漏 !
Because skilful hackers are not easy to tackle.
Worst for APT - Advanced Persistent Threat hackers (State Sponsored One)
---- organization will have to put in alot of security safeguard to ensure hacking will not succeed.
This will easily cost a bomb.
Thus aggregation of National Resource Infra, Security, System, Software talents & resources - to defend against State Sponsor Hacking will be required.
The initiative by CSA SOC CII monitoring initiative started in 2015 to cover 11 critical economic sectors to protect the CII (Critical Information Infrastructure) will be a more focus, National pooling of resources, expertise and knowledge to ensure State Sponsor Hacking will be extremely difficult to succeed.
To put in layman term - you need to field an Army to square off with another Army invasion.
You can't send an IT division of 30 soldier (a platoon) to defend against an Army with full range resources and soldiers isn't it?
IT defends is a virtual battlefield or a virtual war - via the computer infrastructure.
You need Virtual Generals, soldiers, specialists etc to defend your Fortress.
Like · Reply · 1m
Ricky Lim
This author is making alot of noise because if Internet is really physically separated from the National Intranet ---- his IoT project cannot work as his IoT will require backend access as it may required database access, sensors may have feedback alot of data to be stored in the database.
Don't worry --- 我们有金宝。。。
Posted on:- 23 Jul 2018
Ricky Lim
There are ways to ensure all IoT public infrastructure such as the lighting sensors - can be secured without compromising National infrastructure where compromised IoT device can be taken over by Internet hackers :-
(1) A secured dedicated private network tunnel is build for IoT devices.
Eg. of such tunnel are IoT-VRF (virtual routing forwarding tunnel)
(2) All IoT devices are put into this IoT-VRF - no other public intranet devices should share the same private tunnel used by IoT.
(3) IoT Servers to collected Big Data from IoT devices will sit in the same IoT-VRF for Big Data Analytic.
(4) Firewall use Access control list to prevent any data from IoT going out to Internet (thus there are no ways for hackers in Internet to collect spy data from compromised IoT).
(5) IoT servers can share the Big Data collected from IoT and route out to public infrastructure VRF by VRF router - without compromising the public infrastructure VRF.
or to be doubly safe, confirm plus chop ----- export all big data from IoT servers as batch file.
Then public infra server import the IoT batch files for processing........ this is real physical separation processing - sure 100% no security breach. ----- double confirm plus double chop....
Don't worry --- 我们有金宝。。。
Posted on:- 23 Jul 2018
Ricky Lim
There are ways to ensure all IoT public infrastructure such as the lighting sensors - can be secured without compromising National infrastructure where compromised IoT device can be taken over by Internet hackers :-
(1) A secured dedicated private network tunnel is build for IoT devices.
Eg. of such tunnel are IoT-VRF (virtual routing forwarding tunnel)
(2) All IoT devices are put into this IoT-VRF - no other public intranet devices should share the same private tunnel used by IoT.
(3) IoT Servers to collected Big Data from IoT devices will sit in the same IoT-VRF for Big Data Analytic.
(4) Firewall use Access control list to prevent any data from IoT going out to Internet (thus there are no ways for hackers in Internet to collect spy data from compromised IoT).
(5) IoT servers can share the Big Data collected from IoT and route out to public infrastructure VRF by VRF router - without compromising the public infrastructure VRF.
or to be doubly safe, confirm plus chop ----- export all big data from IoT servers as batch file.
Then public infra server import the IoT batch files for processing........ this is real physical separation processing - sure 100% no security breach. ----- double confirm plus double chop....
Like · Reply · 1m · Edited
Ricky Lim
Note :- This author who is fronting IoT project will definitely don't like the idea of :-
"or to be doubly safe, confirm plus chop ----- export all big data from IoT servers as batch file.
Then public infra server import the IoT batch files for processing........ this is real physical separation processing - sure 100% no security breach. ----- double confirm plus double chop...."
Because to the author - physical separation of Internet (with sensor) from backend Intranet - will be a "Big pain for him".
So use the above recommendation of IoT-VRF lah ..............
But to be doubly safe, secure, double confirm plus double chop - so that the backend infra will not be compromised by APT, State Sponsor hackers ---- will have to be secured with strong dose of security gadgets and equipment :-
eg. :-
Firewall with strong ACL (Access Control List)
APT (Advanced Persistent Threat) protection
DLP (Data Loss Protection) protection
IPS (Intrusion Prevention System) protection
WAF (Web Application Firewall) protection
Proxy protection
SIEMs (Security Incidents and Events Management) monitoring, detection, response, protection, forensic
OOB (Out-Of-Band) management segregation
Remove remote access management
Secured authentication of 2FA (Factor Authentication) with OTP (One Time Password)
Encrypted tunneling, access, traffic flow and management (eg. VRF, VPN IPsec, SSL VPN, SSH etc)
Digital cert, strong encryption key, strong encryption algorithm
Multi-layered segregation of web-apps-database by firewall segregation
Encryption of storage and/or database
Proper 2FA authentication of front-end devices and encrypted access.
Secured desktop, wireless devices, mobile devices - eg. through port-authentication 802.1x, quarantine VLANs, authenticated VLANs, BYOD, VDI, VM clients, Secured Posture Assessment.
"or to be doubly safe, confirm plus chop ----- export all big data from IoT servers as batch file.
Then public infra server import the IoT batch files for processing........ this is real physical separation processing - sure 100% no security breach. ----- double confirm plus double chop...."
Because to the author - physical separation of Internet (with sensor) from backend Intranet - will be a "Big pain for him".
So use the above recommendation of IoT-VRF lah ..............
But to be doubly safe, secure, double confirm plus double chop - so that the backend infra will not be compromised by APT, State Sponsor hackers ---- will have to be secured with strong dose of security gadgets and equipment :-
eg. :-
Firewall with strong ACL (Access Control List)
APT (Advanced Persistent Threat) protection
DLP (Data Loss Protection) protection
IPS (Intrusion Prevention System) protection
WAF (Web Application Firewall) protection
Proxy protection
SIEMs (Security Incidents and Events Management) monitoring, detection, response, protection, forensic
OOB (Out-Of-Band) management segregation
Remove remote access management
Secured authentication of 2FA (Factor Authentication) with OTP (One Time Password)
Encrypted tunneling, access, traffic flow and management (eg. VRF, VPN IPsec, SSL VPN, SSH etc)
Digital cert, strong encryption key, strong encryption algorithm
Multi-layered segregation of web-apps-database by firewall segregation
Encryption of storage and/or database
Proper 2FA authentication of front-end devices and encrypted access.
Secured desktop, wireless devices, mobile devices - eg. through port-authentication 802.1x, quarantine VLANs, authenticated VLANs, BYOD, VDI, VM clients, Secured Posture Assessment.
Like · Reply · 1m
Ricky Lim
To Summarise in layman term:-
(1) The Singapore Government IT Infrastructure ---- is already using industry best practices for its Smart Nation currently for all online eTransactions - using advanced measures already in the market that can improve security without compromising usability. Else many current online eTransactions will not work.
(2) Implementing Internet separation - is for those doing Internet surfing as well as for those enterprises with IT infra that is not so secured or not so ready.
(1) The Singapore Government IT Infrastructure ---- is already using industry best practices for its Smart Nation currently for all online eTransactions - using advanced measures already in the market that can improve security without compromising usability. Else many current online eTransactions will not work.
(2) Implementing Internet separation - is for those doing Internet surfing as well as for those enterprises with IT infra that is not so secured or not so ready.
Like · Reply · 1m
Ricky Lim
Notice that this author Benjamin Goh is a passionate technologist and co-author of IEEE.
IEEE is the World technical standard for IT technologies which defined almost all IT based technologies standards for interoperability eg.
- IEEE802.3 ethernet
- IEEE802.1
- SIP
etc
So Benjamin Goh do speak with authority and expert knowledge.
IEEE is the World technical standard for IT technologies which defined almost all IT based technologies standards for interoperability eg.
- IEEE802.3 ethernet
- IEEE802.1
- SIP
etc
So Benjamin Goh do speak with authority and expert knowledge.
Like · Reply · 1m
Ricky Lim
BTW, come back to the IoT-VRF --- some security experts may say IoT-VRF is a good idea to provide a private tunnel for IoT deployment for a Smart Nation.
But afraid that though VRF is a private dedicated tunnel - it many still not secured enough because it is encypted. If hackers is so "POWEDERFUL", they maybe able to break into the private dedicated tunnel and all the data and network traffic is in the clear.
(As good as saying breaking into Telecommunication MPLS VPN - private network allocated to each enterprise customers).
Well don't worry - 我们有金宝。。。。
A solution call the "encrypted tunnel over the private dedicated tunnel" can be used.
What is this technique neh?
Well in an IoT-VRF dedicated private tunnel, can tunnel another VPN IPsec encrypted tunnel inside - to transport IoT data - that can be routed by VPN gateway and then VRF router.
This type of security - will be "double confirm, double chop....".
But there is a catch......... "got to ponder carefully......".
Some IoT devices are latency sensitve and require real-time, very fast response with minimal delay.
For eg. driverless car IoT may require sensor to require realtime response running on say 5G network (to ensure jitter, latency sensitive, fast response - cannot be compromised).
If the sensor cannot response fast enough with the driverless car via 5G network - then the driverless car may bang into some car or some people - causing accident.
Using IoT-VRF routed by a VRF-router - has very fast response time with minimum latency - in terms of sub-milliseconds. Thus will be able to support the IoT requirement.
But if use "encrypted tunnel into pivate dedicated tunnel" using VPN IPsec into IoT-VRF - VPN IPsec need to do encryption and de-cryption by VPN gateways - which will have high latency and delay.
Those doing driverless IoT car project - will have to test this thoroughly to ensure the "double tunnel" works and will not cause an accident.
If works, VPN-IPsec tunnel into IoT-VRF will be the recommended solution for IoT.
If not, have to consider IoT-VRF.
But afraid that though VRF is a private dedicated tunnel - it many still not secured enough because it is encypted. If hackers is so "POWEDERFUL", they maybe able to break into the private dedicated tunnel and all the data and network traffic is in the clear.
(As good as saying breaking into Telecommunication MPLS VPN - private network allocated to each enterprise customers).
Well don't worry - 我们有金宝。。。。
A solution call the "encrypted tunnel over the private dedicated tunnel" can be used.
What is this technique neh?
Well in an IoT-VRF dedicated private tunnel, can tunnel another VPN IPsec encrypted tunnel inside - to transport IoT data - that can be routed by VPN gateway and then VRF router.
This type of security - will be "double confirm, double chop....".
But there is a catch......... "got to ponder carefully......".
Some IoT devices are latency sensitve and require real-time, very fast response with minimal delay.
For eg. driverless car IoT may require sensor to require realtime response running on say 5G network (to ensure jitter, latency sensitive, fast response - cannot be compromised).
If the sensor cannot response fast enough with the driverless car via 5G network - then the driverless car may bang into some car or some people - causing accident.
Using IoT-VRF routed by a VRF-router - has very fast response time with minimum latency - in terms of sub-milliseconds. Thus will be able to support the IoT requirement.
But if use "encrypted tunnel into pivate dedicated tunnel" using VPN IPsec into IoT-VRF - VPN IPsec need to do encryption and de-cryption by VPN gateways - which will have high latency and delay.
Those doing driverless IoT car project - will have to test this thoroughly to ensure the "double tunnel" works and will not cause an accident.
If works, VPN-IPsec tunnel into IoT-VRF will be the recommended solution for IoT.
If not, have to consider IoT-VRF.
Like · Reply · 1m
Goo Hiong Gwee
"Asking a doctor to toggle between computers or systems.."
Why would a doctor need to toggle between internet and non internet systems during consultation? Shldnt Singhealth's system be sufficient?
"Similarly, in our desire to implement driverless cars, it would be prohibitively expensive to institute a separate network for them and still expect them to function effectively."
Huh?? These are autonomous vehicles, they not expected to be network tethered and especially not to the internet.
Imagine someone in Afghanistan being able to access and potentially hack into these driverless cars?
Is the author sane?
Advocating using standards security protocols? Where security patches are published every other day? No way.
Teow Hin where are you?
Best is still internet separation and live with the inconvenience.
This author first job was in NCB ( now IDA) in early 80s and participated in the CSCP, civil service computerisation program..
Why would a doctor need to toggle between internet and non internet systems during consultation? Shldnt Singhealth's system be sufficient?
"Similarly, in our desire to implement driverless cars, it would be prohibitively expensive to institute a separate network for them and still expect them to function effectively."
Huh?? These are autonomous vehicles, they not expected to be network tethered and especially not to the internet.
Imagine someone in Afghanistan being able to access and potentially hack into these driverless cars?
Is the author sane?
Advocating using standards security protocols? Where security patches are published every other day? No way.
Teow Hin where are you?
Best is still internet separation and live with the inconvenience.
This author first job was in NCB ( now IDA) in early 80s and participated in the CSCP, civil service computerisation program..
Like · Reply · 1h
Ricky Lim
"Why would a doctor need to toggle between internet and non internet systems during consultation? Shldnt Singhealth's system be sufficient?""
----
Doctors no need to toggle between internet and intranet --- because all hospital resources are within intranet (not internet).
Even cross hospital information - are through WAN (Wide Area Network) - MPLS intranet - no need to access Internet.
Public hospitals if need to talk to overseas health expert --- may have dedicated private links - for video conferencing --- then still in Intranet (no need to go via Internet).
But if hospitals need to talk to overseas health expert ---- without dedicated private link --- then will need to go over Internet.
For public users who need to book consultation with public hospitals or use health systems --- will need to access Internet.
I believe now with Internet and Intranet physical separation, public access via Internet may come with "delay response" - eg. make enquiry via Internet, public hospital response maybe 1 day later (need to mount a batch file with the correct information, then dismount).
----
Doctors no need to toggle between internet and intranet --- because all hospital resources are within intranet (not internet).
Even cross hospital information - are through WAN (Wide Area Network) - MPLS intranet - no need to access Internet.
Public hospitals if need to talk to overseas health expert --- may have dedicated private links - for video conferencing --- then still in Intranet (no need to go via Internet).
But if hospitals need to talk to overseas health expert ---- without dedicated private link --- then will need to go over Internet.
For public users who need to book consultation with public hospitals or use health systems --- will need to access Internet.
I believe now with Internet and Intranet physical separation, public access via Internet may come with "delay response" - eg. make enquiry via Internet, public hospital response maybe 1 day later (need to mount a batch file with the correct information, then dismount).
Reply · 1h
Ricky Lim
Huh?? These are autonomous vehicles, they not expected to be network tethered and especially not to the internet.
Imagine someone in Afghanistan being able to access and potentially hack into these driverless cars?
----
For IoT sensors and devices implementation --- there will be 2 sides of the coin.
Should IoT devices be on Internet or National Intranet?
It depends.
If IoT devices are public infrastructure - then it is possible to ride on the National Intranet --- where dedicated Telecom networks (such as MPLS VPN) can be specifically dedicated to the IoT devices.
I believe IoT devices of such could be :-
- CCTV security surveillance cameras used by the Police
- maybe IoT sensors mounted on lighting street lamp for survey of climatic conditions, car traffic flow, human traffic flow, road blockage etc.
- water sensors to detect flooding.
- rail sensors to monitor rail fault.
- etc etc
For non-public IoT devices -- not sure should it be hosted in National Intranet or should it be Internet.
--- not sure should private driverless car be in Internet or National Intranet?
--- not sure should private drones be in Internet or National Intranet?
--- not sure should be commercial home IoT like fridge, TV, air-con control etc etc be in Internet or National Intranet?
----- reasons being, if these private IoTs meant for consumer consumption are mounted into public infrastructure CII (Intranet) such as IoT-VRF --- it may not be securely protected and can be compromised by botnets or malware - and can mount attacks into National Intranet that host public and Government Infrastructure.
---- so policy decision makers will have to ponder and consider all these in the Smart Nation IT policies.
--
As of now, all these IoT thingy are in a pilot phase - still testing - still in sandbox (even if detonate) - it is still in a control environment.
But can take the above comments into consideration --- when deploying IoT enmass --- come the days when IoT are ready for deployment to support the Smart Nation initiatives.
Imagine someone in Afghanistan being able to access and potentially hack into these driverless cars?
----
For IoT sensors and devices implementation --- there will be 2 sides of the coin.
Should IoT devices be on Internet or National Intranet?
It depends.
If IoT devices are public infrastructure - then it is possible to ride on the National Intranet --- where dedicated Telecom networks (such as MPLS VPN) can be specifically dedicated to the IoT devices.
I believe IoT devices of such could be :-
- CCTV security surveillance cameras used by the Police
- maybe IoT sensors mounted on lighting street lamp for survey of climatic conditions, car traffic flow, human traffic flow, road blockage etc.
- water sensors to detect flooding.
- rail sensors to monitor rail fault.
- etc etc
For non-public IoT devices -- not sure should it be hosted in National Intranet or should it be Internet.
--- not sure should private driverless car be in Internet or National Intranet?
--- not sure should private drones be in Internet or National Intranet?
--- not sure should be commercial home IoT like fridge, TV, air-con control etc etc be in Internet or National Intranet?
----- reasons being, if these private IoTs meant for consumer consumption are mounted into public infrastructure CII (Intranet) such as IoT-VRF --- it may not be securely protected and can be compromised by botnets or malware - and can mount attacks into National Intranet that host public and Government Infrastructure.
---- so policy decision makers will have to ponder and consider all these in the Smart Nation IT policies.
--
As of now, all these IoT thingy are in a pilot phase - still testing - still in sandbox (even if detonate) - it is still in a control environment.
But can take the above comments into consideration --- when deploying IoT enmass --- come the days when IoT are ready for deployment to support the Smart Nation initiatives.
Like · Reply · 1m
Ricky Lim
If it deem that private or commercial IoTs such as driverless cars, commercial drones, home appliances etc are to be too dangerous to be hosted in National Intranet, then it will need to be hosted in the Internet with "special protection" - so that they will not be hack by international hackers - take control of driverless cars, drones, home appliances and cause accidents or havoc.
Then how to host commercial or private IoTs in Internet with "special protection"?
(1) All Telecom ISPs who offer Internet services for this private or commercial IoTs must take part.
(2) All Telecom ISPs will have to :-
(a) Carve out a Internet-VRF-IoT - and allow VRF routing by Internet routers.
(b) Tunnel VPN-IPsec to Internet-VRF-IoT (optional - as this is additional security, additional cost, and also need to pilot, test and sandbox whether the commercial or private IoTs can tolerate the double encrypted tunnel into the private tunnel - in terms of latency, delay and response time).
Most important
****(c) Block international internet access from these Internet-VRF-IoT - by Internet routers (very tedious job) or using Firewall ACLs or Proxies.
This will ensure that international hackers cannot receive any data transmitted by these commercial or private IoTs to the hacker servers.
At the same time, international hackers cannot take control of the commercial or private IoTs or load malware into the IoTs to launch attack on the internal network.
Local internet IoT providers can make use of local internet to support their IoT projects without the needs to create another nationwide network - save cost.
Local users can also can get access to or control or manage the private and commerical IoTs - via the local internet - using their smartphone mobile apps, laptop, notebooks, tablets, workstation, desktops etc.
With the above private tunnel &/or encrypted tunnel, firewall, proxies etc - security is assured -- and if inside job want to hack the private and commercial IoTs --- hackers will have to be very skilful and can be caught easily --- because Telecom ISPs will have logged all local access and can pinpoint local hackers.
Then how to host commercial or private IoTs in Internet with "special protection"?
(1) All Telecom ISPs who offer Internet services for this private or commercial IoTs must take part.
(2) All Telecom ISPs will have to :-
(a) Carve out a Internet-VRF-IoT - and allow VRF routing by Internet routers.
(b) Tunnel VPN-IPsec to Internet-VRF-IoT (optional - as this is additional security, additional cost, and also need to pilot, test and sandbox whether the commercial or private IoTs can tolerate the double encrypted tunnel into the private tunnel - in terms of latency, delay and response time).
Most important
****(c) Block international internet access from these Internet-VRF-IoT - by Internet routers (very tedious job) or using Firewall ACLs or Proxies.
This will ensure that international hackers cannot receive any data transmitted by these commercial or private IoTs to the hacker servers.
At the same time, international hackers cannot take control of the commercial or private IoTs or load malware into the IoTs to launch attack on the internal network.
Local internet IoT providers can make use of local internet to support their IoT projects without the needs to create another nationwide network - save cost.
Local users can also can get access to or control or manage the private and commerical IoTs - via the local internet - using their smartphone mobile apps, laptop, notebooks, tablets, workstation, desktops etc.
With the above private tunnel &/or encrypted tunnel, firewall, proxies etc - security is assured -- and if inside job want to hack the private and commercial IoTs --- hackers will have to be very skilful and can be caught easily --- because Telecom ISPs will have logged all local access and can pinpoint local hackers.
Like · Reply · 1m
Goo Hiong Gwee
Ricky Lim IOT is in its infancy , ill defined and may just go the way of ISDN. Autonomous cars are NOT IOTs in whatever form. One does not mount sensor on AC for the sake of making them available. In any case, one must never make the controls of AC available via internet. In the case of tunnelling etc, they only make the channel safe. Password stealing trojan will break them if either side is available to internet. Man in the middle is only one form of attack. Public emails with trojans attached and websites with trojans will break security sooner or later. One way to be detached from internet.
Ricky Lim
Goo Hiong Gwee -
(1) I have very little knowledge about driverless car nor am I involved in driverless car sandbox trial or pilot.
I only based on this author's narrative "Similarly, in our desire to implement driverless cars, it would be prohibitively expensive to institute a separate network for them and still expect them to function effectively."
(2) I feel a bit strange why driverless cars need to access network - because a car (whether driverless or not) should be locally controlled by those inside the car.
Once in a network, whether hackers with bad intent or even good guys with good intent (may misconfigure or mis-remotely managed) - without knowing the road condition - causing the driverless car to crash or cause an accident.
What is worst is that hackers or trojan may - remotely take control over the driverless car - and perform terror attack by crashing it into a crowd.
I agreed that trojan can be implanted - as long as they are in Internet - as all sorts of malicious software is floating around in the Internet - even if in local internet - as they not controlled or subject to security screening.
Similarly, trojan can also be implanted - even when they are in Intranet - if device security is not foolproof or virus signature is not updated or if face with zero day attack with unknown virus signature - when some users introduced a trojan into the intranet causing problem to the driverless car. However, malicious virus infection through Intranet are very much remote as compared to the Internet due to higher security screening and security updates.
As for driverless car sensors, I thought they are needed for the car to travel on the road and navigate through obstacles such as GPS, thermal sensors, motion sensor, sound sensors, radar, 5G wireless, sonar etc?
These sensors that work like the "eyes and ears" of the cars - even if locally fixed onto the driverless cars to navigate the roads ---- will also be subjected to hacking attacks - as 5G wireless, GPS etc - can also be remotely attack when near its vicinity - eg. hackers hiding on the road or nearby building to take control of the driverless car wirelessly.
(1) I have very little knowledge about driverless car nor am I involved in driverless car sandbox trial or pilot.
I only based on this author's narrative "Similarly, in our desire to implement driverless cars, it would be prohibitively expensive to institute a separate network for them and still expect them to function effectively."
(2) I feel a bit strange why driverless cars need to access network - because a car (whether driverless or not) should be locally controlled by those inside the car.
Once in a network, whether hackers with bad intent or even good guys with good intent (may misconfigure or mis-remotely managed) - without knowing the road condition - causing the driverless car to crash or cause an accident.
What is worst is that hackers or trojan may - remotely take control over the driverless car - and perform terror attack by crashing it into a crowd.
I agreed that trojan can be implanted - as long as they are in Internet - as all sorts of malicious software is floating around in the Internet - even if in local internet - as they not controlled or subject to security screening.
Similarly, trojan can also be implanted - even when they are in Intranet - if device security is not foolproof or virus signature is not updated or if face with zero day attack with unknown virus signature - when some users introduced a trojan into the intranet causing problem to the driverless car. However, malicious virus infection through Intranet are very much remote as compared to the Internet due to higher security screening and security updates.
As for driverless car sensors, I thought they are needed for the car to travel on the road and navigate through obstacles such as GPS, thermal sensors, motion sensor, sound sensors, radar, 5G wireless, sonar etc?
These sensors that work like the "eyes and ears" of the cars - even if locally fixed onto the driverless cars to navigate the roads ---- will also be subjected to hacking attacks - as 5G wireless, GPS etc - can also be remotely attack when near its vicinity - eg. hackers hiding on the road or nearby building to take control of the driverless car wirelessly.
No comments:
Post a Comment