An interesting set of reference material that keeps coming back in the data protection, cybersecurity and information security discussions I have had lately with peers and colleagues. Maybe you can use it too…
Feel free to provide some feedback yourself, if you know additional pointers I should add.
You know where to find me.
Change history
2022-04-27 14:00: Added EDPB announcement to references section
2022-02: The Dutch Ministry of Justice and Security requested an analysis of US legislation in relation to the GDPR and Schrems II by Greenberg Traurig.
Switzerland
In a recent article (in French) by ICT journal, the Canton of Zurich published a
As explained here (in Dutch) and here (in Dutch), it's a terrible ID (sorry, idea) to copy your identity card and hand the unprotected copy over to someone…
So it is well worth protecting the photocopy against abuse, for the rare case in which you really do need to hand over a photocopy of your identity card…
KopieID NL
In the Netherlands the government provides an app for your mobile phone that takes a photo of your ID, blurs the information the recipient does not need (for example the national number) and adds a remark / watermark stating the purpose limitation, so the copy cannot be reused for something else.
Check it out here:
They also provide an interesting video explanation:
KopieID BE
In Belgium, there is a website (without app) that does the same, see here:
Just in case you get into SOC 2 and want to know how to map it to whatever information security implementation you already have (GDPR, ISO 27001, NIST, …), check this page:
“SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.”
Microsoft Outlook has no bcc (blind carbon copy) option for meeting requests, so you cannot add participants to a meeting without disclosing everyone's personal data (mail addresses) to all the other participants.
Microsoft is aware of the issue, but hasn't added the option yet.
You can still request this function in Outlook via the Windows Feedback Hub (hit the Windows key and type "feedback"), or via the Microsoft Tech Community or Microsoft Q&A.
Visibility of participants to other participants
When you add participants in the "Required" or "Optional" field, they can all see each other's mail addresses. For small groups of people who probably know each other anyway, that's not a big thing.
But for public events this might be an issue, and for large groups of participants it is simply an overload of information.
On top of that, publishing the data of everyone in a large group to everyone else may be considered an inconvenience, or even a data breach.
Limiting visibility to other participants
For data protection reasons it would be very handy to send the invite to the participants without exposing more data than necessary.
Work around
As the bcc: field is missing, you can add people in the "Resources" field instead.
Steps
Create a new meeting request.
In the meeting request, click the "Required" or "Optional" button to open the address book dialog.
In that dialog, add the contacts or mail addresses of the participants to the "Resources" field instead of "Required" or "Optional".
Then add the remaining information to the invite, including the online meeting options (Teams, …), and send it.
Alternative option : using iCAL file option via mail
Another option is:
to create a meeting in your agenda,
add the required meeting details (including the Teams invite)
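The iCal route, worked out as an added example (my own Python, not code from the original post or from Microsoft): the organizer builds a plain .ics with METHOD:PUBLISH and no ATTENDEE properties, mails it to themselves and puts every participant in Bcc. The addresses, the subject and the join URL are made up for the example; with a real mail client you would do the same with an exported .ics as attachment.

```python
"""Send a meeting invitation without exposing the participant list.

Added example, not code from the original post. It builds an iCalendar (.ics)
file with METHOD:PUBLISH and no ATTENDEE lines, then wraps it in a mail whose
only visible recipient is the organizer; participants go in Bcc. Addresses,
subject and join URL are made up for the example.
"""
import uuid
from datetime import datetime, timezone
from email.message import EmailMessage


def _ics_time(dt: datetime) -> str:
    """iCalendar UTC timestamp, e.g. 20240315T130000Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def build_invite_ics(summary: str, start: datetime, end: datetime,
                     organizer: str, join_url: str, uid: str = "") -> str:
    """Return an .ics body for one event. Deliberately no ATTENDEE properties:
    the file carries the meeting, not the list of people who received it."""
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//example//bcc-invite//EN",   # assumed product id
        "METHOD:PUBLISH",                       # plain publish, no RSVP tracking
        "BEGIN:VEVENT",
        f"UID:{uid or uuid.uuid4()}",
        f"DTSTAMP:{_ics_time(datetime.now(timezone.utc))}",
        f"DTSTART:{_ics_time(start)}",
        f"DTEND:{_ics_time(end)}",
        f"SUMMARY:{summary}",
        f"DESCRIPTION:Join online: {join_url}",
        f"ORGANIZER:mailto:{organizer}",
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return "\r\n".join(lines) + "\r\n"   # RFC 5545 uses CRLF line endings


def build_invite_mail(ics: str, organizer: str, participants: list,
                      subject: str) -> EmailMessage:
    """Mail the .ics to every participant via Bcc. The To header is the organizer,
    so the message has a visible recipient but discloses nobody else."""
    msg = EmailMessage()
    msg["From"] = organizer
    msg["To"] = organizer
    msg["Bcc"] = ", ".join(participants)
    msg["Subject"] = subject
    msg.set_content("Please find the meeting invitation attached.")
    msg.add_attachment(ics, subtype="calendar", filename="invite.ics",
                       params={"method": "PUBLISH"})
    return msg


def visible_recipients(msg: EmailMessage) -> list:
    """What a recipient sees once the mail client / MTA drops the Bcc header."""
    visible = []
    for header in ("To", "Cc"):
        if msg[header]:
            visible.extend(a.strip() for a in msg[header].split(","))
    return visible


def example_invite():
    """Constructed example: one public webinar, two participants."""
    start = datetime(2024, 3, 15, 13, 0, tzinfo=timezone.utc)
    end = datetime(2024, 3, 15, 14, 0, tzinfo=timezone.utc)
    ics = build_invite_ics("Public webinar", start, end, "organizer@example.org",
                           "https://teams.example.org/join/abc",  # made-up join URL
                           uid="webinar-2024-03-15")
    msg = build_invite_mail(ics, "organizer@example.org",
                            ["alice@example.net", "bob@example.net"], "Public webinar")
    return ics, msg


if __name__ == "__main__":
    ics, msg = example_invite()
    print("Bcc:", msg["Bcc"])
    print("visible to recipients:", visible_recipients(msg))
    # smtplib.SMTP(...).send_message(msg) strips the Bcc header and uses those
    # addresses for the SMTP envelope only.
```

smtplib.SMTP.send_message() removes the Bcc header and uses those addresses only for the envelope, so nobody on the list sees the others. The price of METHOD:PUBLISH is that you get no accept/decline tracking; that is what you give up for not publishing the list.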
Excel has various levels of protection. Many people use worksheet protection. This feature is designed as a simple blocker against unwanted edits to your sheet: users can open and use the file without knowing the protection password.
By design, Excel sheet protection is NOT a security measure to keep data secret or to hide IP or formulas from unauthorized parties. The worksheet protection password is fairly easy to remove, as explained below.
If you want actual protection for your Excel sheet, you need to use the encryption feature, but then every user is forced to enter a password to open the file, which is awkward from a usability point of view, and you have to get that password to every legitimate user separately.
Applies to
This discussion applies to the current version of Excel in Office 365. Some options or features might not be available, or might not apply, in previous/older versions of MS Office.
Introduction
If you spend a lot of time building smart calculations or data management solutions in Excel, it's very likely that you want to protect your hard work, the smart layout or the intelligence behind your calculations. Or simply avoid accidents crippling the nice layout.
Most people will first think of worksheet protection to achieve this, but there are some more options.
Excel Security options
If you create or open an Excel sheet (in the current version of Office 365), you can add security via the menu "File", then the "Info" option.
Then click the “Protect Workbook” option.
Worksheet protection
In short: Worksheet protection is not intended to be a security feature.
Even with worksheet protection, the formulas are stored in the file as this is what allows you to later modify the formulas and for the cells to update their values. Because the file is not encrypted, a user could inspect the file contents to determine what the formulas are.
For advanced Excel users:
There are mechanisms that allow you to remove formulas from the workbook while keeping the cell values the same. When this is done, these cell values no longer update as they no longer have a formula.
If you want to strip out a formula that refers to another workbook, you can use the break link feature for external links (Data tab > Queries and Connections section > Edit Links > Break Link) – this keeps the current value of the cell and removes the formula referencing the external workbook.
If you want to strip out a formula regardless of where it refers to, the easiest way to do this is to copy the cell and paste as value to the same cell.
Implementing worksheet protection
Implementing worksheet security using encryption
Managing cell security
Before you activate worksheet protection, decide which cells should remain editable once protection is on, and unlock those. Right-click the target cells you want to leave unprotected.
In the cell format options (Protection tab), "Locked" is enabled by default. Uncheck it for the cells that must stay editable after the sheet is locked.
Next, to activate worksheet protection, right-click the worksheet tab (at the bottom) and click "Protect Sheet".
You can select which kind of protection you need on the level of the sheet and cells.
You need to enter the password and then reconfirm, of course.
Now, when you try to edit the cells that are blocked, you’ll get an error.
The actual Excel security: sheet encryption
To implement actual security, you need to encrypt the file. When you want to use encryption, go back to the file menu and workbook protection, as explained earlier.
Choose the encryption option
When you save the file and try to reopen it, you’ll get a password prompt.
In one of the next chapters below, I'll show what happens with the file security, and whether you can hack it… or not.
Hacking Excel worksheet protection
The actual reason for this article is that worksheet protection is NOT a security feature and, more importantly, that it can be broken in a matter of seconds.
You'll find plenty of password cracking tools, brute-force password guessers and macro scripts to crack the password. Don't bother if you simply want to remove the protection.
The worksheet protection is embedded in the XLSX file as XML: an XLSX is a ZIP container holding a collection of XML parts, and the worksheet part (xl/worksheets/sheetN.xml) carries a sheetProtection element with the salted password hash (a 16-bit hash in older files), never the password itself.
And that's exactly the easy shortcut: remove the password hash. I won't go into detail on the steps, but it boils down to renaming the .xlsx to .zip, opening the zip, deleting the sheetProtection element from the worksheet XML, saving the file, renaming it back to .xlsx and opening your sheets without password protection. The cell values and formulas were never encrypted, so nothing else has to change.
With the same rename-to-zip trick you can inspect the contents of the encrypted file too.
When you try the same technique and remove the encryption info… you'll notice that "EncryptionInfo" cannot be saved, and that you can't remove the encryption (at least not this way; here we stop…).
Removing the encryption tag, including the cipher and password hash, simply won't work. The reason: a password-encrypted workbook is no longer a ZIP package at all but an OLE compound file with two streams, EncryptionInfo (cipher, salt and key-derivation parameters) and EncryptedPackage (the entire OOXML package, AES-encrypted with a key derived from the password by slow iterated hashing). Deleting the metadata leaves you with ciphertext and no key. The only attack left is guessing the password, so the strength of the open password is the whole of the protection.
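An added example (my own code, not from the original post) of the zip trick done programmatically, in Python with only the standard library. The workbook it works on is constructed inline with just the parts that matter here, so it is not a complete Excel file, and the hash and salt values are dummies. It also shows the check a practitioner wants first: whether the file is still a ZIP package at all, or already the encrypted OLE container where this trick is pointless.

```python
"""Remove Excel worksheet protection by editing the OOXML package directly.

Added example, not code from the original post. It builds a tiny workbook
package inline (constructed; only the parts relevant here, not a complete
Excel file), shows where the password hash lives, strips it, and refuses to
touch a password-encrypted workbook, which is a different container entirely.
"""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                          # plain .xlsx: an OPC zip package
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # encrypted .xlsx: OLE2 compound file

# Matches both the modern element (algorithmName/hashValue/saltValue/spinCount)
# and the legacy one with a 16-bit password="XXXX" attribute.
SHEET_PROTECTION_RE = re.compile(rb"<sheetProtection\b[^>]*/>")

MAIN_NS = b"http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def package_kind(data: bytes) -> str:
    """'zip' for an editable OOXML package, 'cfb' for a password-encrypted workbook."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(CFB_MAGIC):
        return "cfb"
    return "unknown"


def build_sample_xlsx(protected: bool) -> bytes:
    """Constructed sample: one sheet with a formula in A1 (formula and cached value
    are both stored, exactly as Excel does). Hash/salt values are dummies."""
    protection = (b'<sheetProtection algorithmName="SHA-512" hashValue="ZHVtbXk=" '
                  b'saltValue="c2FsdA==" spinCount="100000" sheet="1" objects="1" '
                  b'scenarios="1"/>') if protected else b""
    sheet = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             b'<worksheet xmlns="' + MAIN_NS + b'"><sheetData><row r="1">'
             b'<c r="A1"><f>SUM(B1:B2)</f><v>42</v></c></row></sheetData>'
             + protection + b"</worksheet>")
    workbook = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                b'<workbook xmlns="' + MAIN_NS + b'"><sheets>'
                b'<sheet name="Calc" sheetId="1"/></sheets></workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def read_part(xlsx_bytes: bytes, name: str) -> bytes:
    """Raw bytes of one part inside the package."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        return z.read(name)


def protected_sheets(xlsx_bytes: bytes) -> list:
    """Worksheet parts that carry a <sheetProtection> element."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        return [n for n in z.namelist()
                if n.startswith("xl/worksheets/") and n.endswith(".xml")
                and SHEET_PROTECTION_RE.search(z.read(n))]


def strip_sheet_protection(xlsx_bytes: bytes):
    """Return (new package, number of protection elements removed).

    Only worksheet parts are rewritten; every other part is copied unchanged.
    The hash is metadata Excel checks when you unprotect interactively; the
    cell data and formulas are stored in clear regardless, so deleting the
    element is all it takes. Raises on an encrypted workbook: there the whole
    package is ciphertext and there is nothing to edit.
    """
    kind = package_kind(xlsx_bytes)
    if kind != "zip":
        raise ValueError(f"not an editable OOXML package (container: {kind})")
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.startswith("xl/worksheets/") and info.filename.endswith(".xml"):
                data, n = SHEET_PROTECTION_RE.subn(b"", data)
                removed += n
            dst.writestr(info.filename, data)
    return out.getvalue(), removed


if __name__ == "__main__":
    original = build_sample_xlsx(protected=True)
    print("protected before:", protected_sheets(original))
    unprotected, n = strip_sheet_protection(original)
    print("removed", n, "element(s); protected after:", protected_sheets(unprotected))
    print("formula still in clear:",
          b"<f>SUM(B1:B2)</f>" in read_part(unprotected, "xl/worksheets/sheet1.xml"))
```

Run it and you see the formula SUM(B1:B2) sitting in clear text before and after: the protection never hid it. On a real workbook, feed the bytes of the .xlsx to strip_sheet_protection and write the result back under a new name; Excel opens it without asking for the sheet password. Feed it an encrypted workbook and it stops at the container check, which is the same wall the manual attempt above ran into.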
Reporting security issues to Microsoft
If you think or suspect to have found a security issue in a Microsoft product, don’t hesitate to report it.
To report a vulnerability in a Microsoft product or service, go to the Microsoft Security Response Center (MSRC) website at https://www.microsoft.com/msrc.
You can track the status of your report; the MSRC team will work with you to investigate and resolve the issue, or confirm that a suspected behaviour is not a security issue but a lightweight protection against layout accidents, as is the case for worksheet protection.
The following list of articles is a memory aid and quick reference to interesting and useful articles regarding the use of the eID (Belgian identity card), related to privacy, data protection and GDPR.
This article will be updated regularly when interesting items are discussed or noted in workshops, discussions or on social media like LinkedIn.
(quote, feb 2020) “I am Annie from CIO Applications Europe magazine and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the Information Security arena and have shortlisted them to be featured as one of the “Top 10 Information Security Consulting/Service Companies 2020”, <…> being one of them.”
(quote, apr 2020) “I am Annie from CIO Applications Europe magazine, and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the GDPR arena and have shortlisted them to feature as one of the “Top 10 GDPR Consulting/Service Companies 2020”, <…> being one of them.”
2023 version: replace
"Annie BG Mathews" with "Nina Campbell"
"CIO Applications Europe" with "CIO Review Europe"
"2500 EUR", now indexed to 3000 EUR for a 2-pager,
"Top 10 Information Security Consulting/Service Companies" with "Top 10 Cyber Security Service Providers in Europe 2023" in the "Cyber Security" edition.
Did you also get the same mail from "CIO Applications Europe" or "CIO Review Europe", with their fabulous "Top 10" marketing, asking a small fee of €2500,- (2023: €3000,-) to be featured as a top player in the <see below> field, for which you get a fabulous… eh… single one-pager PDF. And the right to use their top 10 logo in your marketing.
Top, you make me feel so special!
Just… ehm… the grapevine says lots of my sector contacts and LinkedIn network contacts got the exact same mail… So, top 10, my @§§.
Marvelous quick win
Just a bit of 12y-old math says: that is a smart turnover of 25.000 EUR per top 10 published. Knowing that they have published roughly 30 of their “top 10” articles for 2019, this means a quick win of €750.000 on one-pagers only.
Agile Technology, Asset management, Automotive, Blockchain, Blockchain Solutions, Business Intelligence, CEM solution, Contact center, Cognitive consulting, ERP, FinTech Solution, GDPR Solutions, GDPR consulting, IBM Solution, Information Security, IoT solution, IT services management, Legal technology, Mar tech, Microsoft solution, Microsoft Consulting, Procurement, Proptech, Salesforce, Smart City Tech,…
Forgive me if I forgot another €25.000,- in the 30x Top 10 of 2019 they listed.
But some important categories missing, so you can do that too, some ideas below.
If the “Top 10” on GDPR is completed, you create new categories like “GDPR consulting”, “GDPR legal advice”, “GDPR breach specialist”, “GDPR expert”, “GDPR Services”, that’s another 125K of revenue, easy deal to fill the 1 million bucket.
So, you can buy yourself a list in the Top 10.
So here’s the deal, for 2499 EUR, you can get listed in the 2020 Top 10 spam and scam companies, you get a full A6 print page (special 7pt Wingdings font) with a 3 minute made-up interview with your CSSO. (Chief Spam’n Scam Officer.)
Legit business??
For €2499,- you get an interview, a one pager and a logo for display.
I quote: “We want to work with you towards a single page article after an interview with the senior management projecting the unique story of your company. For a nominal amount of 2,500 Euros, you will own complete print and digital rights to use the pdf of profile in your process of acquiring new clients along with many other prominent benefits like rights to use the Top 10 logo in your communications, single page complimentary advertisement placement and many more which I would love to explain when we connect. “
It’s not forbidden to make you a ridiculous offer, but do you really want to sponsor this scam and spam practice and keep it alive?
Fact is, this is not 'just a spam' campaign. It is set up as a legitimate business, at first sight.
You can still ask yourself why CIO Applications “EUROPE” would have a phone number in the US.
#GDPR!
It’s not only about the scam, they are using personal data without notification.
And you can argue they can rely on "legitimate interest". Yes, for sure. But they still need to comply with articles 13 and 14 when collecting personal data. Their privacy notice (https://www.cioapplicationseurope.com/privacy-policy/) is not mentioned in the mail communication, it does not state how they collected my data or how they process it, and it lacks the legally required GDPR mentions (like the DPO contact details, the right to complain to the DPA, and so on…).
There is no reference on how to file a data subject access request… you can always spam their marketing department, as mentioned in their privacy notice.
So, this could even be a valid reason for contacting your DPA and file a complaint.
I don’t want to unsubscribe to spam mail, because I don’t want to give you just more information if you don’t respect me from the beginning.
What’s the real problem then?
What do you think of a "Top 10" ranking that is based only on the fee you pay? The first 10 that pay are in the top 10. Number 11, bad luck. Oh wait, we'll set up another top 10.
This feels like bribery. And psychological pressure.
They send the requests to new companies, struggling to conquer the market. They make you feel important, but it's only about the money.
This type of practice casts a bad light on other, legitimate rankings… the smell of money on any "Top 10 …something". It damages the reputation of other communities, value papers and the IT and security sectors. And it's not isolated to this one bad apple.
Be smart
Think. If it doesn’t feel right, it is not right. For a bare €2499,- you can achieve a lot more than a single page PDF and a top 10 logo.
For the same money and the support of a real marketing specialist, and some smart channel management, you can create real impact.
But most important of all, do what you do best. Create impact. Create great stuff, create buzz, let customers tell your story…
Stay out of the pile of bad apples.
#justthinking
Year | Company | Website | Contact | Award
2023 | CIO Review Europe / CIO Tech Outlook | cioreview.com / ciotechoutlook.com | Nina Campbell | Top 10 Cyber Security Service Providers in Europe 2023
Minimum Standards (Minimale Normen / Normes Minimales) of the KSZ (Kruispuntbank van de Sociale Zekerheid, the Belgian Crossroads Bank for Social Security), based on ISO27001/ISO27002
“The application of the minimum information security and privacy standards is mandatory for social security institutions in accordance with article 2, first paragraph, 2° of the law of 15 January 1990 establishing and organising a Crossroads Bank for Social Security (KSZ). In addition, the minimum information security and privacy standards must also be applied by all organisations that form part of the social security network in accordance with article 18 of this law. Finally, the sectoral committee for social security and health may also impose compliance with the minimum information security and privacy standards on bodies other than those mentioned above.”
Note: to be clear, these documents are nothing new as such, but outside social security these standards are less well known… hence it is useful to keep them as a memory aid and reference. You come across them sooner than you think…
A few days ago I got a question from a security officer asking for guidance on event and system logging.
What I can recommend: a good guideline and indication is this one from OWASP.
You know OWASP is THE reference for software security… with their OWASP Top 10 etc.
On the user side, you also have to think carefully about which events matter:
Large volumes of failed logons for sensitive users may indicate:
- an attack
- denial of service
- hacking (password guessing)
- an attack on the password database, large volumes of password change attempts, …
Smart password 'testers' will stay just below the lockout limit…
Successful logons by special accounts from abnormal places or at abnormal times
Changes to the rights of sensitive accounts
Promotion of regular users to admin or other sensitive accounts in AD or the central user database
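To make the list above concrete, an added example (my own Python, not from the original post or from OWASP) that runs four of those detections over constructed sample log lines: a failed-logon burst for one user, the low-and-slow password spray that stays under the lockout threshold per user but hits many users from one source, a sensitive account logging on at night or from outside the internal range, and a promotion into a privileged group. The line format, the thresholds, the account names and the IP addresses are all assumptions made for the example.

```python
"""Detection logic for the logon events listed above, over constructed sample
log lines. Added example, not part of the original post. The line format,
thresholds, account names and IPs are assumptions for the example, not a
real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp | event | user | source IP | detail
SAMPLE_LOG = """\
2024-03-04T02:00:00|LOGON_FAIL|alice|10.0.0.5|bad password
2024-03-04T02:00:20|LOGON_FAIL|alice|10.0.0.5|bad password
2024-03-04T02:00:40|LOGON_FAIL|alice|10.0.0.5|bad password
2024-03-04T02:01:00|LOGON_FAIL|alice|10.0.0.5|bad password
2024-03-04T02:01:20|LOGON_FAIL|alice|10.0.0.5|bad password
2024-03-04T02:05:00|LOGON_FAIL|bob|203.0.113.7|bad password
2024-03-04T02:05:05|LOGON_FAIL|carol|203.0.113.7|bad password
2024-03-04T02:05:10|LOGON_FAIL|dave|203.0.113.7|bad password
2024-03-04T02:06:00|LOGON_FAIL|bob|203.0.113.7|bad password
2024-03-04T02:06:05|LOGON_FAIL|carol|203.0.113.7|bad password
2024-03-04T02:06:10|LOGON_FAIL|dave|203.0.113.7|bad password
2024-03-04T03:15:00|LOGON_OK|svc-backup-admin|198.51.100.9|interactive
2024-03-04T09:00:00|LOGON_OK|bob|10.0.0.8|interactive
2024-03-04T09:30:00|GROUP_ADD|bob|10.0.0.8|Domain Admins
2024-03-04T10:00:00|LOGON_OK|svc-backup-admin|10.0.0.3|interactive
"""

LOCKOUT_THRESHOLD = 5                 # assumed account lockout threshold
WINDOW = timedelta(minutes=10)        # sliding window for burst detection
SENSITIVE_USERS = {"svc-backup-admin"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 counts as normal
TRUSTED_NETS = ("10.",)               # assumed internal address prefix


def parse(log: str) -> list:
    """Split the sample lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, event, user, src, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src": src, "detail": detail})
    return events


def failed_logon_bursts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Users with >= threshold failures inside one window: the noisy brute force."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            per_user[e["user"]].append(e["ts"])
    hits = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(user)
                break
    return sorted(hits)


def password_spray(events, threshold=LOCKOUT_THRESHOLD, min_users=3):
    """Sources that fail against many users while keeping every user *below*
    the lockout threshold: the 'stay just under the blocking limit' pattern
    that a per-user rule never sees."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "LOGON_FAIL":
            per_src[e["src"]][e["user"]] += 1
    return sorted(src for src, users in per_src.items()
                  if len(users) >= min_users and max(users.values()) < threshold)


def abnormal_sensitive_logons(events):
    """Successful logons of sensitive accounts outside business hours or from
    outside the trusted networks."""
    return [(e["user"], e["ts"].isoformat(), e["src"]) for e in events
            if e["event"] == "LOGON_OK" and e["user"] in SENSITIVE_USERS
            and (e["ts"].hour not in BUSINESS_HOURS
                 or not e["src"].startswith(TRUSTED_NETS))]


def privilege_changes(events):
    """Users added to a privileged group."""
    return [(e["user"], e["detail"]) for e in events
            if e["event"] == "GROUP_ADD" and e["detail"] in PRIVILEGED_GROUPS]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("bursts:", failed_logon_bursts(ev))
    print("spray sources:", password_spray(ev))
    print("sensitive logons:", abnormal_sensitive_logons(ev))
    print("privilege changes:", privilege_changes(ev))
```

The spray detector is the one worth having: a per-user threshold is exactly what the attacker budgets for, so you count distinct users per source instead. Lowering the threshold in failed_logon_bursts catches the spray too, at the cost of noise from every user who mistypes twice.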
CLASSIFICATION
Make sure you have a data, user and system classification policy.
Define roles and / or categories.
Which objects are “not important”, “not sensitive”, sensitive, important, critical.
The protection must be tailored to the category type.
STORAGE
In addition, you should also write a retention policy for the logs.
This often poses a logistical problem with disk space.
If you know that attacks are sometimes only detected after 200-300 days, you should be able to do a forensic investigation covering that whole period.
But that does not have to be on live data; if it is in backup, that is also fine.
In terms of operational data, you have to decide how much should be available immediately, for immediate consultation.
For example, that could be 1 month (if the system can hold that much).
BACKUP
Ensure that a backup can be guaranteed for a year (combination of full / differential and / or incremental backups or virtual snapshots …)
This is not a fixed period, but depending on risk management this may be more or less.
IMPORTANT: Time synchronization
Also make sure that you require NTP time synchronization, so that the clocks are exactly matched to each other on all systems.
Log analysis is impossible without correct timing.
SECURITY
Ensure that logs on source systems cannot be deleted by administrators (a local administrator can always clear a local log, so forward logs off the system as soon as they are written).
Ensure that the logs are also shielded from the system owners themselves;
Ideally, make central log storage (for example in a SIEM system) mandatory.
Secure backups
Consider managed encryption of data and backups, meaning encryption under your own key management, as opposed to the kind that ransomware or malware applies for you.
Healthy logging and healthy backups
Make sure to test backups and restores!
Check the logs and backup for malware.
LOG CENTRALIZATION
Store logs centrally with sufficient storage capacity, security and backup.
LOG MANAGEMENT
A good management process and regular inspection must become mandatory.
Ensure monitoring for special events or special trends (sudden growth, sudden decrease or disappearance of logs).
Arrange forensic preservation / retention (legal hold) of the logs if an intrusion or data breach may need to be reported to the government / DPA / police.
The NIST documentation referenced below provides useful hints and tips per type of system: routers, switches, firewalls, servers…
LEGISLATION
Take into account legislation such as GDPR or ePrivacy or others that impose your obligations (legal, judicial, international, fed gov, …)
EXPERIENCE
Look at and learn from past incidents and known use cases or accidents, which give a clear hint of what to protect first.
PDCA – plan-do-check-act
Require a regular review of the policy and the rules; ensure that the guidelines are updated to new requirements and changing situations.
It is painful to find out after the fact that your logging was not working properly.
I’ve posted this on LinkedIn before, but I couldn’t find it right away.
So a blogpost helps as external memory and should make it easier to find.
If you want to quickly fill a Word document with intelligent rubbish, type =lorem(p,l) and press Enter: p is the number of paragraphs you need, and l the number of lines per paragraph.