August 25, 2020
Good morning, everyone!
Restart Now, not LaterPatch Tuesday was BIG this month! And yet many people still haven’t applied critical security fixes to their computers. When you get the popup that a restart is required to install updates, do that NOW. Don’t wait! Last week, critical security updates were released by Microsoft, Intel, Adobe, SAP, Red Hat,Amazon’s Alexa, and Citrix.
Your Email Account is the Key to Your Life Online
I’ve been saying this for years! And now someone has written a really good blog post on the subject, with tons of good advice. At a minimum, your email account password needs to be long, strong and unique. Don't re-use that password on any other accounts! And enable two-factor authentication.
Think about it: if you need to reset the password to most any online account, what do you do? Click the “forgot password” link. What happens then? You get an EMAIL to reset the password! So if I have control of your email account, I can reset the password to any online account attached to that email. I own you.
Several years ago, journalist Matt Honan experienced an attack in this vein (fascinating story, BTW):
My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission. Because I didn’t have Google's two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery.
Ooooh, did you see that? ”Because I didn’t have Google's two-factor authentication turned on” – how many times have I told you that enabling two-factor authentication is one of the easiest ways to prevent multiple types of attacks? If you haven’t already enabled this everywhere you can, do that now!
CISA Releases Cyber Essentials Toolkit #3
CISA has released the third installment in its Cyber Essential series, "Essential Element: Your Systems":
Protecting your systems requires knowing which devices are connected to your network, which applications are in use, who has access to these, and the security measures in place.
Oh, hey! That reads almost word-for-word what I wrote last week in my first "Back to Basics" post!!!! Let's keep the good stuff coming.
Back to Basics (part 2)
Controlled Use of Administrative Privileges
Removing Microsoft admin rights from employees mitigates 92% of critical vulnerabilities and 60% of all vulnerabilities reported by the software firm in the past year, a study has revealed.
It’s pretty simple, really. If you have administrative privileges, you can install software, right? That includes malware. If you can’t install software, you can’t install malware. So if you are logged in as a standard (not administrative) user when you get hit by a drive-by on an infected website, or click on a bad link, you get a popup asking for the admin password to install something. You know right then that you’ve been attacked! And your standard (not admin!) user permissions blocked the attack.
So how do we manage life as standard users?
Everywhere. Most operating systems and applications have an automatic update option that will keep the software updated without an admin having to log in to approve updates. Turn this on.
At Home. The best practice for home computers is to have two admin accounts where only parents have the passwords, and everyone (even the parents!) have standard user accounts. If children need to install software for school or want a new game, they have to ask a parent to log in as admin and install it for them. Parents need to log in at least once a week to check for updates, to keep all software on the computer patched. This simple strategy will greatly increase the security of your home computers.
At Work. Think carefully before granting admin privileges to all employees on their work computers. Do they really need admin privileges? Sometimes it is required by certain software, but most of the time it isn’t. In particular part-time and seasonal employees probably don’t need to be admins, likewise interns and other temporary employees, and this group tends to be higher risk (less training, less experience, less personal commitment to the company’s best interest).
If you can control patch management via your network, then it’s a great idea to have all employees work as standard users only. This means even IT people! Only log in to an admin account when you actually need to do something that requires admin access. Otherwise work as a standard user.
If you must grant admin privileges to employees, train them to mitigate the risk! Explain why administrative access increases risk. Be specific, use statistics (like those in the articles referenced above) and tell stories. Make the training personal, valuable at home as well as the office, and your employees will develop a heightened security awareness that will go with them everywhere:
Businesses should focus on educating employees on how to protect their personal data, therefore encouraging employees to enact further security-orientated practices in the workplace
As always, I could talk a lot more about this! Come back next week for the next installment. :)
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺
Talk to you again soon!