CCSK – DOMAIN 4 (Compliance and Audit Management) reference material

CCSK

Preparation tool kit (with registration): https://cloudsecurityalliance.org/artifacts/ccskv4_exam_prep_kit

Separate downloads:

(ISC)² Belux Chapter

2019-04-04 meeting presentation on CCSP-CCSK

ISC2-Belux-Chapter-20190404-Event

Additional Reading

PCI-DSS

Download PCI-DSS  without registration: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Documentation library: https://www.pcisecuritystandards.org/document_library

SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Microsoft Azure – Cloud Security Compliance (Trust center)

https://www.microsoft.com/en-us/trustcenter/compliance/compliance-overview

Documents download: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3

https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide

Regional & country compliance: https://www.microsoft.com/en-us/trustcenter/compliance/regional-country-compliance

Google Cloud Security Compliance

Google Cloud security compliance – general

ISO27001: https://cloud.google.com/security/compliance/iso-27001/

CSA STAR

ISO Standards

ISO27001

ISO27002

ISO27017 (Cloud security)

ISO27018 (Personal data)

ISO27032 (Cybersecurity)

CSA STAR

https://cloudsecurityalliance.org/star/#_overview

Other

Interesting collection of documents & references on compliance and standards: here,  including, HIPAA, PCI-DSS, ISO27001/27002, …

 

 

 

Advertisements

Published on TNWIKI: .Net Framework 3.5 Troubleshooting: installation errors (Permission issue)

Published at: .Net Framework 3.5 Troubleshooting: installation errors (Permission issue)

Applies to

  • Window Server 2016

Issue

.Net Framework 3.5 installation fails on Windows Server 2016

Troubleshooting

Tried many solutions like below

.NET 3.5 Uninstall detected

See:
MIM 2016 Troubleshooting: The installation just hanging without error, warning, log, Event-log

Windows Feature installation

See:
Windows Server 2012 R2 Troubleshooting: .NET Framework 3.5 installation failure (Offline/Online)

GPO Setting

See:
.Net Framework 3.5 Troubleshooting: installation errors (GPO)

Hotfix issue

See:
SharePoint 2013 Troubleshooting: NET 3.5 framework add feature error (the source files could not be found)

Solution

Grant read permission to the Everyone group on the installation files.

Check:
https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features

 

Important

When you are installing feature files from a remote source, the source path or file share must
grant Read permissions either to the
Everyone group (not recommended for security reasons), or to the computer (local system) account of the destination server; granting user account
access is not sufficient.

Servers that are in workgroups cannot access external file shares, even if the computer account for the workgroup server has
Read permissions on the external share. Alternate source locations that work for workgroup servers include installation media, Windows Update, and VHD or WIM files that are stored on the local workgroup
server.

See also

References

 

Fresh on TNWiki: MIM 2016 Troubleshooting: The installation just hanging without error, warning, log, Event-log

Published on TNWIKI: MIM 2016 Troubleshooting: The installation just hanging without error, warning, log, Event-log

Credits

This issue was initially reported by
Guy Horn on LinkedIN, republished with permission.

(Guy Horn’s LinkedIn profile)

Issue

When you try to install MIM, it continuously fails.

You can’t  add .NET Framework 3.5.

Symptoms

The installation was just hanging without error, warning, log, Event-log

Root cause

The problem was that some features were removed from the Windows Server Image.

Solution

NetFx3 should be specified and not ‘Net-Framework-Core’.

After re-adding the feature just ‘Add-WindowsFeature Net-Framework-Core’.

Detecting the issue

Run this PowerShell command, to find the removed features

# This command shows removed items from the Windows Azure Server 2016 Datacenter image.

Get-WindowsFeature
| Where-Object
-FilterScript {($_.installstate
-like “Removed”)}

Solution

Restore the optional feature

# This command restores the optional feature, MyFeature, to the Online Windows image. If the files are not found in the source image, this command specifies not
to check Windows Update for the source files.

Enable-WindowsOptionalFeature
-Online -FeatureName
“NetFx3” -Source
f:\sources\sxs -LimitAccess
-All

Add .NET FW core

# Add the feature

Add-WindowsFeature
-name net-framework-core

Script

# This command shows removed items from the Windows Azure Server 2016 Datacenter image.

Get-WindowsFeature
| Where-Object
-FilterScript {($_.installstate
-like “Removed”)}

 

# This command restores the optional feature, MyFeature, to the Online Windows image. If the files are not found in the source image, this command specifies not
to check Windows Update for the source files.

Enable-WindowsOptionalFeature
-Online -FeatureName
“NetFx3” -Source
f:\sources\sxs -LimitAccess
-All

 

# Add the feature

Add-WindowsFeature
-name net-framework-core

 

 

RGPD, GDPR, AVG, … et les jeux de mots linguistiques… ou confusions?

Au niveau de RGPD (réf. Art. 5.2), il y a une différence importante pour les francophones et les anglophones.
Téléchargez les versions ici: https://ffwd2.me/gdpr

 

Le GDPR en anglais, fait référence à “accountability

Le RGPD (FR) parle de « responsabilité » (personnel) seulement.

 

En fait, “accountability” (EN) = rendre compte (FR)

Mais “responsability” en anglais est aussi traduit en “responsabilité” (général) en français.

Pour la bonne compréhension, il est important de savoir qu’il y a une différence.

 

“accountability” en anglais,

  • veut dire “responsabilité personnel/individuelle”, rendre compte
  • s’applique typiquement
    • sur 1 personne,
    • Après les faits
  • Réf. au tribunal/juge

“responsability” en anglais,

  • Veut dire “responsabilité générale”
  • S’applique
    • Sur un group, plusieurs personnes
    • Qui planifie et prend soin des tâches, en avance/pendant

 

En plus, au niveau de GDPR, il y a une 2ème différence important expliqué dans GDPR considérant (4)

  • Privacy (EN) / vie privée (FR), versus/par contre
  • Personal data (EN) / données à caractère personnel= “données personnelles” (FR)

 

Si on parle de “vie privée”, on fait référence au droits fondamentaux, et “le respect de la vie privée et familiale, du domicile et des communications …”

Si on parle des données personnelles, on fait référence à l’info et les attributs qui identifient ou peuvent identifier quelqu’un.

Donc, dans la protection des données, on devrait parler de “données personnelles”.

Et l’histoire est identique pour le néerlandophones… (NL <> FR) 😉

GDPR word games, differences in EN/FR language versions and interpretation

Did you ever compare the different language versions of the GDPR?
Have a check at : https://ffwd2.me/gdpr

On the level of GDPR (ref. Art. 5.2), there is an important difference between French (FR) and English (EN). Same thing for Dutch, by the way

The GDPR (EN)  references “accountability”(EN). In FR (RGPD), they ONLY reference “responsabilité”.

In fact, “accountability” (EN) means “rendre compte” in French.

But “responsibility” (EN)  is translated to “responsabilité” in French TOO!

So, for clear understanding, it’s important to know that there IS a difference.

“accountability” (EN) means,

“responsability” (EN),

  • is rather “general” responsibility
  • applies to
    • a group of, or multiple, persons
    • who plan or execute tasks, in advance or during activities

Furthermore, on the level of GDPR, there is a 2nd important difference, explained in GDPR recital (4)

  • Privacy (EN) / vie privée (FR), versus
  • Personal data (EN), données à caractère personnel= “données personnelles” (FR)

If we talk about privacy / vie privée (FR) in GDPR, it’s about “fundamental rights” and «respect for private and family life, home and communications … »

If you talk about personal data, you refer to the information and attributes who identify (“identified”)or can identify an individual (“identifiable”).

So, in data protection (EN), protection des données” (FR) for GDPR, we should refer to personal data (EN), “données personnelles” (FR).

Using SPF to block mail account spoofing

Introduction

Did you ever got a mail from yourself, but you’re sure you did not send it?

This week I got that mail from a mail alias I’m using, so it’s actually not a native mailbox, but a mail forwarder address, which makes the claim that “the mailbox is hacked” pretty silly…

But if you got this message from a native mailbox, it does sound scary, isn’t it?

I already had some similar symptoms on other mail addresses in the same domain.

Symptoms

You get a mail from your own mail address… which is called mail spoofing.
And it looks like:

mailspoof

Spoofed mail message content

Hi!

As you may have noticed, I sent you an email from your account.
This means that I have full access to your account.

I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this,
transfer the amount of $778 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).

My bitcoin address (BTC Wallet) is: 1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio

After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best regards!

Root cause

The DNS setting of your domain is missing SPF records, that counter mail spoofing (an unauthorized mail server, user or hacker sending mail as “you”)…

Troubleshooting

When looking at the mail properties it’s pretty difficult (if not impossible) to find out who actually has sent the mail….

Solution

Basic domain settings

Add an SPF record to your domain DNS settings.

To get started, look up your mail provider or hosting provider’s name + SFP.

FYI, I’m hosting my domains at one.com, they’ve got some straight forward advise to configure the DNS. For any other domain, at any other provider it’s similar.

Office 365

When you buy a domain, but host your mail on O365, there are some additional settings to configure. But Office 365 will explain.

The easy part, logon to your O365 tenant, and check your domain health (see video below)

For more info, check these documents:

References

SPF tooling

Other security options

See also

Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Short URL: Http://aka.ms/outlook.com/help

While SPF is the first step, you should also consider DMARC and DKIM.