Jean-Baptiste Bres

Chief Information Security Officer

💡 Risk Management in Technology

Article

Learn about the importance of risk management in technology, particularly in mitigating cybersecurity threats, preventing system outages, and building trust with stakeholders.
This article covers the risk management process, including risk identification, assessment, treatment, and monitoring, as well as the significance of controls in information security.
Additionally, it introduces the concept of a quantitative risk model for assessing and managing risks using numerical data and metrics to enhance control effectiveness and resilience against cybersecurity threats.

Read More…

🔐 Security Operations

Article


Get Certified in Cybersecurity - Part 6 of 6
🔐 Security Operations
Learn key elements of data security, including data handling, classification, logging, encryption, system hardening, configuration management, security policies, and social engineering defence through security awareness training.

Read More…

🔐 Network Security

Article

Get Certified in Cybersecurity - Part 5 of 6
🔐 Network Security
Delves into common threats and best practices for securing computer networks. It explores the array of network threats, from malware and ransomware to insider threats, and explains how network professionals mitigate these risks.

Read More…

🔐 Network Concepts

Article

Get Certified in Cybersecurity - Part 4 of 6
🔐 Network Concepts
Discover the intricate world of computer networks. This article covers topics such as network types, essential devices, IP addresses, DHCP, network ports, and key network terms. It also explores the OSI and TCP/IP models, showcasing their role in network communication. Furthermore, the article touches upon cloud computing, highlighting different service and deployment models.

Read More…

🔐 Access Management

Article

Get Certified in Cybersecurity - Part 3 of 6
🔐 Access Control
Delves into the importance of access control, covering defence in depth, least privilege, segregation of duties, two-person integrity, passwords, multi-factor authentication, privileged access management, account provisioning, log management, physical access control, biometric access control, and logical access control.

Read More…

🔐 Incident Response, Business Continuity and Disaster Recovery

Article

Get Certified in Cybersecurity - Part 2 of 6
🔐 Incident Response, Business Continuity and Disaster Recovery
Explore the crucial aspects of cybersecurity incident response, business continuity, and disaster recovery. We will talk about the importance of incident response plans, business impact analysis, recovery strategies, and crisis management in ensuring the resilience and continuity of organisations in the face of cyber threats and disruptive events.

Read More…

🔐 Key Security Principles

Article


Get Certified in Cybersecurity - Part 1 of 6
🔐 Key Security Principles
Discover the essentials of safeguarding sensitive data and protecting against cyber threats. From the CIA Triad to Risk Management and Privacy, this article breaks down key principles in an accessible way.

Read More…

💡 Certified in CyberSecurity - Your Journey to Certification

Article

🚀 Unlock your path to a career in cybersecurity with the ISC2 Certified in Cybersecurity (CC)!
As part of Cyber Awareness Month 2023, I'll be sharing a series of articles throughout October covering all the knowledge needed to prepare for the ISC2 Certified in Cybersecurity (CC).
Ideal for IT professionals, career changers, executives, and recent grads, this entry-level certification offers a free exam and online training for a limited time, making it more accessible than ever.
Find out more about the ISC2 CC Certification. Your cybersecurity journey starts here!

Read More…

💡 Ensuring CyberSecurity in Vendor Management

Article

As our interconnected world amplifies cyber risks in the supply chain, the indispensable role of vendor managers in protecting valuable assets cannot be overlooked. With their unique insights and strategic position, they are instrumental in identifying and mitigating potential vulnerabilities.

This article provides vendor managers with invaluable guidance on elevating their role in safeguarding the supply chain. From selecting secure vendors to establishing robust contractual agreements, they will find actionable steps to fortify their organisation's cybersecurity posture.

Read More…

Adapt Security Edge 2023

I had an amazing time participating in the Adapt Security Edge conference last Thursday!
It was an incredible experience to be part of the panel discussion on "Latest Strategies from the Security Front Line," and share with Peter Hind, Bianca Wirth and Francis Ofungwu on Zero Trust, AI and more.


NSA's Best Practices for Securing Your Home Network

In a very recent piece of news, it was revealed that LastPass, a widely used password manager, fell victim to a cyber attack in which backups of customer vault data (i.e. the users' stored passwords) were stolen in encrypted form. Because the vault data was encrypted, the attackers could not read it directly, so they went after the personal home computer of one of only four employees who held the keys to that data, broke into his home network and stole those keys, gaining access to the customer vault backups. (Individual vault entries remain encrypted with each customer's master password, which is why the strength of that master password became the real exposure.)
That is a very committed attacker, but sadly, that is the reality: we are now all targets at home, because it is often easier to break into someone's personal device and use it as leverage to attack the organisation they work for.

Just as timely as this news is the recent publication by the NSA of its Best Practices for Securing Your Home Network. These are great recommendations that we can only encourage everyone to have a look at and, when possible, implement at home!

💡 ChatGPT and the future of CyberSecurity

Article

If you have been using ChatGPT, you probably feel now that nothing will ever be the same. It is the same feeling you had when you used the internet for the first time, or when you touched your first iPhone. There will be a before and an after Artificial Intelligence, and the tipping point is now.

It is hard to predict what a world supported by AI will look like. Some think it will be a scary place, some see a lot of exciting opportunities. But regardless of what your views are, there is no denying that the cybersecurity industry will be - and already is - particularly affected. Tools like ChatGPT are a new set of capabilities, with both new opportunities and new challenges for security professionals.

Read More…

💡 Your Home under Cyber Attack

Article


As Cyber Awareness Month is coming to an end and Halloween is almost upon us, I thought it would be a great time to share a few real cyber-horror stories, and how to protect yourself from them.

Read More…

Free (ISC)² Cybersecurity Certification Exams

There are no excuses left to not do a security certification now 😁
(ISC)² Pledges One Million FREE (ISC)² Certified in Cybersecurity℠ Courses and Exams

Janet Jackson had the power to crash laptop computers

I think this might well be the coolest security vulnerability of the year! 😂

Article

Open Junior Cybersecurity Analyst role in HSBC Australia

HSBC is looking for a junior Cybersecurity Analyst to join our fantastic team in Australia! A great opportunity to join HSBC's incredible cyber capabilities if you are a recent graduate or have a little experience in that domain.

If you are interested, please apply on our career website.

💡 The CIA Triad (explained to non-security people)

Article

A short article explaining what the CIA Triad is, or how Security is focusing on key concepts: Confidentiality, Integrity and Availability.
It's not always easy for non-security people to understand the challenges and endless efforts spent by security staff, so hopefully you will now have a better idea of why, and how, we do it.

Read More…

💡 Vulnerability Management (explained to non-security people)

Article

A short article explaining what Vulnerability Management is - one of the key areas of Information Security.
It's not always easy for non-security people to understand the challenges and endless efforts spent by security staff trying to remediate vulnerabilities, so hopefully you will now have a better idea of why, and how, we do it.

Read More…

Australia's overheated property market has become a target for hackers — and they're scamming millions


What, exactly, is cybersecurity? And why does it matter?

I regularly get asked what my job and my field (cybersecurity) are about. It's a fair question. Cyberattacks steal data and cause millions in economic costs. This article explains very broadly what cybersecurity professionals do.


Up to 1,500 businesses infected in one of the worst ransomware attacks ever

Interested in understanding how a large-scale ransomware attack is performed? Here is a very good article from Ars Technica. A bit technical, definitely scary... so a good read.



Critical CISO Initiatives for the Second Half of 2021


The Lazarus Heist 🎧 Podcast

If you are into podcasts, BBC World is producing a very good series on the hacking group Lazarus and its ties to North Korea. The first episode goes in detail through the Sony hack in 2014, as the movie "The Interview" was about to be released. It then moves on to how North Korea uses hacking to finance itself. Very interesting so far.


Stop using your work laptop or phone for personal stuff, because I know you are


In a time of change, identity has become the key to security - Webinar

I was honoured to discuss Identity and Security in the cloud with Nigel Phair and Serkan Cetin at the Quest Software webinar "In a time of change, identity has become the key to security – and business continuity" last week.



Check out the full video on GoToStage.

💡 Defence in Depth

Article

"Defence in depth", sometime also called “layering” is a central concept in information security. It relates to the idea that security components should be designed so they provide redundancy in the event one of them was to fail.

This article explores the concept of defence in depth, and how it applies to modern technology stacks and in the cloud.

Read More…

Xinja emails get maximum security score

Email. It is hard to imagine life without it. Although invented back in the seventies, it became mainstream in the nineties. Unlike overalls and bandanas, it has remained popular to this day. So popular in fact, that spam and so-called 'spoofing' have become a real threat on the internet. This is how Xinja keeps its emails super secure.
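The post above does not say which controls sit behind the "maximum security score", so the following is an added example, not Xinja's code or configuration. It assumes the score measures the two DNS-published anti-spoofing controls that every such scoring service checks: the SPF record's terminal `all` qualifier and the DMARC policy. The records and domain names below are constructed for the example (they are not real DNS data), and DKIM is deliberately left out because its selectors are not discoverable from the domain alone.

```python
"""Score a domain's published SPF and DMARC records for resistance to spoofing."""
import re

# Constructed sample records for three fictitious domains (not real DNS data).
SAMPLE_RECORDS = {
    "strong.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
    },
    "weak.example": {
        "spf": "v=spf1 a mx include:mail.example.org ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows (section 4.6.4).
LOOKUP_TERMS = re.compile(
    r"(?:^|\s)[-~?+]?(?:include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.IGNORECASE
)


def spf_all_qualifier(spf):
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?' or '+'.

    Returns None when there is no SPF record or no 'all' term at all.
    """
    if not spf or not spf.strip().lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf.strip(), re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"  # RFC 7208: an omitted qualifier means '+' (pass)


def spf_lookup_count(spf):
    """Number of lookup-consuming terms; more than 10 makes receivers return permerror."""
    return len(LOOKUP_TERMS.findall(spf or ""))


def parse_dmarc(dmarc):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; None if it is not a DMARC record."""
    if not dmarc:
        return None
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def score_domain(spf, dmarc):
    """Return (score 0-100, findings). 100 means '-all' plus 'p=reject' at pct=100."""
    score, findings = 0, []

    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("SPF: no record or no 'all' term; any host may claim to send for this domain")
    elif qualifier == "-":
        score += 50
    elif qualifier == "~":
        score += 25
        findings.append("SPF: ~all (softfail) only marks spoofed mail; receivers may still deliver it")
    else:
        findings.append(f"SPF: {qualifier}all imposes no restriction at all")
    if spf_lookup_count(spf) > 10:
        findings.append("SPF: more than 10 lookup terms; receivers return permerror and ignore the record")

    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("DMARC: no record; SPF/DKIM results are never enforced against the From: header")
    else:
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        points = {"reject": 50, "quarantine": 35}.get(policy, 0)
        if policy == "none":
            findings.append("DMARC: p=none is monitoring only; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine sends spoofed mail to spam rather than rejecting it")
        if pct < 100:
            findings.append(f"DMARC: pct={pct} exempts {100 - pct}% of messages from the policy")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports on abuse")
        score += points * pct // 100  # a partial rollout only earns a proportional share
    return score, findings


def score_all(records=SAMPLE_RECORDS):
    """Score every domain in the record map."""
    return {domain: score_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, (score, findings) in score_all().items():
        print(f"{domain}: {score}/100")
        for finding in findings:
            print(f"  - {finding}")
```

To run this against a real domain, fetch the TXT records for the domain and for `_dmarc.<domain>` with your resolver of choice and pass them to `score_domain`. The SPF lookup-count check is the one most often missed in practice: a record that accumulates too many `include:` terms silently stops protecting the domain because receivers treat it as a permanent error.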


Incident Response and Breach Impact Minimisation Panel

I am looking forward to being part of the panel on Incident Response and Breach Impact Minimisation on Thursday October 8th 2020 (1pm - 1.50pm AEST) with Susie Costa, Alvin Rubyono and Stephen Burmester.

More than ever, Government, industry and businesses have been under increasing attacks. The Australian Cyber Security Centre (ACSC) recently published a report stating it had responded to approximately 2300 cyber security incidents between July 2019 and June 2020. But in these times with many staff working from home, if your business was to suffer from a cyber breach, would you be able to respond effectively?
We will discuss best practices in incident response and how to manage and minimise the impact of a breach on your business.

More information at https://app.livestorm.co/forefront-events/incident-response-1

Xinja is now PCI DSS certified

Xinja just got certified PCI DSS compliant! The PCI DSS compliance refers to the technical and operational standards that businesses must follow to secure and protect your credit and payment card data. These standards for compliance are developed and managed by the Payment Card Industry Security Standards Council.

It is a huge milestone for us and, if you have ever been through such a certification process, you will know how challenging it is!

To mark the event, we published a short article on how we designed our environments to achieve compliance.


Future of Security Conference

I was honoured to be part of the FST Security conference on Monday, for a fireside chat around data privacy with Mark Sheppard and a Security Leader's Panel with Larkin Ryder, Michelle Bower and Sumeet Kukar.
If you were not able to attend, you can still catch these sessions on the conference website.

Interview

Future of Security Conference

After having to cancel the event back in March due to COVID-19, the Future of Security conference is back (online this time) from the 24/08.

I am very honoured to be one of the speakers. I will be discussing the Australian Consumer Data Right (CDR), and how it can be used to champion privacy while spurring innovation.

I will also be part of a panel discussing how emerging technologies are reshaping cyber security risks and controls, and strategies to infuse a security culture into financial services' enterprise DNA.

Find out more on the conference website.


Understanding the Payload-Less Email Attacks Evading Your Security Team


How to become a Fierce Female Leader in Cybersecurity Meetup

I am very excited to participate with Joss Howard at the very first Women in CyberSecurity Meetup next week! Hopefully I will be able to provide some insightful perspective to all!


Watch outs for Working From Home


Security GRC Manager role @ Xinja

We’re on the hunt for a killer Security GRC Manager 🔒 Must be highly skilled with excellent credentials. Ready to come help us build Australia's first (and best 😉) neobank? Apply at https://xinja.com.au/careers/security-grc-manager/


Future of Security Conference, Sydney

Unfortunately this event has been cancelled due to the COVID-19 outbreak, but it will be rescheduled for later this year. Stay safe and see you all in a few months!

I am very honoured to be one of the speakers at the next Future of Security conference in Melbourne on 24/03 and in Sydney on 26/03. I will be discussing the Australian Consumer Data Right (CDR), and how it can be used to champion privacy while spurring innovation.

On the 26/03 (Sydney), I will also be part of a panel discussing how emerging technologies are reshaping cyber security risks and controls, and strategies to infuse a security culture into financial services' enterprise DNA, with Wayne Bozza, Sarah O'Brien, Sumeet Kukar and Larkin Ryder.

Future of Security

CPS 234 NSW Morning Briefing

Thanks all for coming to our panel on strategies to prevent data breaches & improve incident response yesterday at the CPS 234 NSW morning briefing.
Thank you to Jason Anderson and Wayne Bozza for their insightful perspectives. And thanks to Paul Schofield for his fantastic facilitation and direction.


💡 Digital Identity and Authentication

Article

Time to go through the concepts of Digital Identity and Authentication, and how they are generally implemented in IT environments to automate access to websites, services and applications.

While this article does not require any specific technical knowledge, it is not a trivial topic, and I have purposely tried to not oversimplify some of the concepts. I have done my best to keep it easy to read, but feel free to send some feedback if some parts are too complex and you would like further clarifications.

Read More…

CPS 234 NSW Morning Briefing

I am looking forward to being one of the speakers at the CPS 234 NSW Morning Briefing in Sydney on 20/02/2020 with 3 great experts: Neil Hopkins, Susie Costa and Wayne Bozza.

With the passing of the July 1st deadline, APRA-regulated entities must meet the mandatory Prudential Standard CPS 234. The Standard has been created to improve resilience against information security threats, and those entities need to put the correct implementation strategy in place to safeguard themselves in the information age.

A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.

DevOps role @ Xinja

A new security-related role we are recruiting for at Xinja: we are looking for a DevSecOps engineer. You’ll be embedded in the DevOps team to facilitate continuous delivery of secure, quality software to the Xinja Banking Platform using DevSecOps practices and principles. You’ll need to have a broad cross section of skills along with a strong consultative approach.
You’ll work with software engineers and security experts to ensure that the right practices are in place and to take the security lead on automating the path to production to enable deployment of changes with no manual intervention and in a highly secure manner.
We run a small, crack team of DevOps engineers to help us to build out a world class continuous integration and delivery pipeline for the Xinja Banking Platform as we continue to scale at pace. You will ensure security standards are upheld and secure coding practices maintained.

If you think this is something for you,
contact me or visit Xinja career website for more information.



💡 What is Identity Theft? (a beginner guide)

Article

With Christmas coming fast, it is a great time to remember that identity crime is a critical threat to everyone. A short beginner guide on how to protect yourself against identity theft and what to do if your identity gets stolen.

Read More…

Is Australia struggling from a bout of breach fatigue?

Another good read this week…



Unto the breach: let’s face up to data security

We just published an article that talks about data security and how we, at Xinja, are protecting our customers. Let us know what you think!


Cyber Attack Conference Sydney 2019

I am very honoured to be one of the speakers at the upcoming Cyber Attack 2019 Conference in Sydney on October 17th. I will be facilitating a round table discussion on how to implement a secure Bring Your Own Device (BYOD) policy.

Australian banks face secret penetration tests

An interesting initiative from NPP (which coordinates the open-access infrastructure for fast payments in Australia, PayID). Following the PayID lookup attacks that occurred in recent months, it may now perform secret penetration tests to ensure that participating banks are at the right level of protection. 💡

Read more at http://bit.ly/2lyNQT4

Security Designer @ Xinja

Last but not least, we are also hiring a Security Designer, a strategically critical role in defining and assessing Xinja’s security strategy, architecture and practices.

If you think this is something for you, contact me or visit Xinja career website for more information.


Info Sec GRC Manager @ Xinja

Another great opening in the Xinja Security Team. We are looking for an Information Security GRC Manager!

This is a key role for the organisation: You will manage the information risk and security governance, focussing on raising standards and awareness, as well as providing assurance and monitoring compliance with policies and standards.

If you think this is something for you, contact me or visit Xinja career website for more information.

More openings coming soon…
😉


DevSecOps role @ Xinja

Another great new security-related role we are recruiting for at Xinja: we are looking for a DevSecOps engineer with a focus on security automation. You’ll be embedded in the DevOps team to facilitate continuous delivery of secure, quality software to the Xinja Banking Platform using DevSecOps practices and principles. You’ll need to have a broad cross section of skills along with a strong consultative approach.
You’ll work with software engineers and security experts to ensure that the right practices are in place and to take the security lead on automating the path to production to enable deployment of changes with no manual intervention and in a highly secure manner.
We run a small, crack team of DevOps engineers to help us to build out a world class continuous integration and delivery pipeline for the Xinja Banking Platform as we continue to scale at pace. You will ensure security standards are upheld and secure coding practices maintained.
You should know that we do things a little differently at Xinja. You won’t be micromanaged and will have the flexibility to choose the tools you need to get your work done. Along with the team you work with, you’ll be given autonomy on how you design and build DevSecOps processes as long as it stays within the guidance of the Xinja Software Development Lifecycle and Information Security Management System. You should be comfortable with pushing new tools and processes and challenging the norms of secure software development and deployment.

If you think this is something for you,
contact me or visit Xinja career website for more information.

More openings coming soon…
😉


Security Analyst role @ Xinja

I am recruiting a Security Analyst to join the fantastic security team at Xinja. The role will be responsible for assisting in building upon and improving Xinja’s Information Security Program. You will be the primary technical security resource in a small team responsible for the day-to-day operations of the security of all things Xinja.

If you think this is something for you, contact me or visit Xinja career website for more information.

More openings coming soon… 😉


Your inbox is spying on you

It seems that Technology and Privacy still have a long road to go to work hand-in-hand. Security is still - for a lot of organisations - an afterthought and not an inherent part of the design.

"When we built [our company], we focused only on the needs of our customers. We did not consider potential bad actors." 😧

Read more: https://lnkd.in/gRWsFKW

Is your cybersecurity training reaching the right people?

People's attitude toward security is probably the most important factor when it comes to ensuring a good security strategy is in place. Even with the right technical protections, if people do not act carefully, it is not going to work out! So awareness is key, and targeting the right audience is critical to ensure the right outcome. On that topic, ZDNet published an interesting article titled: Is your cybersecurity training reaching the right people?

💡 Conference Transcript: Building an Information Security Policy Framework

Article

Following my presentation on Building an Information Security Policy Framework at the "Implementing CPS 234" conference held in Sydney in May 2019, I received many requests to publish a transcript. Thank you all for your interest and for the large amount of feedback you shared with me. As promised, here is an augmented transcript of my presentation.

It covers an overview of what a Policy Framework is, and why it is an essential part of any Information Security program; the various existing frameworks used across the industry, their strengths and limitations; a methodology to create a flexible framework, supported by a risk assessment and a strong understanding of the assets owned by the institution and the threats they are exposed to; and an approach to define an adequate control set and how to prioritise its implementation.

Read More…

Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003

Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a “wormable” flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017. Read more at http://bit.ly/2Xr3Kgv

💡 Creating a Secure Bring-Your-Own-Device Strategy

Article

Corporate reality is that there is a growing interest from employees to use their personal devices for work. This can have a very positive impact on business – choosing which device is best for them and when, empowers workers and makes them more productive – but it also raises many security concerns for the enterprise – especially around access, confidentiality of information, compliance, security and privacy.

Factsheet


A Bring-Your-Own-Device (BYOD) strategy defines how employees will be able to interact with corporate resources from their personal devices, and it is the critical first step of your journey toward BYOD. It sets out the capabilities your organisation offers to employees to use their personal laptops, smartphones or tablets for work.

To assist you in your journey, this article covers the questions a BYOD strategy must answer and the options available to you in order to create a secure BYOD strategy.

Read More…

What the Marriott Breach Says About Security

Marriott disclosed earlier this week a four-year-long breach. It involved the personal and financial information of 500 million guests of some of its hotel properties.
What could have gone so wrong that such a breach remained unnoticed for so long? This great article shares some considerations around the security postures that companies take on, and why they work... or not.

💡 APRA CPS 234: Are you ready?

Article

The Australian Prudential Regulation Authority (APRA) just published the final version of the Prudential Standard CPS 234 (Information Security), that will be enforceable by 1 July 2019. Have you assessed your readiness? This article reviews the main expectations from the regulator and provides some guidance on how to ensure timely compliance.

Read More…

Facebook Security Breach Exposes Accounts of 50 Million Users

Facebook is breached, putting 50 million users' data at risk. A great time to ask yourself what data you are making available on the net, and what you would do if it ended up available to all because of a breach. Maybe it's time to close the social network accounts that are not providing you any real value?...

💡 Security 101 – Why is it not safe to share sensitive information by email?

Article

You are regularly being reminded by your security team that sharing sensitive information by email is not safe. But why? Well, good question. Here are some answers.

Read More…

💡 Understanding Meltdown and Spectre

Article

As an executive or senior manager, what should I know and what should my company be doing about Meltdown and Spectre?
If you are not an IT Security specialist and you have been trying to understand what all the fuss is about, you are probably struggling to find articles that are not overly technical or too generic. Hopefully, this one will answer your questions.

Read More…