Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking

Not familiar with CMMC 2.0? For more information regarding CMMC 2.0, please refer to this article. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), shared with…

How to build a coding game around Public Cloud Security step by step?

Step 0: context and objectives. Wavegame, created in 2019, is a Wavestone inter-school challenge designed to promote cybersecurity expertise and the consulting profession. In its 2023 edition, 33 teams competed in a hands-on exercise focused on securing an AWS infrastructure.…

KMS: The Key to Secure Management of Cryptographic Objects

This article is intended primarily for an informed audience that is already familiar with the use of cryptographic keys in an information system and with their management within organizations. Increasing security requirements for both industrial environments and connected objects have led to a profusion of cryptographic…

The DoD Strikes Back: Enhancing Supply Chain Cybersecurity with CMMC 2.0

In late October 2023, a third-party data breach incident sent shockwaves through the business world, affecting over 57,000 entities engaged in business with Bank of America. This breach exposed sensitive personal and financial information, underscoring the pivotal role that third-party…

PLC network: the history of industrial systems facing up to the challenges of the future

Introduction. Industrial systems are a category of information systems in their own right, with codes and properties that differ from "classic" IT systems. It is well known that the level of maturity of the industrial sector in terms of cybersecurity is…

Microsoft Defender for Cloud Apps: how to secure the use of cloud applications

The migration of data and collaborative spaces to the cloud has created new data breach possibilities and has considerably extended the attack surface of companies. Furthermore, the increasing use of cloud applications and new ways of working have considerably widened - whether voluntary or…

Deceptive Security: the solution for effective detection in the cloud? – your luring strategy.

Today, cyber-attacks are part of our daily lives, and are becoming increasingly numerous and sophisticated. Simultaneously, we are moving towards information systems built on an ever-increasing diversity of environments, thanks in particular to the cloud, which is now…

IT for OT: What process to develop cybersecurity solutions adapted to industrial businesses?

During the Wavestone OT Cyber Day, Loïc Lebain and Benoit Bouffard conducted a workshop in which they noted that IT departments were still struggling to develop a catalogue of cybersecurity solutions for OT. Based on their experience with our customers,…

The Quest for Cybersecurity’s Purple Squirrels: How to Find and Keep Them

“Talent shortage”, “skills gap”, “employee burnout in cybersecurity”, “high turnover rate” – as a cybersecurity professional, you must be familiar with these expressions, for better or for worse. You may have seen the big headlines pointing out talent shortage issues…

PIPL: is information system decoupling necessary to comply with protectionist local laws?

The PIPL (Personal Information Protection Law) has emerged as an unprecedented first example of highly protective regulation of personal data, establishing an uncertain framework that reinforces China's control. Despite recent clarifications from China’s authorities, the centralisation of information systems continues…

Application control: what strategy should you adopt for your industrial supervision system?

The industrial control system (ICS) is the set of resources and machines used to supervise and control an industrial process. This article looks at the security issues surrounding Windows devices of the ICS supervision and maintenance layer: SCADA servers and…

CI/CD in AWS: The Solution to All Your Problems? What You Need to Know.

Integrating security directly into the configuration of CI/CD pipelines, especially through the practice of DevSecOps, enables the development of secure applications while increasing delivery frequency. This relieves pressure on security teams, which can often be a limiting factor in the…

ChatGPT & DevSecOps – What are the new cybersecurity risks introduced by the use of AI by developers?

In November 2022, the conversational agent ChatGPT developed by OpenAI was made accessible to the general public. Since then, it's an understatement to say that this new tool has garnered interest. Just two months after its launch, the tool became…

Surviving an Active Directory compromise: Key lessons to improve the reconstruction process

Active Directory is a critical asset whose failure affects a large portion of your information system. Your company is currently dealing with a major ransomware crisis. Given its central role in managing access, authentication, and network resources within any organisation,…

Improving the security of your IoT infrastructure: configuration tips and best practices on Azure IoT

Internet of Things (IoT) platforms enable the connection, management and monitoring of fleets of devices. The three cloud leaders, GCP, AWS and Azure, each have their own offering in a particularly fragmented sector in which many players compete. Azure, in…

Barb’hack 2022: Leveraging PHP Local File Inclusion to achieve universal RCE

For the third consecutive time, the French city of Toulon hosted France's southernmost hacking event, known as Barb'hack. We, two Wavestone security auditors, have had the opportunity to attend the conference and participate in the Capture-the-Flag (CTF) event…
