September 1, 2020
Good morning, everyone!
Cybersecurity During a Pandemic
On September 17, 11am - 12 noon, I'll be moderating a panel discussion about current technology during COVID, updating procedures/policies, and sharing challenges/success stories. It's virtual and it's free, a program of the Gulf Coast Technology Council. You can read more here and register here.
More Thoughts on the Importance of Your Email Account
In the news this week: apparently it's easy to hijack Twitter accounts through email accounts on expired domains, though the attack isn't unique to Twitter. Any service that sends a password reset to an email address nobody controls anymore has the same problem. It started me thinking ...
Reclaiming Lost Online Accounts
Do you keep track of which email addresses are attached to which online accounts? We read the story last week of the attack on Matt Honan via an old email address attached to his Twitter account. This problem is more common than you think!
You wouldn’t believe how often people come up to me and ask how they can regain control of a Facebook account when they no longer have the email address attached to it. Several times, this happened because they had a Yahoo! email address and switched to Gmail after that big hack on Yahoo! a few years ago, but they didn’t change the email address on their online accounts. Now, needing to upgrade their phone or something similar, they don’t recall their Facebook password but can’t reset it, because the email address on the account no longer exists.
So what do you do? Seriously, right now, make yourself a note that you need to audit your online accounts, and make a record of which email address is attached to which. Update accounts with old email addresses you no longer use. Make a list of this somewhere safe, and let a loved one know where to access it if needed.
Let’s take this a step further. Why let a loved one know where this list is? Because if something happens to you, some of your accounts may need to be maintained (paid!) and someone needs to know how to do it!
One friend told me recently that a family friend in his 20s died in an automobile accident. His family was completely lost trying to take care of his affairs, because they had no idea what accounts he had or how to access them. Think about it: 20 years ago, when someone died, you went to the desk in the corner of the kitchen and started opening drawers! Monthly statements, annual statements, the person’s entire life was there on paper. Those days are gone.
So start making a list of your online accounts. It will probably include things like:
- Bank Accounts
- Credit Cards
- Investment Accounts
- Retirement Accounts
- Health/Life/Auto/Home Insurance
- Car loan
- Professional Associations
- Social Media
- Cloud Storage Accounts
and probably other things I can’t think of right now! Make a list of these accounts, how to access them, the email addresses and passwords, and so on. Write it all down on paper, stick it in your safe deposit box at the bank, and update it whenever you change a password or an email address, since an out-of-date list is not much better than no list at all. Then make sure a trusted person can open that box. Your family will appreciate it someday.
Back to Basics (part 3)
This week I want to talk a little bit about #5 of the 20 CIS Controls:
Secure Configuration of Hardware & Software
Because you can’t secure it if you don't know how it's configured
Many people know how to make things work, but few people know how to make things work securely; put simply, it's more difficult! Vendors know this too, which is why most off-the-shelf technology ships with every option enabled, so it "just works" out of the box. Every one of those options you don't need is an open door you didn't know you had.
Printers, for example, can be problematic in several ways. One of our clients brought in a new district manager earlier this year. He wanted a multi-function machine in his office for scanning and printing documents, but he "didn't want to bother IT," so he picked up a device and connected it via USB to his own PC. On our next visit, we discovered the wireless connection to this printer. There was no wireless on our client's network, but the printer had wireless turned on that anyone could connect to, even from other buildings nearby, thus opening a backdoor to the manager's PC and, from there, to the entire network.
Many modern printers have as much processing power and memory as PC desktops did a few years ago, yet most people think of printers as "accessories" rather than actual computers. The search engine Shodan reveals that there are hundreds of thousands of printers exposed to the Internet at any point in time, and security researcher Chris Vickery has found examples of attackers using printers on the Internet to host and serve up malware.
And don’t forget those “things”! Over the past few years, there have been multiple incidents of massive DDoS attacks taking down portions of the Internet for hours at a time. We know that much of this junk traffic came from webcams, DVRs and other "smart things" that were hijacked because the devices could be remotely controlled with the manufacturers' default passwords still in place. From printers to thermostats to light bulbs and more, many ordinary things now have wireless and other "smart" capabilities built in. These devices are innocently installed by small businesses and individuals with little understanding of how they work, or of how to configure them properly.
At a minimum, for any new device, take these steps:
- Change the default password
- Disable remote administration
- Register the product, so you hear about firmware updates
Further, if the wireless capability of the device isn't actually needed, disable it (or at least secure it). The same goes for any other service the device turns on by default: if you can't say why it's there, turn it off. These simple steps will go a long way toward securing your devices. (See "Secure Your Stuff" for more on this.)
As always, I could talk a lot more about this! Come back next week for the next installment. :)
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a slideshow of fascinating facts and practical tips scrolls across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺
Adding “cyber” to your disaster recovery plan
Have you been thinking about your disaster recovery plan? If your current plan only covers hurricanes, tornadoes and fire, you need to add "cyber" to ensure business continuity. This is the subject of my September 29 work(fromhome)shop, and I’d love to “see” you there!
Talk to you again soon!