Security

Note-to-self: CCSK vs CCSP

Just for easy, future reference… the difference between CSA CCSK and (ISC)² CCSP, quickly explained:

https://blog.cloudsecurityalliance.org/2018/04/24/ccsk-vs-ccsp-unbiased-comparison/

http://www.confidis.co/cloud-security-certifications-ccsk-vs-ccsp/

 

Advertisements

Microsoft MVP for another year: Thank you!

Just a few hours ago, I got the confirmation that I was awarded the 2019-2020 Microsoft Most Valuable Professional (MVP) award.

It’s a yearly award granted by Microsoft to community leaders and influencers who passionately share their knowledge and drive the MS community.

For some it’s the ultimate goal to get in the MVP program, but as the reward is granted year after year again, based on your impact of last year, it’s never sure you’re in for the next round.
It’s not about the award, but about the drive and mindset to build community. You can’t simply keep up if you don’t have the drive.

But more important, you simply can’t keep up without support.

So I’m proud to receive this award.

And I’m utterly grateful that lots of people around support me in this, very close and very far.

Thank you, my dearest wife and kids to keep me alive.

Thank you, dearest Microsoft TechNet Wiki Geeks (TOO MANY to list here), you keep me going.

Thank you, Ed Price, the greatest Wiki Wizz Kid,

Thank you Tina for supporting the MVP BeNelux and Nordic Community manager.

And many many others, … without you I could not do this!
I dedicate this award to you.

Thank you.

CCSK – DOMAIN 4 (Compliance and Audit Management) reference material

CCSK

Preparation tool kit (with registration): https://cloudsecurityalliance.org/artifacts/ccskv4_exam_prep_kit

Separate downloads:

(ISC)² Belux Chapter

2019-04-04 meeting presentation on CCSP-CCSK

ISC2-Belux-Chapter-20190404-Event

Additional Reading

PCI-DSS

Download PCI-DSS  without registration: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Documentation library: https://www.pcisecuritystandards.org/document_library

SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Microsoft Azure – Cloud Security Compliance (Trust center)

https://www.microsoft.com/en-us/trustcenter/compliance/compliance-overview

Documents download: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3

https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide

Regional & country compliance: https://www.microsoft.com/en-us/trustcenter/compliance/regional-country-compliance

Google Cloud Security Compliance

Google Cloud security compliance – general

ISO27001: https://cloud.google.com/security/compliance/iso-27001/

CSA STAR

ISO Standards

ISO27001

ISO27002

ISO27017 (Cloud security)

ISO27018 (Personal data)

ISO27032 (Cybersecurity)

CSA STAR

https://cloudsecurityalliance.org/star/#_overview

Other

Interesting collection of documents & references on compliance and standards: here,  including, HIPAA, PCI-DSS, ISO27001/27002, …

 

 

 

RGPD, GDPR, AVG, … et les jeux de mots linguistiques… ou confusions?

Au niveau de RGPD (réf. Art. 5.2), il y a une différence importante pour les francophones et les anglophones.
Téléchargez les versions ici: https://ffwd2.me/gdpr

 

Le GDPR en anglais, fait référence à “accountability

Le RGPD (FR) parle de « responsabilité » (personnel) seulement.

 

En fait, “accountability” (EN) = rendre compte (FR)

Mais “responsability” en anglais est aussi traduit en “responsabilité” (général) en français.

Pour la bonne compréhension, il est important de savoir qu’il y a une différence.

 

“accountability” en anglais,

  • veut dire “responsabilité personnel/individuelle”, rendre compte
  • s’applique typiquement
    • sur 1 personne,
    • Après les faits
  • Réf. au tribunal/juge

“responsability” en anglais,

  • Veut dire “responsabilité générale”
  • S’applique
    • Sur un group, plusieurs personnes
    • Qui planifie et prend soin des tâches, en avance/pendant

 

En plus, au niveau de GDPR, il y a une 2ème différence important expliqué dans GDPR considérant (4)

  • Privacy (EN) / vie privée (FR), versus/par contre
  • Personal data (EN) / données à caractère personnel= “données personnelles” (FR)

 

Si on parle de “vie privée”, on fait référence au droits fondamentaux, et “le respect de la vie privée et familiale, du domicile et des communications …”

Si on parle des données personnelles, on fait référence à l’info et les attributs qui identifient ou peuvent identifier quelqu’un.

Donc, dans la protection des données, on devrait parler de “données personnelles”.

Et l’histoire est identique pour le néerlandophones… (NL <> FR) 😉

GDPR word games, differences in EN/FR language versions and interpretation

Did you ever compare the different language versions of the GDPR?
Have a check at : https://ffwd2.me/gdpr

On the level of GDPR (ref. Art. 5.2), there is an important difference between French (FR) and English (EN). Same thing for Dutch, by the way

The GDPR (EN)  references “accountability”(EN). In FR (RGPD), they ONLY reference “responsabilité”.

In fact, “accountability” (EN) means “rendre compte” in French.

But “responsibility” (EN)  is translated to “responsabilité” in French TOO!

So, for clear understanding, it’s important to know that there IS a difference.

“accountability” (EN) means,

“responsability” (EN),

  • is rather “general” responsibility
  • applies to
    • a group of, or multiple, persons
    • who plan or execute tasks, in advance or during activities

Furthermore, on the level of GDPR, there is a 2nd important difference, explained in GDPR recital (4)

  • Privacy (EN) / vie privée (FR), versus
  • Personal data (EN), données à caractère personnel= “données personnelles” (FR)

If we talk about privacy / vie privée (FR) in GDPR, it’s about “fundamental rights” and «respect for private and family life, home and communications … »

If you talk about personal data, you refer to the information and attributes who identify (“identified”)or can identify an individual (“identifiable”).

So, in data protection (EN), protection des données” (FR) for GDPR, we should refer to personal data (EN), “données personnelles” (FR).

Using SPF to block mail account spoofing

Introduction

Did you ever got a mail from yourself, but you’re sure you did not send it?

This week I got that mail from a mail alias I’m using, so it’s actually not a native mailbox, but a mail forwarder address, which makes the claim that “the mailbox is hacked” pretty silly…

But if you got this message from a native mailbox, it does sound scary, isn’t it?

I already had some similar symptoms on other mail addresses in the same domain.

Symptoms

You get a mail from your own mail address… which is called mail spoofing.
And it looks like:

mailspoof

Spoofed mail message content

Hi!

As you may have noticed, I sent you an email from your account.
This means that I have full access to your account.

I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this,
transfer the amount of $778 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).

My bitcoin address (BTC Wallet) is: 1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio

After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best regards!

Root cause

The DNS setting of your domain is missing SPF records, that counter mail spoofing (an unauthorized mail server, user or hacker sending mail as “you”)…

Troubleshooting

When looking at the mail properties it’s pretty difficult (if not impossible) to find out who actually has sent the mail….

Solution

Basic domain settings

Add an SPF record to your domain DNS settings.

To get started, look up your mail provider or hosting provider’s name + SFP.

FYI, I’m hosting my domains at one.com, they’ve got some straight forward advise to configure the DNS. For any other domain, at any other provider it’s similar.

Office 365

When you buy a domain, but host your mail on O365, there are some additional settings to configure. But Office 365 will explain.

The easy part, logon to your O365 tenant, and check your domain health (see video below)

For more info, check these documents:

References

SPF tooling

Other security options

See also

Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Short URL: Http://aka.ms/outlook.com/help

While SPF is the first step, you should also consider DMARC and DKIM.