January 19, 2021

Good morning, everyone, and Happy New Year!

This week’s critical vulnerabilities: Microsoft released 83 bug fixes last week, including a zero-day vulnerability in Defender. NOTE: If you have unpatched Windows computers on your network, you may soon lose access to some network resources. "Starting Feb. 9, Microsoft will enable Domain Controller 'enforcement mode' by default to address CVE-2020-1472" (the Zerologon vulnerability). Adobe Systems fixed seven critical vulnerabilities for users of Windows, macOS and Linux, and has started blocking Flash Player content. Finally. Cisco released a fix for 67 vulnerabilities affecting AnyConnect Secure Mobility Client, as well as Cisco RV110W, RV130, RV130W, and RV215W small business routers and its Connected Mobile Experiences (CMX) software solution. NOTE: "Cisco said it would not release software updates for the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, as they have reached end of life." That means these devices need to be replaced ASAP. Patch all the things!!

So you've probably heard something about SolarWinds

The big cyber security news the past few weeks has been the SolarWinds hack that exposed thousands of government and private industry networks. The bad guys managed to break into a server that pushes software updates out to clients, and embedded malware in the software updates. How on earth did this happen? All that you really need to know is in this one sentence:

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”

Folks, this is why we can't have nice things! Even reputable companies providing security services for large enterprises and our own government ... aren't following basic cyber hygiene. Two take-aways:

1. Use long, strong, unique passwords
2. Use two-factor authentication whenever possible

Especially #2! Even with that bad password, if 2FA had been in place, the attack would most likely have failed.

SMS phishing is getting out of control

Phishing is moving from the inbox to message apps and now it’s called smishing. “According to security firm Proofpoint, text message phishing went up 328 percent in the third quarter of the year, compared to the previous one.

What’s your best defense? As always … Think before you click! If you get a text from your bank asking you to verify a charge, don’t just click on that phone number. Look up the bank in your contacts. Get your ATM card out and call the number on the back. Go to bookmarked website to log into your account. Use the app on your phone. Remember, trust only original sources of information.

Three tips on how to approach ransomware

It’s not going away. It’s only getting worse. This article discusses three tips on how to handle ransomware. Number one, as always, is education! “You need to have a comprehensive cybersecurity training program in place to educate your team about online threats (phishing schemes, etc.) and cybercrimes. The best way to avoid a ransomware attack is to inform employees and increase awareness.” (Hint: I can help! I love teaching security awareness.)

CISA releases new Cybersecurity and Physical Security Convergence Action Guide

CISA recently released a new action guide addressing the convergence of physical and cyber security. It focuses on the “benefits of a holistic security strategy that aligns cybersecurity and physical security functions with organizational priorities and business objectives. The guide describes the risks associated with siloed security functions, a description of convergence in the context of organizational security functions, benefits of convergence, a flexible framework for aligning security functions, and several case studies.”

GSA extends the CMMC into civilian contracting

Earlier this month, the GSA put out a draft request for proposals on “Polaris”, a new contract vehicle for providing IT services to federal agencies.

“While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on Polaris monitor, prepare for and participate in acquiring CMMC certification...”

What is the CMMC? you may be asking yourself. The Cybersecurity Maturity Model Certification (CMMC) is a recently-released program for third-party certification of the security of information systems in all DoD contractors and subcontractors. It is widely believed that the CMMC will be extended to all federal government contractors in the coming years. Polaris is the second time the GSA has referenced CMMC in contracting documents, encouraging all federal contractors to adopt the CMMC security model.

Curious? Concerned? Want to learn more? Join my next work(fromhome)shop on January 26, Understanding the CMMC, where I’ll be covering the basics of the CMMC: what it is, why we have it, applicability, terminology, timeline, the assessment process, methodology, etc.

Register Now

Tuesday, January 26 @ 10:00 AM - 11:00 AM (CT)

This newly-updated online class is an introduction to my "deep dive" series on the specifics of achieving Maturity Leve ls 1-3 coming up in Spring 2021. Participants in this class will have the first chance at signing up for the spring series.

As always, I could talk a lot more about this stuff! Come back next week for the next installment. :)

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Goes Virtual

Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.

Contact me to schedule your employee training sessions. They're fun! ☺