Information Security

Multi-factor authentication (MFA) is generally available these days with popular services e.g. Facebook, Google, Amazon, etc. Even more traditional industries, such as banks, are also doing, slowly, the same. A good mention here for my previous employer, a credit union, that has implemented multi-factor authentication around 2019.

You finally decided to use cloud services for your organization? Great! There are definitely many advantages. Your objective was also to outsource the security to the provider? Sorry, not quite. The security of your information will always be your own responsibility.

We trust cloud services to keep our data secure. But we don’t always think about the impact in the event where the service would have some downtime. Even less in a situation where the provider would decide to disable the service.

There are more and more organizations interested in a penetration test, or simply a “pentest”, on their infrastructure. However, there is a requirement for specific skills and this expertise is not often available within most organizations. It is also a good idea to have an external opinion, someone who will be impartial and doesn’t know too much about the current configuration.

Many cloud providers are often criticized for the security provided with object storage services. Even more after the disclosure of private information that occurred in 2017 by using these services. These security breaches were also from well-known organizations such as Verizon, Accenture, Booz Allen Hamilton, Viacom, National Security Agency, National Credit Federation, Australian Broadcasting Corporation, Department of Defense, Republican National Committee, etc.

The NIST published last June the final version of the Digital Identity Guidelines also known as SP 800-63. This publication was a draft since 2016 and they even asked for comments from the community on GitHub during the summer 2016. All these comments were inputs for the final publication.

The data security breaches occurred/disclosed in October 2017. Disqus The popular commenting system was breached in 2012. Disqus got notified by Troy Hunt, a security expert, who obtained a copy of the data. According to the company, the data exposed are from 2007 and involve 17.

You probably already received one of these letters if you have registered a domain name in the past few years. The company behind these letters is Brandon Gray Internet Services Inc. The worst part is the fact this is a legitimate organization registered and operating in Canada (Markham, Ontario).

This post was published when this blog was also in French. This post is available in English. Septembre 2017 a été un mois intéressant pour plusieurs brèches importantes de sécurité. Nous avons tous appris la valeur de nos informations personnelles. À partir de maintenant, je vais publier un billet mensuel au sujet des brèches importantes de sécurité du mois précédent.

September 2017 has been an interesting month for many important security breaches. We all learned the value of our personal information. From now, I will publish a monthly post about the major security breaches from the previous month. Equifax Equifax is a consumer credit reporting agency and they had a recurrent unauthorized access to their systems from May 13th to July 30th.

This post was published when this blog was also in French. This post is available in English. Terminé. Cet examen de 6 heures avec ses 250 questions est enfin du passé. Eh oui, je parle bien du légendaire CISSP ou l’examen pour le “Certified Information Systems Security Professional” de ISC2.

Done. The 6-hour exam with its 250 questions is finally in the past. Yes, I am talking about the famous CISSP or the “Certified Information Systems Security Professional” exam from ISC2. This is the certification that most information security professionals will try to obtain at one point in their career.