note-to-self

Image by mohamed Hassan from Pixabay

Note-to-self: KopieID (to blur your ID card fotocopy)

Source:

As explained here (in Dutch) and here (Dutch), it’s a terrible ID (sorry, idea), to copy your identity card and hand over the unprotected copy to someone….

Therefore it’s highly interesting to protect the photocopy against abuse, in the ultimate case you need a photocopy of your identity card…

KopieID NL

In the Netherlands the government has provided an app for your mobile phone, to take a photo of your ID and then blur the redundant information and to add a remark / watermark to indicate the purpose limitation.

Check it out here:

They also provide an interesting video explanation:

KopieID BE

In Belgium, there is a website (without app) that does the same, see here:

References

Source articles:

Reference material from the articles:

Picture credits: Image by mohamed Hassan from Pixabay 

Image source: https://pixabay.com/illustrations/hack-fraud-card-code-computer-3671982/

Note-to-self: SOC2 mapping to ISO27001

Just in case you get into SOC2 and want to know how to map it to existing information security implementation, whatever it may be, GDPR, ISO27001, NIST, … check this page

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

It includes:

These links have nice XLS format sheets, with a bidirectional comparison between the frameworks.

Info on SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

SOC and SOX?

 SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.

https://immedis.com/blog/what-are-the-key-differences-between-soc-and-sox/

https://www.logicgate.com/blog/a-comparison-of-soc-and-sox-compliance/

Also

https://linfordco.com/blog/soc-2-security-vs-iso-27001-certification/

(braindump article, still in progress)

Note-to-Self: workaround for bcc (blind copy) of meeting requests in Outlook


This article has also been posted on Microsoft Wiki, feel free to add suggestions and extra information.

Outlook Quick Tip: workaround for bcc (blind copy) of meeting requests

Issue

For meeting requests in Microsoft Outlook, the program does not have a bcc (aka Blind copy) option to add participants to a meeting, without publishing all personal data (mail addresses) to the other participants. 

Microsoft is aware of the issue, but hasn’t fixed the option yet.

Still you can request to have this option or request this function in Outlook, via Windows Feedback hub (hit the W10 Windows button, and type feedback) of via Microsoft Tech Community or Microsoft Q&A.

Visibility of participants to other participants

When you add participants to the “Required” or “Optional” section, they can see each others mail addresses. For smaller groups of people, that probably know each other, it’s not a big thing.

But for public events, this might be an issue. And certainly for large groups of participants, this is an overload of information.

And additionally, it might be considered as an inconvenience (or even a data breach) to publish data of other participants in a large group.

Limiting visibility to other participants

For matters of data protection it would be very handy to send the invite to the participants without exposing too much data.

Work around

As the bcc: option is missing, you can add people to the “Resources” option.

Steps

Create a new meeting request.

In the meeting options select, the “Required” or “Optional” button.

Then in the resources option, add the contacts or mail addresses of the participants.

Then add the required information to the invite, including online meeting options (Teams, …) and send the mail.

Alternative option : using iCAL file option via mail

Another option is

  1.  to create an meeting in your agenda,
  2. add the required meeting details (including teams invite)
  3. Save the meeting as iCAL file
  4. Create a mail,
    1. add the iCAL file
    2. add the the participants in bbc

References

More information can be found in these articles:

Resource option

Reddit

iCAL Option

Slipstick

RocketIT


Excel Security and Not Excel security, that’s the question

Executive overview

Excel has various levels of protection.
Many people use worksheet protection.  This feature is designed as a simple blocker to avoid unwanted edits to your sheet. Users can open and use the file without the protection password.

By design, Excel sheet protection is NOT a security measure, to keep data secret or to hide IP or formulas from unauthorized parties. The worksheet protection password is fairly easy to remove as explained below.

If you want actual protection in your Excel sheet, you need to use the encryption feature, but then every user will be forced to enter a password to open the file.  Which is difficult from usability point of view. And you need to apply security for each user separately.

Applies to

This discussion actually applies to the latest version of Excel in the Office 365 version. Some options or features might not be available or might not apply to previous/older versions of MS office.

Introduction

If you spend a lot of time to build a smart calculations or data management solutions in Excel, it’s very likely that you want to protect your hard word, or the smart layout or the intelligence behind your calculations. Or simply avoid any accidents crippling the nice layout.

Most people will first think about worksheet protection to achieve this, but there are some more options.

Excel Security options

If you create or open an Excel sheet (in current version of Office 365), you can add security via the menu “FIle” then choose the “Info” option.

Then click the “Protect Workbook” option.

Worksheet protection

In short: Worksheet protection is not intended to be a security feature.

And that’s documented at: https://support.microsoft.com/office/protect-a-worksheet-3179efdb-1285-4d49-a9c3-f4ca36276de6

From the Microsoft support document, the security impact of the protection features is explained as (quote):

Important: 

  • Worksheet level protection is not intended as a security feature. It simply prevents users from modifying locked cells within the worksheet.
  • Protecting a worksheet is not the same as protecting an Excel file or a workbook with a password. See below for more information:

Even with worksheet protection, the formulas are stored in the file as this is what allows you to later modify the formulas and for the cells to update their values. Because the file is not encrypted, a user could inspect the file contents to determine what the formulas are.

For advanced Excel users:

  • There are mechanisms that allow you to remove formulas from the workbook while keeping the cell values the same. When this is done, these cell values no longer update as they no longer have a formula.
  • If you want to strip out a formula that refers to another workbook, you can use the break link feature for external links (Data tab > Queries and Connections section > Edit Links > Break Link) – this keeps the current value of the cell and removes the formula referencing the external workbook.
  • If you want to strip out a formula regardless of where it refers to, the easiest way to do this is to copy the cell and paste as value to the same cell.

Implementing worksheet protection

Implementing worksheet security using encryption

Managing cell security

Before you activate worksheet protection, you need to consider unblocking cells to allow edit when protection is activated. Right click the target cells, you want to leave unprotected.

In the cell format options, “Locked” is enabled by default. Uncheck if you want to edit after password lock.

Next, to activate worksheet protection, right click the worksheet tab (below) and click the Protect sheet option.

You  can select which kind of protection you need on the level of the sheet and cells.

You need to enter the password and then reconfirm, of course.

Now, when you try to edit the cells that are blocked, you’ll get an error.

The actual Excel security: sheet encryption

To implement actual security, you need to encrypt the file.
When you want to use encryption, go back to the file menu and workbook protection, as explained earlier.

Choose the encryption option

When you save the file and try to reopen it, you’ll get a password prompt.

In one of the next chapters below, I’ll show what happens with the file security, and if you can hack it… or not.

Hacking Excel worksheet protection

The actual reason for this article, is that the worksheet protection is NOT a security feature and more important, the worksheet protection can be broken in a matter of seconds.

You’ll find a lot of password cracking tools, brute force password guessing or macro scripts to crack the passwords. Don’t bother if you simply want to remove the password protection.

The worksheet protection is embedded in the XLSX file, as XML. And you should consider the XLS sheet as a compressed/zipped dossier/file collection of config files containing the hashed password.

And that’s exactly the easy shortcut to remove the password, remove the password hash.
I won’t go in detail on the steps, but it’s about renaming the XLS file to zip, opening the zip, removing the pasword hash, saving the file, rename to XLS and open your sheets without password protection.

The method is explained over here: http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/

Hacking encryption? (Nope!)

Using the XLS to Zip rename, you can inspect the file content of the encrypted file.

When you try the same technique, removing the encryption info…you’ll notice that the “EncryptionInfo” is not allowing to save. And you can’t remove the encryption (at least not this way, here we stop… )

When you try to remove the encryption tag, including the cipher and password hash, you’ll notice it won’t work.

Reporting security issues to Microsoft

If you think or suspect to have found a security issue in a Microsoft product, don’t hesitate to report it.

To report a vulnerability in a Microsoft product or service, got to the Microsoft Security Response Center (MSRC) website at : https://www.microsoft.com/msrc.

You can track the status of your report as the MSRC team will work with you to investigate and resolve the issue. Or confirm that a suspected behaviour is not a security issue, but a light-weight protection to avoid layout incidents.

Note-to-self: Reference Articles on eID, privacy & GDPR

Following list of articles is a memory help and quick reference to interesting and useful articles from regarding the use of eID (Belgian Identity Card), related to privacy, data protection and GDPR.

This article will be updated regularlywhen interesting items are discussed or noted on workshops, discussions or other social media like LinkedIn.

eID

GBA Advisory on photocopy identity card

https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/aanbeveling_03_2011.pdf

LinkedIN articles

Denk 2 keer na voor je een fotokopie laat maken van je identiteitskaart

(Think twice before you let someone photocopy your identity card)

https://www.linkedin.com/pulse/denk-2-keer-na-voor-je-een-fotokopie-laat-maken-van-peter-geelen-/

Het gebruik van uw identiteitskaart als waarborg? (Using your identity card as waranty. NOT.)

https://www.linkedin.com/pulse/het-gebruik-van-uw-identiteitskaart-als-waarborg-peter-geelen/

Direct Marketing

Direct marketing and protection of personal data

Interesting cases & decisions

See other post: collecting interesting cases and decisions by the Belgian DPA:

https://identityunderground.wordpress.com/2020/06/11/note-to-self-interesting-dpa-decisions-court-cases-regarding-gdpr-it-security/

€750.000 per year for some onepager PDF, you can do that too.

scam-3933004_1920

(Image Credits: mohamed Hassan via Pixabay)

Dear Annie BG Mathews,

Dear CIO Applications Europe,

(quote, feb 2020) “I am Annie from CIO Applications Europe magazine and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the Information Security arena and have shortlisted them to be featured as one of the “Top 10 Information Security Consulting/Service Companies 2020”, <…> being one of them.”

(quote, apr 2020) “I am Annie from CIO Applications Europe magazine, and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the GDPR arena and have shortlisted them to feature as one of the “Top 10 GDPR Consulting/Service Companies 2020”, <…> being one of them.”

Did you also get the same mail  from “CIO Applications Europe”, with their fabulous “Top 10” marketing, asking a small fee of €2500,- to be featured as top-player in the <see below> field, for which you get a fabulous … eh.. 1 single pager PDF. And using their top 10 logo in your marketing.

Top, you make me feel so special!

Just.. ehm… radio couloir says lots of my sector contacts and LinkedIn network contacts got the exact same mail.. So, top 10, my @§§.

Marvelous quick win

Just a bit of 12y-old math says: that is a smart turnover of 25.000 EUR per top 10 published. Knowing that they have published roughly 30 of their “top 10” articles for 2019, this means a quick win of €750.000 on one-pagers only.

The categories they have listed last year:

(Look it up yourself: https://www.google.be/search?q=inurl:cioapplicationseurope.com+%22Top+10%22+%22-+2019%22)

  • Agile Technology, Asset management, Automotive, Blockchain, Blockchain Solutions, Business Intelligence, CEM solution, Contact center, Cognitive consulting, ERP, FinTech Solution, GDPR Solutions, GDPR consulting, IBM Solution, Information Security, IoT solution, IT services management, Legal technology, Mar tech, Microsoft solution, Microsoft Consulting, Procurement, Proptech, Salesforce, Smart City Tech,…

Forgive me if  I forgot another €25.000,- in the 30x Top 10 of 2019 they listed.

But some important categories missing, so you can do that too, some ideas below.

If the “Top 10” on GDPR is completed, you create new categories like “GDPR consulting”, “GDPR legal advice”, “GDPR breach specialist”, “GDPR expert”, “GDPR Services”, that’s another 125K of revenue, easy deal to fill the 1 million bucket.

So, you can buy yourself a list in the Top 10.

So here’s the deal, for 2499 EUR, you can get listed in the 2020 Top 10 spam and scam companies, you get a full A6 print page (special 7pt Wingdings font) with a 3 minute made-up interview with your CSSO. (Chief Spam’n Scam Officer.)

Legit business??

For €2499,- you get an interview, a one pager and a logo for display.

I quote: “We want to work with you towards a single page article after an interview with the senior management projecting the unique story of your company. For a nominal amount of 2,500 Euros, you will own complete print and digital rights to use the pdf of profile in your process of acquiring new clients along with many other prominent benefits like rights to use the Top 10 logo in your communications, single page complimentary advertisement placement and many more which I would love to explain when we connect.

It’s not forbidden to make you a ridiculous offer, but do you really want to sponsor this scam and spam practice and keep it alive?

Fact is, this is not ‘just a spam’ campaign.. It’s setup as legitimate business, at first sight.

You can still ask yourself why CIO Applications “EUROPE” would have a phone number in the US.

#GDPR!

It’s not only about the scam, they are using personal data without notification.

And you can argue they can use “legitimate interest”. Yes, for sure. But still they need to apply article 13 and 14, when collecting personal data. Their privacy notice (https://www.cioapplicationseurope.com/privacy-policy/) is not mentioned in the mail communication, it does not mention how they collect my data and how the process it. Neither do they refer to the required legal GDRP mentions (like DPA contact and so on…).

There is no reference how to file a subject-data access request… you can always spam their marketing department as mentioned in their privacy notice.

So, this could even be a valid reason for contacting your DPA and file a complaint.

I don’t want to unsubscribe to spam mail, because I don’t want to give you just more information if you don’t respect me from the beginning.

What’s the real problem then?

What do you think of a “Top-10” ranking, that is only based on the fee you pay? The first 10 that pay, are in the top 10. Number 11, bad luck. Oh wait, we’ll setup another top 10.

This feels like bribery. And mental pressure.

They send out the requests to new companies, struggling to conquer the market. They make your feel important, but it’s only about the money.

This type of practice puts other legitimate rankings in such a bad daylight… the smell of money on a “Top 10 …something”. This destroys the reputation of other communities, value papers and IT or security sectors. It’s not isolated to this one bad apple.

Be smart

Think. If it doesn’t feel right, it is not right. For a bare €2499,- you can achieve a lot more than a single page PDF and a top 10 logo.

For the same money and the support of a real marketing specialist, and some smart channel management, you can create real impact.

But most important of all, do what you do best. Create impact. Create great stuff, create buzz, let customers tell your story…

Stay out of the pile of bad apples.

#justthinking

Note-to-self: MNM van KSZ (Minimale normen – Sociale Zekerheid)

Minimale Normen / Normes Minimales van de KSZ (Kruispuntbank van de Sociale Zekerheid) gebaseerd op de ISO27001/ISO27002

“De toepassing van de minimale normen informatieveiligheid en privacy is verplicht voor instellingen van sociale zekerheid overeenkomstig artikel 2, eerste lid, 2° van de wet van 15 januari 1990 houdende oprichting en organisatie van een Kruispuntbank van de Sociale Zekerheid (KSZ). Bovendien moeten de minimale normen informatieveiligheid en privacy eveneens toegepast worden door alle organisaties die deel uitmaken van het netwerk van de sociale zekerheid overeenkomstig artikel 18 van deze wet. Tenslotte kan het sectoraal comité van de sociale zekerheid en van de gezondheid de naleving van de minimale normen informatieveiligheid en privacy ook opleggen aan andere instanties dan de hogervermelde.  ”

Bookmark:

(NL) https://www.ksz-bcss.fgov.be/nl/gegevensbescherming/informatieveiligheidsbeleid

(FR) https://www.ksz-bcss.fgov.be/fr/protection-des-donnees/politique-de-securite-de-linformation

(edit)

Opmerking: voor alle duidelijkheid, op zich zijn deze documenten geen nieuwigheid maar buiten de SZ zijn deze normen minder gekend… vandaar dat het toch nuttig is om ze bij te houden als geheugensteun en referentie. Je komt er sneller mee in contact als je denkt…

Note-to-self: logging policy considerations

Few days ago I got a question from a security officer for guidance on event and system logging.

What I can recommend: a good guideline and indication is this from OWASP.
You know OWASP is THE reference for software security …. with their OWASP top 10 etc.

Check this: https://owasp.org/www-project-cheat-sheets/cheatsheets/Logging_Cheat_Sheet

Another reference from NIST see below, very handy.

These are fairly complete in terms of guideline.

What you should pay special attention to from a policy point of view is

Special accounts

  •  Sensitive accounts
    • Highly priviliged accounts
    • Admin accounts
    • Service accounts
  • Sensitive systems
    • Domain controllers
    • Application servers
  • Sensitive data
    • HR data
    • Finance data
    • Legal data

Regarding the classification of accounts, check these:

For the users you also have to think carefully about events

  • Large volume of failed logons from sensitive users, may indicate
    • Attack
    • Denial of service
    • Hacking
  • Attack on the password database, large volumes of password change attempts …
    •  Smart password ‘testers’ will stay just below the blocking limit ..
  • Successful logons from special accounts at abnormal places or times
  • Changing the rights of sensitive accounts
    • Promotion of regular users to admins or other sensitive accounts in AD or central database

CLASSIFICATION

Make sure you have a data, user and system classification policy.
Define roles and / or categories.
Which objects are “not important”, “not sensitive”, sensitive, important, critical.
The protection must be tailored to the category type.

STORAGE

In addition, you should also write a policy on saving data.
This often poses a logistical problem with disk space.

If you know that sometimes attacks are only detected after 200-300 days, you should be able to do a forensic investigation in that period.
But that does not have to be on live data, if it is in backup, that is also good.

In terms of operational data you have to decide how much should be available immediately, for immediate consultation.
For example, that can be 1 month. (if the system can save so much)

BACKUP

Ensure that a backup can be guaranteed for a year (combination of full / differential and / or incremental backups or virtual snapshots …)
This is not a fixed period, but depending on risk management this may be more or less.

IMPORTANT: Time synchronization

Also make sure that you require NTP time synchronization, so that the clocks are exactly matched to each other on all systems.
Log analysis is impossible without correct timing.

SECURITY

Ensure that logs on source systems cannot be deleted by administrators.
Ensure that the logs following are shielded from system owners;
Ideally, you are obliged to store logs centrally (for example in a SIEM system).

Secure backups

Consider managed encryption of data and backups (not ransomware or malware).

Healthy logging and healthy backups

Make sure to test backups and restores!

Check the logs and backup for malware.

LOG CENTRALIZATION

Store logs centrally with sufficient storage capacity, security and backup.

LOG MANAGEMENT

A good management process and regular inspection must become mandatory.
Ensure monitoring for special events or special trends (sudden growth or sudden decrease or disappearance of logs)

Arrange forensic surveillance / detention if a burglary or data breach may need to be reported to the government / DPA / police.

The NIST documentation below provides useful hints and tips about the type of systems, routers, switches, firewalls, servers …

LEGISLATION

Take into account legislation such as GDPR or ePrivacy or others that impose your obligations (legal, judicial, international, fed gov, …)

EXPERIENCE

View and learn from past incidents and known use cases or accidents, which give a clear hint of what protect first.

PDCA – plan-do-check-act

Require a regular review of the policy and the rules, ensure that the guidelines are updated to the requirements and changing situations.

It is difficult if you find out after the facts that your log is not working properly.

Other references

And this is also a reference (NIST)

Note-to-self: Word function for sample text

I’ve posted this on LinkedIn before, but I couldn’t find it right away.
So a blogpost helps as external memory and should make it easier to find.

If you want to quickly fill a word document with intelligent rubbish. Type =lorem(p,l) P is the number of paragraphs you need, and l the number of lines.

There is more, also random text is possible, but full explanation is here: https://support.microsoft.com/en-us/help/212251/how-to-insert-sample-text-into-a-document-in-word

And it still works in the O365/Office 2016 version…

Updated:2020-12-29

Note-to-self: prepping for CSA CCSK v4 upgrade

Note-to-self: extended reprint of a LinkedIn post…

I might have mentioned it already, but if you have passed the CCSK exam before, better logon to your CCSK profile on the CSA website and check if you still have an exam token left.

By default you get 2 tokens each exam registration, so…

If you pass your exam the first time, the “second try” backup token is left unused in your profile.

And (if not yet expired) you can use it to upgrade your CCSK to v4.

Tokens stay valid for 2 years after purchase.

More info: https://ccsk.cloudsecurityalliance.org/en/faq

On that page you can also find the required study material for the exam.

You can download the CCSK v4 prep kit from : https://downloads.cloudsecurityalliance.org/ccsk/CCSKv4_Exam_Preparation_Kit.zip

It’s an online exam and thus open book exam, using the below reference guides.

But realise:  60 questions in 90 minutes still is hard work, so better do some prep work up front to maximize your chances.

Once you pass this one, you can go for the (ISC)² CCSP with more confidence…