I think the entire software development world saw NVIDIA’s CEO saying that the world will stop needing software developers, because they will be replaced by AI. Well, considering that this comes from the guy who sells the core on which…
Tag: Sorin Mustaca on Cybersecurity
Understanding NIS2 and DORA: What executives need to know
These days businesses are subject to increasing regulatory scrutiny, particularly regarding cybersecurity and operational resilience. Two significant EU regulations, NIS2 (Network and Information Systems Directive 2) and DORA (Digital Operational Resilience Act), outline mandatory requirements for organizations. Failure to comply…
How-To create Security User Stories
In the previous article, we explored how Scrum enables teams to add security to the backlog and prioritize it based on risk. Incorporating security into the SDLC ensures that security is not an afterthought but an integral part of the…
Bitcoin fraud through (hacked?) WordPress installations
I don’t usually write anymore about phishing attempts, but this one drew my attention due to the large number of emails and the variety of websites being used. Of course, I would not write “massive” if I had received 1-10,…
Delivering secure software in an agile way
Agile Software Development: Why It’s Better Traditional development methodologies, such as the Waterfall model, struggle to keep up with the need for quick iterations, frequent releases, and adaptability to changing requirements. Agile software development addresses these challenges by emphasizing…
Understanding Defense in Depth in IT Security
The recent outage caused by Crowdstrike’s faulty update has created a lot of discussions. I wrote a post on LinkedIn where I asked the readers why IT professionals are using Crowdstrike on some systems that shouldn’t be in need of…
ISO 27001:2022 and TISAX: overlaps and differences
Introduction ISO 27001:2022 and TISAX VDA ISA 6.0 are two prominent standards in the realm of information security management, particularly within the automotive industry. While ISO 27001 provides a global framework for establishing, implementing, maintaining, and continually improving an information…
Understanding the SOC 2 Certification
Introduction SOC 2 (Service Organization Control 2) certification is a framework designed by the American Institute of CPAs (AICPA) to help organizations manage customer data based on five Trust Service Criteria: confidentiality, processing integrity, availability, security and privacy. This certification…
Introduction to CISA’s Secure by Design Initiative
What is Secure by Design? Secure by Design products are those where the security of the customers is a core business requirement, not just a technical feature. Secure by Design principles should be implemented during the design phase of…
Implementing ISO 27001:2022 Annex A.18 – Compliance
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we end the series with ISO 27001:2022 Annex A.18, “Compliance”, which addresses the importance of ensuring that organizations comply with…
Mapping NIS2 requirements to the ISO 27001:2022 framework
We described here the process needed to perform a gap analysis for NIS2, but we did not add the details on how to approach this. This article references the ISO 27001:2022 series, especially the description of the Annex A…
Implementing ISO 27001:2022 Annex A.17 – Information Security Aspects of Business Continuity Management
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.17, “Information Security Aspects of Business Continuity Management”, which is crucial for organizations to ensure the resilience…
Implementing ISO 27001:2022 Annex A.16 – Information Security Incident Management
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.16, “Information Security Incident Management”, which is crucial for organizations to effectively detect, respond to, and recover from…
NIS-2: 10 common misconceptions about the regulation
We wrote here about NIS2 and we will continue to add more content about it. Because we are getting closer to October 17th, many people are getting more and more nervous about NIS2. Despite its significance, there are numerous misconceptions…
Google Ads for Bitbucket.org – malvertising at its best
What is it? Malvertising : Malware delivered through Advertising. These corrupted ads are designed to appear legitimate but they may serve malicious code, which can infect a user’s device simply through viewing or clicking on the ad. Malvertising exploits…
Implementing ISO 27001:2022 Annex A.15 – Supplier Relationships
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.15, “Supplier Relationships”, which is crucial for organizations in order to ensure the security of information assets…
Understanding ISO 27001:2022 Annex A.14 – System Acquisition, Development, and Maintenance
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.14, “System Acquisition, Development, and Maintenance”, which addresses the importance of ensuring the security of information…
Understanding ISO 27001:2022 Annex A.13 – Communications Security
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.13, “Communications Security”, which addresses the importance of securing information during its transmission over communication networks.…
Understanding ISO 27001:2022 Annex A.12 – Operations Security
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.12, “Operations Security”, which focuses on ensuring secure operations of information systems and assets. This annex provides…
Understanding ISO 27001:2022 Annex A.11 – Physical and Environmental Security
Understanding ISO 27001:2022 Annex A.10 – Cryptography
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.10, “Cryptography”, which plays a vital role in ensuring the confidentiality, integrity, and authenticity of sensitive information.…
Understanding ISO 27001:2022 Annex A.9 – Access Control
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.9, “Access Control”. Access control is a fundamental component of information security management systems (ISMS). It…
Understanding ISO 27001:2022 Annex A.8 – Asset Management
ISO 27001:2022 Annex A.8, “Asset Management,” addresses the importance of identifying, classifying, and managing information assets within an organization. This annex emphasizes the need for organizations to establish processes for inventorying assets, assessing their value, and implementing appropriate controls…
Understanding ISO 27001:2022 Annex A.7 – Human Resource Security
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.7, “Human Resource Security”. These controls address the critical role that personnel play in information security…
Understanding ISO 27001:2022 Annex A.6 – Organization of Information Security
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. We start today with ISO 27001:2022 Annex A.6, “Organization of Information Security”, which outlines requirements for establishing an effective management framework to…
Understanding ISO 27001:2022 Annex A.5 – Information Security Policies
We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. We start today with A.5. Information Security Policies. Importance of Information Security Policies Information security policies are crucial…
Annex A of ISO 27001:2022 explained and tips to prepare for an audit
We wrote in the previous article ISO 27001:2022: chapter by chapter description about ISO 27001:2022 Annex A. Annex A of ISO 27001:2022 is a vital component of the standard, outlining a comprehensive set of controls that organizations can implement to mitigate…
ISO 27001:2022: chapter by chapter description
I’ve been asked many times by customers, especially those in the automotive industry who deal with the TISAX certification, which is based on ISO 27001, if I can make them a summary of the ISO 27001 standard. It turns out that…
The ISO 27000 family of protocols and their role in cybersecurity
The ISO 27000 family of protocols represents a series of standards developed by the International Organization for Standardization (ISO) to address various aspects of information security management. These standards provide a framework for organizations to establish, implement, maintain, and continually…
Risk Assessment of AWS services used in building a resilient Web App on AWS
We wrote here in the article “Building Resilient Web Applications on AWS: A Comprehensive Approach to Security” how to use certain AWS services to implement a resilient web-based application. The services mentioned also require a brief analysis with respect to…
Building Resilient Web Applications on AWS: A Comprehensive Approach to Security
I have been asked by friends and customers what the best way is to implement a web-based application with minimum costs and good security. Of course, the best way is to define exactly what you want to achieve…
TISAX: new Catalogue ISA v6 available
This post is more for me, so that I can find the details more quickly. Source: ISA Version 6 Now Available · ENX Portal Here is a summary of ISA 6: The latest version of the ISA catalogue, published in October 2023, with many changes and…
Evolving beyond your core expertise: it’s time to add security
This post is for creators of digital services like optimization tools, VPN solutions, Backup and Disaster Recovery tools, Parental control tools, Identity protection tools, Privacy tools, Email clients, Browsers and many others. Your products are doing a good job in…
Balancing functionality and privacy concerns in AI-based Endpoint Security solutions
The integration of Artificial Intelligence (AI) in endpoint security has revolutionized the way organizations protect their devices and data. Ok, let’s take a break here: have you read the article about Artificial Intelligence vs. Machine Learning ? By leveraging…
Artificial Intelligence vs. Machine Learning
I will write in the future a lot about AI and ML with focus on cybersecurity. I will mix AI and ML and other terms quite a lot, so I think it is necessary to have a base from where…
Thoughts on AI and Cybersecurity
Being a CSSLP gives me access to various emails from (ISC)2. One of these informed me that there is a recording of a webinar about AI and Cybersecurity held by Steve Piper from CyberEdge. Very nice presentation of 1h, and…
NIS2: 2.Designate a responsible person or team
We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the second step in implementing NIS2 requirements is to designate a responsible person or team. Appointing an individual or a team responsible for overseeing the implementation of the NIS2 directive within your company is critical to…
NIS2: 1. Perform a gap analysis
We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the first step in implementing NIS2 requirements is to perform a gap analysis. The most critical part when performing a gap analysis is to define upfront against which standard or security framework you are…
How-To: NIS2 EU Directive
The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016. NIS vs. NIS2 While the first NIS (Network and Information Security) Directive increased the Member…
Executive summary: NIS2 Directive for the EU members
The NIS 2 Directive is a set of cybersecurity guidelines and requirements established by the European Union (EU). It replaces and repeals the NIS Directive (Directive 2016/1148/EC). The full name of the directive is “Directive (EU) 2022/2555 of the European…
Implementing secure over-the-air (OTA) updates in embedded devices
This is a follow-up article related to Secure Booting and Secure Flashing. It is the 5th article related to Strengthening the Security of Embedded Devices. Implementing secure over-the-air (OTA) updates in embedded devices requires careful consideration of various security…
The Importance of Secure Flashing for Embedded Devices and Secure Implementation Practices
This is the third article in the series about embedded devices security, started with Strengthening the Security of Embedded Devices The second article was Secure Booting for Embedded Devices: Safeguarding Systems from Intrusions In this article, we will explore the…
Secure Booting for Embedded Devices: Safeguarding Systems from Intrusions
This is the second article in the series about embedded devices security, started with Strengthening the Security of Embedded Devices Embedded devices are specialized computing systems designed to perform specific tasks or functions within a larger system. Unlike general-purpose computers,…
Strengthening the Security of Embedded Devices
Embedded devices are specialized computing systems designed to perform specific tasks or functions within a larger system. Unlike general-purpose computers, embedded devices are typically integrated into other devices or systems and are dedicated to carrying out a specific set of…
How to Configure the Most Secure Settings for Microsoft Defender
This article is entirely written by Bing AI client integrated in Skype. Q: write an article describing most secure settings of Microsoft Defender A: Microsoft Defender is a comprehensive security solution that protects your Windows devices from various threats,…
The Importance of Implementing an Information Security Management System (ISMS)
In today’s interconnected and data-driven business landscape, information has become one of the most valuable assets for companies. As organizations rely heavily on technology and digital platforms, protecting sensitive data from threats has become a critical concern. This is where…
How to convince Top Management to invest in cybersecurity and secure software development
I’ve heard many times IT people and software developers complaining that they have difficulty sensitizing their managers to invest more in cybersecurity. Also, some employees of my customers in the cybersecurity consulting area sometimes show frustration when we are…
The Importance of Training Employees in Cybersecurity
In today’s increasingly interconnected world, cyber threats pose a significant risk to businesses of all sizes. As technology advances, cybercriminals become more sophisticated, making it imperative for organizations to prioritize cybersecurity measures. While investing in robust infrastructure and advanced tools…
Preventing Attacks and Securing the Supply Chain in the Security Software Industry
The security software industry plays a vital role in safeguarding sensitive data and protecting digital infrastructure. However, the industry itself faces a significant threat from supply chain attacks. Supply chain attacks occur when cybercriminals target vulnerabilities within the supply chain…
Securing the Secure: The Importance of Secure Software Practices in Security Software Development
In an increasingly interconnected digital world, the importance of secure software cannot be overstated. Many people think that by using security software all their digital assets become automatically secured. However, it is crucial to recognize that security software itself is…
Checklist for how to become a business owner by selling your skills and passion
I’ve been asked many times what the steps are to build your own business. This is not a post about “how to…”, the Internet and LinkedIn are full of them, but more like a checklist with things you should consider…
The Automotive industry’s inadequate approach towards software (in the cars)
Introduction The automotive industry has witnessed a paradigm shift with the increasing integration of software in vehicles. Modern cars are no longer just mechanical devices with a motor, wheels and steering; they are now sophisticated machines having dozens of CPUs…
Targeted Phishing: Your auth password for [ user@host.com ] expires today !
It’s been a while since I received a targeted phishing email. This time it is on one of my email accounts hosted on Google, and strangely, their phishing filter did not catch this one. ITNotification <ITNotices@mail.com> sorin@mustaca.com Expiration Your…
ChatGPT and copywriting
I received a spam email in which the sender offered to have my corporate site re-written. He sent me an example of how it would look in a Google Docs document. The text was very artificial, like those written by ChatGPT…
ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434
As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive. Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my company’s consulting…
So much hype about Chat GPT… here are some facts
So much hype about ChatGPT these days… But what does it mean? So, I gave it a try and I created an account. This is the first post of many about ChatGPT. The first thing you see when you go…
PayPal is teaching fraudsters how to create the perfect phishing email
PayPal is sending a lot of emails these days, one of these got me confused. I am sure now it is a valid email, but the multitude of different links in it and the confusing information is making this email…
A brief history of software vulnerabilities in vehicles (Update 2023)