As always, I have not really been active here for the last few months, or even the last year. At least, I had a good reason this time. I was kind of busy writing my essay for the master’s degree.
I began a graduate degree in September 2013 with a specialization in IT governance, audit, and security at Université de Sherbrooke. The program is accredited by ISACA and covers the seven domains related to the CISA certification.
Well, I should definitely work on my master’s essay, but I thought it could be a good time to update my website. Again. Less than 2 months after the previous version…
WordPress to Hugo Framework
WordPress is certainly the most popular blog platform. However, a popular application with many plugins developed by third parties is also a good target for malicious actors. The result is many weekly updates.
I finally obtained the Certified Information Systems Security Professional (CISSP) certification. It is definitely the most well-known certification in the information security industry and the one recommended for any professional in this field.
What is the CISSP? It is not necessarily the most technical or specialized certification. It may seem that information security is one single, specific area, but it is quite the opposite: there are many possible domains. The CISSP is the ideal certification for someone who wants to know a little bit of everything across all these specializations.
You finally decided to use cloud services for your organization? Great! There are definitely many advantages. Your objective was also to outsource security to the provider? Sorry, not quite. The security of your information will always be your own responsibility. You will still share some responsibilities with the cloud provider. True, you will probably manage fewer technology controls, but still many administrative ones.
As with any partnership, you have the responsibility to perform due diligence on your future business partners.
We trust cloud services to keep our data secure. But we don’t always think about the impact if the service has some downtime. Even less about a situation where the provider decides to disable the service. Well, I experienced the latter situation with one provider, Keeper Security.
Context
It all started in June 2017 when I subscribed to a 14-day trial of the business edition. A sales representative reached out to me toward the end of the trial period.
PCI DSS is probably one of the most misunderstood compliance obligations among IT professionals. It is in fact the Payment Card Industry Data Security Standard (PCI DSS) governed by the PCI Security Standards Council (PCI SSC) founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa. These organizations are still on the PCI SSC’s executive committee. However, there is also a board of advisors from organizations such as Amazon, Citigroup, Microsoft, PayPal, Square, Starbucks, Wells Fargo, etc.
More and more organizations are interested in a penetration test, or simply a “pentest”, of their infrastructure. However, it requires specific skills, and this expertise is not often available within most organizations. It is also a good idea to have an external opinion from someone who is impartial and does not know too much about the current configuration. Thus, it is often necessary to hire a security firm to accomplish this task.
In August 2014, I published a post about my experience with the CISA exam and the required experience. Even 3 years later, it is still the most popular post here, and until not so long ago I would always see more requests after the exam dates. However, it seems that exams are no longer held on specific dates but within 3 specific testing windows throughout the year. I am still surprised by the number of comments I received on this post, and I wanted to post an update with some recurring questions.
Many cloud providers are often criticized for the security of their object storage services. Even more so after the disclosures of private information in 2017 involving these services. These security breaches also affected well-known organizations such as Verizon, Accenture, Booz Allen Hamilton, Viacom, National Security Agency, National Credit Federation, Australian Broadcasting Corporation, Department of Defense, Republican National Committee, etc. New organizations are regularly added to this list, but these are the main ones from the last few months.
Last June, NIST published the final version of the Digital Identity Guidelines, also known as SP 800-63. This publication had been a draft since 2016, and they even asked for comments from the community on GitHub during the summer of 2016. All these comments were inputs for the final publication. Many posts on the Internet mention these changes. But I think it is still important to reiterate them, since they are not necessarily well known by everyone outside information security.
The data security breaches that occurred or were disclosed in October 2017.
Disqus
The popular commenting system was breached in 2012. Disqus was notified by Troy Hunt, a security expert, who obtained a copy of the data. According to the company, the exposed data is from 2007 and involves 17.5 million users. The stolen user information includes email addresses, usernames, sign-up dates and last logins. However, about one third, or approximately 5.8 million users, also had their passwords exposed in the wild.
You probably already received one of these letters if you have registered a domain name in the past few years. The company behind these letters is Brandon Gray Internet Services Inc. The worst part is that this is a legitimate organization registered and operating in Canada (Markham, Ontario). I thought for a long time it was only a scam here, but I recently discovered they also operate in the United States, Europe and Australia.