Security

CCSK – DOMAIN 4 (Compliance and Audit Management) reference material

CCSK

Preparation tool kit (with registration): https://cloudsecurityalliance.org/artifacts/ccskv4_exam_prep_kit

Separate downloads:

(ISC)² Belux Chapter

2019-04-04 meeting presentation on CCSP-CCSK

ISC2-Belux-Chapter-20190404-Event

Additional Reading

PCI-DSS

Download PCI-DSS without registration: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Documentation library: https://www.pcisecuritystandards.org/document_library

SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Microsoft Azure – Cloud Security Compliance (Trust center)

https://www.microsoft.com/en-us/trustcenter/compliance/compliance-overview

Documents download: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3

https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide

Regional & country compliance: https://www.microsoft.com/en-us/trustcenter/compliance/regional-country-compliance

Google Cloud Security Compliance

Google Cloud security compliance – general

ISO27001: https://cloud.google.com/security/compliance/iso-27001/

CSA STAR

ISO Standards

ISO27001

ISO27002

ISO27017 (Cloud security)

ISO27018 (Personal data)

ISO27032 (Cybersecurity)

CSA STAR

https://cloudsecurityalliance.org/star/#_overview

Other

Interesting collection of documents and references on compliance and standards: here, including HIPAA, PCI-DSS, ISO27001/27002, …


RGPD, GDPR, AVG, … and linguistic word games… or confusion?

In the GDPR (ref. Art. 5.2), there is an important difference between the French and the English language versions.
Download the versions here: https://ffwd2.me/gdpr

The GDPR in English refers to “accountability”.

The RGPD (FR) only speaks of « responsabilité ».

In fact, “accountability” (EN) = “rendre compte” (FR), to give account.

But “responsibility” in English is also translated as “responsabilité” (in the general sense) in French.

For a proper understanding, it is important to know that there is a difference.

“accountability” in English,

  • means “personal/individual responsibility”, to give account
  • typically applies
    • to 1 person,
    • after the facts
  • ref. to a court/judge

“responsibility” in English,

  • means “general responsibility”
  • applies
    • to a group, several persons
    • who plan and take care of tasks, in advance/during

Furthermore, in the GDPR there is a 2nd important difference, explained in GDPR recital (4)

  • Privacy (EN) / vie privée (FR), versus
  • Personal data (EN) / données à caractère personnel = “données personnelles” (FR)

If we speak of “vie privée” (privacy), we refer to fundamental rights, and to “respect for private and family life, home and communications …”

If we speak of personal data, we refer to the information and attributes that identify or can identify someone.

So, in data protection, we should speak of “personal data” (“données personnelles”).

And the story is the same for Dutch speakers… (NL <> FR) 😉

GDPR word games, differences in EN/FR language versions and interpretation

Did you ever compare the different language versions of the GDPR?
Have a check at : https://ffwd2.me/gdpr

On the level of GDPR (ref. Art. 5.2), there is an important difference between French (FR) and English (EN). Same thing for Dutch, by the way.

The GDPR (EN) references “accountability” (EN). In FR (RGPD), they ONLY reference “responsabilité”.

In fact, “accountability” (EN) means “rendre compte” in French.

But “responsibility” (EN)  is translated to “responsabilité” in French TOO!

So, for clear understanding, it’s important to know that there IS a difference.

“accountability” (EN) means,

  • personal/individual responsibility, “rendre compte” (to give account)
  • applies typically
    • to one person
    • after the facts
  • ref. to a court/judge

“responsibility” (EN),

  • is rather “general” responsibility
  • applies to
    • a group of, or multiple, persons
    • who plan or execute tasks, in advance or during activities

Furthermore, on the level of GDPR, there is a 2nd important difference, explained in GDPR recital (4)

  • Privacy (EN) / vie privée (FR), versus
  • Personal data (EN), données à caractère personnel= “données personnelles” (FR)

If we talk about privacy / vie privée (FR) in GDPR, it’s about “fundamental rights” and «respect for private and family life, home and communications … »

If you talk about personal data, you refer to the information and attributes that identify (“identified”) or can identify (“identifiable”) an individual.

So, in data protection (EN), “protection des données” (FR), for GDPR we should refer to personal data (EN), “données personnelles” (FR).

Using SPF to block mail account spoofing

Introduction

Did you ever get a mail from yourself that you are sure you did not send?

This week I got such a mail at a mail alias I’m using. It is not a native mailbox but a mail forwarder address, which makes the claim that “the mailbox is hacked” pretty silly…

But if you get this message at a native mailbox, it does sound scary, doesn’t it?

I had already seen similar symptoms on other mail addresses in the same domain.

Symptoms

You get a mail from your own mail address… which is called mail spoofing.
It looks like this:

(screenshot: the spoofed mail as it appears in the inbox)

Spoofed mail message content

Hi!

As you may have noticed, I sent you an email from your account.
This means that I have full access to your account.

I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this,
transfer the amount of $778 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).

My bitcoin address (BTC Wallet) is: 1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio

After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best regards!

Root cause

The DNS zone of your domain has no SPF record. SPF (Sender Policy Framework, RFC 7208) is a TXT record that lists the mail servers allowed to send mail for your domain; a receiving mail server compares the IP address of the server that hands over the mail against that list. Without the record, any mail server, user or attacker can send mail as “you” and the receiver has nothing to check it against. Note that SPF is evaluated on the envelope sender (the Return-Path domain), not on the visible From: header, and that it only helps when the receiving side actually enforces the result.

Troubleshooting

The mail properties in your client will not tell you who actually sent the mail. Open the raw message source instead: the top-most Received: header, the one written by your own receiving server, records the IP address of the server that handed the mail over, and an Authentication-Results: header, if the receiver adds one, shows the SPF result it computed. Everything below that, including the From: header, can be set freely by the sender, so only the receiver’s own headers can be trusted.

Solution

Basic domain settings

Add an SPF record (a TXT record) to your domain’s DNS zone.

To get started, search for your mail provider’s or hosting provider’s name + SPF; they publish the exact record to use.

FYI, I’m hosting my domains at one.com, and they’ve got some straightforward advice on how to configure the DNS. For any other domain, at any other provider, it’s similar.
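To show what the receiver does with the record you add here, and what the Received: header inspection from the Troubleshooting section yields, the following is an added example and not code from the original post or from any provider. The DNS answers are a constructed in-memory table with hypothetical domains and addresses, the message is a constructed sample modelled on the scam mail above, and the evaluator only covers the ip4, ip6, include and all mechanisms plus the RFC 7208 lookup limit (a, mx, exists, ptr and redirect= are left out), so it is a teaching tool rather than a replacement for a real SPF library.

```python
"""Offline SPF evaluation of a spoofed message (added example, constructed data)."""
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for DNS TXT lookups: domain -> SPF record (None = no record).
SPF_TXT = {
    # the situation described in the post: no record, receivers have nothing to check
    "norecord.example": None,
    # weak record: "+all" authorises every host on the internet to send as this domain
    "weak.example": "v=spf1 +all",
    # hardened record: listed hosts only, hard fail for everything else
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    # misconfiguration: a record that includes itself (caught by the lookup limit)
    "loop.example": "v=spf1 include:loop.example -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def check_spf(domain, client_ip, dns=SPF_TXT, _lookups=None):
    """Evaluate domain's SPF record for the connecting IP; returns (result, reason)."""
    lookups = _lookups if _lookups is not None else [0]  # budget shared across includes
    record = dns.get(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror", f"{domain}: record does not start with v=spf1"
    client = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not handled in this example
            continue
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = client.version == net.version and client in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", f"{domain}: more than {MAX_LOOKUPS} DNS lookups"
            sub, why = check_spf(arg, client_ip, dns, lookups)
            if sub in ("none", "permerror"):  # a broken include breaks the whole record
                return "permerror", f"include:{arg} -> {why}"
            matched = sub == "pass"  # only a "pass" from the included record counts
        else:
            return "permerror", f"{domain}: unsupported mechanism {name}"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier], f"{domain}: matched {qualifier}{term}"
    return "neutral", f"{domain}: no mechanism matched"


# Constructed raw message. Only the top Received: line is written by the receiving
# server; everything below it, including From:, is chosen by whoever sent the mail.
SPOOFED_MESSAGE = """\
Return-Path: <victim@example.com>
Received: from mail.example.com (unknown [192.0.2.77])
\tby mx.receiver.example with ESMTP id 4Gx0Tk; Mon, 1 Apr 2019 10:00:00 +0000
From: victim@example.com
To: victim@example.com
Subject: As you may have noticed, I sent you an email from your account.

Hi!
"""

CLIENT_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def sender_and_client_ip(raw_message):
    """Envelope-sender domain and the IP recorded in the top Received: header."""
    msg = message_from_string(raw_message)
    domain = msg.get("Return-Path", "").strip("<> ").rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    found = CLIENT_IP.search(received[0]) if received else None
    return domain, (found.group(1) if found else None)


def verdict(raw_message, dns=SPF_TXT):
    """What a receiving server would conclude about this message under SPF."""
    domain, client_ip = sender_and_client_ip(raw_message)
    if client_ip is None:
        return "none", "no client IP in the top Received: header"
    return check_spf(domain, client_ip, dns)


if __name__ == "__main__":
    print(verdict(SPOOFED_MESSAGE))  # with the hardened record: ('fail', ...)
    print(check_spf("norecord.example", "192.0.2.77"))  # without a record: ('none', ...)
```

Run it as-is to see the difference between the three situations: with no record the receiver gets “none” and has to guess, with “+all” the spoofed mail passes, and with the hardened record the unknown 192.0.2.77 gets “fail”. The self-including record shows why a receiver stops after ten lookups and why a broken include takes the whole record down with it.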

Office 365

When you buy a domain but host your mail on O365, there are some additional DNS records to configure; Office 365 will explain which ones.

The easy part: log on to your O365 tenant and check your domain health (see video below).

For more info, check these documents:

References

SPF tooling

Other security options

See also

Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Short URL: Http://aka.ms/outlook.com/help

While SPF is the first step, you should also consider DMARC and DKIM.


Risk treatment options parody

The original meme on risk analysis has been around on the internet for a while.

(sorry, can’t find the original credits, feel free to claim and prove the credit, happy to comply)

(image: risk classification meme)

But risk management is only complete with risk treatment.

(original quality below)

(image: risk_treatment_options.png)

Note-to-self: Blocking ‘Promoted’ feed from your LinkedIn page (with Adblock Plus for Edge, Firefox, Chrome… not IE)

Do you also get these annoying ‘Promoted’ advertisement posts in your LinkedIn feed?
I managed to configure Adblock Plus to kick out the ‘Promoted’ advertisements on LinkedIn. It works in Firefox and Chrome, and is a bit slow in Edge (forget about IE…).

I know from the Adblock Plus forums that it’s not always easy to get this working. It might break with updates to the ad blocker or changes to the way the website works, so I hope it’s worth sharing.

The filter configuration might have some duplicates, but at least it works.

Essentially, it hides the ‘Promoted’ ads in your news feed and the “Promoted” block on the right-hand side of the LinkedIn page.

This is the filter to use in your AdBlock Plus.

linkedin.com#?#.feed-shared-update:-abp-contains(Promoted)
linkedin.com##.ad-banner
linkedin.com#?#.feed-shared-update-v2:-abp-contains(Promoted)
linkedin.com##iframe[src="about:blank"]

How to configure?

First install AdBlock Plus

Install Adblock Plus for Edge, Chrome or Firefox (v3+).
Just FYI, the version for IE (1.6) does not support the advanced custom filters, AFAIK.

Configure AdBlock Plus

(screenshot: Adblock Plus settings page)

Then click the ‘Advanced’ settings / Edit Filters, and paste the filter text mentioned above.

(screenshot: Adblock Plus custom filter list)

Done.