Posts

Septembre 2017: Brèches de sécurité
October 3, 2017   |   Information Security

This post was published when this blog was also in French. This post is available in English. September 2017 was an interesting month, with several major security breaches. We all learned the value of our personal information. From now on, I will publish a monthly post about the major security breaches of the previous month. Equifax: Equifax is one of the largest credit bureaus, and attackers had recurring unauthorized access to its systems from May 13 to July 30, 2017.

September 2017: Security Breaches
October 3, 2017   |   Information Security

September 2017 has been an interesting month, with many major security breaches. We all learned the value of our personal information. From now on, I will publish a monthly post about the major security breaches of the previous month. Equifax: Equifax is a consumer credit reporting agency, and attackers had recurring unauthorized access to its systems from May 13th to July 30th. The technical teams knew about the exploited vulnerability, since they had even received a memo on March 9th to patch it (Apache Struts, CVE-2017-5638).

Kantoku: Fin du projet et retour possible
September 17, 2017   |   Personal Thoughts

This post was published when this blog was also in French. This post is available in English. Kantoku was a self-hosted application for companies to easily manage their IT governance, risk and compliance (GRC). As mentioned in a previous post, I developed this application during the first months of 2016. At the start of the project, it was a Software-as-a-Service (SaaS) solution with a high-availability infrastructure on AWS. However, I quickly decided to retire the infrastructure behind the SaaS solution.

Kantoku: Project Shutdown and Future Comeback
September 17, 2017   |   Personal Thoughts

Kantoku is a self-hosted application for companies to manage their IT governance, risk management and compliance (GRC). As mentioned in a previous post, I developed this application during the first part of 2016. At first, it was a Software-as-a-Service (SaaS) solution with a really nice high-availability infrastructure on AWS. However, I had to put aside the infrastructure behind the SaaS solution. Back then, it was mostly a question of priorities.

CISSP: Réussi, et une autre étape complétée
September 2, 2017   |   Information Security

This post was published when this blog was also in French. This post is available in English. Done. This 6-hour exam with its 250 questions is finally behind me. Yes, I am talking about the legendary CISSP, the “Certified Information Systems Security Professional” exam from ISC2. It is probably the certification that most information security professionals want to obtain at some point in their career.

CISSP: Passed, and One More Milestone Completed
August 28, 2017   |   Information Security

Done. The 6-hour exam with its 250 questions is finally in the past. Yes, I am talking about the famous CISSP, the “Certified Information Systems Security Professional” exam from ISC2. This is the certification that most information security professionals will try to obtain at one point in their career. Why? For most recruiters and companies looking for an information security professional, the CISSP is now the golden ticket for employment in this field.

Pourquoi avoir fait la certification OSCP?
April 4, 2017   |   Information Security

This post was published when this blog was also in French. This post is available in English. Over the last few years, I have moved increasingly toward IT audit and information security. At least in theory; I still have several technical projects... However, I had wanted for some time to pursue the “Offensive Security Certified Professional” (OSCP) certification. At first it was an interesting challenge, and above all I wanted to validate my interest in pursuing a career in penetration testing; it was definitely a good way to confirm, or not, that interest.

Why did I do the OSCP certification?
February 20, 2017   |   Information Security

I am more of an IT auditor, and on the business side of information security (at least in theory; I still like doing many technical projects). However, it was still important for me to pursue the Offensive Security Certified Professional (OSCP) certification. At first, I was perhaps interested in a career as a penetration tester (pentester), and it was indeed a good way to confirm, or not, my interest. The OSCP certification is unique among IT certifications.

Past 3 years, and a new beginning
December 30, 2016   |   Personal Thoughts

It has been a little more than 3 years since I graduated with my bachelor's degree. I must admit, it has not always been simple to figure out what I wanted to do. It could have been easier, but overall, I now understand why those different experiences were necessary for me. Deloitte: In 2014, I got my first full-time job related to my bachelor's, and it took me almost a year after graduation to finally receive an offer.

CISA exam passed, now the required experience
August 30, 2014   |   IT Compliance

Update: I published a new post with the most frequently asked questions about this post. Back in the summer of 2013, I was interested in passing the CISA exam even though I could not obtain the certification without the required experience. This was a way for me to demonstrate my interest in IT audit to potential future employers. I thought I could have taken the exam in December 2013, but I wasn't sure enough that I was ready to pass it, and considering the cost, I preferred to wait for the next exam date.

Email Security and S/MIME
October 10, 2013   |   Information Security

As I wrote in one of my previous posts, email is not a secure way to communicate and exchange confidential information, but that is not all. In information security, the CIA triad (confidentiality, integrity and availability) is often cited alongside other key properties such as authenticity and non-repudiation. It is important to keep these properties in mind in order to protect our information. Unfortunately, email was not designed to provide them out of the box.

Shared Passwords and Accountability
September 10, 2013   |   Information Security

Accountability is a principle often forgotten in daily business, and many employees don't take their credentials (e.g. usernames and passwords) seriously. What would your reaction be if an auditor or a law enforcement officer wanted to ask you some questions about a fraud in your organization? This is probably the worst-case scenario, but it is always possible if you share your credentials with someone else. Indeed, if you give your credentials to your colleagues and they use them to commit illegal activities, it is your name that will show up in the transaction logs.
