Author: Peter Geelen

https://be.linkedin.com/in/pgeelen - Peter Geelen is owner and managing consultant at Quest For Security. Over the years Peter built strong experience in enterprise security, enterprise architecture, identity and access management, including information protection, cybersecurity, corporate security policies, security hardening and cloud security. Committed to continuous learning, Peter holds renowned security certificates such as CCSK, CISSP, CISSP-ISSAP and CISA. Peter is also MCT (Microsoft Certified Trainer), MCSA, MCTS, MCSE:Security and MCSA:Security, plus ITIL & PRINCE2 foundation certified. Since 2005 his technical focus is Microsoft identity and access solutions: MIIS, ILM, FIM 2010 and MIM 2016 and related platforms like PKI, UAG, ADFS, single sign-on & security solutions,… Peter strives to spend time on helping the Microsoft community both online and offline: - Taking care of Governance and administration of TechNet Wiki: http://aka.ms/wiki - TechNet Wiki Blog: http://aka.ms/wikiblog - Publishing articles and white papers at TN Wiki and TN Gallery: http://aka.ms/pgpage - Founder and community lead of the Belgian Microsoft Security User group (http://www.winsec.be) You can find his personal blog at http://blog.identityunderground.be. MVP Enterprise Mobility (Identity and Access) (2016), former Microsoft MVP on FIM (Forefront Identity Manager) (2008 - 2012). Living in Leuven.

Free (ISC)² Exams flash cards all in one place (*)

(*) with respect for your privacy: no login or e-mail address required for

CISSP

CSSLP

CCSP

SSCP

CAP

HCISSP

Sorry, (free) registration still required for:

CISSP-ISSAP: https://enroll.isc2.org/product?catalog=CISSP-ISSAP-FC

CISSP-ISSEP: https://enroll.isc2.org/product?catalog=CISSP-ISSEP-FC

CISSP-ISSMP: https://enroll.isc2.org/product?catalog=ISSMP-FC-2019

Signing a PDF with Belgian eID – step-by-step for beginners (a bit more than what they tell you on the official page)

On the website for the Belgian eID, you can find some basic hints & tips to sign PDF documents with the Belgian identity card and the Acrobat Reader application.

But there are other PDF applications than Acrobat Reader DC, and the eID signing guide doesn't detail the prerequisites needed to make it work.

Technical tip: the tech prerequisites and how to validate them are explained in the technical manual (over here: https://eid.belgium.be/nl/technische-documentatie#7389)

Acrobat Reader DC may be the most prominent PDF reader, but it's certainly not the only one and certainly not the most performant one.

Furthermore, the document signing in Acrobat Reader is pretty confusing as you must select the “Certificates” module and NOT “Fill & Sign”.

Difference between Authentication & Signing

When you, as verified user, want to put a digital signature on documents, this is called “signing”, confirming the document content.

In these circumstances, the “authentication” part is not relevant. Authentication is used to prove your identity.

For your information: the Belgian eID is NOT designed to provide encryption (which is the 3rd option to use a certificate). So you cannot use the BE eID for encryption of documents, sadly enough.

More info (NL, also EN version available): https://eid.belgium.be/nl/aanmelden-met-eid#7559 (EN, https://eid.belgium.be/en/log-eid#7559)

Prerequisites

Certificates in user certificate store

You need to have the user certificates installed on your user account on the local pc (actually the personal user certificate store) to make the document signing work in the applications.

If you haven’t used the eID certificates before, or in the case of a new computer, you’ll need to install the user certificates on your computer.
The easiest and official way to install them, is using the eID viewer application.

eID Software

Note on Language

The eID website supports NL, FR, DE and EN as languages. I'll only refer to NL and EN as main languages, but FR and DE are supported too.

Download

Download and install the eID software from this source: https://eid.belgium.be/nl (for NL. Also available: EN, FR and DE).
It includes the eID middleware and the eID viewer we'll use to read and install the eID certificates on your computer (actually in your user account).

Install

The manual to install the eID software is here:

(NL) https://eid.belgium.be/nl/hoe-installeer-ik-de-eid-software

(EN) https://eid.belgium.be/en/technical-documentation

Verifying the presence of the user certificates (Signing)

When you use the certificates and/or the eID software, the certificates should be installed in the user certificate store automatically, but that is not always the case, depending on the configuration and security of your computer.

Technical hint: there is a “Certificate Propagation Service” troubleshooting article on the eID website that helps you: https://eid.belgium.be/nl/technische-documentatie#7256

To sign PDF documents with a certificate, most PDF readers will check for certificates in the user certificate store on the local computer, not directly from the card reader.

Steps

1. MMC

Via the Windows button, run mmc (Microsoft Management Console); you'll need to run it in elevated mode (so consent to the UAC popup).

2. Add snap-in: Certificates

Via menu “File”, “Add/Remove Snap-in”, add the “Certificates” snap-in.
Choose “My User Account” (as the eID certificates are injected in your user account, not your computer or service account).

Finish and click ok.

3. Open the personal certificate store

In “Certificates – Current User” > Personal > Certificates, check the list of certificates available.

You should see something like:

If ok, then you’re ready to sign documents, using eID.

If NOT, then you’ll need to add the certificates manually.
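As an added example (this is not code from the eID website or the eID software), the same verification as the MMC steps above can be done from a PowerShell prompt, which also reports the state of the Certificate Propagation Service mentioned earlier. The issuer name “Citizen CA” and the “(Signature)” / “(Authentication)” suffixes in the subject are assumptions about how the eID certificates are named; adjust the filters to what the eID Viewer shows for your card.

```powershell
# Added example (not from the eID documentation or the eID software):
# check whether the Belgian eID Signature certificate is present and usable
# in the current user's Personal store, which is what PDF readers consult.
# Assumptions (labelled): the eID certificates are issued by "Citizen CA" and
# the subject contains "(Signature)" or "(Authentication)"; adjust the
# filters if your card shows different names in the eID Viewer.

function Get-EidCertificate {
    [CmdletBinding()]
    param(
        [ValidateSet('Signature', 'Authentication')]
        [string]$Purpose = 'Signature'
    )
    # Cert:\CurrentUser\My is the "Certificates - Current User > Personal" store
    # shown by the MMC Certificates snap-in.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like '*Citizen CA*' -and $_.Subject -like "*($Purpose)*" }
}

function Test-EidSigningReady {
    # The Certificate Propagation Service copies card certificates into the user
    # store; if it is stopped or disabled, manual installation is usually needed.
    $svc = Get-Service -Name CertPropSvc -ErrorAction SilentlyContinue
    if ($svc) {
        "CertPropSvc: $($svc.Status) (start type: $($svc.StartType))" | Out-Host
    }

    $certs = @(Get-EidCertificate -Purpose Signature)
    if ($certs.Count -eq 0) {
        Write-Warning 'No eID Signature certificate found in Cert:\CurrentUser\My; install it from the eID Viewer (Certificates tab).'
        return $false
    }

    $ready = $true
    foreach ($cert in $certs) {
        $expired = $cert.NotAfter -lt (Get-Date)

        # A signing certificate must carry the NonRepudiation (content commitment)
        # key usage; the Authentication certificate carries DigitalSignature instead.
        $keyUsageExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $nonRepudiation = $false
        if ($keyUsageExt) {
            $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::NonRepudiation
            $nonRepudiation = ($keyUsageExt.KeyUsages -band $flag) -eq $flag
        }

        # Verify() builds the chain up to the root CA and checks revocation online,
        # so this needs network access; PDF readers perform the same validation.
        $chainValid = $cert.Verify()

        # HasPrivateKey only reports whether Windows holds a key reference for this
        # certificate; with a smart card the private key itself stays on the card.
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            Expired          = $expired
            NonRepudiation   = $nonRepudiation
            ChainValid       = $chainValid
            PrivateKeyLinked = $cert.HasPrivateKey
        } | Format-List | Out-Host

        if ($expired -or -not $nonRepudiation -or -not $chainValid) { $ready = $false }
    }
    return $ready
}

Test-EidSigningReady
```

Run it as the user who will sign the documents; no elevation is needed because it only reads that user's own certificate store. A `$false` result with the warning means the Signature certificate is missing and the manual installation below applies; a `$false` result with a listed certificate points at an expired card, a failed chain or revocation check, or a certificate that is not the Signature one.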

Manual installation of the eID certs

1. Insert your eID

Attach a supported card reader and insert your eID smart card.

2. Open the eID viewer > Certificates tab

Right-click the “Signature” certificate (you can do the same for the Authentication certificate) and select “Detailed Information”.

Then, click the “install certificate…” button:

Then run through the default option steps: click Next, Next, … Next, Finish.

Import the certificate to the current user certificate store

Click Finish and you should be set to go for signing documents.

Signing PDF docs

Adobe Acrobat DC

This is explained on the eID website:

(NL) https://eid.belgium.be/nl/digitale-handtekeningen#7261

(EN) https://eid.belgium.be/en/digital-signatures#7261

IMPORTANT

Select the “Certificates” module and NOT “Fill & Sign”.

“Fill & Sign” is used for graphical signatures, replacing the manual signing of paper copies, and eliminates the need for rescanning.

eID is a “qualified” and legally supported signature.

If your counterpart (the other signing party) doesn't require a qualified signature, this is a good alternative for eID (as some sensitive data, like the social security number including birthday and gender, is mentioned in the eID signature).

Foxit PDF

Open the PDF file you want to sign.

Verify the presence of the Signature certificate

It should pop up from the certificate store, which we fixed earlier (if not present, go back and fix it).

Signing a document

When the certificate is correctly installed, go to the “Protect” menu, then click the “Sign & certify” button in the ribbon.

Then drag an area to mark a signing area and choose the signature options.

Done!

References

Digitale handtekeningen:

(NL) https://eid.belgium.be/nl/digitale-handtekeningen

(EN) https://eid.belgium.be/en/digital-signatures

And also

Add or remove a digital signature in Office files: https://support.microsoft.com/en-us/office/add-or-remove-a-digital-signature-in-office-files-70d26dc9-be10-46f1-8efa-719c8b3f1a2d

Note-to-self: Reference Articles on eID, privacy & GDPR

The following list of articles is a memory help and quick reference to interesting and useful articles regarding the use of eID (Belgian Identity Card), related to privacy, data protection and GDPR.

This article will be updated regularly when interesting items are discussed or noted in workshops, discussions or other social media like LinkedIn.

eID

GBA advisory on photocopying identity cards

https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/aanbeveling_03_2011.pdf

LinkedIN articles

Denk 2 keer na voor je een fotokopie laat maken van je identiteitskaart

(Think twice before you let someone photocopy your identity card)

https://www.linkedin.com/pulse/denk-2-keer-na-voor-je-een-fotokopie-laat-maken-van-peter-geelen-/

Het gebruik van uw identiteitskaart als waarborg? (Using your identity card as warranty. NOT.)

https://www.linkedin.com/pulse/het-gebruik-van-uw-identiteitskaart-als-waarborg-peter-geelen/

Direct Marketing

Direct marketing and protection of personal data

Interesting cases & decisions

See other post: collecting interesting cases and decisions by the Belgian DPA:

https://identityunderground.wordpress.com/2020/06/11/note-to-self-interesting-dpa-decisions-court-cases-regarding-gdpr-it-security/

Note-to-self: Interesting DPA decisions & Court cases regarding GDPR & IT Security

This is a memory help for quick references to interesting court cases and DPA decisions regarding subject rights under GDPR.
This reference list will grow over time, but it saves on physical brain space.

BE – GBA (Privacy Commission References)

Mainframe vs Subject Rights

https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Be01-2019ANO.pdf#overlay-context=beslissingen-van-de-geschillenkamer

Mainframe part 2

Arrest in beroep (judgment on appeal)

NL – GBA (Autoriteit persoonsgegevens)

NL – Justice

It-bedrijf moet schade door ransomware bij klant grotendeels vergoeden (IT company must largely compensate its customer for ransomware damage)

https://www.security.nl/posting/660081/It-bedrijf+moet+schade+door+ransomware+bij+klant+grotendeels+vergoeden

PowerShell starter – learning material

Just got a question about learning material for ramping up with PowerShell.

Some quick links below (and growing; updated when I find more useful stuff…)

Microsoft Docs – Tech Reference & learning

https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-7

https://docs.microsoft.com/en-us/powershell/scripting/learn/understanding-important-powershell-concepts?view=powershell-7

https://docs.microsoft.com/en-us/powershell/scripting/learn/more-powershell-learning?view=powershell-7

PowerShell starter guide

http://powershelltutorial.net/

https://github.com/PowerShell/PowerShell/blob/master/docs/learning-powershell/powershell-beginners-guide.md

https://blog.netwrix.com/2018/02/21/windows-powershell-scripting-tutorial-for-beginners/

https://www.guru99.com/powershell-tutorial.html

Technet Wiki

https://social.technet.microsoft.com/wiki/contents/articles/19425.powershell-voor-beginners-nl-nl.aspx

Latest version of PowerShell (PowerShell 7)

https://devblogs.microsoft.com/powershell/announcing-powershell-7-0/

Free learning sources: Microsoft Learning

https://docs.microsoft.com/en-us/search/?search=powershell&category=All

https://docs.microsoft.com/en-us/learn/browse/?term=powershell

Azure PowerShell (Cloud)

https://docs.microsoft.com/en-us/learn/modules/automate-azure-tasks-with-powershell/

PowerShell community

Free Resources

Books

http://freecomputerbooks.com/Mastering-PowerShell.html

https://powershell.org/category/books/

Ebooks

https://leanpub.com/u/devopscollective

Microsoft Blog archive: ebooks Give-Away

Videos

Youtube

https://www.youtube.com/powershellorg

Channel 9

https://channel9.msdn.com/Search?term=PowerShell&sortBy=top-rated&lang-en=true

https://channel9.msdn.com/Blogs/MVP-Windows-and-Devices-for-IT/PowerShell-for-Beginners

Linkedin

https://www.linkedin.com/posts/alex-rodrick-60330b123_powershell-for-beginners-ugcPost-6672878146351620096-yIQw

From MS Technet Gallery to Github

As Microsoft TechNet is about to be deprecated (June 2020), I've completed the move of my documents and scripts gallery to GitHub.

A major advantage is that GitHub can be managed from a desktop client.

You’ll find some (35+) interesting links and downloads of

  • various powershell scripts to manage
    • AD
    • Microsoft Identity manager (FIM & MIM)
    • HTML
    • Technet Wiki
  • sql scripts
  • Word templates
  • XLS templates and tools

Bookmark this link for easy memory: http://ffwd2.me/mygallery


Visio – PDCA cycle graphics (EN, FR, NL)

This Visio file is an editable version of the PDCA cycle image hosted on Wikipedia.

Source: https://en.wikipedia.org/wiki/PDCA

Text is available under the Creative Commons Attribution-ShareAlike License; this license applies to this work too.

Quoted from source:

PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products.[1] It is also known as the Deming circle/cycle/wheel, the Shewhart cycle, the control circle/cycle, or plan–do–study–act (PDSA). Another version of this PDCA cycle is OPDCA.[2] The added “O” stands for observation or as some versions say: “Observe the current condition.” This emphasis on observation and current condition has currency with the literature on lean manufacturing and the Toyota Production System.[3] The PDCA cycle, with Ishikawa’s changes, can be traced back to S. Mizuno of the Tokyo Institute of Technology in 1959.[4]  

Download available in my GitHub library: Visio – PDCA cycle graphics

€750.000 per year for some one-pager PDF; you can do that too.


(Image Credits: mohamed Hassan via Pixabay)

Dear Annie BG Mathews,

Dear CIO Applications Europe,

(quote, feb 2020) “I am Annie from CIO Applications Europe magazine and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the Information Security arena and have shortlisted them to be featured as one of the “Top 10 Information Security Consulting/Service Companies 2020”, <…> being one of them.”

(quote, apr 2020) “I am Annie from CIO Applications Europe magazine, and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the GDPR arena and have shortlisted them to feature as one of the “Top 10 GDPR Consulting/Service Companies 2020”, <…> being one of them.”

Did you also get the same mail from “CIO Applications Europe”, with their fabulous “Top 10” marketing, asking a small fee of €2500,- to be featured as a top player in the <see below> field, for which you get a fabulous … eh.. single one-pager PDF. And the use of their Top 10 logo in your marketing.

Top, you make me feel so special!

Just.. ehm… the grapevine (radio couloir) says lots of my sector contacts and LinkedIn network contacts got the exact same mail.. So, top 10, my @§§.

Marvelous quick win

Just a bit of 12-year-old math says: that is a smart turnover of 25.000 EUR per published Top 10. Knowing that they published roughly 30 of their “top 10” articles for 2019, this means a quick win of €750.000 on one-pagers only.

The categories they have listed last year:

(Look it up yourself: https://www.google.be/search?q=inurl:cioapplicationseurope.com+%22Top+10%22+%22-+2019%22)

  • Agile Technology, Asset management, Automotive, Blockchain, Blockchain Solutions, Business Intelligence, CEM solution, Contact center, Cognitive consulting, ERP, FinTech Solution, GDPR Solutions, GDPR consulting, IBM Solution, Information Security, IoT solution, IT services management, Legal technology, Mar tech, Microsoft solution, Microsoft Consulting, Procurement, Proptech, Salesforce, Smart City Tech,…

Forgive me if I forgot another €25.000,- in the 30x Top 10 of 2019 they listed.

But some important categories are missing, so you can do that too; some ideas below.

If the “Top 10” on GDPR is completed, you create new categories like “GDPR consulting”, “GDPR legal advice”, “GDPR breach specialist”, “GDPR expert”, “GDPR Services”, that’s another 125K of revenue, easy deal to fill the 1 million bucket.

So, you can buy yourself a list in the Top 10.

So here’s the deal, for 2499 EUR, you can get listed in the 2020 Top 10 spam and scam companies, you get a full A6 print page (special 7pt Wingdings font) with a 3 minute made-up interview with your CSSO. (Chief Spam’n Scam Officer.)

Legit business??

For €2499,- you get an interview, a one pager and a logo for display.

I quote: “We want to work with you towards a single page article after an interview with the senior management projecting the unique story of your company. For a nominal amount of 2,500 Euros, you will own complete print and digital rights to use the pdf of profile in your process of acquiring new clients along with many other prominent benefits like rights to use the Top 10 logo in your communications, single page complimentary advertisement placement and many more which I would love to explain when we connect.”

It’s not forbidden to make you a ridiculous offer, but do you really want to sponsor this scam and spam practice and keep it alive?

Fact is, this is not ‘just a spam’ campaign.. It's set up as a legitimate business, at first sight.

You can still ask yourself why CIO Applications “EUROPE” would have a phone number in the US.

#GDPR!

It’s not only about the scam, they are using personal data without notification.

And you can argue they can use “legitimate interest”. Yes, for sure. But they still need to apply articles 13 and 14 when collecting personal data. Their privacy notice (https://www.cioapplicationseurope.com/privacy-policy/) is not mentioned in the mail communication, and it does not mention how they collect my data and how they process it. Neither do they refer to the required legal GDPR mentions (like DPO contact and so on…).

There is no reference on how to file a data subject access request… you can always spam their marketing department as mentioned in their privacy notice.

So, this could even be a valid reason for contacting your DPA and filing a complaint.

I don’t want to unsubscribe to spam mail, because I don’t want to give you just more information if you don’t respect me from the beginning.

What’s the real problem then?

What do you think of a “Top-10” ranking, that is only based on the fee you pay? The first 10 that pay, are in the top 10. Number 11, bad luck. Oh wait, we’ll setup another top 10.

This feels like bribery. And mental pressure.

They send out the requests to new companies, struggling to conquer the market. They make you feel important, but it's only about the money.

This type of practice puts other legitimate rankings in a bad light… the smell of money on a “Top 10 …something”. This destroys the reputation of other communities, value papers and IT or security sectors. It's not isolated to this one bad apple.

Be smart

Think. If it doesn’t feel right, it is not right. For a bare €2499,- you can achieve a lot more than a single page PDF and a top 10 logo.

For the same money and the support of a real marketing specialist, and some smart channel management, you can create real impact.

But most important of all, do what you do best. Create impact. Create great stuff, create buzz, let customers tell your story…

Stay out of the pile of bad apples.

#justthinking

Note-to-self: MNM of the KSZ (Minimal Standards – Social Security)

Minimal Standards (Minimale Normen / Normes Minimales) of the KSZ (Kruispuntbank van de Sociale Zekerheid, the Crossroads Bank for Social Security), based on ISO 27001/ISO 27002

“The application of the minimal standards for information security and privacy is mandatory for social security institutions in accordance with Article 2, first paragraph, 2° of the Act of 15 January 1990 establishing and organising a Crossroads Bank for Social Security (KSZ). In addition, the minimal standards for information security and privacy must also be applied by all organisations that form part of the social security network in accordance with Article 18 of this Act. Finally, the sectoral committee for social security and health may also impose compliance with the minimal standards for information security and privacy on bodies other than those mentioned above.”

Bookmark:

(NL) https://www.ksz-bcss.fgov.be/nl/gegevensbescherming/informatieveiligheidsbeleid

(FR) https://www.ksz-bcss.fgov.be/fr/protection-des-donnees/politique-de-securite-de-linformation

(edit)

Note: to be clear, these documents are nothing new in themselves, but outside social security these standards are less well known… which is why it is still useful to keep them as a memory aid and reference. You come into contact with them sooner than you think…

Cybersecurity for liberal professions and SMEs (Webinar at VLAIO)

Last Friday, 21 February, Agentschap Innoveren & Ondernemen organised a practical webinar on cybersecurity.

We showed an innovative approach that helps increase the self-reliance and resilience of SMEs regarding cybersecurity.

Cybersecurity is considered one of the biggest concerns in today's entrepreneurship. The security of (customer) data is a top priority and developing a policy on it is necessary. As an adviser, you will regularly get the question from your customers how they should get started with this.

Many thanks to Melissa Gasthuys as host and Eveline Borgermans for the perfect guidance and recording at Agentschap Innoveren & Ondernemen

Here is the link to the slides

The link to the recording:

And you can always take a look at cybervoorkmo.be for more tips and hints.