baseline

You expect a phishing test… and then the real stuff kicks in… some quick tips to block evasion techniques

I see more and more phishing exercise fatigue kicking in at my customers…

But it’s more than ever required to be vigilant for new techniques that try to circumvent the typical URL blocking and the other protection layers you put in place.

You’re the best firewall.

What is going on?

You know, these companies that first announce a #phishing test…

which go unnoticed because they are caught by the 𝐬𝐩𝐚𝐦 𝐟𝐢𝐥𝐭𝐞𝐫…

And a few weeks later you get the 𝐫𝐞𝐚𝐥 𝐬𝐭𝐮𝐟𝐟 𝐢𝐧 𝐲𝐨𝐮𝐫 𝐢𝐧𝐛𝐨𝐱 from the same company.

With ridiculous worse quality than the actual test… but still its in the inbox ready to click (DON’T!).

You assume phase 2 of the phishing test…another round, right? (you think: “yeah, right, not me.”).

Because the new mail comes with ridiculous bad quality (⚠️1) than the actual test…

Nowadays you expect smart mails from these criminals…

But still it doesn’t feel OK …you start to realize that this might the real stuff…

Checking for some more phishing indicators (⚠️)

A mail with you in bcc…. (⚠️2)

Addressed to a very strange (New-Zealand) mail address (⚠️3)

with a PDF alike icon image embedded (⚠️4)

via a google drive link (⚠️5)….

SPOILER: I crippled the link mentioned in previous screenshot to avoid any accidents…

SPOILER 2: DO NOT, EVER CLICK these links…

Still, If you can’t control your curiosity, you might peek into the link via alternative methods (see later).

The display of unrelated content, with payment instructions (⚠️6), isn’t really what you would expect.

Because if you even dare to click the links you get another link (⚠️7)… and this time the browser malware detection (Smartscreen filtering) kicks in .. at last… so I’ll stop the curiosity here…

Why is this an issue?

The main issue here is: the phishing links are pointing to well-known (like Google drive, Microsoft OneDrive, Dropbox…) for hosting malware, which usually escape or bypass the malware URL detection…

Security tips

Rule nr 1: Don’t click links in unexpected mails

Curiosity kills the cat: Please withstand the urge to click the links to satisfy your curiosity….

If you don’t expect the mail, be very cautions, don’t click the links.

Control your curiosity: test the links in isolated mode

If you can’t control your curiosity, don’t ever click the links on your main computer.

But copy the link and open it

  • in a Windows sandbox
  • virtual machines or test machine… not your production machine
  • mobile device

Use Windows Sandbox

Since Windows 10 (Pro) you can use Windows Sandbox (free), that is a virtual, isolated environment. So you can test some interesting things without damaging your production host machine.

By stopping the Sandbox, the machine forgets all settings and returns to default state, pristine.

More info: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview

Run a quarantined client in virtual machine

Use Microsoft Hyper-V (free) or Oracle Virtual box (free) and install a client OS in the virtual machine.
Snapshot the machine before the test, perform the test, return to snapshot to avoid any left overs of malware.

Run the link on a mobile phone

Less secure, but better than running malware on your most important machine, is running the link on a browser on your mobile device. There is lower risk of infection and less impact than loosing your primary working machine, although… be aware, there is still a small risk of infection even for smartphones…

Additional security measures

To permit some stupidity and protect against accidents, please make sure

  • to implement all the latest OS security updates, patch on a continuous basis
  • have an anti-malware and anti-virus that is updated continuously
  • keep the default OS security features enabled including local system firewall and malware detection
  • consider a paid antivirus subscription, it’s worth the money and keep it up to date every hour
  • get a mail protection against malware, tracking, phishing and ransomware (like Windows defender for 365) have regular backups (1 online and 1 offline) and test the restores
  • use cookie/tracking/advertisement blockers
  • use a DNS blackhole system to protect your network from accessing suspicious URLs (including tracking and phishing websites, advertisements, C&C Command and control malware domains, …)

You’re the best firewall

Don’t get caught.

Don’t be curious.

Suspect everything you don’t expect.

Don’t click the links.

And if you’re curious, keep it safe and secure.

Note-to-self: free download of interesting guides for SME from DigitalSME.eu

Jean-Luc Allard pointed out to a #free#download of interesting guides for #SME on implementing the #informationsecurity basics we all need:

Freshly published: Essential controls for SMEs to protect user’s #privacy and data and ensure #GDPR compliance (based on new #ISO27002)
https://lnkd.in/epridtnY

Direct download of PDF: https://lnkd.in/en8rVMBY

And also: The #ISO27001 standard made easy for SMEs:
https://lnkd.in/eiaBbdmp
Direct PDF access: https://lnkd.in/eFR2yjp

And there is more on the website of European DIGITAL SME Alliance (website: https://www.digitalsme.eu/)

#smebusiness#smesupport#smallbusiness

Note-to-self: 2020 IDG Security priorities study

Source: https://f.hubspotusercontent40.net/hubfs/1624046/2020_Security%20Priorities%20Executive%20Summary_final.pdf

End 2020 IDG published a study on Security priorities, and it provides important guidelines to the priorities of securing yourself and your company

  1. Protection of confidential and sensitive data
  2. End-user awareness
  3. Corporate resilience
  4. Enhance access control
  5. Understand external threats
  6. Application security
  7. Plan for unexpected risks

This pretty much confirms that your customers, stakeholder’s and staff interest in protecting personal data is driving security from business perspective.

If you see the increase of cyberattacks and ransomware hitting the business, it’s pretty obvious that Business Continuity Management and Disaster recovery must be on top of your priority list.
You need to have a tested plan against successful cyberattacks and ransomware, to avoid extended business damage and massive (ransom) costs … afterwards.

To put a plan together, you need to understand who is your adversary and what the current state of cybersecurity is.
And this study is a simple but smart guide to define your priorities.

The better you prepare, the less it will cost.
But you’ll only be able to tell when it goes wrong.

Don’t get caught by surprise, be ready.

Cyber security challenge voor het weekend: Hoeveel #phishing indicators kun je identificeren in de onderstaande mail?

(English version of article published on LinkedIN: https://www.linkedin.com/pulse/cybersecurity-challenge-finding-phishing-indicators-peter-geelen/)

De uitdaging

Vind zoveel mogelijk phishing-indicatoren in de e-mail die ik onlangs heb ontvangen. Screenshot hieronder.

Hoeveel indicatoren kun je vinden?

Het nummer om te verslaan is 12.

Kun je ze vinden, of kan je het beter doen? (zo ja, twijfel niet om de indicatoren die je vond te melden in een commentaar).

Tip: Stop met verder te scrollen als je de uitdaging wilt aangaan, voordat ik hieronder de oplossing verklap.

Snelle oplossing: overzicht van de indicatoren

  1. Belangrijk: De bizarre (onverwachte) naam van de afzender
  2. Belangrijkste: Het e-mailadres van de afzender komt niet overeen met de naam
  3. Heel belangrijk: Spelfouten
  4. Zeer belangrijk: Slechte grammatica
  5. Belangrijk: Verkeerde leestekens
  6. Belangrijke fouten in het ontwerp / de lay-out
  7. Uiterst belangrijk: URL komt niet overeen en wijst naar een phishing-website
  8. Belangrijk: Gevoel van dringendheid: “Wachtwoord verloopt binnen (0) dagen”
  9. Verdachte instructies (contra-intuïtief)
  10. Productfouten
  11. Verkeerde bedrijfsreferenties
  12. E-mail voettekst ontbreekt (of afmeldlink ontbreekt of privacynote ontbreekt)

En aan het einde: een bonus (die is niet weergegeven in (en niet van toepassing op) het huidige voorbeeld screenshot).

De aanpak voor een gedetailleerde analyse

Over het algemeen zijn er 4 niveaus van indicatoren waar je op moet letten

  • het gemakkelijke deel, duidelijke zichtbare fouten
  • verborgen indicatoren, gemakkelijk te vinden (bijv. muisaanwijzer over de links, ZONDER te klikken!)
  • geavanceerde onderdelen, waarvoor je een beetje kennis nodig hebt
  • deskundige kennis / ervaring vereist

Ten eerste, het makkelijke deel.

De gemakkelijkst te vinden en meest zichtbare #phishing  indicatoren

1. Belangrijk: De bizarre (onverwachte) naam van de afzender

In dit specifieke geval wordt de naam van de afzender gevormd uit:

  1. het ontvangerdomein dat als voorvoegsel wordt gebruikt (ALARM!)
  2. onvolledig e-maildomein achtervoegsel (ALARM!)

Taak: controleer de naam van de afzender.

Evaluatie: gealarmeerd zijn, als

  1. de naam van de afzender heeft een vreemd, abnormaal formaat (
  2. de afzender is niet bij u bekend,
  3. de post wordt niet verwacht, een verrassing uit het niets

2. Het belangrijkste: Het e-mailadres van de afzender komt niet overeen

Het eenvoudige deel is om te controleren of de naam van de afzender overeenkomt met het e-mailadres van de afzender.

Dit is niet altijd zichtbaar, zeker niet op smartphones.

Taak: controleer expliciet het volledige e-mailadres.

Evaluatie: gealarmeerd zijn, als

  1. de naam van de afzender komt niet overeen met het volledige e-mailadres

3. Heel belangrijk: Spelfouten

Hoewel phisher steeds meer “professioneel” wordt, zijn spelfouten een belangrijke indicator. Marketingbedrijven besteden (meestal) enige tijd om de grammatica goed te krijgen.

4. Zeer belangrijk: Slechte grammatica

In de voorbeeldmail ziet u de instructie “Gebruik hieronder om te bewaren” (EN: “Use below to keep…”)

Wat gebruiken??

Een goed gebruik van grammatica zou zijn: “Gebruik onderstaande link om uw wachtwoord te behouden.”

5. Belangrijk: Verkeerde leestekens

Naast slechte grammatica zijn verkeerde leestekens (spaties, stippen, komma’s, …) een belangrijke indicator voor spam, hoewel spammers tegenwoordig de neiging hebben om betere zorg te gebruiken om inhoud te bouwen.

6. Belangrijke fouten in het slechte ontwerp / lay-out

Controleren op belangrijke lay-outproblemen of HTML-fouten

De gevaarlijkste

7. Uiterst belangrijk: URL komt niet overeen en wijst naar een phishing-website

Een veel voorkomende phishing-techniek om u op malwarelinks te laten klikken.

Taak: controleer zorgvuldig de bron-URL door met de muis over de koppeling te gaan en de bron-URL weer te geven. Maar KLIK NIET op de link.

Taak: Controleer ALTIJD de bron-URL.

Evaluatie, moet u gealarmeerd zijn als

  • de URL komt niet overeen met het e-mailadresdomein van de afzender
  • de URL is een volledig onbekend domein

De phisher gebruikt mentale druk om je te laten klikken

8. Gevoel van urgentie: “Wachtwoord verloopt binnen (0) dagen”

De phisher probeert je hersenen te verkorten en dringt er bij je op aan om op de phishing-link te klikken, door het bericht zeer dringend te maken, waardoor je onmiddellijk actie moet ondernemen.

Niet doen.

NIET KLIKKEN, NIET HAASTEN.

Neem de tijd, een mail NEVER is urgent (denk aan het netiquette principe van het reageren op mail binnen 24 of 48 uur…).

Volwassen, openbare systemen sturen je ver van tevoren een heleboel meldingen. En “Wachtwoord verloopt binnen (0) dagen” is de verkeerde manier om u te vertellen “Wachtwoord is verlopen”.

9. Verdachte instructies

Denkt u echt dat een bedrijf u zou vragen om uw wachtwoord???

Integendeel, u wordt vaak gevraagd om uw wachtwoord te wijzigen of extra beveiligingsfuncties toe te voegen, zoals MFA.

Deze hebben wat meer onderzoek nodig

10. Productfout

Een tijdje geleden verplaatste Microsoft de Office online suite van “Office 365” naar “Microsoft 365″… dus de gebruikte productreferentie, is verkeerd. Microsoft verwijst in de huidige communicatie niet naar ‘Office 365’.

Toch kunnen sommige meldingen verwijzen naar Office 365… dit is dus niet altijd duidelijk of gemakkelijk te detecteren.

11. Verkeerde bedrijfsreferentie

Niet altijd te gemakkelijk te detecteren, maar in de e-mailvoettekst verwijst Microsoft niet naar zichzelf als gewoon “(C) 2021 Microsoft”, maar het moet “Microsoft Corporation” zijn en heeft een link naar de privacyverklaring en / of afmeldopties

Er is meer

12. Mail footer ontbreekt

Wat u van een gerespecteerd bedrijf kunt verwachten, is een e-mailvoettekst met aanvullende instructies, zoals privacyverklaring, afmeldfunctie, raadpleeg uw profiel of open de beheerdersinterface om uw profiel en beveiliging te beheren.

Enkele voorbeelden:

E-mails van het Microsoft 365-beheercentrum eindigen op :

Wanneer het e-mailreputatiesysteem u helpt…

Mail wordt in de spam folder gestoken

  • wanneer de e-mail is gedetecteerd als spam, als gevolg van een slechte e-mailreputatie van het afzender- of afzenderdomein, zal uw e-mailsysteem (server/client) de e-mail markeren als spam. Ter informatie gebruikt Microsoft de e-mailclient, Microsoft smartscreen en defender intelligence om e-mails te markeren voor spam.
  • controleer beter de e-mails in de spammap, omdat deze vals-positief kunnen zijn (legitieme e-mails gemarkeerd als spam)

Antimalware tagt de e-mail als [spam]

  1. veel anti-malware / anti-virus programma’s hebben een spam / phishing-controle, die de e-mail als verdacht markeert en naar spam verplaatst. Deze programma’s gebruiken de virus-/spamdefinities van de leverancier.

Wat moet je doen met phishing mail?

ZORG ER ZEKER VOOR dat

  • je de mail aangeeft bij lokale cyberautoriteiten (bv. in België, stuur verdachte post door naar SafeOnWeb, via  suspicious@safeonweb.be)
  • je de e-mail markeert als spam in uw e-mailclient of antivirusprogramma’s (zodat Microsoft of uw antivirusprogramma de e-mail kan analyseren om hun spamdefinities bij te werken.)
  • je jouw contacten/afzenders waarschuwt als ze u spam- of phishingmails sturen. Hun systeem kan geïnfecteerd of gehackt zijn.
  • verwijder de mail zo snel als mogelijk

NOOIT

  • de e-mail doorsturen naar uw contactpersonen
  • klikken op links in de mail

Referenties

Engelse versie van het article: https://www.linkedin.com/pulse/cybersecurity-challenge-finding-phishing-indicators-peter-geelen/

PECB MS : Building your data protection foundation by using the ISO/IEC 27701 core components

I had a great opportunity working with PECB MS, writing an article on building a #dataprotection foundation, using #ISO27701,.. perfectly fit for small business #SMB/#smebusiness.

Your data protection is a very strong #marketing tool to become the #trustedpartner of your customers.

No doubt: Get started! Doing nothing will cost you.

You can find the article over here:

Enjoy!

And even better, get in touch if you want to have a chat building your data protection.

Extended mapping of CIS Controls to ISO27001 security controls

Introduction

The CIS (Center for Information Security) Controls list is a very well known list of security measures to protect your environment against cyberattacks.
The Center for Information Security provides a handy XLS sheet for download to assist in your exercise.

Here is the link: https://www.cisecurity.org/controls/cis-controls-list/

Many companies use this controls list already, but also require to map their CIS security controls to ISO27001, for various reasons.

Implementing security controls with regards to the NIS directive, is one of them, eg when you’re implementing OT…

ISO27001 controls mapping

For that purpose the CIS provided a XLS mapping between the CIS controls and ISO27001.

You can download the sheet from the CIS website: https://learn.cisecurity.org/controls-sub-controls-mapping-to-ISO-v1.1.a

Security note for the security freaks, apparently the document is hosted on the pardot(dot)com Salesforce website, which might be blocked by Adlist domain blockers as it’s used for marketing campaigns, you might need to unblock it, or use Tor browser…)

Alternatively, it’s available from the CIS Workbench community at: https://workbench.cisecurity.org/files/2329 (registration might be needed to access the download)

FYI, the previous version (2019, v1) of the mapping had quite some gaps. Therefor I’ve submitted a suggestion for an updated CIS-ISO27001 mapping.
And after review, a new version (1.1) with updates has been published on the CIS workbench.

Direct download for version 1.1 available at: https://workbench.cisecurity.org/files/2329/download/3615

Still some gaps

You’ll notice that the update (1.1) version has still some gaps. And I’ll leave to the discretion of the CIS review work group to argument these gaps.


But I’m convinced you can map the CIS controls for 100% to ISO27001, in one way or another, meaning use ALL ISO27001 controls in certain extent (sometimes a subset, equally or a superset of it, combining controls.)

But the license for use of the CIS controls mapping does not allow redistribution of modified materials…

Disclaimer (the small print)

Here’s the License from the mapping file:

Their work (quote) “is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).”

So I CANNOT distribute the XLS as modified material (Why not?).

Extending the mapping

If you still want to build an extended version of the mapping on your own, you download the 1.1 version and add these items to the list:

CIS sectionCoverageISO27001 Control
2.2=A.12.5.1
2.5=A.8.1.1
2.8small subsetA.12.5.1
2.10small supersetA.9.4.1/A.8.2
3.1small subsetA.12.6.1
3.2small subsetA.12.6.1
3.4small subsetA.12.6.1
3.5small subsetA.12.6.1
3.6small subsetA.12.6.1
4.1small supersetA.8.1.1/A.9.2.3 
6.5small subsetA.12.4.1 
6.6small subsetA.12.4.1 
6.8small subsetA.12.4.1 
7.3small subsetA.12.2.1
7.5small supersetA.8./A.13.1.1
7.6small subsetA.13.1.1
8.3small subsetA12.2.1
9.5small subsetA.13.1.1
10.2small subsetA.12.3.1
10.5=A.12.3.1
11.1small subsetA.13.1.1
11.2small subsetA.13.1.1
11.6small subsetA.13.1.1
12.1small subsetA.13.1.1
12.5small subsetA.13.1.1
12.10small subsetA.13.1.1
13.2small subsetA.11.2.5
14.7small subsetA.8.2.3
16.2small subsetA.9.3.1
16.3small subsetA.9.3.1
16.9small subsetA.9.2.1
16.10small subsetA.9.2.1
16.12A.12.4.1
16.13A.12.4.1
17.1=Clause 7.2
18.3=A.12.5.1
18.4A.12.5.1
18.7A.14.2.9
18.10small subsetA.14.2.5 
18.11small subsetA.14.2.5 
19.3small subsetA16.1.1
19.6small subsetA16.1.2
19.7small subsetA16.1.1
19.8small subsetA16.1.4
20.1small subsetA18.2.3
20.2small subsetA18.2.3
20.3small subsetA18.2.3
20.4small subsetA18.2.3
20.5small subsetA18.2.3
20.6small subsetA18.2.3
20.7small subsetA18.2.3
20.8small subsetA18.2.3

Planning for ISO Certification using CIS Controls?

When you look at it from a different angle and you would like to build a plan to certify your ISO27001 implementation, we need to turn around the mapping, and look for the gaps in the ISO27001 security controls AND CLAUSES, when doing the CIS control mapping.


And then you’ll notice the explicit difference in approach between CIS controls and ISO27001 controls.
CIS controls are focusing on technical implementation to harden your cybersecurity, while ISO27001 is a management system that needs these controls, but requires a management layer to support these technical controls. CIS controls are lacking this management layer.
If you compare both systems in a table the story gets clear:

The “red” areas require extra work to make it ISO27001 compliant.

And as always, if you have suggestions of feedback to improve this article, let me know, I’ll fix it on the fly.

A quick walk-through of the new ISO29184 – Online Privacy notices and consent

Source and download: https://www.iso.org/standard/70331.html

With the publication of the GDPR in 2016, it quickly became clear that it would massively impact the direct marketing sector, simply because direct marketing runs on personal data.

On 25 may 2018, the GDPR came into force, changing the global mindset on data protection (and privacy by extension).

Anno 2020, 2 years after the publication, many enterprises, large and small still struggle to apply the data protection regulation and best practices.

And for the direct marketing companies, this is a particular difficult topic, after 4 years.

So, maybe, the newly (june 2020) published standard can provide a practical help to implement consent management. Please remind that the GDPR is a regulation/law… not a best practice with hints and tips.

For hints & tips and practical advice on GDPR, check the EDPB (previously known as WP29) website: https://edpb.europa.eu/our-work-tools/general-guidance_en (Check the Our Work & Tools menu).

While there has been a lot of guidance, communication & education on implementing a direct marketing that is compliant with GDPR and ePrivacy/eCommunication regulation and directives.

Even, for other markets than direct marketing where managing personal data is optional (meaning, not part of core business), you can use this guide to manage privacy or data protection notices for your newsletters and website.

Side note

The ISO 29184 is strictly and only about privacy notices and consent, it’s not an in depth guide for direct marketing, but it’s an essential part of it.

If you need more information on the EU ePrivacy/eCommunications directive , see here: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058

ISO 29184 content walk through

Document structure

After the mandatory basic chapters (Foreword, 1. Scope), the document hints to ISO 29100 in chapter 2 (Normative References) and 3. (Terms and definitions.

Important note here is that the definition of “explicit consent” has been updated to match the GDPR requirement for unambiguous affirmative consent.

Chapter 5 contains the “general requirements and recommendations”.

A major requirement (and typical for ISO compliance like in ISO9001 and ISO27001) is that you need to document the implementation of each control in this standard.

The content is structured in 5 chapters (Level 2)

  1. Overall objective
  2. Notice
  3. Contents of notice
  4. Consent
  5. Change of conditions

To read the full details, you know what to do,…

But it’s interesting to see the technical/operations controls required in this standard

General conditions on privacy notice

  • Provide information to all interested parties about your privacy practices, including
    • the identity and registered address of the data controller, and
    • contact points where the subject (in this standard the subject is called “PII principal”)
  • Provide clear and easy to understand information
    • with regards the target audience,
    • which are usually NOT lawyers or data protection specialists),
    • taking care of the expected language of your audience
  • You must determine and document the appropriate time for providing notice
    • Remember the Art. 13 and Art 14 definitions in GDPR
    • By preference, you should notify the subject immediately before collecting PII (and/or consent)
  • You must provide notices in a appropriate way
    • by preference in more than 1 way,
    • to make sure the subject can find and consult the notices,
    • digitally and in a easy accessible method
    • also after initial contact
    • As also defined in many GDPR guidelines, the consent standard refers to a multilayer approach (avoiding to provide too much information at the same time, but provide the details when needed)
  • Make sure that the privacy notice is accessible all the time.

Notice content

  • make sure you’re absolutely clear, honest and transparent about your personal data processing
  • Define, document and describe clearly
    • the processing purpose
    • each element of the processing (remember the processing definitions defined in Art. 4 of GDPR)
    • the identification of the data controller
    • the data collection details, incl
      • methods used
      • details of data collected
      • type of collection (direct, indirect, observation, inference…)
      • timing and location of collection
    • use of data, including
      • direct use without data transformation
      • reprocessing data
      • combining, like enrichment
      • automated decision making
      • transfer of data to 3rd party
      • data retention (incl backup)
    • data subject rights
      • access request
      • authentication to provide access
      • timelines
      • any fees that apply
      • how to revoke consent
      • how to file a compliant
      • how to submit a inquiry
    • Evidence about consent provided (and changed) by the subject
    • the legal basis for processing PII/personal data
    • the risks related with the data and the plausible impact to the subject privacy

Consent management

  • Identify if whether consent is appropriate
    • Remember that there are other purposes and reasons for processing data, which usually have a more stable, more solid background, like
      • contracts
      • compliance with legal obligations and regulations
      • vital interest,
      • public interest
      • (legitimate interest, which is usually way more difficult to enforce or to convince the subject)
    • Informed and freely given consent
      • how do you guarantee that the subject is providing consent without any feeling of coercing, force, conditions, …
      • Independence from other processing or consent
        • Remember the GDPR guidelines where you CANNOT force consent as
    • Inform the subject which account this processing is related to
      • provide a clear description of the identifier (userID, mail, login, …)

ISO29184 also introduces the consent lifecycle, meaning that is it’s not sufficient to provide notice at first contact with the subject, but you also need to maintain, to update and to renew it on a regular basis, taking into account that the conditions of consent might change (or might have changed after initial consent).

The last part of the ISO 29184 are annexes with interesting user interface examples.

The perfect document set

To make the online privacy and consent management work, this ISO/IEC 29184 will not do on itself as the standard links to the following documents:

  • (FREE, EN – FR) ISO 27000: ISMS vocabulary
  • (*) ISO27001: ISMS, Information Security Management Systems
  • (*) ISO27002: Code of practice for ISO 27001)
  • ISO27701: PIMS, Privacy Information Management System, the privacy or data protection extension of ISO27001
  • (FREE, EN – FR) ISO29100: Privacy framework
  • ISO29151: Code of Practices – Privacy Framework (the ISO27002 version of ISO29100)
  • ISO29134: PIA, Privacy Impact Assessment (foundation of the DPIA in GDPR)

References

Free downloads

ISO Public documents: https://ffwd2.me/FreeISO

If not available for free download, then you’ll need to purchase the ISO standards documents from the ISO e-shop or from the national standards organisation (like NBN for Belgium, NEN for Netherlands, …)

Note-to-self: MNM van KSZ (Minimale normen – Sociale Zekerheid)

Minimale Normen / Normes Minimales van de KSZ (Kruispuntbank van de Sociale Zekerheid) gebaseerd op de ISO27001/ISO27002

“De toepassing van de minimale normen informatieveiligheid en privacy is verplicht voor instellingen van sociale zekerheid overeenkomstig artikel 2, eerste lid, 2° van de wet van 15 januari 1990 houdende oprichting en organisatie van een Kruispuntbank van de Sociale Zekerheid (KSZ). Bovendien moeten de minimale normen informatieveiligheid en privacy eveneens toegepast worden door alle organisaties die deel uitmaken van het netwerk van de sociale zekerheid overeenkomstig artikel 18 van deze wet. Tenslotte kan het sectoraal comité van de sociale zekerheid en van de gezondheid de naleving van de minimale normen informatieveiligheid en privacy ook opleggen aan andere instanties dan de hogervermelde.  ”

Bookmark:

(NL) https://www.ksz-bcss.fgov.be/nl/gegevensbescherming/informatieveiligheidsbeleid

(FR) https://www.ksz-bcss.fgov.be/fr/protection-des-donnees/politique-de-securite-de-linformation

(edit)

Opmerking: voor alle duidelijkheid, op zich zijn deze documenten geen nieuwigheid maar buiten de SZ zijn deze normen minder gekend… vandaar dat het toch nuttig is om ze bij te houden als geheugensteun en referentie. Je komt er sneller mee in contact als je denkt…

Note-to-self: logging policy considerations

Few days ago I got a question from a security officer for guidance on event and system logging.

What I can recommend: a good guideline and indication is this from OWASP.
You know OWASP is THE reference for software security …. with their OWASP top 10 etc.

Check this: https://owasp.org/www-project-cheat-sheets/cheatsheets/Logging_Cheat_Sheet

Another reference from NIST see below, very handy.

These are fairly complete in terms of guideline.

What you should pay special attention to from a policy point of view is

Special accounts

  •  Sensitive accounts
    • Highly priviliged accounts
    • Admin accounts
    • Service accounts
  • Sensitive systems
    • Domain controllers
    • Application servers
  • Sensitive data
    • HR data
    • Finance data
    • Legal data

Regarding the classification of accounts, check these:

For the users you also have to think carefully about events

  • Large volume of failed logons from sensitive users, may indicate
    • Attack
    • Denial of service
    • Hacking
  • Attack on the password database, large volumes of password change attempts …
    •  Smart password ‘testers’ will stay just below the blocking limit ..
  • Successful logons from special accounts at abnormal places or times
  • Changing the rights of sensitive accounts
    • Promotion of regular users to admins or other sensitive accounts in AD or central database

CLASSIFICATION

Make sure you have a data, user and system classification policy.
Define roles and / or categories.
Which objects are “not important”, “not sensitive”, sensitive, important, critical.
The protection must be tailored to the category type.

STORAGE

In addition, you should also write a policy on saving data.
This often poses a logistical problem with disk space.

If you know that sometimes attacks are only detected after 200-300 days, you should be able to do a forensic investigation in that period.
But that does not have to be on live data, if it is in backup, that is also good.

In terms of operational data you have to decide how much should be available immediately, for immediate consultation.
For example, that can be 1 month. (if the system can save so much)

BACKUP

Ensure that a backup can be guaranteed for a year (combination of full / differential and / or incremental backups or virtual snapshots …)
This is not a fixed period, but depending on risk management this may be more or less.

IMPORTANT: Time synchronization

Also make sure that you require NTP time synchronization, so that the clocks are exactly matched to each other on all systems.
Log analysis is impossible without correct timing.

SECURITY

Ensure that logs on source systems cannot be deleted by administrators.
Ensure that the logs following are shielded from system owners;
Ideally, you are obliged to store logs centrally (for example in a SIEM system).

Secure backups

Consider managed encryption of data and backups (not ransomware or malware).

Healthy logging and healthy backups

Make sure to test backups and restores!

Check the logs and backup for malware.

LOG CENTRALIZATION

Store logs centrally with sufficient storage capacity, security and backup.

LOG MANAGEMENT

A good management process and regular inspection must become mandatory.
Ensure monitoring for special events or special trends (sudden growth or sudden decrease or disappearance of logs)

Arrange forensic surveillance / detention if a burglary or data breach may need to be reported to the government / DPA / police.

The NIST documentation below provides useful hints and tips about the type of systems, routers, switches, firewalls, servers …

LEGISLATION

Take into account legislation such as GDPR or ePrivacy or others that impose your obligations (legal, judicial, international, fed gov, …)

EXPERIENCE

View and learn from past incidents and known use cases or accidents, which give a clear hint of what protect first.

PDCA – plan-do-check-act

Require a regular review of the policy and the rules, ensure that the guidelines are updated to the requirements and changing situations.

It is difficult if you find out after the facts that your log is not working properly.

Other references

And this is also a reference (NIST)

Note-to-self: 2019 …cost of a data breach…

Many InfoSec and data protection or privacy courses reference 3 authoritative yearly reports that show interesting numbers, statistics and trends about breaches year over year.

And these are extremely useful to talk about to your management…

Interesting to know they all have been updated for 2019.

1. Verizon DBIR

(The Verizon Data breach Investigations Report, DBIR)

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf (click the view only option)

2. IBM-Ponemon – Cost of a data breach report 2019

https://www.ibm.com/downloads/cas/ZBZLY7KL

(You can always use the official link and give away your privacy…at https://www.ibm.com/security/data-breach)

3. IAPP-EY Annual Governance Report 2019

(IAPP members get it for free)

Hint: the IAPP link below also shows reports of previous years.

https://iapp.org/resources/article/iapp-ey-annual-governance-report-2019/

V2018 also available from the EY website: https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/financial-services/ey-iapp-ey-annual-privacy-gov-report-2018.pdf