HRMC Executive Paper
Last updated 6 months ago

Executive Summary

In recent years, cybersecurity threats have escalated in both frequency and sophistication. The ransomware attack on Hong Kong's tech hub, Cyberport, which exposed 400GB of sensitive data, underscores the critical need for robust cybersecurity measures. To safeguard our assets, data, and reputation, I propose the establishment of an Information Security Center (ISC). This initiative aims to enhance our cybersecurity posture, streamline our defenses, and ensure our readiness against evolving threats.

Introduction

The threat landscape for our company has evolved significantly over recent years, with an increase in the frequency and sophistication of cyber attacks. This paper aims to provide a comprehensive analysis of the current threats and vulnerabilities we face, using the NIST Cybersecurity Framework as a guide.

Threat Landscape Overview

Recent cybersecurity incidents in Hong Kong highlight the urgent need for a comprehensive Information Security Center (ISC). The ransomware attack on the Hong Kong Institute of Bankers (HKIB) exposed the personal data of over 13,000 members and 100,000 non-members, including names, identity card numbers, and credit card details (see the PCPD Investigation Report). Additionally, phishing attacks have become increasingly sophisticated, accounting for nearly 46% of the 18,000 cybersecurity attacks reported to the Hong Kong police in the first three months of 2024 (see the SCMP Article).

Establish an Information Security Center

Information security is not just a technical requirement but a strategic necessity for our organization. The increasing sophistication and frequency of cyber threats demand a proactive and comprehensive approach to protect our assets, data, and reputation. Therefore, I propose the establishment of an Information Security Center to enhance our cybersecurity posture, streamline our defenses, and ensure our readiness against evolving threats.

ISC Functions

The ISC will focus on several key functions:

  • Monitoring and Incident Response: Continuous monitoring of security events and incidents, with rapid response to detected threats. This includes real-time threat detection and response capabilities.

  • Vulnerability Management: Regular scanning and assessment of vulnerabilities are essential. Prioritizing and remediating identified weaknesses will prevent exploitation and reduce the risk of cyberattacks.

  • Application Security: Implementing security measures in the software development lifecycle and conducting static and dynamic application security testing (SAST and DAST) will protect against data breaches and ensure the integrity of our applications.

  • Network Security: Managing firewalls, intrusion detection systems, and DDoS protection will ensure network integrity, availability, and confidentiality. This will prevent external attacks and maintain operational continuity.

  • Threat Intelligence: Gathering and analyzing threat data to anticipate and neutralize potential threats is essential. Integrating threat intelligence into the overall security strategy will enhance our ability to stay ahead of emerging threats.

ISC Team Structure

The proposed team size for the ISC is four staff members, each focusing on a specific area. These roles are essential for ensuring comprehensive cybersecurity coverage and an effective response to threats.

  1. Security Operations Analyst: Focuses on monitoring, incident response, threat detection, and network security. Oversees the SIEM (Security Information and Event Management) system, monitors security alerts, and responds to incidents. Manages the WAF (Web Application Firewall) and DDoS protection systems to safeguard against network-based attacks.

  2. Vulnerability and Application Security Specialist: Responsible for vulnerability management, application security, and penetration testing. Conducts regular vulnerability scanning and assessments, performs static and dynamic application security testing (SAST and DAST), and provides guidance on secure coding practices.

  3. Network and Security Operations Engineer: Oversees the deployment, configuration, and management of network security devices such as firewalls, routers, and VPNs. Implements DDoS protection strategies and manages related tools, ensuring network availability during attacks. Provides incident response support, particularly for network and web security incidents.

  4. Cybersecurity Tools and Technology Operations Specialist: Manages and maintains all cybersecurity tools, ensuring they are up-to-date and functioning effectively. Handles system integration, implements automation and orchestration solutions, and coordinates with outsourced service providers for vulnerability assessments, penetration testing, and threat intelligence.

Outsourcing Strategy

Certain functions will be outsourced to ensure comprehensive security coverage without overburdening the internal team. These include:

  • Vulnerability Scanning and Penetration Testing: Engaging specialized security firms, establishing clear SLAs, and scheduling regular reporting and follow-ups.

  • Security Awareness and Training: Partnering with training providers (e.g., KnowBe4, SANS Security Awareness) to customize training modules and conduct regular assessments.

  • 24/7 Security Monitoring and Incident Response: Partnering with Managed Security Service Providers (MSSPs) and defining SLAs for timely detection and response.

  • Threat Intelligence Gathering and Analysis: Subscribing to threat intelligence services (e.g., Recorded Future, FireEye) and integrating feeds with the SIEM system for enhanced threat detection.

  • Compliance and Audit: Conducting audits and compliance assessments with third-party auditors and compliance specialists, scheduling regular reviews, and implementing necessary improvements.

Budget Request

To establish the ISC, we request an initial budget allocation to cover the following areas:

  • Staff Salaries: Competitive compensation packages for four full-time cybersecurity professionals.

  • Security Tools and Systems: Acquisition and licensing of necessary security tools and platforms.

  • Outsourced Services: Engaging with external service providers for vulnerability assessments, penetration testing, training, monitoring, and threat intelligence.

  • Training and Development: Ongoing training programs and certifications for ISC staff.

  • Incident Response and Recovery: Resources for incident response planning, simulation exercises, and recovery processes.

  • Infrastructure and Office Setup: Physical and digital infrastructure required to set up the ISC, including secure workstations, network configurations, and collaboration tools.

Conclusion

The establishment of an Information Security Center (ISC) is a strategic imperative for our organization. The budget request outlined above reflects the investment necessary to safeguard our assets, data, and reputation against increasingly sophisticated cybersecurity threats. By mitigating risks, ensuring regulatory compliance, protecting assets, and enhancing customer trust, the ISC will provide significant value to our organization. I recommend that the Board of Management approve the establishment of the ISC and allocate the necessary budget to ensure our continued resilience and success in the digital landscape.

References

  • PCPD Investigation Report
  • SCMP Article