corporate security

Free (ISC)² Exams flash cards all in one place (*)

(*) with respect for your privacy, no login, nor mail required for

CISSP

CSSLP

CCSP

SSCP

CAP

HCISSP

Sorry, (free) registration still required for:

CISSP-ISSAP:https://enroll.isc2.org/product?catalog=CISSP-ISSAP-FC

CISSP-ISSEP: https://enroll.isc2.org/product?catalog=CISSP-ISSEP-FC

CISSP-ISSMP:https://enroll.isc2.org/product?catalog=ISSMP-FC-2019

Note-to-self: MNM van KSZ (Minimale normen – Sociale Zekerheid)

Minimale Normen / Normes Minimales van de KSZ (Kruispuntbank van de Sociale Zekerheid) gebaseerd op de ISO27001/ISO27002

“De toepassing van de minimale normen informatieveiligheid en privacy is verplicht voor instellingen van sociale zekerheid overeenkomstig artikel 2, eerste lid, 2° van de wet van 15 januari 1990 houdende oprichting en organisatie van een Kruispuntbank van de Sociale Zekerheid (KSZ). Bovendien moeten de minimale normen informatieveiligheid en privacy eveneens toegepast worden door alle organisaties die deel uitmaken van het netwerk van de sociale zekerheid overeenkomstig artikel 18 van deze wet. Tenslotte kan het sectoraal comité van de sociale zekerheid en van de gezondheid de naleving van de minimale normen informatieveiligheid en privacy ook opleggen aan andere instanties dan de hogervermelde.  ”

Bookmark:

(NL) https://www.ksz-bcss.fgov.be/nl/gegevensbescherming/informatieveiligheidsbeleid

(FR) https://www.ksz-bcss.fgov.be/fr/protection-des-donnees/politique-de-securite-de-linformation

(edit)

Opmerking: voor alle duidelijkheid, op zich zijn deze documenten geen nieuwigheid maar buiten de SZ zijn deze normen minder gekend… vandaar dat het toch nuttig is om ze bij te houden als geheugensteun en referentie. Je komt er sneller mee in contact als je denkt…

Note-to-self: logging policy considerations

Few days ago I got a question from a security officer for guidance on event and system logging.

What I can recommend: a good guideline and indication is this from OWASP.
You know OWASP is THE reference for software security …. with their OWASP top 10 etc.

Check this: https://owasp.org/www-project-cheat-sheets/cheatsheets/Logging_Cheat_Sheet

Another reference from NIST see below, very handy.

These are fairly complete in terms of guideline.

What you should pay special attention to from a policy point of view is

Special accounts

  •  Sensitive accounts
    • Highly priviliged accounts
    • Admin accounts
    • Service accounts
  • Sensitive systems
    • Domain controllers
    • Application servers
  • Sensitive data
    • HR data
    • Finance data
    • Legal data

Regarding the classification of accounts, check these:

For the users you also have to think carefully about events

  • Large volume of failed logons from sensitive users, may indicate
    • Attack
    • Denial of service
    • Hacking
  • Attack on the password database, large volumes of password change attempts …
    •  Smart password ‘testers’ will stay just below the blocking limit ..
  • Successful logons from special accounts at abnormal places or times
  • Changing the rights of sensitive accounts
    • Promotion of regular users to admins or other sensitive accounts in AD or central database

CLASSIFICATION

Make sure you have a data, user and system classification policy.
Define roles and / or categories.
Which objects are “not important”, “not sensitive”, sensitive, important, critical.
The protection must be tailored to the category type.

STORAGE

In addition, you should also write a policy on saving data.
This often poses a logistical problem with disk space.

If you know that sometimes attacks are only detected after 200-300 days, you should be able to do a forensic investigation in that period.
But that does not have to be on live data, if it is in backup, that is also good.

In terms of operational data you have to decide how much should be available immediately, for immediate consultation.
For example, that can be 1 month. (if the system can save so much)

BACKUP

Ensure that a backup can be guaranteed for a year (combination of full / differential and / or incremental backups or virtual snapshots …)
This is not a fixed period, but depending on risk management this may be more or less.

IMPORTANT: Time synchronization

Also make sure that you require NTP time synchronization, so that the clocks are exactly matched to each other on all systems.
Log analysis is impossible without correct timing.

SECURITY

Ensure that logs on source systems cannot be deleted by administrators.
Ensure that the logs following are shielded from system owners;
Ideally, you are obliged to store logs centrally (for example in a SIEM system).

Secure backups

Consider managed encryption of data and backups (not ransomware or malware).

Healthy logging and healthy backups

Make sure to test backups and restores!

Check the logs and backup for malware.

LOG CENTRALIZATION

Store logs centrally with sufficient storage capacity, security and backup.

LOG MANAGEMENT

A good management process and regular inspection must become mandatory.
Ensure monitoring for special events or special trends (sudden growth or sudden decrease or disappearance of logs)

Arrange forensic surveillance / detention if a burglary or data breach may need to be reported to the government / DPA / police.

The NIST documentation below provides useful hints and tips about the type of systems, routers, switches, firewalls, servers …

LEGISLATION

Take into account legislation such as GDPR or ePrivacy or others that impose your obligations (legal, judicial, international, fed gov, …)

EXPERIENCE

View and learn from past incidents and known use cases or accidents, which give a clear hint of what protect first.

PDCA – plan-do-check-act

Require a regular review of the policy and the rules, ensure that the guidelines are updated to the requirements and changing situations.

It is difficult if you find out after the facts that your log is not working properly.

Other references

And this is also a reference (NIST)

Note-to-self: 2019 …cost of a data breach…

Many InfoSec and data protection or privacy courses reference 3 authoritative yearly reports that show interesting numbers, statistics and trends about breaches year over year.

And these are extremely useful to talk about to your management…

Interesting to know they all have been updated for 2019.

1. Verizon DBIR

(The Verizon Data breach Investigations Report, DBIR)

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf (click the view only option)

2. IBM-Ponemon – Cost of a data breach report 2019

https://www.ibm.com/downloads/cas/ZBZLY7KL

(You can always use the official link and give away your privacy…at https://www.ibm.com/security/data-breach)

3. IAPP-EY Annual Governance Report 2019

(IAPP members get it for free)

Hint: the IAPP link below also shows reports of previous years.

https://iapp.org/resources/article/iapp-ey-annual-governance-report-2019/

V2018 also available from the EY website: https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/financial-services/ey-iapp-ey-annual-privacy-gov-report-2018.pdf

Using SPF to block mail account spoofing

Introduction

Did you ever got a mail from yourself, but you’re sure you did not send it?

This week I got that mail from a mail alias I’m using, so it’s actually not a native mailbox, but a mail forwarder address, which makes the claim that “the mailbox is hacked” pretty silly…

But if you got this message from a native mailbox, it does sound scary, isn’t it?

I already had some similar symptoms on other mail addresses in the same domain.

Symptoms

You get a mail from your own mail address… which is called mail spoofing.
And it looks like:

mailspoof

Spoofed mail message content

Hi!

As you may have noticed, I sent you an email from your account.
This means that I have full access to your account.

I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this,
transfer the amount of $778 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).

My bitcoin address (BTC Wallet) is: 1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio

After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best regards!

Root cause

The DNS setting of your domain is missing SPF records, that counter mail spoofing (an unauthorized mail server, user or hacker sending mail as “you”)…

Troubleshooting

When looking at the mail properties it’s pretty difficult (if not impossible) to find out who actually has sent the mail….

Solution

Basic domain settings

Add an SPF record to your domain DNS settings.

To get started, look up your mail provider or hosting provider’s name + SFP.

FYI, I’m hosting my domains at one.com, they’ve got some straight forward advise to configure the DNS. For any other domain, at any other provider it’s similar.

Office 365

When you buy a domain, but host your mail on O365, there are some additional settings to configure. But Office 365 will explain.

The easy part, logon to your O365 tenant, and check your domain health (see video below)

For more info, check these documents:

References

SPF tooling

Other security options

See also

Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Short URL: Http://aka.ms/outlook.com/help

While SPF is the first step, you should also consider DMARC and DKIM.

 

Risk treatment options parody

The orginal meme on risk analysis is around for a while on the internet.

(sorry, can’t find the original credits, feel free to claim and prove the credit, happy to comply)

risk classification

But risk management is only complete with risk treatment.

(original quality below)

risk_treatment_options.png

Note-to-self: prepping for CSA CCSK v4 upgrade

Note-to-self: extended reprint of a LinkedIn post…

I might have mentioned it already, but if you have passed the CCSK exam before, better logon to your CCSK profile on the CSA website and check if you still have an exam token left.

By default you get 2 tokens each exam registration, so…

If you pass your exam the first time, the “second try” backup token is left unused in your profile.

And (if not yet expired) you can use it to upgrade your CCSK to v4.

Tokens stay valid for 2 years after purchase.

More info: https://ccsk.cloudsecurityalliance.org/en/faq

On that page you can also find the required study material for the exam.

You can download the CCSK v4 prep kit from : https://downloads.cloudsecurityalliance.org/ccsk/CCSKv4_Exam_Preparation_Kit.zip

It’s an online exam and thus open book exam, using the below reference guides.

But realise:  60 questions in 90 minutes still is hard work, so better do some prep work up front to maximize your chances.

Once you pass this one, you can go for the (ISC)² CCSP with more confidence…

Microsoft resources for GDPR

The page below is a (growing) overview of resources for GDPR info and compliance by Microsoft. The page is updated with other sources I find on my quest for GDPR.

General Resources

Trust Center

Microsoft 365 Enterprise

Online

Assess your readiness for GDPR now

MS partner network

https://partner.microsoft.com/en-us/marketing/details/gdpr#/

Compliance manager

Learn more about Compliance Manager.  Read the Tech Community blog

Sign up for the Compliance Manager public preview program

Blogs

Videos

Tools

Downloads

Note-to-self: ISO27001 & ISO27002 downloads & tools

Just a quick note if you are looking in to ISO27001 documents, to implement IT security in a best-practices-way, bookmark these:

ISO27001 specific material

BTW: there is a very interesting GDPR-ISO27001 mapping example/exercise published on the ISO27001Security.com website: GDPR-ISO27k mapping

And as a surplus, have a read of the PCI-DSS, aka the ISO27001 for Banks

Check the free download section of the ISO standards organization at: ffwd2.me/FreeISO

GDPR: direct marketing vs natural/legal persons

Just a quick hint if you want to contain legal spam under GDPR.

Recital (14) “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person. ”

Recital (26) “The principles of data protection should apply to any information concerning an identified or identifiable natural person. ”

In short, GDPR only applies to natural persons (people breathing), not to legal person (like, the thing with a VAT number or company registration nr).

So: Companies/legal persons can be legally contacted or spammed.

Conclusion: use a general mail address (like info@ or company@) in all non-personal company registrations and contact details, white pages, yellow pages, VAT or government paperwork…

Make sure your official company registration DOES NOT refer to a personal address.

And as owner or delegate, keep your mail address for your personal professional communication, eg signature with personally identifiable contact details (mail, phone, mobile, skype, IM, …).

Because then your personal mail account is related to an identified and identifiable natural person, and covered by GDPR, protected from direct marketing violations. Should be.