Six years ago ...

Writing is too difficult. We have to think deeply to know what we want to say. We have to organize our thoughts and we have to decide how many paragraph we are going to write about something. I have already been writing for six years and it is still difficult for me. I have to recognize writing this post is easier than the first one but words and sentences are still difficult to find on my head to write what I want to say. This was the aim of creating this blog. Writing, writing and writing to improve my writing skill because it was too difficult for me when I was studying English language and I had to take the writing exam.

Six years ago I decided to write about tech things. Particularly, I decided to write about security and networks. Since then, I write weekly about what I’m learning, what I’m reading or what I’m doing in my job. This is going to be my last post before going on holiday thus I want to write about what I have been doing in the last year which has been full of experiences and technologies.

This year, I’ve learnt new technologies such as AWS Cloud and Web Application Firewall where I created my virtual Data Center in the Amazon Web Services with AWS Elastic Load Balancing, AWS Shield & AWS WAF and Amazon CloudFront. With regard to WAF, I deployed several F5 BIG-IP WAF where I learnt clearly the difference between WAF vs IPS and I ended up getting F5 BIG-IP ASM Certified Technology Specialist. In fact, I had to deploy F5 BIG-IP DNS for Data Center Load Balancing as well.

What has been demanding, but delighted at the same time, has been the Ethical Hacking Course and the Security courses on Networks and Systems where my students learnt how to create a backdoor for Android systems, make their own malicious WhatsApp as well as making app safer with HTTP Security Policy. It was demanding because I was also studying French language at Official School of Languages and I had to do my homework such as the Video Selfie in French Language or talking about Sophie Germain. However, it was delighted because I learnt a lot about security and I passed the A2 level in French Language.

In the meantime, I’ve been reading about security, economics and psychologist such as No Place to Hide and Thinking, Fast and Slow. I’ve been also studying about Computer Forensics and I’ve had time to go to the ForoCIBER 2018 where I resolved the CyberSecurity Challenge.

An overview about the most widely read posts in the last six years:

Posts

With regard about from where the blog is visited, we can see the statistics:

Posts by countries

Last but not less important, I would like to say thanks who read this blog and support me because they are the main reason why I have already written 292 posts with almost 225000 views. If someone has something to say for improving this blog, it is welcome.

Regards my friends and I hope to see you again back in September after a great holiday.

Risk assessments for GDPR compliance

When I was studying for CISA and CISM certifications, I read a lot about Business Impact Analysis and the Risk Management Process. That was cool because Ariadnex was ISO 27001 compliance and I had to help them to be ready compliance with this kind of processes. Today, we have also to be GDPR compliance where all EU citizens have cyber rights from the new GDPR. This is a good opportunity for reinforce my knowledge about risk assessments because it is essential for the new regulation.

All businesses have to comply with GDPR because most of them process personal data of its employees for salaries, benefits and social security. Most of them have also a recruitment process or they evaluate their employees. There are also companies which they store and process lots of personal data for advertising campaigns or they process sensitive data as the health sector does. Therefore, there is personal data processing everywhere and these businesses have to comply with the new regulation.

The first step for compliance is to know what personal data the company is processing because we’ll have to define and design the processing operation of personal data as well as the processing purpose. Once this is done, we can use tools such as Facilita which tell us what we have to do with personal data processing. If we don’t have too much personal data and the risk level is low, maybe, we only have to do some paper work and buy some tech stuff.

Workflow for GDPR compliance

However, if we have too much personal data or sensitive data, we should evaluate a proposal to identify potential effects on individuals’ privacy and personal data. Therefore, we have to know if a basic risk assessment is enough for the company or it will be necessary a Data Protection Impact Assessment (DPIA), which is an exhaustive process known as privacy by design where projects are designed with data protection in mind from the beginning.

If the company doesn’t have high risk personal data processing, we’ll have to do a basic risk assessment. This risk assessment will have to take into account the loss of integrity, availability and confidentiality for personal data protection and it will also have to take into account rights and freedoms of individuals. However, this risk assessment shouldn’t be a exhaustive risk assessment but a essential one where only critical risks should be considered such as unauthorized access, unintentional loss or lack of procedures.

Finally, if the company has high risk personal data processing, we’ll have to do an exhaustive risk assessment through the DPIA process where we evaluate impact and the threat occurrence probability of risks to know the level of risk of each personal data processing activity. I know, it is a demanding work but mandatory for GDPR compliance.

Regards my friends and remember protecting your data!!

A2 level in French language

Last summer, I wrote about French language A1 level passed because I started learning a new language, French language, at Official School of Languages and I passed the A1 level exam. These were my beginnings in French language, although I had already studied some of French at High School. As a result, my wishes for this year 2018 was keep studying French language and I’ve just successfully passed the A2 level in French. I feel happy to be able to pass to the next level, B1 level, because it means I'm improving my French language skills.

I got 9,5 in the listening skill which is very good. I mean, it's amazing! I think, I got it because I’ve done a lot of listening exercises. Almost five listening exercises a week since I started the course. They are online clicking on apprendre.tv5monde.com. Besides, I’ve heard the France Info radio on live from time to time. While I’m working, while I'm taking a shower or while I’m in the gym, I can listen the radio in French language. All of this has been enough to have a good marks in the listening skill.

The speaking skill is the most difficult skill from my point of view because students have to speak about a topic for a few minutes but you don’t have a lot of time to think about it. Therefore, students have to improvise and devise what they want to say. I got 8 in the speaking skill which is also very good. I’ve been speaking alone in my house with Vaughan Bonjour! and I’ve been also speaking with schoolmates in French language which has allowed me to improve my speaking skill. In addition, I think the Video Selfie in French language, my talk about the mathematician, physicist and French philosopher Sophie Germain, and the talk about La région Île de France have helped me to get this good marks.

I think the reading skill is the easier skill because although you don’t understand the whole document, you can know what you are reading by the context. I really love reading. Therefore, I’ve read three books in French language in this course. I still read books for beginners which means I read books with basic vocabulary and easy grammatical sentences but I hope getting more and more vocabulary and complex grammatical sentences in the next years for reading more interesting books.

Finally, I have to admit that the writing skill is not easy. Although I usually write in this blog, writing is not easy even for me because you have to think about what you are going to write as well as you have to think about how you are going to organise the text. How many paragraph you are going to write, what verbal tense you are going to use for the story, the letter, mail or whatever. Many thing you have to think and decide before writing the first letter. However, I got 9 in writing skill which is also a very good mark.

To sum up, I’ve been studying for the whole course and I've finished with very good marks. Thanks for the teacher, thanks for the schoolmates and thanks for my supporters.

Regards my friends and keep studying!!

F5 ASM - Denial of Service (DoS) Mitigation

From time to time, I talk about techniques and methods of DoS attacks with workmates and customers, and when we speak about it, most of them always think about DDoS Attacks where a botnet flood the targeted server with excessive bandwidth consumption. However, we shouldn’t forget that an attacker can also make services unavailable with just requesting heavy URLs. Therefore, it’s not necessary to have lots of resources, neither a botnet, to make services unavailable because it can also be accomplish with a simple DoS Attack.

Mainly, there are three DoS attack categories: volumetric attacks, computational attacks and application attacks. Firstly, volumetric attacks, like UDP Flood Attacks or Amplification DDoS Attacks, which are the most known DoS attacks. Secondly, computational attacks, like SYN Flood Attacks, are less known than volumetric attacks where attackers want to exhaust resources such as firewall session tables. Finally, application attacks, like HTTP Flood Attacks, are easy to execute with DoS attack tools such as LOIC or slowloris. However, these last attacks are little known by companies and most of them even don’t know how to mitigate it nor which mitigation tools are on the market.

DoS Attacks Categories

When we are mitigating DoS attacks, it’s important to have a good classification between malicious traffic and legitimate traffic because the mitigation process could also block legitimate users when DoS mitigation tools are not well configured. In addition, DoS attacks are increasingly sophisticated and targeted which are delivered in SSL traffic as well against servers and applications. As a result, behavioural analytics, ultra-fast automated detection and comprehensive protection are required for a good mitigation strategy.

F5 BIG-IP WAF is also able to detect and block DoS attacks. We can watch in the next video how I configure a DoS profile to detect and block attacks based in TPS (Transactions Per Second). When the bot iMacros requests two transactions per second, the DoS profile blocks requests and the DoS attack is stopped. In addition, the video shows how to block DoS attacks with a CAPTCHA challenge to find out who is behind the web server whether a bot or a human being. Last but not least, DoS reporting are very important to know what’s going on and what happened in the services.

  

Regards my friends and don’t forget to protect your services.

F5 BIG-IP ASM Certified Technology Specialist

As you will have realised, I’m writing a lot about load balancers lately. In fact, I’ve written 10 posts about F5 BIG-IP since April. This is due to the fact that my F5 Certified BIG-IP Administrator (F5-CA) certification is going to expire soon. Therefore, I was thinking how to renovate this certification and what was the best option for my job, my skills and my knowledge. Finally, I chose to study for the 303 – BIG-IP ASM Specialist v2 exam for the recertification process because I had already worked with Web Application Firewalls.

Two years ago, I studied for 101 - Application Delivery Fundamentals and 201 - TMOS Administration. I passed the exams with an score of 86 and 73 respectively. This is the entry level certification for F5 BIG-IP. Once I got the F5-CA certification, I could register for F5 Certified Technology Specialists (F5-CTS) certification where I could choose between LTM, DNS, ASM or APM. However, if I wanted to pass the F5 Certified Solution Expert (F5-CSE), first, I would have to achieve all CTS levels.

F5 Certification Program

I think the exam 303 – ASM Specialist is the best option for my recertification because I’ve already worked with Web Application Firewalls. In fact, I’ve had to talk about ASM module and show its features in marketing campaigns as well as I’ve delivered training courses and deployed demo and appliances for production environments. In addition, I’ve also worked with other manufactures such as AWS WAF or Fortinet FortiWeb. For this reason, my knowledge about WAF is not only limited to F5.

What have I been studying for the exam? First, I took the Getting Started with BIG-IP ASM course from F5 University. Next, I’ve had the lucky of taking a training course in ASM and I’ve done all the labs twice. I’ve also read the book I got from the training course as well as I read the BIG-IP ASM Operation Guide. Finally, I’ve read carefully the OWASP Top 10 to know and understand the most critical security risks to web application.

Although BIG-IP v13.1 has already been released, BIG-IP ASM exam is still from the old version 12.1, which is nice for people who has already worked with ASM but it’s undesirable for newbie who are learning for the first time about ASM because there has been some changes in the new version and, probably, they are going to deploy, configure and manage the last version, v13.1, in the future. It’s also important to highlight that the passing score is 57%, which is the lower passing score to get a F5-CTS. This is great!!

Exam descriptions and study materials

 

If you want to take the plunge to this certification, I would recommend you to read the next posts:

• Web Application Vulnerabilities
• Web Application Firewall
• XML and Web Services
• WebSockets
• OWASP Top 10
• F5 BIG-IP WAF
• What’s new in BIG-IP version 13.1
• WAF vs IPS
• Policy Tuning and Violations
• Positive Security Policy
• Cookie and HTTP Header Tampering
• Parameter Tampering Attacks
• Login Enforcement & Session Tracking
• Preventing Web Scraping
• Brute Force and Web Scraping

Regards my friends and keep studying!!