Last week we had our annual (mandatory) external audit for the ISO 27001 standard at Cyber4Z. This time it was a surveillance audit including ISO9001 (quality management system). Our security consultant and internal security officer Yu-Mei Liebregt tells all about this audit and what it entails. “An audit is actually a check on compliance with the standard and a check on whether we as an organization are continuously improving the ISMS and therefore information security.”

What exactly does the ISO 27001 standard mean?

“The ISO27001 standard is a standard for information security. You can obtain a certificate that shows that you have the information security in your organization in order, that you are continuously working on it and making improvements. With the ISO27001 you have an information security management system (ISMS). As an organisation, you have to be constantly working on it and continue to develop the organization in this regard. Every year you are required to undergo an internal and external audit to see whether you still meet the standard.”

What exactly was last week's audit about?

“This year we had a surveillance audit incl. ISO9001 (quality management system). A surveillance audit is more limited than a recertification audit that occurs once every three years. During the audit, the auditor conducts several interviews with different functions in which the auditor will 'check' us as an organisation. The number of interviews and the duration of the audit depend on the organization size and scope. Several colleagues are involved in the interviews, such as me as an internal security officer for our ISMS/KMS, our managementteam and developers. This year, for example, we focused on ICT security management, development, security development, management dynamics, the physical environment, customer delivery and sales. In each interview/topic, this is discussed with regard to the associated controls. The auditor can ask for policy documents and practical examples of how we actually implement our policy with which he can compare whether this corresponds with what is on paper.”

What is your opinion on audits?

“An audit is certainly necessary to remain compliant and certainly interesting. You do have to invest time in it, but it also has good added value for the organization. You learn every audit a little more and in more detail, so that you can also implement it better for customers.”

An organization must regularly conduct internal audits for ISO27001 (but also for comparable standards). During such audits, it is examined how the controls have been implemented by, among other things, holding interviews, assessing records (e.g. information security incident register), assessing policy documents, procedures and/or manuals and monitoring systems and applications that are running at the customer. At Cyber4Z, we assist customers in this process by supporting the drafting of policies, procedures and records. And also the practical testing of the current measures and controls taken and how they fit within the standard and the controls required by the standard. Our consultant Rob van den Heuvel is happy to tell you more about it. “I could talk about it all day!”

Due to his past as an IT auditor, Rob is the right person to help clients with conducting the internal audits and preparing for the external audit. He knows better than anyone what an accountant is looking for. “This allows me to support customers well,” says Rob. “During such audits, it is often noticeable that many control measures have already been taken and are also carried out according to a fixed pattern. However, we often also see that for many of these controls that have already been performed, the documentation to guarantee the demonstrability is still missing. Commitment is often seen as an additional workload. But you don't have to: you can guarantee the demonstrability in a very efficient way by taking screenshots and including some context. This allows you to demonstrate the actual implementation during the performance of internal and external audits.”

Information security becomes more important

Our customer organizations are increasingly being asked by their own customers how they deal with information security. Rob notices this too. “Capturing the steps you take when performing an audit therefore plays a major role in this,” says Rob. The ISO27001 certification and the associated organization of the information security management system gives our customers the opportunity to demonstrate that they are consciously involved with information security and that the necessary processes and measures have been set up.

Continue to develop

In addition, Rob also continues to develop as a consultant. For example, in February he passed the Certified ISO27001 Lead auditor training. “The training has given me more knowledge about what an ISO auditor is looking for and how I can safeguard this within the policy documents and procedures that I draw up in collaboration with the organisation.” But the most important thing, according to Rob, is to work with the customer to define the standard and associated controls that suit the organization, can be implemented practically and efficiently and leads to both internal and external satisfaction.

At Cyber4Z we also do so-called penetration tests (also called pentests). These tests help companies find vulnerabilities on their systems. One of our testers is Raf Martino, who specializes as a cybersecurity architect. About 3 to 4 times a month he does a pentest for a company together with his colleague Martijn Claes. Raf is happy to tell us more about it.

What does pentesting involve?

“During a pentest, we look at the security of a system in different ways. This can be a test of an internal network, where we also test all devices such as laptops and printers. We also have web applications that we test. Sometimes this happens externally, sometimes we only get the name of the company and have to see what we can find. Sometimes we only look at a specific web application and how we can get into it.”

A pentest is taken about 4 times a month. Is this a lot?

“Yes, at the moment it is a lot. Each pentest takes at least 2 days. For a pe test for a web application we need two days. But for a test on location we need three days and then we also prepare a report. We also prepare our pentests well through discussions with the technical staff and with the company. This way we know what they are afraid of and which vulnerabilities we should look at.”

What do you do pentests on?

“On internal networks we mainly do pentests on Windows domains. The typical approach for this is that we will look for employee passwords and for misconfigurations of that Windows domain. If there are vulnerabilities or misconfigurations in it, we can usually get to the point where we can retrieve the login details of an administrator. As an example: we recently had a pentest on such an internal network and then we were able to take over the entire system within half a day.”

What about the security of the companies being tested?

“It varies a lot from company to company. This year we already had customers who had everything in order with strong passwords and a good awareness campaign. It varies and that makes it fun and challenging. We do see that companies have made significant improvements in cybersecurity in a second test. Of course, at Cyber4Z, we also regularly check how our own cybersecurity is doing. A while back we did an internal phishing test. And we ask our own employees to report vulnerabilities in our domain, so that they can be improved.

Interested in a penetration test for your company? Please contact us at 4z4u@cyber4z.com.

Cyber4Z is pleased to introduce a new colleague: Rob van den Heuvel! He will start as a Security Consultant with our team on the 1st of November and will focus on, among other things, the implementation of various standards and frameworks.

Rob likes to introduce himself: "Over the past four years I have gained experience at BDO as an IT auditor. Here I have carried out a large number of assignments for various clients in various industries, including ISO27001 internal audits, ISAE 3402 Type II, SOC 2 & 3 and security-related consultancy assignments At Cyber4z I want to develop myself further and work together with the customer to bring about change and achieve results.

"Actually, I'm already part of the furniture" shouted Jeffrey Dierckx when he announced that he was going to work at Cyber4Z Solutions. That's right, because after 2 successful internships, Jeffrey will start on September 1 as a developer for our beautiful product Neo4Z

Jeffrey introduces himself: My name is Jeffrey Dierckx. I recently completed the Application and Media Developer training and during this training I ended up at Cyber4Z as an intern. Now I look forward to continuing to work in the solution development team at Cyber4Z! Here he will focus on the development of Neo4Z and future products!

Great news: Neo4Z can be found on the front page of an supplement of the Financieel Dagblad about Business, IT Security and e-Health! Neo4Z is doing well to get more and more brand awareness. In addition, the developers at Cyber4Z Solutions ensure that there are great updates every week and they are happy to be in contact with the customer to ensure that everything is to your liking!

The entire issue can be found here. Interested in Neo4Z? Click here to go to the Neo4z website!

Neo4Z, the product being developed by Cyber4Z Solutions, has been officially included in the international Cloud Security Alliance (CSA) since July 2021! The CSA is the well-known program that contributes to security assurance in the cloud. Cyber4Z and Cyber4Z Solutions are proud that our new product has been accepted by CSA.

Neo4Z offers SAAS solutions for asset registration, application management, datasets and has its own ticketing system. Built for small and large businesses, Neo4Z has monthly feature updates and standard integrations with other security products. Neo4Z is built with security in mind and built by security experts.

The registration can be found here, together with the performed assessment with an explanation of how more than 300 controls have been implemented.

Centric recently released a webinar in which Rob Mellegers, one of the founders of Cyber4Z, could talk about his work as CISO at the municipality of Heerlen! All our colleagues are happy to talk about their work and experiences, so we are proud that Rob was able to tell his story at Centric.

In his position, he has to deal with, among other things, the use of secure passwords and solutions for this. One of the tools that is used is MindYourPass, a partner of Cyber4Z which has developed a revolutionary way to handle passwords in a safe way.

The Dutch webinar can be found here. Have fune!

On the 1st of May, Andra-Elena Albisoru is joining Cyber4Z, helping to bridge law & privacy with security at our clients. Welcome Andra to our group! She introduces herself below.

After moving in 2017 from Romania to the Netherlands in order to pursue my dream and obtain a law degree, I have completed my bachelor's degree in European Law at Maastricht University. Further on, I decided to also pursue a master's degree in Corporate and Commercial Law at Maastricht University.

As a result of these 2 degrees, I am now trained in Privacy and Data Protection. In order to familiarize myself with the technological world as well, in 2020 I have also completed an internship at a web-developing company, where I was tasked with creating cookie-wall content, privacy policies, and IT strategic plans. I am excited to become part of the Cyber4Z community, and curious to see what the future has in store for me.

On April 1, Rick van Leeuwen will start as a security consultant at Cyber4Z. Rick will use his technical background to help our customers improve their security. Welcome Rick and top for joining us! Rick introduces himself below:

My name is Rick van Leeuwen and I have a background in ethical hacking and security consulting. After my study software engineering & cyber security, I worked for five years as a security consultant and ethical hacker. I look forward to working at Cyber4Z with technical assignments and to support customers with their security issues.

In my spare time I love to play with my hobby servers and design and build all kinds of useful but certainly also less useful objects with my 3D printers. I am also a member of scouting, which is a great outlet after a week at the (home) office.

FERM helps companies around the port of Rotterdam to become more digitally resilient. Cyber4Z is happy to announce that we are allowed to work with FERM. Cyber4Z will help set up and manage a communication platform for participants and will assist in obtaining threat information from various sources.

Together we are strong!

Cyber4Z was founded in 2015 by Rob Mellegers and Mathé Grippeling. Matthijs Nelissen has also joined as co-owner two years ago. In the meantime, we have managed to achieve great things! Here is an overview of the last five years.

We have grown considerably in five years and have been able to achieve this with our own resources. We are also active internationally, where we have been able to create a number of successful partnerships that have proved successful for all parties. And that is important, because in these turbulent times we need each other more than usual and it is important that we not only keep success within ourselves, but share it with our strategic partners. We have successfully completed a large number of certifications and not only ISO27001, but also TISAX and BIO installations. For example, we helped the first municipal organization provide the first official statement that they comply with the BIO in design and existence. We have also embarked on a new adventure by diving into the development of an IT Service Management solution that really distinguishes itself from other products because security is embedded in the solution. Big names such as SSH and KPN have linked their products to the solution, because they also consider it important to have security of paramount importance.

We are happy with these developments, but remain focused on the requirements and wishes of our customers. For this we need continuous input and we strengthen our team with 'continuous learning' so that we can continue to provide our customers with sound advice based on knowledge and skills. We look forward with confidence to the next five years with new challenges, developments, small and large successes and, above all, a close-knit and strong team that is passionate about their profession and, above all, works with dedication and pleasure on their assignments.

Cyber4z is again delighted to introduce a new colleague. Yu-Mei came into contact with cybersecurity during her studies and started her career at Cyber4Z. We would like to welcome her to the team! She introduces herself below.

My name is Yu-Mei Liebregt. I recently graduated from Integrale Veiligheidskunde. During my study I learned more about cybersecurity and cybercrime. In Utrecht I followed the minor Privacy and Information Security, which increased my interest in cybersecurity. For my thesis I made a business continuity plan, after which I came into contact with Cyber4Z. Cyber4Z offers a nice combination between the policy / ISO part and the technical side, which interests me enormously. I am really looking forward to getting started and learning a lot!

Cyber4z is once again delighted to introduce a new colleague. Don has experience as a software engineer, pentester and security analyst and will use this great skillset for our customers. Welcome to the team! He introduces himself below.

My name is Don Mulders and I have a background in IT and IT Security. Specifically, I have a bachelor's degree in Game Technology, after which I obtained a master's degree in Information Security Technology. In addition, I have many years of experience in various programming languages. I like to think out-of-the-box and bridge the gap between technology and people. Cyber4Z offers me a wide range of opportunities, both to use my technical background and to further develop myself in the policy side of information security. In my spare time I play all kinds of games; drill games, Pathfinder, and also online games.

Cyber4Z is a partner of the Dutch Cyber Weerbaarheids Center Brainport (CWB). Cyber4Z has set up a Malware Information Sharing Platform (MISP) together with the CWB. Through this platform, the participants of the CWB, mostly companies in the high-tech and manufacturing industry, receive so-called events from the National Cyber Security Center. This actively informs participants about possible vulnerabilities and threats. Participants submit their IP addresses and a list of used hardware and software to the NCSC and these participants now receive current and relevant information. This news has now been picked up by various media. Cyber4Z is proud that they have been able to set up this service for the CWB and the many participants!

Click here to visit the website of the CWB and click here to read the article of Computable.

Cyber4Z is pleased to introduce a new colleague: Martijn Claes will start at the end of August and will focus on the technical aspects within cyber security and penetration testing. Welcome to the team, Martijn! Below he introduces himself.

While obtaining my Master of Electronics and ICT engineering I discovered the cybersecurity domain. I've been working in IT for 5 years with a specialization in security - more specifically infrastructure security. Coming from a pentesting background, I've successfully managed and conducted security penetration tests and provided clear advice and support to clients on how to apply fixes. My biggest satisfaction is helping organizations to find the weaknesses which makes them vulnerable and offer the best recommendations on how to fix them

Cyber4Z is pleased to announce that as of July 1, our new colleague Brandon will be part of our team! He will focus on software development. Below he introduces himself.

My name is Brandon Kleijnen and I completed my HBO ICT studies last year with a specialization in Software Development. During my HBO studies I worked for a number of years at a computer service provider. I am at the start of my career and want to gain as much knowledge as possible. Working for clients and on solutions is important to me and I would like to contribute this at Cyber4Z. The moment I help people with their issues and answer them successfully, are the moments when I am really happy.

Arissa has been working at Cyber4Z since 1 October 2019, combining learning and working. We were curious about her experiences and tips as a starting security consultant.

I am currently employed at a large customer as a Risk Manager, where I mainly deal with managing the risk register. I have monthly meetings with multiple Risk Managers to discuss progress and I report on this. In addition, I do application intakes where we gain more insight in the risks when using these applications and which information is on which system.

Yes, I am amazed at how many colleagues there are and how many different people are employed. I think that is very important and I feel better with the atmosphere of a large company.

I really enjoy working with colleagues and people. I am good at leveling with everyone, so the conversation is always pleasant.

It may sound very strange but when I am honest, I expected that in the first year I would get less confidence, but I actually get a lot of freedom and trust to be able to do my work and that helps enormously.

I would say complete your first year, get your foundation degree and start applying at jobs. When you start your study, it is very important to gain experience in the field. Learn about the field, because school is a completely different area.

The fact that a study program should initially focus the field of work. For example, I see 5 courses that all revolve around the same thing, but just a different description. I would go more into specific topics and the different aspects and possibilities. The current courses are too generic. We train too many globalists. If you do something with the work field, you immediately have more aspects of it.

Ransomware, also known as hostage software, is a type of malware that encrypts data, but also systems and an entire network, where the victim has to pay money to regain access. This is usually done by criminal organizations to make money. Ransomware has grown considerably in popularity among malicious parties in recent years. For example, the number of ransomware attacks registered with leading insurance company Chubb has risen on average by 12% a year in recent years compared to the previous year, with the number of attacks in 2019 increasing by as much as 18%. One of the best-known ransomware is WannaCry, affecting various organizations internationally.

There are several ways in which a ransomware can infect a computer or network. The most common way is through spam: emails sent to trick the recipient into clicking a link or opening a file. Another way is by visiting infected websites, where visitors automatically download malware. This can be websites that are specially designed to distribute ransomware, but also websites that are themselves infected without knowing this.

When your organization is dealing with ransomware, it is always recommended that you do not pay any money to unlock your files, systems and networks. The reason for this is that the malicious person will come back to you more often and moreover this person cannot be trusted, so there is no guarantee that your files will be released. Cyber4Z supports you and your organization in helping to prevent ransomware attacks. We use proven technologies and organizational measures to better prepare your organization for possible ransomware attacks. Feel free to contact us for more information, we are happy to assist you!

Cyber4Z-GCC had a successful presence during the 2nd Cyber Security Conference in Kuwait City. Prof. Dr. Safaa Zaman, Full professor of the University of Kuwait and General Manager of Cyber4Z-GCC organised this second event with support of his Highness, the Prime Minister Sheikh Jaber Almubarak Alhamad Alsabah. Rob Mellegers was invited to present about risks from open sources. He had assessed 4 companies in Kuwait from open sources without performing a scan or penetration test. The results have been presented and discussed afterwards. Thanks to the solution of Cyber4Z partner SecurityScoreCard, we were able to find many interesting results. The solution is used for Third Party Management. Some Dutch based products have been presented as well, like the Ubikey. An invention from NXP to handle authentication without passwords.

.

Cyber4Z is pleased to announce a new colleagues to our team as of the 1st of October. She will introduce herself below. Welcome Arissa and lots of success and fun!

My name is Arissa D’Fonseca and I am currently in the 3rd year of HBO ICT and I specialize in Cyber Security. I am very curious about the field of the Cyber Security industry. Cyber4Z gives me the opportunity to combine studying, working and gaining experience. There is a lot that I want to learn and I expect to gradually expand my knowledge and expertise and ultimately apply this carefully to Cyber4Z and its customers.