We are celebrating a milestone: CWB has been a customer for four years!

🎉 We are proud to share that we have reached a special milestone: The Cyber Weerbaarheidscentrum Brainport (CWB) has been a valued customer of us for four years now! 🙏

In these four years, our cybersecurity specialist Matthijs Nelissen has perfected a portal on which threat information and cybersecurity articles with best practices are posted. Cyber4Z also provided support for all common technical issues. Arissa D'Fonseca, Yu-Mei Liebregt, Rob van den Heuvel, Thierry-Paul van der Vliet and Morrison Toussaint were also able to help our customer fantastically with all kinds of matters. As a result, Cyber4Z contributes to increasing resilience in the Brainport region and beyond because the CWB focuses on the national high-tech manufacturing industry!

We are extremely grateful for the trust that CWB has placed in us and we look forward to continuing this pleasant collaboration for many years to come.

October: European Cybersecurity (Awareness) Month

October is known in Europe as Cybersecurity Month. This month is all about increasing awareness of cybersecurity and how individuals, organizations and governments can protect themselves against cyber threats.

At a time when cyber attacks and data leaks are common, awareness is the first step against these threats. This month, all kinds of activities on the subject of cybersecurity are being organized under the name Alert Online. For example, you can use a tool to check a website or URL or you can attend a workshop on the maturity of data protection within your organization.

Cyber4Z: Eye on Cybersecurity

Cyber4Z also actively contributes to increasing cybersecurity awareness. As a leading company in the field of cybersecurity services, Cyber4Z offers a wide range of solutions that help organizations protect themselves against cyber attacks and data breaches. We offer various services, including:

  1. Assesments
  2. Certifications
  3. Security Awareness Tranining
  4. CISO as a service
  5. GDPR compliance in one day

More information about the above services and additional services can be found on our website under the heading 'Portfolio'.

Today is World Normalization Day!

This day was founded by IEC (International Electrotechnical Commission), International Telecommunication Union and ISO (International Organization for Standardization).

These are all organizations that are involved in standardization of, for example, pen testing or Information Security Management Systems (ISMS). We can't really celebrate this day, but it is a good time to think about your certification process and how we can support you: Our Services.

International Coffee Day

On 'International Coffee Day' we combine our passion for cybersecurity with our love for sustainability.

We like to treat ourselves to a cup of sustainable coffee in our Cyber4Z mugs while we think about the digital security of tomorrow. If you are interested in a fascinating conversation about cybersecurity, we would like to invite you to drop by for a cup of coffee.

Emirhan Sarikaya presents at Tech Know Fest

We are proud to announce that our security consultant Emirhan Sarikaya will be giving a presentation at the first edition of the Tech Know Fest on September 28, 2023, organized by The.NextGen.

During the presentation he explains how he discovered a security hole in the Jira environment of the RIVM and how malicious parties can also do this and abuse it. He also provides trips and tricks to increase the security of organizations against similar attacks and the mitigating factors are discussed. We look forward to an inspiring presentation at Tech Know Fest!

The Airbus cyberattack shows how important secure software usage and supply chain security is

In a recent cybersecurity incident Airbus fell victim to a cyberattack originating from a Turkish Airlines employee’s compromised account. What led to the account's compromise? The use of pirated software by the employee. This event once again demonstrates the importance of using safe software and maintaining supply chain security in the linked digital environment of today.

The cyberattack on Airbus highlights the rising worry over the use of unauthorized or illegal use of software. The employee of Turkish Airlines unintentionally introduced weaknesses by using the hacked software, giving the so-called hacker 'USDoD' a way inside Airbus.

The Challenge of Supply Chain Security

Beyond the compromised software issue, the Airbus hack reveals the vulnerability of supply chains. Businesses rely on intricate networks of partners and suppliers, which leaves them open to assaults through these interrelated channels. Cybercriminals increasingly exploit these vulnerabilities to gain access to valuable targets, as seen in this case.

To address this, organizations must adopt a comprehensive approach to cybersecurity that includes supply chain security measures. It is not enough to just protect your network; you must also make sure that your supply chain partners follow strict security guidelines. If your company needs help with this, feel free to reach out to us because we can help with both secure software use and supply chain security.

DEF CON memory: US speakers were asking for European privacy rules

On today's Throwback Thursday we are going back to the hackersconference DEF CON in Las Vegas this summer.

Our privacy consultant Andra-Elena Albisoru loved the privacy village. "I loved it because you could see that all the changes the US speakers were asking for, are rules that have been in place in Europe for years. It gives a bit of faith in the data protection policies and laws are we have here." There is ofcourse a reason that the US doesn't have the same privacy rules right now. "Mostly the government still wants to have control over the data 'for national security' reasons. But I think it is a policy issue that the states do not get along when it comes to harmonizing the rules. It can't be done at a federal level,' Andra explains. 'California has the best rules on data protection, but I think it takes a lot of time and resources to get 50 other states to agree on doing the same."

AVG compliant with Cyber4Z

It is critical for businesses to comply with the world's strictest privacy and security law, the GDPR (General Data Protection Regulation). At Cyber4Z we understand how important this is, and we can help you do this in an efficient way. Our privacy expert will visit you on location for a day, after which we will deliver a comprehensive improvement report and the necessary documents within a week.

Our exclusive program, called 'Privacy in 1 day', includes several components including a thorough check of GDPR compliance within your organization, as well as a check, improvement or implementation of a privacy statement on your website.

With our complete service, including the assessment, implementation and available templates, we offer this package for only €2,200. Don't wait any longer and ensure your company is GDPR compliant and protects your customer and data privacy with the help of Cyber4Z. Contact us today and you will soon be GDPR compliant!

DEF CON 2023

With Cyber4Z and the Neoforce team we attended DEF CON 2023 in Las Vegas!

Attending this conference in such a special place was a tremendous experience. The things we have seen and heard have given us inspiration and insights that we can apply in our work. We cannot rule out that we will visit this conference again!

Cyber4Z participates in the Gymforce Challenge

At Cyber4Z we regularly do team building and improving competences outside the work field. Last month we did this in extreme form by participating in The GymForce Challenge.

During this challenge in the form of a kind of 'Kamp van Koningsbrugge', we stepped out of our comfort zone by going over an obstacle course together and walking through the Biesbosch polder with packs. With this challenge we have improved our cooperation within the team and we have learned more about who we are and what we can do. It was certainly an event that we will talk about for a long time to come.

Below our co-owner and warrior Matthijs Nelissen in the Biesbosch polder.

The exciting life of a bug bounty hunter: "Don't be afraid to join a hacker platform"

Hackers can wreak havoc on businesses, so it's understandable that businesses go to great lengths to avoid being hacked. That is why there are several bug bounty programs and online forums that invite ethical hackers to find bugs in company security. One of these ethical hackers is Emirhan Sarikaya from Cyber4Z: “It is mainly sitting behind the computer a lot.”

The life of a bug bounty hunter may not be as sensational as you might expect. Emirhan is a member of various hacker forums such as HackerOne and Bugcrowd where hackers are invited by companies to find vulnerabilities in their security. “It's mostly sitting at the computer and looking for possible bugs or vulnerabilities,” Emirhan explains. He gives the example of examining a search bar on a website. "When I open a website, I look at how that site can be searched. For example, is it using a database? Then I look at how I can crash that database to find a bug," Emirhan added. As soon as he has found a bug, Emirhan reports this on a hacker forum or uses a so-called Coordinated Vulnerability Disclosure (CVD), in which agreements are made between the reporter and the organization concerned.

Emirhan spends his free time researching bugs. "I do this as a hobby because I find cybersecurity interesting and I find it fascinating how everything works. The rewards you get are also a good incentive for this work." But Emirhan is not only shown to be passionate, he is also extremely skilled. "A recent success story is that I discovered a vulnerability in a live chat of an online casino that allowed malicious parties to take control of anyone who was gambling at the time. This was of course a serious vulnerability, which also paid off. In general, companies are happy when we report a bug, because they can fix it before malicious people take advantage of it, so I want to give companies the following message: don't be afraid to sign up with a hacker platform to get checked for bugs. This way you prevent a lot of suffering for your customers."

Interview with insurer Centraal Beheer

Our co-owner Mathe Grippeling was recently interviewed by Centraal Beheer about our absenteeism insurance with the insurer. He says about this: "I think absenteeism insurance is an important insurance if you have employees". You can read the full interview here .

Protect your social media on Social Media Day!

Today we celebrate Social Media Day. On such days, it is especially important to prioritize your online safety and be aware of security measures you can take to better secure your social media. Below are some tips:

  1. 𝟭. Use strong passwords: As always, it is important to use unique and complex passwords for all of your social media profiles. Avoid reuse and use two-factor authentication where possible.
  2. 𝟮. Be alert for phishing: Be careful when opening suspicious links or sharing personal information through messages.
  3. 𝟯. Check privacy settings:Regularly check the privacy settings of your social media profiles and limit the visibility of your personal data.
  4. 𝟰. Stay up to date: Make sure your apps are up to date, as updates often include important security patches that protect you from known vulnerabilities.

CELEBRATE THE POWER OF CAPSLOCK ON CAPSLOCK DAY

CAPSLOCKS DAY WAS CREATED BY SOFTWARE DEVELOPER DEREK ARNOLD TO REMIND PEOPLE THAT NOT EVERYTHING NEEDS TO BE TYPED IN CAPS!! BUT DO NOT USE CAPS LOCK WHEN LOGGING IN, BECAUSE YOUR PASSWORD WILL NO LONGER WORK.

Cyber4Z welcomes Emirhan Sarikaya as a new colleague

Emirhan Sarikaya will join us on 1 July. He would like to introduce himself:

"My name is Emirhan Sarikaya, a 21-year-old cybersecurity specialist with a passion for Web application pen testing, API testing and discovering vulnerabilities in cloud solutions, such as AWS, GCP and IBM Cloud. In addition, I am also very interested in exploring AD & AAD. My expertise includes a wide range of complex technical skills and in-depth knowledge of security mechanisms. With a keen eye for detail and an unparalleled dedication to finding vulnerabilities, I am determined to protect systems and data from potential cyberthreats. I have built myself learned these skills over the years, so I consider myself an autodidact in this field."

Welcome again, Emirhan!

Cyber4Z welcomes new colleague: Calvin Hendriks

Calvin Hendriks will join us on 1 July. He would like to introduce himself:

"My name is Calvin Hendriks and I will soon be joining Cyber4Z as a Security Consultant. Over the past 3 years I have fulfilled various roles as a consultant. From SecDevOps to Mystery Guest visits and Phishing campaigns. During this time I also developed a passion for pen testing and ethical hacking. At Cyber4Z I get the opportunity to further develop myself in this area. I am therefore very much looking forward to taking on new challenges together to make the IT environment of customers a bit safer."

Welcome again, Calvin!

Why is supplier management important?

Supplier management starts with selecting suppliers and making agreements with them. It is important to work on this because bad agreements can have major consequences, because it is not clear who is responsible for it. Our security consultant Yu-Mei Liebregt tells us exactly what it means and what risks are associated with this topic. “How dependent do you want to be on your supplier?”

As already mentioned, supplier management starts with choosing suppliers. “You have to identify which potential suppliers are within range and meet certain criteria. Think of quality, security, price, reliability,” according to Yu-Mei. After choosing the supplier(s), the real work starts. “You have to discuss what the supplier is responsible for and then document this clearly. Then think about what you as a customer want in terms of response times or uptime. If this is not clearly defined and contractually concluded, this can have consequences if a problem arises between the parties where it is not clear where the responsibility lies.”

Monitoring and evaluation

Suppliers should then be monitored and evaluated to ensure expectations are the same on both sides. “You want to keep a grip on your suppliers by monitoring their performance. Set predetermined objectives and criteria for the supplier and also record these in the contract,” says Yu-Mei. “That way you won't be faced with any surprises afterwards.” In addition, monitoring and evaluation also includes identifying new shortcomings, evaluating possible incidents at the supplier and taking measures to prevent or reduce negative effects (mitigate) when necessary. “You can't have every situation on paper in theory. Sometimes it is also good to see what happens in practice, evaluate this and adjust or expand the agreements on paper. It is a continuous process, in which relationship management with the supplier also plays a role,” says Yu-Mei.

Risks

However, there are also risks in supplier management. “You want to work securely and you also want to pass that on to your suppliers. Your supplier probably has data from your company such as personal data or confidential information that you would like to have protected.” That is why it is important that your supplier also takes security measures to protect your data.

“Another risk that comes with this is: how dependent do you want to be on your supplier? If the supplier has an incident that prevents them from delivering, what consequences will this have for the provision of your own services? Think about this in advance when hiring a new supplier and make good agreements in this area as well,” advises Yu-Mei. Business continuity plays a major role in this. Another measure to mitigate this risk is to have alternative suppliers or work with multiple suppliers.

In addition, Cyber4Z can help with effective and safe supplier management by checking contracts and performing tests at the supplier if desired. For more information, please contact us via the contact button at the top right of this website.

𝗔𝗽𝗿𝗶𝗹 𝟮𝟯𝗿𝗱: 𝗧𝗵𝗲 𝗗𝗮𝘆 𝗼𝗳 𝘁𝗵𝗲 𝗘𝗻𝗴𝗹𝗶𝘀𝗵 𝗟𝗮𝗻𝗴𝘂𝗮𝗴𝗲 𝗮𝗻𝗱 𝗕𝗶𝗿𝘁𝗵𝗱𝗮𝘆 𝗼𝗳 𝗦𝗵𝗮𝗸𝗲𝘀𝗽𝗲𝗮𝗿𝗲

On April 23, we celebrate the Day of the English Language and the birthday of the greatest writer in English literature, William Shakespeare. It's a day to reflect on the power of language and communication in our lives and in our work.

As a cybersecurity company, we understand at Cyber4Z how important it is to communicate effectively and understand what's being said, especially when it comes to protecting sensitive information and preventing cyber attacks. A good command of the English language is therefore crucial in our field. Let's take a moment today to reflect on the influence of language in our daily lives and how we can use it to convey our message even more effectively. And let's not forget to raise a toast to the man who gave us and the world so many beautiful words: Happy Birthday, Shakespeare!

Effective supplier management is becoming increasingly important

Supplier management is the process by which companies manage their relationships with suppliers and other external parties to ensure the efficiency, quality and safety of their products and services. Unfortunately, we often see that the process between the two parties does not go well: there is a lack of clarity about who has what responsibilities and who should carry them out. We will discuss this with our IT auditor and security consultant Rob van den Heuvel. "Discuss with suppliers about what can be improved."

Effective supplier management requires an in-depth understanding of the relationships between companies and their suppliers, as well as an in-depth understanding of the risks and challenges associated with working with external parties. “We see that customers rely more and more on their suppliers, for example in managing servers, back-up and redundancy measures. But also a bit of office & network management,” says Rob. This means that a supplier has an important role in guaranteeing the (information) security for the customer. It does not mean that you as a customer are no longer responsible for the underlying risk and the measures taken for it (purchasing services from a supplier). “But we often see conflicts or shortcomings arise because there is a lack of clarity about what the responsibilities of the customer are and what is the responsibility of the supplier. Nowadays you see that instructing and monitoring suppliers is becoming increasingly important, especially because this is now also reflected in, for example, standards frameworks such as ISO27001.”

How do I instruct and monitor IT suppliers?

It is important to be aware of agreements and to maintain regular contact with suppliers. These conversations must be conducted on the basis of measurable performance indicators. Outsourcing IT also involves risks. It is important to identify these risks and then determine which risks need to be reduced with mitigating measures. One of these measures is to be aware of agreements with suppliers and to maintain regular contact with them. For example, the High Tech Campus became fell victim to a hack at the access card supplier.

SMART SLA

In addition, it is good to have a Service Level Agreement (SLA) with a supplier in which concrete measurable (SMART) agreements have been made about the quality and availability of the service and the way in which information security is guaranteed.

Cyber4Z can support supplier management. “We can support supplier management by, for example, visiting suppliers and checking whether they comply with the agreements in the contracts. In addition, supplier management is also explicitly included in the ISO 27001 implementation and the associated audits.” This means that Cyber4Z can also help to better organize the supplier management process. “We map out the most critical suppliers and set up a process for periodically assessing the service and level of information security at these external suppliers.”

In short, supplier management is an essential process for companies that want to optimize their products and services and have chosen to rely on external suppliers. Supplier management aims to reduce the risks of outsourcing to external relations. By setting clear expectations and standards, monitoring performance and implementing proactive risk management, companies can better manage their supplier relationships and improve their overall efficiency and safety.

10 practical tips for a more secure web application

In the modern world, web applications have become indispensable for performing various tasks. Be it online banking, online shopping or social media, we rely on web applications to make our daily lives easier. However, it is important to take the security of our web applications seriously to protect our data and personal information from cyber threats. Here are 10 practical tips to make your web application more secure:

  1. Use a strong password policy. Using a strong and unique password is one of the most important ways to protect your web application from unauthorized access. Make sure you change your passwords regularly and use two-step verification.
  2. Make use of encryption. Encryption ensures that data exchanged between the user and the server is encrypted and cannot be read by malicious parties. Always use strong encryption protocols such as SSL or TLS to secure communication between the user and the server.
  3. Validate the entry. Validating the user's input is important to ensure that only valid and secure data is processed by the web application. This prevents attackers from injecting malicious code into the web application.
  4. Restrict access. Restricting access to certain parts of your web application based on users' roles and permissions is an effective way to prevent unauthorized users from accessing sensitive information.
  5. Secure your server. Make sure your server is protected against attacks and unauthorized access. Regularly install updates and patches to close security vulnerabilities.
  6. Use secure sessions. Use secure sessions to verify users' identities and encrypt their session information. This prevents attackers from hijacking sessions and accessing the web application.
  7. Limit the number of error messages. Limiting the number of error messages displayed on your web application prevents attackers from gathering information about the security of your web application.
  8. Keep your software up to date. Make sure you regularly install updates to the software used in your web application to fix security vulnerabilities.
  9. Conduct regular security audits. Perform regular security audits to test and improve the security of your web application.

In conclusion: It is important to take the security of your web applications seriously. Do you need help with this? Please feel free to contact us at 4z4u@cyber4z.com.

Get tickets for the the #XPOSURE Virtual Summit!

Get ready to join CISOs, security executives, practitioners, and experts for3 hours packed with 10 hands-on thought-provoking sessions to gain:

  • Know-how on identifying, assessing, and managing threat exposure to reduce security risk and maximize cyber readiness
  • Latest trends and best practices in cybersecurity from professionals who are setting the standards globally
  • Practical perspectives on exposure management from hackers turned researchers, and security leaders and analysts
  • CPE credits

Got excited? Claim your spot here: https://xposure2reg.pentera.io/?utm_source=partner&utm_medium=Cyber4Z%20B.V&source=partner&medium=Cyber4Z%20B.V

Safer Internet Day: A day to improve children's online safety

On every second Tuesday in February, the whole world celebrates Safer Internet Day. This is an annual campaign to raise awareness and provide education on how to be safer online. The aim is to bring children, young people, parents, teachers, police and industry together to make the online world a safer place for everyone.

In a world where more and more activities are taking place online, it is more important than ever to be aware of the dangers of the internet. Children and young people are particularly vulnerable and can become victims of cyberbullying, sexual exploitation, identity theft and other online dangers. Safer Internet Day is therefore supported worldwide by governments, non-profit organizations, industry and the media. In the past, Cyber4Z gave a presentation at the Eckartcollege high school about cybersecurity and how important it is to start early.

Safe online behaviour

Safer Internet Day aims to help children and young people understand how to behave more safely online. This includes limiting sharing of personal information, refusing to meet strangers you've met online, and always being alert to online threats.

Talk about it

Parents, teachers and other adults can also help by talking about online safety and making sure children and young people are aware of the dangers of the internet. This also means that adults need to be aware of the online activities of children and young people and always be on the lookout for any sign of cyberbullying or other online dangers.

In summary, Safer Internet Day is an important campaign to improve the online safety of children and young people. By raising awareness and providing education, we hope to create a safer online world for everyone. Let's work together for a safer internet for all children and young people.

CYBER4Z GOES TO DEF CON IN LAS VEGAS

In 2023 we have big plans: we are going to the largest and annual hacker convention DEF CON in Las Vegas, Nevada from August 10 to August 13. Here we hope to learn new things and gain new experiences within our field. We are already looking forward to it!

Privacy concerns with Lensa AI app

by Andra Albisoru

In case you have been on any social media platform in the past week, most probably you have come across pictures produces by the new mobile application, Lensa AI. This is a photo-editing app available for IOS and Android users, where uploaded selfies are transformed into avatars. The app allows the user to retouch their photos, change the background, or modify it to fit into different time period art currents.

Nevertheless, as nicely as it sounds, this app does not come without any privacy concerns, which may easily be overlooked by the common smartphone user, eager to jump on this trend as well. Therefore, we thought it would bring a benefit to explain these concerns in a simple manner, and warning potential users of the security risks they expose themselves when using the mobile application.

When reading the documentation of the Lensa app, several red flags may be noticed. While it is stated in section 5 of their privacy policy that the pictures collected from users are not used for other purposes than for applying the relevant filters, in the Terms of Use of the application it states that by using the app, you grand ‘a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable, sub-licensable license to use, reproduce, modify, distribute, create derivative works of your User Content’, for advertising, commercial purposes, as well as for training of the AI. Moreover, in order to use this app, a 1 use fee needs to be paid, and in return you receive 50 edited imagines, based on the photos that you have uploaded. However, the tool used for these edits is a tool developed by Prisma Labs, which owns the Lensa app too. In essence, when using this app, you are offering a company free training for their AI, which helps them further develop and improve their product, as well as creating free advertisement for them. All that, in return for 50 edited avatars.

Lastly, there is a social concern which condemns the implication of artificial intelligence in face recognition practices, as it creates high risks of IP theft, as well as identity theft. The boundaries of ownership for the usage of this application are still ambiguous, leaving room for too much interpretation with regards to whom may use the images after they have been created. If you have already used the application and you are worried that your data may not be used in an ethical way, you may send an e-mail to privacy@lensa-ai.com and you may ask for your collected data to be deleted. Additionally, if your pictures are used in advertising, you may send an e-mail to contact@lensa-ai.com and you may revoke that permission. It is important to create and maintain a secure and ethical environment on the internet, especially when it comes to our facial data.

Cyber4Z welcomes new colleague: Caner Filibelioglu

On December 1st Caner Filibelioglu will join our team as a senior consultant. He briefly introduces himself below.

'I'm super happy to join Cyber4z as Senior Security Consultant. My main strength is infrastructure and network penetration testing, active directory testing, and social engineering. My biggest motivation is to show customers that they might be using cutting edge technologies but there is always a weak chain in the system and this is always people. This makes the most secure networks vulnerable! For Cyber4z i'm willing to bring new customer to company and build new service lines. I believe together we are stronger and together we'll bring the success.' Welcome Caner!

How secure is your password? #changeyourpasswordday

3 out of 5 Dutch people use the same password for multiple online services. Also in organizations in the Netherlands the password policy is not always in order and a variation of Welcome with a special character and a year number is often used.

On 'Change your Password Day' it is extra important to be aware of your password. We can help with this by introducing a password policy as part of the ISO 27002 implementation. Want to know more? Contact us at 4z4u@cyber4z.com.

New ISO 27001 standard: we're on top of it

The new ISO 27001 standard was introduced at the beginning of October. This means that companies need to be compliant with improved and new standards, but what exactly does this mean for them? At Cyber4Z we are busy with the process of providing our current and new customers with appropriate advice.

It is new for many organizations that the ISO 27001 standard is being updated, making it unclear what exactly they should do. At Cyber4Z, we can remove this ambiguity by making a GAP analysis between the current state of the ISMS 2013 and ISO standard 27001 2022. This then produces a clear list of tasks that need to be done, so that the gap can be closed. For our new customers we immediately implement according to the new ISO 27001 2022 standard, to ensure that they are also compliant.

In this way we give our customers a pleasant and secure feeling. Interested in becoming ISO 27001 compliant? Please contact us at 4z4u@cyber4z.com.

Security.txt is also used by DTC

In addition to internet.nl, the Digital Trust Center (DTC) also uses the security.txt file to find contact details in response to vulnerabilities they receive.

Adding this record ensures that found vulnerabilities can reach you. How to add the security.txt record to your external servers is described here: https://www.digitaltrustcenter.nl/securitytxt. You will also find a video that explains security.txt in one and a half minutes in Dutch.

Ransomware Ready webinar

Yesterday we hosted our Ransomware Ready webinar with Matthijs Nelissen, Anders Larsson and Hardeep Singh. Using the Pentera automated validation platform, Hardeep took us step by step through a ransomware attack and how to validate this.

Thanks to Anders for the introduction and Hardeep for the great demo!

For anyone interested, it is possible to view the recording on Youtube.

‘Informationsecurity is and remains a hot topic’

Taking information security to a higher level: that's what it's all about during the ISO 27001 certification process. Cyber4Z can help with the process by performing certain activities (such as a risk assessment or a stakeholder analysis). Our security consultant Morrison Toussaint tells us more about it.

When a company wants to be certified for ISO 27001, it is important that the processes and procedures stated in the standard are implemented. “This concerns, for example, risk assessments, a stakeholder analysis or a management review. These are all activities that should contribute to a higher level of information security. I make these myself at companies, so I'm not just working on support during the audit for ISO 27001,” says Morrison. But how exactly does such a process start? “I start with a gap analysis. This is basically a questionnaire in which the aim is to find out what a company still has to do to meet the requirements as set in ISO 27001. This then results in action points that I will tackle and implement together with the organization."

In addition to the work for ISO 27001, he is also involved in other ISO standards. “There are also other standards such as ISO 9001 on quality management, ISO 22301 on business continuity management and 31000 on risk management. Those are also frameworks that we implement again.”

Getting acquainted

To start with an ISO 27001 it is important to get acquainted with a company. “I always start with a conversation about the company. For example, I ask about the organizational structure, whether IT is outsourced and how many people work there, so that I get an idea of ​​the organization. With all the information I can make a gap analysis which is the first step to achieve certification.”

This is followed by a stakeholder analysis, in which all stakeholders are mapped. “For example, it becomes clear that a company outsources it's IT activities to an IT administrator. I can talk to the IT manager, because sometimes a contract has to be adjusted in order to comply with the ISO standard.” Because of these conversations, it can sometimes take longer before an ISO process is completed. “But it's also because we don't just deliver documents to organizations, but we actually help implement things. This can be, for example, the implementation of mitigating measures, which are identified during the risk analysis.”

A positive trend

In recent years, information security has become an increasingly important topic due to cyber incidents that reach the media amongst other things. “In recent years you have seen that a company wants to be ISO 27001 certified because one of their customers asks for it. Now you see that these companies also expect their suppliers to have an ISO 27001 certificate. It is actually a snowball effect where one implementation leads to multiple implementations at other companies. That is a positive trend, because that way you ensure that the entire chain becomes safer.” That is why Cyber4Z is receiving more and more requests to help with ISO processes.

In short: Cyber4Z not only supports during the ISO audits, but also helps with the entire process around it. Want to know more? Send us an email at 4z4u@cyber4z.com.

Negotiating ransom: "They are nice to me, I to them"

Recently, Omroep Brabant worte an article about Cyber4Z concerning a cyberattack on a dental organization. This article was written by Dit artikel is geschreven doorSven de Laet. It was also discussed in a broadcast of Brabant Nieuws on Thursday 11 August (fragment starts at 4:10).

Dental organization Colosseum Dental paid a ransom of about 2 million euros to end a cyber attack. Sounds intense, but it is increasingly common for companies to go overboard. This is also what Rob Mellegers of the Eindhoven company Cyber4Z sees. He regularly negotiates with hackers. "Unfortunately, it is a growth market."

Mellegers does not know exactly who he is talking to. But he regularly has conversations with hackers, who want ransom. "Companies approach us when they are attacked. How do they know that they have been hacked? You soon find out that you can no longer use programs."

At such a moment, Mellegers and his colleagues spring into action. That communication often runs smoothly. "You will be sent a link, which will take you to a secure portal. Sometimes you can just talk to each other, as if through a kind of crypto telephone."

Mellegers' task is clear. "Make agreements with the hackers on behalf of the hacked company. Sometimes there is room for negotiation. They are very open about that. Those criminals also know exactly what they can ask of you. They have looked up your turnover for a long time, so they can also estimate whether haggling is really necessary."

But isn't it strange to chat with such a hacker? "Somehow, because you know that they have done something that is not right. But I am mainly busy limiting the damage for my client. The conversations are often very friendly. They are nice to me, I to them. It is best to make agreements, for example about paying in installments, so that you know that they actually return data."

Because that's the risk: will the hackers give that data back? "It is of course possible that they sell the data or make it public. But in general it is much more useful for them to be reliable. If they do not deliver once, everyone will know immediately. Then it makes no sense for the next hacked company to pay."

Paying is happening more and more often. "Also because the measures at companies are getting better and better. Hackers are therefore able to steal less data, which means that it also involves smaller amounts." And while ransom transfers are strongly discouraged, Mellegers can imagine paying it. "A company is the only one able to assess the impact, damage and consequences if that data ends up on the street."

Incidentally, it is not the case that companies transfer the ransom quickly to avoid negative publicity. "The moment you are hacked, you are simply obliged to report it to the Dutch Data Protection Authority."

It doesn't look like Mellegers' agenda is getting emptier any time soon. "Unfortunately, hacking is a growth market. Am I not doing my job properly? Well, you are never completely safe. It is and remains the fault of the hackers themselves."

New collegue!

Harrie van den Boomen joined Cyber4Z as an accountmanager on July 18. He will mainly focus on acquiring customers for our subsidiary Neoforce. Welcome Harrie!

Cyber4Z has moved!

Today was a big day for us at Cyber4Z: we have moved to High Tech Campus 41.

At our new location we have a bigger office with more workplaces. We also have our own meetingroom where we can meet with our cliënts. We can't wait to work at our new office!

Business with a social touch

As Cyber4Z we do business with a social touch. This means that we take people, the environment and society into account in our business activities. In this way we contribute by donating money and deploying our carfleet.

Each staff member may donate €100 per year to a social cause in the name of Cyber4Z. Think of a sports association, a good cause or someone who is committed to a good cause. The following charities have received a contribution in recent years: Justdiggit, Giro 555 for Ukraine, Trees for all, Ronald McDonald Huis, Leev in collaboration with the Pay it Forward foundation, Veldhoven Zoo, Zevenhoek Foundation, the Sterk voor Dieren foundation and Goodwill.

Use our cars

We are also concerned with the environment and how we can reduce our emissions. For example, half of our fleet is electric with brands such as Kia, Jaguar, MG and Tesla. However, we don't stop there. We also use our cars for various charities. In 2018 people were picked up and brought home after a Christmas dinner for lonely people, in 2021 one of our Teslas was used to transport ICU nursus to and from work for free and in 2022 people were brought home in a Tesla with a contribution of €1,000 has been realized for Ukraine.

What is a disaster recovery plan?

Suppose there has been a ransomware attack at your organization. What exactly do you do to respond as efficiently as possible and to minimize the impact? A disaster recovery plan (DRP) can help with this. Our security consultant and internal security officer Yu-Me Liebregt talks about the added value of a DRP for every organization. "You've thought about how to handle a crisis in advance."

What is exactly a DRP?

“In a DRP you take the steps you want and need to continue in the event of a disaster. Depending on the service, a DRP may differ. Basically, a DRP is about how to respond and reduce the impact of a disaster. This often concerns the infrastructure of your organization, i.e. the servers and laptops that may have been hacked.”

What's in a DRP?

“I use a template that contains elements that apply to each DRP, such as the composition of a crisis team, critical components, concrete recovery steps, crisis communication and contact details of the people involved. The rest of the content depends on the type of service and the size of the company. A company that offers software must take different measures than a company that makes machines, for example.”

What is the added value of a DRP?

“The added value is that you are prepared for a calamity. You have thought about critical parts and steps to take in advance. With such a plan you can actually respond as efficiently as possible to a calamity and you can limit the damage as much as possible. Think of financial damage or reputational damage. It is important that you test the plan every year and adjust it where necessary, so that you are always well prepared.”

Also ready for a DRP? Please contact us for the possibilities.

GDPR celebrates its fourth birthday!

The GDPR became applicable on 25 May 2018, which means the General Data Protection Regulation is having its fourth birthday. In honor of this, we interviewed our cybersecurity consultant Andra Albisoru about her opinion on the GDPR and her vision for the future. “I hope people will realize soon that things on the internet are never gone.”

Do you often have to deal with the GDPR in your daily work?

“Actually, I think all of us have to deal with the GDPR in our daily online activities. Especially during the pandemic, we moved our social life online. We spend more and more of our time on different websites and online applications. With that, we have the pop-up cookies that appear on our screen. We always need to agree or consent. It is very broad, but the GDPR is always there.”

What is your opinion on the GDPR?

“I think the GDPR is actually the realization that the internet is becoming more and more important in our lives. I feel like it was understood that we need to be very careful with what we share online and with our data because it holds a lot of value. I think people are starting to realize the value, especially when you are a victim of a scam online. Then you realize how much you put out there and how important it is to protect it.”

Do you think the GDPR has improved cybersecurity in the last four years?

“Yes, I do think that because the GDPR is making it mandatory for more and more companies to respect. Before the GDPR we used to have a directive (Directive 95/46/EC) but that directive was not as clear and viewed as important as the GDPR is viewed now. With the GDPR, the rules aren’t new but the force to be compliant is.”

What is your vision for the future regarding the GDPR?

“I hope at least that more and more companies will be more compliant. Even though the GDPR has been around for four years, we need to understand that it required a very big change from companies and that it takes time to implement those changes. Right now, I think it’s important to help those companies to change and then look if new rules are needed. And I hope people will realize soon that things on the internet are never gone and that we need to be as careful with those things as we are with important physical things like a passport or ID-card.”

Rob Mellegers gives a presentation at the Eckartcollege Beroepenavond

Last week Rob Mellegers gave a presentation and demonstration at Eckartcollege Eindhoven because of so-called Beroepenavond. “With the push of a button you already have insight into the security,” says Rob.

The Beroepenavond or Profession evening means that students at Eckartcollege can attend presentations by several different professionals and learn about them.

With his phone in his hand and a screen on the wall, Rob showed the class a few visible network vulnerabilities that you try to hack (ofcourse you should never do that without premission). According to Rob, the most important thing is to show that cybersecurity doesn't have to be complicated at all: "With the push of a button you already have insight into the security." Several students hung on his every word. " I was pleased to see that a large group of students is interested in the fields of ethical hacker and cybersecurity consultant. And that the students, who have to make a career choice, found it very interesting to see what I can do and how I do it." According to Rob, it is important to start with cybersecurity early. “The sooner you start, the sooner children can recognize dangers in their own behavior and that of others. That can come in handy later on.”

Fridays are for knowledge sessions

At Cyber4Z we think it's important to maintain and expand our knowledge. That is why we organize an knowledge session every three weeks on a Friday afternoon. During such sessions, a company or peron shares their expertise on a particular topic. This week we attended a presentayion about Corelight and it's product.

Developments in the field of cybersecurity are moving at lightning speed: almost every day new applications are available or new vulnerabilities are revealed. It's like a train that keeps going, that you want to sit on. By regularly organizing knowledge sessions, we ensure that we stay up-to-date and learn new things.

Would you also like to teach us something new? Please contact us at 4z4u@cyber4z.com.

Cyber4Z welcomes new collegue: Bart van der Wilt

As of June 1, Bart van der Wilt will strengthen our team as a Junior Consultant. He briefly introduces himself:

'Hello! My name is Bart and I am an eager to learn as a cybersecurity starter. I live in 's-Hertogenbosch with my girlfriend. When I'm not working, I like to exercise outside in the form of running or cycling. I have gained experience related to security during my training at the Royal Military Academy. My goal is to extend this experience with cybersecurity knowledge, so that I can help the customer solve their issues. 'Welcome Bart! We wish you lots of fun!

Cyber4Z welcomes our new colleague: Ben Willems

Today Ben Willems starts his first workday with us. He would like to introduce himself: I am a pragmatic security consultant with a strong technical background in software design, electronics engineering and computer science. My experience includes diverse set of projects on hardware-software co-design, such as safety-critical automotive software and secure embedded systems. Ultimately, my goal is to use my experience to address the technical challenges of our customers with custom security solutions.

Cyber4Z holds annual (mandatory) external audit

Last week we had our annual (mandatory) external audit for the ISO 27001 standard at Cyber4Z. This time it was a surveillance audit including ISO9001 (quality management system). Our security consultant and internal security officer Yu-Mei Liebregt tells all about this audit and what it entails. “An audit is actually a check on compliance with the standard and a check on whether we as an organization are continuously improving the ISMS and therefore information security.”

What exactly does the ISO 27001 standard mean?

“The ISO27001 standard is a standard for information security. You can obtain a certificate that shows that you have the information security in your organization in order, that you are continuously working on it and making improvements. With the ISO27001 you have an information security management system (ISMS). As an organisation, you have to be constantly working on it and continue to develop the organization in this regard. Every year you are required to undergo an internal and external audit to see whether you still meet the standard.”

What exactly was last week's audit about?

“This year we had a surveillance audit incl. ISO9001 (quality management system). A surveillance audit is more limited than a recertification audit that occurs once every three years. During the audit, the auditor conducts several interviews with different functions in which the auditor will 'check' us as an organisation. The number of interviews and the duration of the audit depend on the organization size and scope. Several colleagues are involved in the interviews, such as me as an internal security officer for our ISMS/KMS, our managementteam and developers. This year, for example, we focused on ICT security management, development, security development, management dynamics, the physical environment, customer delivery and sales. In each interview/topic, this is discussed with regard to the associated controls. The auditor can ask for policy documents and practical examples of how we actually implement our policy with which he can compare whether this corresponds with what is on paper.”

What is your opinion on audits?

“An audit is certainly necessary to remain compliant and certainly interesting. You do have to invest time in it, but it also has good added value for the organization. You learn every audit a little more and in more detail, so that you can also implement it better for customers.”

Cyber4Z provides support with internal and external audits

An organization must regularly conduct internal audits for ISO27001 (but also for comparable standards). During such audits, it is examined how the controls have been implemented by, among other things, holding interviews, assessing records (e.g. information security incident register), assessing policy documents, procedures and/or manuals and monitoring systems and applications that are running at the customer. At Cyber4Z, we assist customers in this process by supporting the drafting of policies, procedures and records. And also the practical testing of the current measures and controls taken and how they fit within the standard and the controls required by the standard. Our consultant Rob van den Heuvel is happy to tell you more about it. “I could talk about it all day!”

Due to his past as an IT auditor, Rob is the right person to help clients with conducting the internal audits and preparing for the external audit. He knows better than anyone what an accountant is looking for. “This allows me to support customers well,” says Rob. “During such audits, it is often noticeable that many control measures have already been taken and are also carried out according to a fixed pattern. However, we often also see that for many of these controls that have already been performed, the documentation to guarantee the demonstrability is still missing. Commitment is often seen as an additional workload. But you don't have to: you can guarantee the demonstrability in a very efficient way by taking screenshots and including some context. This allows you to demonstrate the actual implementation during the performance of internal and external audits.”

Information security becomes more important

Our customer organizations are increasingly being asked by their own customers how they deal with information security. Rob notices this too. “Capturing the steps you take when performing an audit therefore plays a major role in this,” says Rob. The ISO27001 certification and the associated organization of the information security management system gives our customers the opportunity to demonstrate that they are consciously involved with information security and that the necessary processes and measures have been set up.

Continue to develop

In addition, Rob also continues to develop as a consultant. For example, in February he passed the Certified ISO27001 Lead auditor training. “The training has given me more knowledge about what an ISO auditor is looking for and how I can safeguard this within the policy documents and procedures that I draw up in collaboration with the organisation.” But the most important thing, according to Rob, is to work with the customer to define the standard and associated controls that suit the organization, can be implemented practically and efficiently and leads to both internal and external satisfaction.

Pentesting at Cyber4Z

At Cyber4Z we also do so-called penetration tests (also called pentests). These tests help companies find vulnerabilities on their systems. One of our testers is Raf Martino, who specializes as a cybersecurity architect. About 3 to 4 times a month he does a pentest for a company together with his colleague Martijn Claes. Raf is happy to tell us more about it.

What does pentesting involve?

“During a pentest, we look at the security of a system in different ways. This can be a test of an internal network, where we also test all devices such as laptops and printers. We also have web applications that we test. Sometimes this happens externally, sometimes we only get the name of the company and have to see what we can find. Sometimes we only look at a specific web application and how we can get into it.”

A pentest is taken about 4 times a month. Is this a lot?

“Yes, at the moment it is a lot. Each pentest takes at least 2 days. For a pe test for a web application we need two days. But for a test on location we need three days and then we also prepare a report. We also prepare our pentests well through discussions with the technical staff and with the company. This way we know what they are afraid of and which vulnerabilities we should look at.”

What do you do pentests on?

“On internal networks we mainly do pentests on Windows domains. The typical approach for this is that we will look for employee passwords and for misconfigurations of that Windows domain. If there are vulnerabilities or misconfigurations in it, we can usually get to the point where we can retrieve the login details of an administrator. As an example: we recently had a pentest on such an internal network and then we were able to take over the entire system within half a day.”

What about the security of the companies being tested?

“It varies a lot from company to company. This year we already had customers who had everything in order with strong passwords and a good awareness campaign. It varies and that makes it fun and challenging. We do see that companies have made significant improvements in cybersecurity in a second test. Of course, at Cyber4Z, we also regularly check how our own cybersecurity is doing. A while back we did an internal phishing test. And we ask our own employees to report vulnerabilities in our domain, so that they can be improved.

Interested in a penetration test for your company? Please contact us at 4z4u@cyber4z.com.

Cyber4Z welcomes our new colleague: Rob van den Heuvel!

Cyber4Z is pleased to introduce a new colleague: Rob van den Heuvel! He will start as a Security Consultant with our team on the 1st of November and will focus on, among other things, the implementation of various standards and frameworks.

Rob likes to introduce himself: "Over the past four years I have gained experience at BDO as an IT auditor. Here I have carried out a large number of assignments for various clients in various industries, including ISO27001 internal audits, ISAE 3402 Type II, SOC 2 & 3 and security-related consultancy assignments At Cyber4z I want to develop myself further and work together with the customer to bring about change and achieve results.

Cyber4Z and Cyber4Z Solutions welcome our new colleague: Jeffrey Dierckx!

"Actually, I'm already part of the furniture" shouted Jeffrey Dierckx when he announced that he was going to work at Cyber4Z Solutions. That's right, because after 2 successful internships, Jeffrey will start on September 1 as a developer for our beautiful product Neo4Z

Jeffrey introduces himself: My name is Jeffrey Dierckx. I recently completed the Application and Media Developer training and during this training I ended up at Cyber4Z as an intern. Now I look forward to continuing to work in the solution development team at Cyber4Z! Here he will focus on the development of Neo4Z and future products!

First national Dutch advertisement for Neo4Z is a fact!

Great news: Neo4Z can be found on the front page of an supplement of the Financieel Dagblad about Business, IT Security and e-Health! Neo4Z is doing well to get more and more brand awareness. In addition, the developers at Cyber4Z Solutions ensure that there are great updates every week and they are happy to be in contact with the customer to ensure that everything is to your liking!

The entire issue can be found here. Interested in Neo4Z? Click here to go to the Neo4z website!

Cyber4Z Solutions is included in the Cloud Security Alliance!

Neo4Z, the product being developed by Cyber4Z Solutions, has been officially included in the international Cloud Security Alliance (CSA) since July 2021! The CSA is the well-known program that contributes to security assurance in the cloud. Cyber4Z and Cyber4Z Solutions are proud that our new product has been accepted by CSA.

Neo4Z offers SAAS solutions for asset registration, application management, datasets and has its own ticketing system. Built for small and large businesses, Neo4Z has monthly feature updates and standard integrations with other security products. Neo4Z is built with security in mind and built by security experts.

The registration can be found here, together with the performed assessment with an explanation of how more than 300 controls have been implemented.

Rob Mellegers attended the webinar of Centric!

Centric recently released a webinar in which Rob Mellegers, one of the founders of Cyber4Z, could talk about his work as CISO at the municipality of Heerlen! All our colleagues are happy to talk about their work and experiences, so we are proud that Rob was able to tell his story at Centric.

In his position, he has to deal with, among other things, the use of secure passwords and solutions for this. One of the tools that is used is MindYourPass, a partner of Cyber4Z which has developed a revolutionary way to handle passwords in a safe way.

The Dutch webinar can be found here. Have fune!

Cyber4Z welcomes a new colleague: Andra-Elena Albisoru!

On the 1st of May, Andra-Elena Albisoru is joining Cyber4Z, helping to bridge law & privacy with security at our clients. Welcome Andra to our group! She introduces herself below.

After moving in 2017 from Romania to the Netherlands in order to pursue my dream and obtain a law degree, I have completed my bachelor's degree in European Law at Maastricht University. Further on, I decided to also pursue a master's degree in Corporate and Commercial Law at Maastricht University.

As a result of these 2 degrees, I am now trained in Privacy and Data Protection. In order to familiarize myself with the technological world as well, in 2020 I have also completed an internship at a web-developing company, where I was tasked with creating cookie-wall content, privacy policies, and IT strategic plans. I am excited to become part of the Cyber4Z community, and curious to see what the future has in store for me.

Cyber4Z welcomes a new colleague: Rick van Leeuwen!

On April 1, Rick van Leeuwen will start as a security consultant at Cyber4Z. Rick will use his technical background to help our customers improve their security. Welcome Rick and top for joining us! Rick introduces himself below:

My name is Rick van Leeuwen and I have a background in ethical hacking and security consulting. After my study software engineering & cyber security, I worked for five years as a security consultant and ethical hacker. I look forward to working at Cyber4Z with technical assignments and to support customers with their security issues.

In my spare time I love to play with my hobby servers and design and build all kinds of useful but certainly also less useful objects with my 3D printers. I am also a member of scouting, which is a great outlet after a week at the (home) office.

Cyber4Z and FERM are going to work together!

FERM helps companies around the port of Rotterdam to become more digitally resilient. Cyber4Z is happy to announce that we are allowed to work with FERM. Cyber4Z will help set up and manage a communication platform for participants and will assist in obtaining threat information from various sources.

Together we are strong!

Cyber4Z is happy to celebrate its fifth anniversary!

Cyber4Z was founded in 2015 by Rob Mellegers and Mathé Grippeling. Matthijs Nelissen has also joined as co-owner two years ago. In the meantime, we have managed to achieve great things! Here is an overview of the last five years.

We have grown considerably in five years and have been able to achieve this with our own resources. We are also active internationally, where we have been able to create a number of successful partnerships that have proved successful for all parties. And that is important, because in these turbulent times we need each other more than usual and it is important that we not only keep success within ourselves, but share it with our strategic partners. We have successfully completed a large number of certifications and not only ISO27001, but also TISAX and BIO installations. For example, we helped the first municipal organization provide the first official statement that they comply with the BIO in design and existence. We have also embarked on a new adventure by diving into the development of an IT Service Management solution that really distinguishes itself from other products because security is embedded in the solution. Big names such as SSH and KPN have linked their products to the solution, because they also consider it important to have security of paramount importance.

We are happy with these developments, but remain focused on the requirements and wishes of our customers. For this we need continuous input and we strengthen our team with 'continuous learning' so that we can continue to provide our customers with sound advice based on knowledge and skills. We look forward with confidence to the next five years with new challenges, developments, small and large successes and, above all, a close-knit and strong team that is passionate about their profession and, above all, works with dedication and pleasure on their assignments.

Cyber4Z is pleased to announce our new colleague: Yu-Mei Liebregt!

Cyber4z is again delighted to introduce a new colleague. Yu-Mei came into contact with cybersecurity during her studies and started her career at Cyber4Z. We would like to welcome her to the team! She introduces herself below.

My name is Yu-Mei Liebregt. I recently graduated from Integrale Veiligheidskunde. During my study I learned more about cybersecurity and cybercrime. In Utrecht I followed the minor Privacy and Information Security, which increased my interest in cybersecurity. For my thesis I made a business continuity plan, after which I came into contact with Cyber4Z. Cyber4Z offers a nice combination between the policy / ISO part and the technical side, which interests me enormously. I am really looking forward to getting started and learning a lot!

Cyber4Z is pleased to announce our new colleague: Don Mulders!

Cyber4z is once again delighted to introduce a new colleague. Don has experience as a software engineer, pentester and security analyst and will use this great skillset for our customers. Welcome to the team! He introduces himself below.

My name is Don Mulders and I have a background in IT and IT Security. Specifically, I have a bachelor's degree in Game Technology, after which I obtained a master's degree in Information Security Technology. In addition, I have many years of experience in various programming languages. I like to think out-of-the-box and bridge the gap between technology and people. Cyber4Z offers me a wide range of opportunities, both to use my technical background and to further develop myself in the policy side of information security. In my spare time I play all kinds of games; drill games, Pathfinder, and also online games.

Cyber4Z is working together with the Dutch Cyber Weerbaarheids Center on the development of a threat intelligence platform

Cyber4Z is a partner of the Dutch Cyber Weerbaarheids Center Brainport (CWB). Cyber4Z has set up a Malware Information Sharing Platform (MISP) together with the CWB. Through this platform, the participants of the CWB, mostly companies in the high-tech and manufacturing industry, receive so-called events from the National Cyber Security Center. This actively informs participants about possible vulnerabilities and threats. Participants submit their IP addresses and a list of used hardware and software to the NCSC and these participants now receive current and relevant information. This news has now been picked up by various media. Cyber4Z is proud that they have been able to set up this service for the CWB and the many participants!

Click here to visit the website of the CWB and click here to read the article of Computable.

Cyber4Z is pleased to announce our new colleague: Martijn Claes!

Cyber4Z is pleased to introduce a new colleague: Martijn Claes will start at the end of August and will focus on the technical aspects within cyber security and penetration testing. Welcome to the team, Martijn! Below he introduces himself.

While obtaining my Master of Electronics and ICT engineering I discovered the cybersecurity domain. I've been working in IT for 5 years with a specialization in security - more specifically infrastructure security. Coming from a pentesting background, I've successfully managed and conducted security penetration tests and provided clear advice and support to clients on how to apply fixes. My biggest satisfaction is helping organizations to find the weaknesses which makes them vulnerable and offer the best recommendations on how to fix them

Cyber4Z welcomes our new colleague Brandon!

Cyber4Z is pleased to announce that as of July 1, our new colleague Brandon will be part of our team! He will focus on software development. Below he introduces himself.

My name is Brandon Kleijnen and I completed my HBO ICT studies last year with a specialization in Software Development. During my HBO studies I worked for a number of years at a computer service provider. I am at the start of my career and want to gain as much knowledge as possible. Working for clients and on solutions is important to me and I would like to contribute this at Cyber4Z. The moment I help people with their issues and answer them successfully, are the moments when I am really happy.

Interview with Arissa d'Fonseca - Security Consultant at Cyber4Z

Arissa has been working at Cyber4Z since 1 October 2019, combining learning and working. We were curious about her experiences and tips as a starting security consultant.

What do you do at Cyber4Z?

I am currently employed at a large customer as a Risk Manager, where I mainly deal with managing the risk register. I have monthly meetings with multiple Risk Managers to discuss progress and I report on this. In addition, I do application intakes where we gain more insight in the risks when using these applications and which information is on which system.

Then you speak a lot of people!

Yes, I am amazed at how many colleagues there are and how many different people are employed. I think that is very important and I feel better with the atmosphere of a large company.

What do you enjoy the most about your job?

I really enjoy working with colleagues and people. I am good at leveling with everyone, so the conversation is always pleasant.

Is there anything about working as a consultant that you expected in advance but turns out to be very different?

It may sound very strange but when I am honest, I expected that in the first year I would get less confidence, but I actually get a lot of freedom and trust to be able to do my work and that helps enormously.

What is your best tip for people who study now for work later?

I would say complete your first year, get your foundation degree and start applying at jobs. When you start your study, it is very important to gain experience in the field. Learn about the field, because school is a completely different area.

Do you have any tips for universities on how they offer classes?

The fact that a study program should initially focus the field of work. For example, I see 5 courses that all revolve around the same thing, but just a different description. I would go more into specific topics and the different aspects and possibilities. The current courses are too generic. We train too many globalists. If you do something with the work field, you immediately have more aspects of it.

Article: what is ransomware and how does it work?

What is ransomware?

Ransomware, also known as hostage software, is a type of malware that encrypts data, but also systems and an entire network, where the victim has to pay money to regain access. This is usually done by criminal organizations to make money. Ransomware has grown considerably in popularity among malicious parties in recent years. For example, the number of ransomware attacks registered with leading insurance company Chubb has risen on average by 12% a year in recent years compared to the previous year, with the number of attacks in 2019 increasing by as much as 18%. One of the best-known ransomware is WannaCry, affecting various organizations internationally.

Methods

There are several ways in which a ransomware can infect a computer or network. The most common way is through spam: emails sent to trick the recipient into clicking a link or opening a file. Another way is by visiting infected websites, where visitors automatically download malware. This can be websites that are specially designed to distribute ransomware, but also websites that are themselves infected without knowing this.

Recommendation

When your organization is dealing with ransomware, it is always recommended that you do not pay any money to unlock your files, systems and networks. The reason for this is that the malicious person will come back to you more often and moreover this person cannot be trusted, so there is no guarantee that your files will be released. Cyber4Z supports you and your organization in helping to prevent ransomware attacks. We use proven technologies and organizational measures to better prepare your organization for possible ransomware attacks. Feel free to contact us for more information, we are happy to assist you!

Cyber4Z and Cyber4Z-GCC successful in the Gulf region during the Cyber Security Conference in Kuwait City

Cyber4Z-GCC had a successful presence during the 2nd Cyber Security Conference in Kuwait City. Prof. Dr. Safaa Zaman, Full professor of the University of Kuwait and General Manager of Cyber4Z-GCC organised this second event with support of his Highness, the Prime Minister Sheikh Jaber Almubarak Alhamad Alsabah. Rob Mellegers was invited to present about risks from open sources. He had assessed 4 companies in Kuwait from open sources without performing a scan or penetration test. The results have been presented and discussed afterwards. Thanks to the solution of Cyber4Z partner SecurityScoreCard, we were able to find many interesting results. The solution is used for Third Party Management. Some Dutch based products have been presented as well, like the Ubikey. An invention from NXP to handle authentication without passwords.

.

Cyber4Z will support the Cyber Resilience Center Brainport by performing security health checks for a part of the joined organizations

Cyber Resilience Center Brainport is the first in the Netherlands in having a Cyber Resilience Center to help companies within the knowledge-intensive industry with resilience against digital espionage and sabotage. This makes the high-tech region the leader in the Netherlands that -in addition to the vital sectors as designated by the Dutch government (such as health care, energy, harbor, etc.)- is making serious work out of cyber resilience.

For more information about CWC Brainport, visit LinkedIn or the website of Brainport.

Cyber4z welcomes new colleague: Arissa!

Cyber4Z is pleased to announce a new colleagues to our team as of the 1st of October. She will introduce herself below. Welcome Arissa and lots of success and fun!

My name is Arissa D’Fonseca and I am currently in the 3rd year of HBO ICT and I specialize in Cyber Security. I am very curious about the field of the Cyber Security industry. Cyber4Z gives me the opportunity to combine studying, working and gaining experience. There is a lot that I want to learn and I expect to gradually expand my knowledge and expertise and ultimately apply this carefully to Cyber4Z and its customers.

Cyber4z positively assessed on ISO 27001 and 9001 surveillance audit

Cyber4Z has been certified against ISO27001 and ISO9001 for a number of years now. Certification is a way to formally prove that we handle confidential information responsibly, since we have set up an information security management system in a structured manner. In the first three years we are tested annually by means of a surveillance audit. If there have been changes in the management system, it will be independently assessed whether we have organized these changes in a responsible manner. Because we help our customers with various certification processes, we believe that we ourselves must also comply with the security guidelines from both ISO standards. That is why we are pleased that DEKRA has acknowledged again that we can continue to maintain our certificate. Compliments for the entire team who took responsibility for the activities in a continuous improvement process and that we are able to manage our management system and the associated measures, and thus managing the risks adequately!

Strategic partnership between Foreach-IT & Cyber4Z

Cyber4Z is very pleased to announce that Foreach-IT and Cyber4Z have signed a contract for a strategic partnership. We will be able to deliver security software in addition to consultancy. The focus of this software is on risk and compliance, in particular technical compliance in accordance with the BIO (Baseline Information Security for the Government), which is derived from ISO 27001:2017 and ISO 27002:2017. In addition, access mechanisms are incorporated into the software, in partnership with SSH, so that administrators have controlled access to the systems they manage, based on the keywords manageability, controllability and irrefutability.

Nice collaboration between Brunel and Cyber4Z!

Brunel organizes the exclusive 'Meet & Inspire event: Ethical Hacking' on Thursday 6 June 19 at Van der Valk Hotel Brussels Airport for cyber security and information security professionals. From Cyber4Z, Rob Mellegers and Raf Martino will share their expertise with ethical hacking that evening. Do you want to be attend this event? Register now via EventsBE@brunel.net. Be quick, because the places are limited. .

Frank van Hooft, our new colleague in the role of Senior Security Consultant

My name is Frank van Hooft, on March 1st I will join Cyber4Z as Senior Security Consultant. With a background in process and project management, I started with information security twelve years ago. The width and depth of information security has grabbed me. The multitude of topics such as risks and mitigating measures, the difficult communication between "the business" and "IT" are some examples of the world in which I feel at home. I get my energy by supporting "business" in this.

I live in Almkerk, together with my wife and son of 22. My hobbies are music, reading, exploring Scotland and going out on my motorbike.

Cyber4Z is wishing you a succesfull 2019!