Purpose of Control #2

By cliangNo Comments
When we deploy control, we must understand what is the purpose of the control. I came across certain cybersecurity practitioners that network firewall has to be deployed even in a standalone environment to further segregate the zones within the system just because the policies say so. There will not be material enhancement to cybersecurity but impose recurring maintenance overhead of the addition network components: regular firmware upgrade, end of life monitoring for technology refresh, log review, account/password changes etc. All these can be avoided if no firewall is deployed. In the illustration, the control is informative or advisory. It won't be able to withstand "brute force" bypass. There is also no point to impose. The consequence is the best control that if you go beyond this point, your life would be at risk and you take the sole (not shared) responsibility. ...
Read More

Access Path

By cliangNo Comments
A path is required at the barrier or perimeter for a number of reasons: reachability to/from destination with legitimate needs such as logistics, transport etc. In cyber world, network perimeter device protects the inside zone from outside but "holes" are still required. A common example is the access to the web site from outside. How do we stay secure? It requires orchestration from different aspects: configuration hardening, access control to resources, incident respond, resilience, regular security updates, situation awareness and most important an achievable cyber security policy to mandate all these are in place. ...
Read More

Control #4

By cliangNo Comments
The "Exit" has demonstrated various types of control to secure the physical perimeter while enable a "kill switch" to emergency situation. The door lock acts as preventive control in normal circumstance. Inbound entry to the hall is prohibited by civilians (not stopping armed force). The lock bar can be pushed out to evacuate people in case emergency inside. It must be easily activated. To guard against abuse by malicious actor, CCTV camera is monitoring the scene. However, detective control must be supported by administrative control or else it won't be enforceable. Let's say, putting another notice there to indicate improper use will be subject to fine or imprisonment per bylaw clause so and so. Furthermore, security system is the first target to attack for disabling its surveillance function such that "improper" activities can be conducted without being caught. Altogether, this are the typical people, process, technologies, policies aspects that should be considered in formulating the use case, security and safety. ...
Read More

In The Cloud

By cliangNo Comments
We always hear people telling everything is now in the Cloud. Precisely, this is somehow incorrect. Even though there are IaaS, PaaS, SaaS etc., there are physical equipment on SOMEBODY's premise to serve the client. It is just the client has only a very slim footprint - likely a physical device with web browser connecting to the Internet for all the services (infrastructure, platform, software) required in the Cloud. When we develop written directives, don't be influenced by jargons. We need to have a holistic view to stipulate precise generic while certain situation precise specific rather than putting a case-by-case assessment. This will end up no policy at all. ...
Read More

Perimeter #3

By cliangNo Comments
One of the key controls in cyber world is the ingress/egress points to the network. Without sufficient control, threat actors are able to penetrate inside causing system or service disruption anywhere anytime. On top of network aspect, controlling of physical access to the equipment is also important. In physical world, establishing physical perimeter is far more challenging than that in the cyber world. Three are "proper" means to reach a region and multiple "improper" means to do the same. Effective control is proper policy for "illegal" entry. ...
Read More

Shared Responsibility

By cliangNo Comments
Source AWS Security Day 2025 I saw some awareness posters that cyber security is a shared responsibility. No doubt each of us plays a different and important roles to protect the cyber space. But putting a slogan like this without any elaboration will be unwise. We never know who to do what and eventually no one takes accountability. The shared responsibility must be well defined somewhere with easy access from audience. Examples are: Senior Management supports and sponsors necessary cybersecurity resources Technical Teams secure the digital assets throughout their life cycle General Users follow the good practices published by reputable internal subject matter expert The AWS model is a good example. [ [Disclaimer: Not recommendation, critique, nor having association, affiliation with AWS.] ...
Read More

Policy #12

By cliangNo Comments
In the illustration, there is implicit EXCEPT WITH PERMIT in real life. However, the bilingual "except's" are inconsistent.The Chinese version is except just bi-cycles. The English version is cycles. There are variations of "cycles": bi-cycle, tri-cycle, motor-cycle. This will create confusion for enforcement and compliance. A better version should be "Except non-motor vehicles". So, bi-cycle, tri-cycle, trolley, scroller are all allowed. This is precise generic. ...
Read More

Ice Road

By cliangNo Comments
This is seasonal - only happened a short while during winter time when lake or river is frozen with thickness that can support vehicles riding on it. What is the insight? We face a lot of changes in business environment, make adoption to stay competitiveness while deploying cost-effective protection measures against new threats. Examples are continuous digitization or disruptive technologies that business cannot escape from except cope with these. As standard practice, conduct a comprehensive risk assessment with the right Subject Matter Expert to guide thru the stakeholders to reimagine the new targeting operating model to understand threats and consequence and this decide level of risk acceptance. As always, we have to take risks. Here in the ice road, the risk contributors are the load of the vehicle, vehicle fitness, weather condition at time of crossing and the skillset of the vehicle driver. The prime objective (business outcome) is to stay alive crossing the ice road with the load to reach the destination. ...
Read More

Isolation #2

By cliangNo Comments
In pandemic disease era, facemask is a effective means to protect being infected via airborne transmission. This is usually voluntary but in extreme situation, facemask is mandated by authority for presence in the public. Facemask serves two-folded protection: (a) protecting an individual from infected or (b) containing an infected individual from spreading the disease. In cyber world, similar protection philosophy applies. A device has platform protection (like host firewall) from being attacked by compromised device in the network, or limits its attack to other network neighborhood, if compromised. Further peer isolation in the network, usually enforced in wireless network, will enhance this protection. When formulating protection, we need to think in all perspectives. ...
Read More

Design & Build #3

By cliangNo Comments
Earlier, I talked about similar. When conducting a comprehensive assessment of a facility, we should not just look at the cyber aspects but also the reliability and safety of the facility. Those exposed pipelines could be essential supply of human nessasities or dischargs of waste. If they are physically damaged (intentionally or unintentionally), these facilities will be disrupted therefore affecting normal live or even life. Physical security is also importantly in protecting the cyber components of facilities. ...
Read More