Contrary to the norm for academic papers, I will not include references to third parties; the text should be sufficient for the purpose of the blog. This content is not intended for cryptographers: they indicated it is too simple (I left out details) and uninteresting. Security people might want to know that rogue signing without extracting the...
Attacks targeting data
In this short blog post I will look at the two main attacks targeting data: ransomware and data exfiltration. They are closely linked in real-world attacks and require related defensive measures.
The whole point of security testing is to report the identified risks to the business. The business wants to be assured that the changes, or the current state of the system, keep the resulting risk within its risk appetite.
The kick-off is the checkpoint to verify that all arrangements have been made: the SPoCs are briefed and available, the restrictions are clear, all contractual issues have been solved, NDAs are in place, test access is set up, tested and ready to be used, test accounts are set up, …
The what-when-where must be formalized:
The first question to answer is how independent the testing needs to be from the business and IT owners of the targets. For regulatory testing, the testers' organization must be independent of the organization owning the targets. This requires that the creation, maintenance or operation of the targets is not even partially done by the testers'...
Functional security testing, such as verifying authorization enforcement and the logging of security events, should be part of standard Quality Assurance. Compliance with secure configuration standards should also be business as usual.
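As an added illustration of what such QA-level functional security tests look like (this is example code written for this page, not code from the blog or from any real product), the block below tests a toy report service against a role-to-permission matrix and checks that every denial produces a security event. The service, the roles and the permission names are constructed for the example; the `BrokenReportService` variant deliberately omits one authorization call to show the kind of regression the tests are meant to catch.

```python
"""Added illustration: functional security tests of the kind that belong in
standard QA, checking (1) that an authorization matrix is enforced on every
operation and (2) that denied actions leave a security event and have no effect.
The service, roles and permissions below are constructed for this example."""
from typing import Dict, List, Set, Tuple

# Constructed role-to-permission matrix: the expected behaviour QA tests against.
PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin":   {"report:read", "report:export", "report:delete"},
}
ALL_ACTIONS = ("report:read", "report:export", "report:delete")


class Forbidden(Exception):
    """Raised when a role lacks the permission for an action."""


class ReportService:
    """Toy service: every operation must go through _authorize, which also
    records an audit event for both grants and denials."""

    def __init__(self) -> None:
        self.reports = {"q1": "quarterly figures"}
        self.audit: List[dict] = []   # in-memory stand-in for a security event log

    def _authorize(self, role: str, action: str) -> None:
        allowed = action in PERMISSIONS.get(role, set())   # unknown role: deny by default
        self.audit.append({"role": role, "action": action, "allowed": allowed})
        if not allowed:
            raise Forbidden(f"{role} may not {action}")

    def read(self, role: str) -> str:
        self._authorize(role, "report:read")
        return self.reports["q1"]

    def export(self, role: str) -> bytes:
        self._authorize(role, "report:export")
        return self.reports["q1"].encode()

    def delete(self, role: str) -> None:
        self._authorize(role, "report:delete")
        self.reports.pop("q1", None)


class BrokenReportService(ReportService):
    """Same service with the authorization call forgotten on export: the kind of
    regression a QA suite should catch before release."""

    def export(self, role: str) -> bytes:
        return self.reports["q1"].encode()


def _call(service: ReportService, role: str, action: str) -> bool:
    """Invoke the operation behind `action`; True if granted, False if denied."""
    op = {"report:read": service.read, "report:export": service.export,
          "report:delete": service.delete}[action]
    try:
        op(role)
        return True
    except Forbidden:
        return False


def authorization_violations(service_factory) -> List[Tuple[str, str]]:
    """Exercise every (role, action) pair against a fresh service instance and
    return the pairs whose outcome differs from PERMISSIONS. An unknown role is
    included because 'deny by default' is part of the expected behaviour."""
    violations = []
    for role in list(PERMISSIONS) + ["unknown"]:
        for action in ALL_ACTIONS:
            expected = action in PERMISSIONS.get(role, set())
            if _call(service_factory(), role, action) != expected:
                violations.append((role, action))
    return violations


def denied_actions_are_logged(service_factory) -> bool:
    """Every denial must leave an audit event with allowed=False, and the denied
    action must have had no effect (the report still exists afterwards)."""
    for role in list(PERMISSIONS) + ["unknown"]:
        for action in ALL_ACTIONS:
            svc = service_factory()
            if _call(svc, role, action):
                continue   # granted: only denials are checked here
            denials = [e for e in svc.audit
                       if e["role"] == role and e["action"] == action and not e["allowed"]]
            if not denials or "q1" not in svc.reports:
                return False
    return True


if __name__ == "__main__":
    print("correct service violations:", authorization_violations(ReportService))
    print("broken service violations: ", authorization_violations(BrokenReportService))
    print("denials logged (correct):  ", denied_actions_are_logged(ReportService))
```

The matrix-driven check is the important design choice: the test enumerates every role and action (including a role that does not exist) rather than spot-checking one happy path, so a single forgotten authorization call shows up as a concrete (role, action) pair. In a real QA pipeline the same two functions would run against the deployed API instead of an in-process object.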
Introduction: business viewpoint
Regulation, a magical solution?
A basic rule in security is that everything could, and probably will, fail eventually. How to respond to failures should therefore be a standard reflection for security professionals.