Who has responsibility to ensure Information Security?

In this day and age, we tend to ask these questions frequently: "Who has responsibility to ensure Information Security?" and "What is secure?"

It is often difficult to determine which software and hardware is secured, and to what measure or extent, since security is not quantifiable, physically or virtually, given the scale of devices and software to secure. The definition ultimately differs from one individual to the next, and likewise between organizations. Security is often treated as an afterthought in many companies: after all, its contribution to Return on Investment (ROI), if any, is rarely significant.

On the contrary, it is seen as the arm of the organization to be placed first on the chopping board when a downturn occurs. As a result, PMET jobs in Security are considered high-risk, high-reward, and the stability of such jobs is considerably more volatile than that of careers in Engineering or Business.

Most individuals have a mindset favouring convenience and intuitive design over privacy and confidentiality. Until recently, most governments have not taken actionable and concrete measures to secure their technological devices and (critical) information assets and shore up their defences against Cyber Attacks.

Principles and Pillars in Security

Before we understand who is responsible for security, let us take a look at the core principles of security.

Security is built upon 3 core pillars (or the "CIA" triad), as so often detailed in many Computer Security resources:

  • Confidentiality: Is the information/data (in part or whole) only accessible by those intended / those authorized to view or modify it (the author and the authorized recipients)?
  • Integrity: Has the information/data been modified or altered during its transportation/transit across networks and transit nodes on its way to the recipient (and has it been preserved and intact as a whole)?
  • Availability: Is the information/data accessible to the authorized parties as needed?

Unfortunately, availability is often neglected in order to fulfil the first two pillars. Ultimately, you can't have the best of all worlds, am I right? This is an ongoing issue I have observed in my four years in this field, and there currently seems to be no real solution in sight, with security teams worldwide understaffed and overworked (and often underpaid too).

One of my teachers used to describe his version of the "CIA" triad, with more elements than what is usually documented (as above):

  • Privacy: Similar to the definition of Confidentiality, but privacy concerns more than one individual, contrary to the usual connotation of keeping one's own secrets secret.
  • Authentication & Availability: The former refers to determining whether a user is indeed who he/she claims to be.
  • Integrity: see above
  • Non-repudiation: If one carries out an action, it must be ensured that the action is traceable back to him/her and he/she cannot deny carrying out such an action.

The acronym for this version is PAIN. In order to achieve the T in PAINT, trust by the end-user, P-A-I-N must first be achieved in whichever services, hardware or software have been provisioned by organizations.

Security Companies' Responsibility

Security Companies/Vendors are those organizations which provide hardware and software services to clients (which may be individuals, businesses, NGOs or governments -- more generally termed "consumers").

It is the consumer's right to demand products built with security in mind. As such, providers and suppliers have a responsibility to guarantee that CIA or PAIN will be achieved, by doing their due diligence in product security evaluations.

For physical tech products and software (which includes software security products, IoT and Industrial Control/SCADA systems), this can be accomplished through regular and routine testing of the device, its operating system (if devices are provisioned), or more generally the application or software purchased by consumers. Software updates (including drivers/BIOS), technical support and on-site maintenance/inspections (for devices) should also be made readily available by the product vendors.

For services such as outsourced security operations (SOCs), remote cloud infrastructure and audit/compliance divisions, the relevant certifications should be obtained to run and operate such systems on behalf of the companies/consumers. Employees of such divisions should also undergo stringent background checks to ensure that they do not pose a third-party threat to organizations and individuals. Companies should also be capable of meeting, and abide by, any Service Level Agreements (SLAs) between them and their customers (i.e. consumers). If they are unable to do so, they should notify the consumer and re-negotiate the SLAs where necessary.

All companies should also have a sound and up-to-date risk management strategy (which should scale according to their size) to reflect the practices and procedures they are putting into place to enhance their resilience against attacks.

Even though it might not be a seemingly important and profit-making arm of modern enterprises, security should not be left as an afterthought, but rather instilled in organizational culture, products and services.

User Responsibility

Consumers need to be educated and practice good cyber hygiene on their end. All it takes is one vulnerability -- be it irrational human behaviour (through social engineering or a lack of personal operational security), software bugs or major firmware issues -- to create an open attack surface.

Some good practices (and why you should do so) include:

  1. Not reusing passwords across multiple sites and using a password manager. Use your native language (something like 汉语拼音, some dialect or a combination of words etc.) so that they do not get easily cracked.
    • Black Hat Hackers or Cyber Criminals can easily buy passwords on the dark web. Short, simple passwords usually fall victim to dictionary/brute-force attacks. By increasing password length and complexity, attackers require more computational power and time to crack your passwords (sometimes it is simply not worth their time to crack a long and complex password).
  2. Using 2FA or MFA (different from 2-Step Authentication) on Social Media (and other important, if not all) accounts.
    • If your password/PIN gets leaked (more common so recently), at least this second layer of "What you have" or "What you are" can save your a** or give you some recovery time away from the attacker.
  3. Using an email relay (like Firefox relay) to reduce phishing instances.
    • Got phished multiple times, using a relay now so I can better keep track of which newsletters are likely to give me spam and other c**p. You can turn off relay addresses as and when you please.
  4. Not having a Single Point of Failure (SPOF) -- a.k.a. Backup with the 3-2-1 principle in mind (offsite and online).
    • Backup. Backup. Backup. In case your computer gets fried, water or coffee gets onto it somehow (?), or worse, Ransomware... and you need your files. Better now than never. Doesn't strictly have to follow the 3-2-1, but you get what I mean.
  5. Staying in touch with major Cyber Incidents like Microsoft RCEs, Log4j.
    • You don't have to refresh "The Hacker News" or "Bleeping Computer" every hour, but keeping in touch with the bare minimum (usually major incidents or 0-days) would do you good and enhance your posture of what to patch, what you can do to mitigate risk or how to recover from a hack etc.
  6. Being wary and careful of who you trust.
    • Social Engineering is a billion-dollar industry. From phishing to scams, the list continues. When it sounds too good to be true, or probably not true (You have a PayPal/Venmo refund blah blah), it probably is not worth your time. (P.S. You can forward a spam email to NCSC UK if you have the time. Just takes 5 seconds: report@phishing.gov.uk)
  7. Patch where possible.
    • Self-explanatory.
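As an added illustration of the point in item 1 (not code from the original post), a small Python estimator that contrasts a dictionary hit with a brute-force search; the leaked-password sample and the guess rate are constructed assumptions, and the strength figure is the naive length × log2(alphabet) bound.

```python
import math
import string

# Constructed sample standing in for a leaked-password list bought or scraped
# from a breach dump; real lists run to hundreds of millions of entries.
LEAKED_SAMPLE = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "iloveyou"}

# Assumed offline guessing rate against a fast, unsalted hash on GPU hardware.
# Illustrative order of magnitude only, not a measurement.
GUESSES_PER_SECOND = 1e11


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover, from the character classes present in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def keyspace_bits(pw: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet)."""
    return len(pw) * math.log2(charset_size(pw))


def assess(pw: str) -> dict:
    """Dictionary check first (cheap for the attacker), then brute-force cost."""
    in_leaked_list = pw.lower() in LEAKED_SAMPLE
    bits = keyspace_bits(pw)
    # A dictionary hit is cracked in effectively zero time regardless of length.
    years = 0.0 if in_leaked_list else (2 ** bits / GUESSES_PER_SECOND) / (365 * 24 * 3600)
    return {"password": pw, "in_leaked_list": in_leaked_list,
            "keyspace_bits": round(bits, 1), "years_to_exhaust": years}


if __name__ == "__main__":
    # Short-and-complex versus long-but-simple, plus a leaked favourite.
    for candidate in ("P@ssw0rd", "Tr0ub4dor!", "correcthorsebatterystaple"):
        print(assess(candidate))
```

The 25-character lowercase passphrase lands well above 100 bits while the 10-character mixed-class password stays near 65, which is the length-over-complexity argument in numbers.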

Some practices recommended by others which I find are b***s**t:

  1. https=secure (alt: https makes a website secure). Yes, it's somewhat more secure than http as the traffic is encrypted. However, as long as one is using an http website without keying in sensitive information, that should not be of any concern. (P.S. I sometimes use http sites to read up on security research, as the website owners probably couldn't be bothered to get an SSL Certificate).
  2. "You are dead if you click on a phishing link". That is not always true, unless there's a direct malware download (which usually comes as a second or third stage). Just submit the link to something like VirusTotal (provided you have redacted any sensitive information or embedded cookies/keys) and don't go there ever again, LOL.
  3. "I have to patch immediately once an update is available". Nope and good luck to you should things go sour. Especially not for unstable Operating Systems... 👀 Windows. For browsers, generally I would recommend to install the patch where available, particularly Chrome (the 0-day infested browser).

Consumers, being a large group, have a vital role to play in securing their data and devices and keeping themselves aware of tactics used by cyber criminals.

Governments' and Regulators' Responsibility

Governments and key regulators play a role in security too. They regulate and impose sanctions on parties which do not uphold good practices, and encourage compliance with legislation and standards. Governments and regulatory bodies need to strike a balance in allocating resources between talent development, education, auditing security practices, and certifying and maintaining high standards across the board, and they must be proactive rather than reactive in managing major incidents and in hunting down and bringing threat actors/cyber criminals to justice.

Conclusion and TL;DR

All 3 Stakeholders play a vital role in ensuring Information is Secure. Peace out.