Access Path

By cliangNo Comments
A path is required at the barrier or perimeter for a number of reasons: reachability to/from destination with legitimate needs such as logistics, transport etc. In cyber world, network perimeter device protects the inside zone from outside but "holes" are still required. A common example is the access to the web site from outside. How do we stay secure? It requires orchestration from different aspects: configuration hardening, access control to resources, incident respond, resilience, regular security updates, situation awareness and most important an achievable cyber security policy to mandate all these are in place. ...
Read More

Control #4

By cliangNo Comments
The "Exit" has demonstrated various types of control to secure the physical perimeter while enable a "kill switch" to emergency situation. The door lock acts as preventive control in normal circumstance. Inbound entry to the hall is prohibited by civilians (not stopping armed force). The lock bar can be pushed out to evacuate people in case emergency inside. It must be easily activated. To guard against abuse by malicious actor, CCTV camera is monitoring the scene. However, detective control must be supported by administrative control or else it won't be enforceable. Let's say, putting another notice there to indicate improper use will be subject to fine or imprisonment per bylaw clause so and so. Furthermore, security system is the first target to attack for disabling its surveillance function such that "improper" activities can be conducted without being caught. Altogether, this are the typical people, process, technologies, policies aspects that should be considered in formulating the use case, security and safety. ...
Read More

Shared Responsibility

By cliangNo Comments
Source AWS Security Day 2025 I saw some awareness posters that cyber security is a shared responsibility. No doubt each of us plays a different and important roles to protect the cyber space. But putting a slogan like this without any elaboration will be unwise. We never know who to do what and eventually no one takes accountability. The shared responsibility must be well defined somewhere with easy access from audience. Examples are: Senior Management supports and sponsors necessary cybersecurity resources Technical Teams secure the digital assets throughout their life cycle General Users follow the good practices published by reputable internal subject matter expert The AWS model is a good example. [ [Disclaimer: Not recommendation, critique, nor having association, affiliation with AWS.] ...
Read More

Ice Road

By cliangNo Comments
This is seasonal - only happened a short while during winter time when lake or river is frozen with thickness that can support vehicles riding on it. What is the insight? We face a lot of changes in business environment, make adoption to stay competitiveness while deploying cost-effective protection measures against new threats. Examples are continuous digitization or disruptive technologies that business cannot escape from except cope with these. As standard practice, conduct a comprehensive risk assessment with the right Subject Matter Expert to guide thru the stakeholders to reimagine the new targeting operating model to understand threats and consequence and this decide level of risk acceptance. As always, we have to take risks. Here in the ice road, the risk contributors are the load of the vehicle, vehicle fitness, weather condition at time of crossing and the skillset of the vehicle driver. The prime objective (business outcome) is to stay alive crossing the ice road with the load to reach the destination. ...
Read More

Emergency vs Privacy

By cliangNo Comments
It is common to leave contact information in passport, contact card in wallet such that under emergency situation, others could notify your family member or significant half. This will be helpful if you are travelling alone, or aged. But how do we eliminate scam? Our contact information (email, phone number) is perhaps widely shared when register for web service as 2-step authentication, product registration for warranty, leave as call back for inquiry results, or our friends' devices carrying our contacts are compromised. There is a little trick to beat against scammer by establishing a one-way trust. Put a preset phase in the emergency contact card. Pre-arrange this with your contact(s) the caller must quote this preset phase to prove the contact info is obtained from this emergency contact card but not elsewhere. ...
Read More

Bag Tag

By cliangNo Comments
It is common practice to tag your checked bag or even hand carried bag with a tag. How are you going to fill the info there? In old days, mobile communication device is rare. If you cannot find the bag at baggage claim area, you rely on transportation service provider to contact you and deliver the bag per the stated address even though you report them about lost bag. Therefore, you have to provide the accurate address and contact information. Now, the scenario is reversed. If you cannot find your checked bag, you contact the transportation service provider to locate the lost bag with ticket number assigned at check in and tell them where to send to and how to reach you. Therefore, the bag tag shall only serve an identification means and avoid putting too much privacy information (address, contact number, email) there. In addition, the tag attached to the checked bag has RFiD to track its routing through out the entire...
Read More

Renewable Energy

By cliangNo Comments
It is one of the decarbonization means. Investment involves initial plant setup and then recurring operating cost. There is no need for fuel except resources to manage the plant properly. The entire ecosystem will need site survey, i.e. how many days with sufficient wind are there in a year and the strength, physical security from sabotage of the plant and then digital security against cyber attack - bring down the grid, damage the equipment, scheduled plant maintenance. This shall best have a Hazard and Operability (HAZOP) exercise that include everything that most cybersecurity practitioners are only focusing on cybersecurity, or technical controls. If they do, they are incompetent for the job. ...
Read More

Administrative Control #2

By cliangNo Comments
SSSS (or 4S) is Smart Site Safety System. It consists of server, workstation, mobile network, end point devices (CCTV, smart watch, RFiD helmet, other sensors) to monitor construction site and workforce situation for safety hazards alert. For client project involving civil works, equipment installation etc, contractor will bring their own 4S to ensure and compliance with safety rules and regulations. 4S is not a project deliverable but a tool during construction. I see some cybersecurity practitioners have incorrect understanding. They demand contractor 4S compliance with own organization cybersecurity policies. No doubt 4S might capture client site specific condition, coincidental inclusion of personnel other than contractor workforce causing privacy concerns. We must not forget there are administrative controls in the contractual obligation to comply with laws & regulation plus non-disclosure agreement. We shall not bother the how's in technical aspects. Otherwise, this is overkilled. This something like you walk into a mall, using the ATM - there are CCTV everywhere but you won't question...
Read More

Risk Taking #2

By cliangNo Comments
Each one is fully responsible for the consequence by own act no matter in physical or cyber worlds. In physical world, the worst consequence is fatality if waring sign is ignored. In cyber world, it could be files are locked by ransomware, identity theft leading to financial loss or criminal offence if abused by threat actor. The hard part is there won't be obvious warning sign because attacks are stealthy or via deepfake. Education, situation awareness are the essential elements to secure the human aspect. ...
Read More

Address

By cliangNo Comments
There is a key difference between physical and cyber worlds. In physical world, addresses for non-military areas are public. You have to label your apartment properly so that mail from postage service or goods from courier will not miss the destination. Major map service providers have the information online for public accessibility. In cyber world, IP address is sensitive information and securely protected in document, electronic information transfer. This is because if threat actor has landed in the internal network, the first thing is to conduct reconnaissance in understanding what are network nodes present, then trying to reveal its OS footprint in deciding what could be exploited. If IP address (and even worst with the host information, like in network diagram) are disclosed, it will save threat actor substantial amount of work in the discovery phase. However, whatever protections are imposed, it is just a matter of making the penetrating more difficult. There are always new threats, vulnerable OS, vulnerable software...
Read More