Posts

Introduction In the first post of this series, I introduced the principle of Assume Breach and highlighted three areas that are often underdeveloped in practice: Business Continuity Planning, Data Loss Prevention and Cryptography. This post takes a closer look at the first of these topics: Business Continuity Planning, or BCP. In my experience when reviewing organisations through internal laudits, maturity assessments or ISO 27001 implementations, Business Continuity Planning is often present on paper. There may be a policy, a business impact analysis, a list of critical systems and perhaps even a recovery plan. However, the real question is not whether a BCP document exists. The real question is whether the organisation can continue to operate when disruption actually occurs. ...

Introduction In the past year, I have performed numerous internal audits. Across many of these audits, I observed a recurring pattern: three important security domains are often either limited in scope or insufficiently implemented: Business Continuity Planning Data Loss Prevention Cryptography In most cases, an initial effort has been made. However, the actual coverage, maturity and operational effectiveness of these implementations are often lacking. In my view, these controls do not always receive the level of attention and organisational weight they deserve. ...

A little over a year ago I started at CAN in the role of Senior Consultant Information Security. The role demands a lot of travel and gives me the chance to visit many different organizations, where I can help identify gaps in ISO 27001, ISO 9001 and NEN 7510 compliance, when performing internal audit. I also helped some organization in implementing an ISMS according to ISO 27001. Reflection In the past couple of months I have reflected on whether the role is the right fit and what I want to do for a living. ...

As some of you know, a couple of years ago our son was diagnosed with Autism Spectrum Disorder (ASD). During this process the characteristics of autism triggered a sense of recognition, not just regarding my son, but also for myself. We talked about this topic for a very long time and I have started the process, mid 2022, of diagnosing if I also might have ASD. Due to the long waiting list in (mental) healthcare and the specialized nature of diagnosing ASD in adults in the Netherlands the process started in April 2023, with the formal diagnoses Summer 2023. First the general practitioner transferred me for diagnoses of ADD or ADHD. For me that did not resonate well. It took some convincing and finding the right organization for me to get a transferral to them. ...

Although I joined Trustforce (in May of 2024) with the best intentions and high expectations, it became clear over the course of the year that the position was not the right fit for me. The nature of the projects and roles in outsourcing did not align with my professional interests and long-term goals. While I greatly appreciated the welcoming and supportive team environment, we mutually agreed that it was in the best interest of both parties to end the collaboration. ...

Another year and a another certificate to pursue. This time round a addition to my CISSP certificate, trying to achieve CCSP. According to ISC2 a nice combination that is in demand. This are my experiences and opinions. Course & Preparation In preparation I bought the set of books earlier this year. Just to get a feel of the course material. And lo and behold, it is, a bit expected, quite similar to CISSP, a nice overlap in domains and it seems slightly easier. The type of questions and chosen language is the same. This is quite tough. ...

Upgrading the platform Last December I bought a mini PC, a Intel N100 CPU with 6 LAN ports. The other router did not really perform anymore and it was time to upgrade. Although I ordered the device without RAM and storage, the order was received with 16GB of RAM and a 256GB NVME SSD installed. Nice gift. I had ordered a 16GB DDR5 and another SSD. So what to do with the extra SSD? ...

Running applications on TrueNas Scale All of the application that run on the TrueNas Scale, run default unencrypted. When accessing it just from the same network and if you control access to that network, it is a reduced risk. Nevertheless I prefer the communication to and from services to be encrypted. It fits in the layered security and defense in depth strategies. Creating the PKI When creating the Public Key Infrastructure (PKI) there are different solutions. Digicert has a nice series of white papers on what it is and how to use. However the scalable solution is a bit overkill for just one server with a load of services to secure. ...

Sometimes a opportunity presents itself and I would be stupid not to jump on it and change direction once more. In the last year I have learned a lot, from the effort it took to achieve my CISSP status to the uncertainties that being a freelancer brings and also I learned a lot on what I like and do not like. Downsides I encountered Let me start with the downsides, trying to get any assignment is tough. There are a lot of recruiters out there, they all claim to have the best opportunity for me. However a lot of times the role does not fit into my skill set at all. The requirements for the role are not even close to my skill set or are not for a role I am looking for. Next the majority claims to want to have a personal connection with the candidate. Like they are my best friend. Sadly I am the product they have to sell. And with ghosting me when the opportunity does not move forward is more and more the “norm”, if this is how one treats it’s “friends”, damn what is the world changing into? The, for me, common decency to call back or give a response should be the norm, not the exception. ...

Recently I tried to connect to my home using my trusted Wireguard solution, but it just did not work. Although the client claimed to be connected, I could not access anything on my Home Lab remotely. What is the issue? Why did this stop working? End of last year I replaced the router to a N100 CPU based mini pc, could it be due to migration of my config? Time to investigate…. And hopefully find a working solution. ...