Blog

In this blog post I will give a high-level overview of topics relevant to data protection. The objective is to make sure that any initiative to review the data protection approach starts with a broad enough scope, avoiding common oversights and issues.

Browsing through old stuff, I ran into a document from 2005. It is not (primarily) out of nostalgia that I keep old stuff, just stuff that looks good enough to keep, and sometimes I am spot on. The topic of the old document is a high-level view for improving the state of security.

Contrary to the norm for academic papers, I will not include references to third parties. The text should be sufficient for the purpose of the blog. This content is not intended for cryptographers; they indicated it is too simple, since I left out details, and uninteresting. Security people might want to know that rogue signing without extracting the...

In this short blog post I will look at the two main attacks targeting data: ransomware and data exfiltration. They are closely linked in real attacks and require related defensive measures.

The kick-off is the checkpoint to verify that all arrangements have been made: the SPoCs are briefed and available, the restrictions are clear, all contractual issues have been solved, NDAs are in place, test access is set up, tested and ready to be used, test accounts are set up, …

The first question to answer is how independent the testing needs to be from the business and IT owners of the targets. For regulatory testing, the testers' organization must be independent of the organization owning the targets. This requires that the creation, maintenance or operation of the targets is not even partially done by the testers'...