Purpose of Control #2

When we deploy a control, we must understand what the purpose of the control is. I came across certain cybersecurity practitioners who insist that a network firewall has to be deployed even in a standalone environment to further segregate the zones within the system, just because the policies say so. There will be no material enhancement to cybersecurity, but it imposes recurring maintenance overhead for the additional network components: regular firmware upgrades, end-of-life monitoring for technology refresh, log review, account/password changes, etc. All of these can be avoided if no firewall is deployed. In the illustration, the control is informative or advisory. It won't be able to withstand a "brute force" bypass, and there is also no point in imposing one. The consequence is the best control: if you go beyond this point, your life would be at risk and you take the sole (not shared) responsibility. ...

Access Path

A path is required through the barrier or perimeter for a number of reasons: reachability to/from a destination with legitimate needs such as logistics, transport, etc. In the cyber world, a network perimeter device protects the inside zone from the outside, but "holes" are still required. A common example is access to a web site from outside. How do we stay secure? It requires orchestration across different aspects: configuration hardening, access control to resources, incident response, resilience, regular security updates, situational awareness and, most important, an achievable cybersecurity policy to mandate that all of these are in place. ...

Control #4

The "Exit" demonstrates various types of control to secure the physical perimeter while enabling a "kill switch" for emergency situations. The door lock acts as a preventive control in normal circumstances. Inbound entry to the hall by civilians is prohibited (it does not stop an armed force). The lock bar can be pushed out to evacuate people in case of an emergency inside. It must be easily activated. To guard against abuse by a malicious actor, a CCTV camera monitors the scene. However, a detective control must be supported by an administrative control, or else it won't be enforceable. Let's say, putting another notice there to indicate that improper use will be subject to a fine or imprisonment per bylaw clause so-and-so. Furthermore, the security system is the first target of an attack, to disable its surveillance function so that "improper" activities can be conducted without being caught. Altogether, these are the typical people, process, technology and policy aspects that should be considered in formulating the use case, security and safety. ...

In The Cloud

We always hear people say that everything is now in the Cloud. Precisely speaking, this is somewhat incorrect. Even though there are IaaS, PaaS, SaaS, etc., there is physical equipment on SOMEBODY's premises serving the client. It is just that the client has only a very slim footprint - likely a physical device with a web browser connecting to the Internet for all the services (infrastructure, platform, software) required in the Cloud. When we develop written directives, don't be influenced by jargon. We need a holistic view to stipulate the precise generic, and in certain situations the precise specific, rather than relying on case-by-case assessment. That will end up as no policy at all. ...

Perimeter #3

One of the key controls in the cyber world is the ingress/egress points of the network. Without sufficient control, threat actors are able to penetrate inside, causing system or service disruption anywhere, anytime. On top of the network aspect, controlling physical access to the equipment is also important. In the physical world, establishing a physical perimeter is far more challenging than in the cyber world. There are "proper" means to reach a region and multiple "improper" means to do the same. An effective control is a proper policy for "illegal" entry. ...

Shared Responsibility

Source: AWS Security Day 2025

I saw some awareness posters saying that cybersecurity is a shared responsibility. No doubt each of us plays a different and important role in protecting cyberspace. But putting up a slogan like this without any elaboration is unwise. We never know who is to do what, and eventually no one takes accountability. The shared responsibility must be well defined somewhere, with easy access for the audience. Examples are:
- Senior Management supports and sponsors the necessary cybersecurity resources
- Technical Teams secure the digital assets throughout their life cycle
- General Users follow the good practices published by reputable internal subject matter experts
The AWS model is a good example. [Disclaimer: Not a recommendation or critique, nor having any association or affiliation with AWS.] ...

Policy #12

In the illustration, there is an implicit EXCEPT WITH PERMIT in real life. However, the bilingual "except"s are inconsistent. The Chinese version excepts only bicycles. The English version says "cycles". There are variations of "cycles": bicycle, tricycle, motorcycle. This will create confusion for enforcement and compliance. A better version would be "Except non-motor vehicles". Then bicycles, tricycles, trolleys and scooters are all allowed. This is precise generic. ...

Isolation #2

In the pandemic era, a facemask is an effective means of protection against infection via airborne transmission. This is usually voluntary, but in extreme situations facemasks are mandated by the authorities for presence in public. A facemask serves a two-fold protection: (a) protecting an individual from being infected, or (b) containing an infected individual from spreading the disease. In the cyber world, a similar protection philosophy applies. A device has platform protection (like a host firewall) against being attacked by a compromised device in the network, and this also limits its attacks on its network neighbourhood if it is itself compromised. Further peer isolation in the network, usually enforced in wireless networks, will enhance this protection. When formulating protection, we need to think from all perspectives. ...

Policies #11

Policies are rules. They stipulate what is allowed and what is not. Good policies must be practically achievable and enforceable, not too strict and not too loose - this is the hard part. Too strict will incur policy exceptions, and too loose will make the policy a decorative statement on the sign board. Writing good cybersecurity policies requires these as a foundation:
- The policy maker must understand the business model and what outcomes are to be delivered
- What risk appetite the organization is willing to take; after all, there is no 100% secure business in the world
- How the requirement shall enable the business securely without prohibiting innovation; we are living in the digital transformation era and everything is moving into cyber
- What peers or the industry are doing, and whether the bar is set too high or too low
That said, don't just apply textbook knowledge, but listen to the business units about what will work and what will not. Strike the right balance with the 80/20 rule. ...

Administrative Control #2

SSSS (or 4S) is the Smart Site Safety System. It consists of servers, workstations, a mobile network and endpoint devices (CCTV, smart watches, RFID helmets, other sensors) to monitor construction site and workforce conditions and raise safety hazard alerts. For client projects involving civil works, equipment installation, etc., the contractor will bring their own 4S to ensure compliance with safety rules and regulations. 4S is not a project deliverable but a tool used during construction. I see some cybersecurity practitioners have an incorrect understanding. They demand that the contractor's 4S comply with their own organization's cybersecurity policies. No doubt 4S might capture client-site-specific conditions, and coincidental inclusion of personnel other than the contractor workforce could cause privacy concerns. We must not forget that there are administrative controls in the contractual obligation to comply with laws and regulations, plus the non-disclosure agreement. We shall not bother with the how's of the technical aspects. Otherwise, this is overkill. This is something like when you walk into a mall and use the ATM - there are CCTV cameras everywhere, but you won't question...