Control #4

By cliangNo Comments
The "Exit" has demonstrated various types of control to secure the physical perimeter while enable a "kill switch" to emergency situation. The door lock acts as preventive control in normal circumstance. Inbound entry to the hall is prohibited by civilians (not stopping armed force). The lock bar can be pushed out to evacuate people in case emergency inside. It must be easily activated. To guard against abuse by malicious actor, CCTV camera is monitoring the scene. However, detective control must be supported by administrative control or else it won't be enforceable. Let's say, putting another notice there to indicate improper use will be subject to fine or imprisonment per bylaw clause so and so. Furthermore, security system is the first target to attack for disabling its surveillance function such that "improper" activities can be conducted without being caught. Altogether, this are the typical people, process, technologies, policies aspects that should be considered in formulating the use case, security and safety. ...
Read More

In The Cloud

By cliangNo Comments
We always hear people telling everything is now in the Cloud. Precisely, this is somehow incorrect. Even though there are IaaS, PaaS, SaaS etc., there are physical equipment on SOMEBODY's premise to serve the client. It is just the client has only a very slim footprint - likely a physical device with web browser connecting to the Internet for all the services (infrastructure, platform, software) required in the Cloud. When we develop written directives, don't be influenced by jargons. We need to have a holistic view to stipulate precise generic while certain situation precise specific rather than putting a case-by-case assessment. This will end up no policy at all. ...
Read More

Perimeter #3

By cliangNo Comments
One of the key controls in cyber world is the ingress/egress points to the network. Without sufficient control, threat actors are able to penetrate inside causing system or service disruption anywhere anytime. On top of network aspect, controlling of physical access to the equipment is also important. In physical world, establishing physical perimeter is far more challenging than that in the cyber world. Three are "proper" means to reach a region and multiple "improper" means to do the same. Effective control is proper policy for "illegal" entry. ...
Read More

Shared Responsibility

By cliangNo Comments
Source AWS Security Day 2025 I saw some awareness posters that cyber security is a shared responsibility. No doubt each of us plays a different and important roles to protect the cyber space. But putting a slogan like this without any elaboration will be unwise. We never know who to do what and eventually no one takes accountability. The shared responsibility must be well defined somewhere with easy access from audience. Examples are: Senior Management supports and sponsors necessary cybersecurity resources Technical Teams secure the digital assets throughout their life cycle General Users follow the good practices published by reputable internal subject matter expert The AWS model is a good example. [ [Disclaimer: Not recommendation, critique, nor having association, affiliation with AWS.] ...
Read More

Policy #12

By cliangNo Comments
In the illustration, there is implicit EXCEPT WITH PERMIT in real life. However, the bilingual "except's" are inconsistent.The Chinese version is except just bi-cycles. The English version is cycles. There are variations of "cycles": bi-cycle, tri-cycle, motor-cycle. This will create confusion for enforcement and compliance. A better version should be "Except non-motor vehicles". So, bi-cycle, tri-cycle, trolley, scroller are all allowed. This is precise generic. ...
Read More

Isolation #2

By cliangNo Comments
In pandemic disease era, facemask is a effective means to protect being infected via airborne transmission. This is usually voluntary but in extreme situation, facemask is mandated by authority for presence in the public. Facemask serves two-folded protection: (a) protecting an individual from infected or (b) containing an infected individual from spreading the disease. In cyber world, similar protection philosophy applies. A device has platform protection (like host firewall) from being attacked by compromised device in the network, or limits its attack to other network neighborhood, if compromised. Further peer isolation in the network, usually enforced in wireless network, will enhance this protection. When formulating protection, we need to think in all perspectives. ...
Read More

Policies #11

By cliangNo Comments
Policies are rules. They stipulate what are allowed and what not. Good policies must be practically achievable and enforceable, not too strict and not too loose - this is the hard part. Too strict will incur policy exception and too loose will make the policy a decorative statement in the sign board. Writing good cybersecurity policies will require these as foundation: The policy maker must understand the business model, what outcomes to be delivered What are the risk appetite the organization willing to take, after all, there won't be 100% secure business in the world How the requirement shall enable the business securely but not prohibit innovations, we are living in digital transformation era and everything is going inside cyber What are peers or the industry doing, is the bar setting too high or too low That said, don't just apply textbook knowledge but listen to business units what will work and what not. Strike the right balance with 80/20 rule. ...
Read More

Administrative Control #2

By cliangNo Comments
SSSS (or 4S) is Smart Site Safety System. It consists of server, workstation, mobile network, end point devices (CCTV, smart watch, RFiD helmet, other sensors) to monitor construction site and workforce situation for safety hazards alert. For client project involving civil works, equipment installation etc, contractor will bring their own 4S to ensure and compliance with safety rules and regulations. 4S is not a project deliverable but a tool during construction. I see some cybersecurity practitioners have incorrect understanding. They demand contractor 4S compliance with own organization cybersecurity policies. No doubt 4S might capture client site specific condition, coincidental inclusion of personnel other than contractor workforce causing privacy concerns. We must not forget there are administrative controls in the contractual obligation to comply with laws & regulation plus non-disclosure agreement. We shall not bother the how's in technical aspects. Otherwise, this is overkilled. This something like you walk into a mall, using the ATM - there are CCTV everywhere but you won't question...
Read More

The Forgotten Place #5

By cliangNo Comments
It is self-explanatory. There are similar faults posted previously. Risk of consequence must be understood before deploying information automation tool. If the display is for information of the mall, failure does not matter much and at most the reputation of the management office. But if the display shows real time high value trading, failure will cause substantial direct and indirect financial impacts. Direct is the loss of opportunity to conduct transaction by the users of the display. Indirect could be claims thru litigation by users of the display causing their direct loss due to this failure. Technically, multi-displays are deployed for resilience. From policy perspective, users must sign usage agreement to undertake consequence due to machine failure and disclaim the service provide for any direct or indirect losses. ...
Read More