Least Privilege

Another practice from the physical world that has been adopted in the cyber world is the least privilege principle. However, we must bear in mind that privileges can be elevated or circumvented because of system weaknesses or unmanaged vulnerabilities. Therefore, regular assessment for assurance is required to validate whether controls are still effective....

Zoning

Many cyber practices are actually adopted from the physical world. Zoning is an example. Its main purpose is to isolate the object path (incoming / outgoing) in order to secure port control. Authentication (immigration) and inspection (security screening) are added measures....

Give and Take

Cybersecurity and convenience are always contradictory. Touch ID is a convenient means to unlock the device and is deemed secure because fingerprints are supposed to be unique. But on further thought, there are several pitfalls. Touch ID only protects the data-at-rest scenario. It can't secure your data while your phone is unlocked (data-in-use), nor while you are submitting sensitive data across the network (data-in-motion). Frequent use of Touch ID will make you tend to forget the text-based password, affecting availability in situations where you need to provide the password. A text-based password is more secure than biometrics in one special case: if you are under duress, an attacker can force you to unlock your device with your biometric attributes ... even if you are dead; but a text-based password cannot be extracted from a dead person's memory. An example is the locked iPhone from the Boston bomber that evolved into a court case debating national security vs. data privacy. This is a matter of expectation...