Information Security

Are You Outsourcing Your Security With a Cloud Application?
August 1, 2018   |   Information Security

You finally decided to use cloud services for your organization? Great! There are definitely many advantages. Your objective was also to outsource the security to the provider? Sorry, not quite. The security of your information will always be your own responsibility. You will still have some shared responsibilities with the cloud provider. True, you will probably manage less technology controls but still many administrative ones. As with any partnerships, you have the responsibility to perform due diligence on your future business partners.

Continue Reading
Keeper Security and Random Deactivation
May 30, 2018   |   Information Security

We trust cloud services to keep our data secure. But we don’t always think about the impact in the event where the service would have some downtime. Even less in a situation where the provider would decide to disable the service. Well, I had the last situation with one provider, Keeper Security. Context All started in June 2017 when I subscribed to a 14-day trial period for the business edition. There is a sale representative who reached out to me toward the end of the trial period.

Continue Reading
Are You Really receiving a Penetration Test Report?
February 22, 2018   |   Information Security

There are more and more organizations interested in a penetration test, or simply a “pentest”, on their infrastructure. However, there is a requirement for specific skills and this expertise is not often available within most organizations. It is also a good idea to have an external opinion, someone who will be impartial and doesn’t know too much about the current configuration. Thus, it is often necessary to hire a security firm to accomplish this task.

Continue Reading
Cloud Security with Object Storage
January 5, 2018   |   Information Security

Many cloud providers are often criticized for the security provided with object storage services. Even more after the disclosure of private information that occurred in 2017 by using these services. These security breaches were also from well-known organizations such as Verizon, Accenture, Booz Allen Hamilton, Viacom, National Security Agency, National Credit Federation, Australian Broadcasting Corporation, Department of Defense, Republican National Committee, etc. There are often new organizations to add on this list but they are the main one from the last months.

Continue Reading
NIST and the Digital Identity Guidelines
November 21, 2017   |   Information Security

The NIST published last June the final version of the Digital Identity Guidelines also known as SP 800-63. This publication was a draft since 2016 and they even asked for comments from the community on GitHub during the summer 2016. All these comments were inputs for the final publication. Many posts on the Internet mention these changes. But I think it is still important to reiterate them since they are not necessarily well known by everyone who is not in information security.

Continue Reading
October 2017 : Security Breaches
November 5, 2017   |   Information Security

The data security breaches occurred/disclosed in October 2017. Disqus The popular commenting system was breached in 2012. Disqus got notified by Troy Hunt, a security expert, who obtained a copy of the data. According to the company, the data exposed are from 2007 and involve 17.5 million users. Among the user’s information stolen include email addresses, usernames, sign-up dates and last logins. However, about one third or approximately 5.8 million users, also got their passwords in the wild.

Continue Reading
iDNS: Scam Going On for More Than 15 Years
October 15, 2017   |   Information Security

You probably already received one of these letters if you have registered a domain name in the past few years. The company behind these letters is Brandon Gray Internet Services Inc. The worst part is the fact this is a legitimate organization registered and operating in Canada (Markham, Ontario). I thought for a long time it was only a scam here, but I recently discovered they also operate in the United States, Europe and Australia.

Continue Reading
Septembre 2017: Brèches de sécurité
October 3, 2017   |   Information Security

This post was published when this blog was also in French. This post is available in English. Septembre 2017 a été un mois intéressant pour plusieurs brèches importantes de sécurité. Nous avons tous appris la valeur de nos informations personnelles. À partir de maintenant, je vais publier un billet mensuel au sujet des brèches importantes de sécurité du mois précédent. Equifax Equifax est un des plus importants bureaux de crédits et ils ont eu un accès récurrent non autorisé à leurs systèmes du 13 mai au 30 juillet 2017.

Continue Reading
September 2017: Security Breaches
October 3, 2017   |   Information Security

September 2017 has been an interesting month for many important security breaches. We all learned the value of our personal information. From now, I will publish a monthly post about the major security breaches from the previous month. Equifax Equifax is a consumer credit reporting agency and they had a recurrent unauthorized access to their systems from May 13th to July 30th. The technical teams knew about the vulnerability exploited since they even got a memo on March 9th to patch it (Apache Structs CVE-2017-5638).

Continue Reading
CISSP: Réussi, et une autre étape complétée
September 2, 2017   |   Information Security

This post was published when this blog was also in French. This post is available in English. Terminé. Cet examen de 6 heures avec ses 250 questions est enfin du passé. Eh oui, je parle bien du légendaire CISSP ou l’examen pour le “Certified Information Systems Security Professional” de ISC2. C’est probablement la certification que la plupart des professionnels en sécurité de l’information souhaitent obtenir à un moment donné dans leur carrière.

Continue Reading
CISSP: Passed, and One More Milestone Completed
August 28, 2017   |   Information Security

Done. The 6-hour exam with its 250 questions is finally in the past. Yes, I am talking about the famous CISSP or the “Certified Information Systems Security Professional” exam from ISC2. This is the certification that most information security professionals will try to obtain at one point in their career. Why? For most recruiters and companies that are looking for a professional in information security, the CISSP is now the golden ticket for employment in this field.

Continue Reading
Pourquoi avoir fait la certification OSCP?
April 4, 2017   |   Information Security

This post was published when this blog was also in French. This post is available in English. Depuis les dernières années, je suis de plus en plus du côté de l’audit TI et de la sécurité de l’information. Du moins, en théorie, j’ai encore plusieurs projets techniques… Toutefois, ça faisait déjà quelque temps que je voulais poursuivre la certification « Offensive Security Certified Professional » (OSCP). Au début, c’était un défi intéressant et surtout, je voulais valider mon intérêt à poursuivre une carrière dans le domaine des tests d’intrusion et c’était définitivement une bonne façon de confirmer, ou non, mon intérêt.

Continue Reading