Collaborate Disseminate
The Emotet trojan is active again and I read a bit about how it propagates. This includes phishing and having users launch all kind of files (exes, fiels with macros, …) – a typical method.
It also scans the network for wr… Continue reading How does the Emotet trojan activates its remote copies?
HPKP was used to ensure that a browser accepts to connect to a site only if the public key he has on file is the one presented by the target site. I saw it as a way to make deep content inspection more complicated (some sites… Continue reading How effective is Expect-CT against content inspection in an enterprise context?
Organization A has a service that is ISO 27001 certified. It is acquired by Organization B which does not have any certification.
What are the formal impacts of the acquisition on the ISO 27001 certification?
I am intereste… Continue reading How does a merger formally impact an ISO 27001 certification?
I am currently discussing / considering the possibility to disable access to USB drives (USB storage) on Windows machines.
There are technical means to do this and I am trying to balance arguments in the threat scenario.
PRO removal of … Continue reading Are there tangible recommendations for USB drives to be disabled?
Personally Identifiable Information (PII) is defined (the example below is from NIST) as (emphasis mine)
Information that can be used to distinguish or trace an individual’s
identity, such as name, social security numbe… Continue reading Is a standalone phone number considered Personally Identifiable Information?
This question already has an answer here:
What technical reasons are there to have low maximum password lengths?
14 answers
The definition of Insecure Direct Object Reference (IDOR) from OWASP is (emphasis mine)
Insecure Direct Object References occur when an application provides
direct access to objects based on user-supplied input. As a re… Continue reading Can an Insecure Direct Object Reference point to a plain file or page?
aka “how to scare my family into stopping publishing their life online?”
I do not publish personal photos / opinions publicly online as a rule. I never gave hard thoughts about that but I believe that one should either expli… Continue reading What are the real physical risks of casual social media publishing?
When reading some documentation about the security of a product, I found that the vendor uses the SHA-2 of a password to encrypt data (AES-256), instead of using this password directly.
Are there any advantages of doing so?
… Continue reading Why would a password be hashed before being used to encrypt something?
I did not find any mention of the need to renew a self-assesment (PCI DSS SAQ-A or SAQ-A-EP) in the PCI DSS documentation.
There are mentions of renewal for assessors (to maintain their accreditation) and a search over Inte… Continue reading Should a PCI-DSS certification be renewed?