June 29, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
The importance of tracking & managing user accounts
The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password [to] a virtual private network account…. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network [emphasis added]
You can’t believe how often unused accounts are exploited by cyber criminals. It’s happened again. We have just learned that the San Francisco Area Water Treatment Facility network was compromised in January, and the attacker deleted some programs that treat drinking water. How did he get in?
The individual is being referred to as a hacker, but it doesn't appear it took much hacking to get in. The person got hold of a former plant employee's username and password, and simply logged themselves into the system.
Arrrgghhh (banging head)! How many times do we see the same problems? Another report of this attack identifies the account as a TeamViewer account, used for remote access. And what’s the additional lesson in this report? Remote access accounts should ALWAYS require two-factor authentication (2FA).
Make a list and check it periodically
As more and more of our transactions, both business and personal, take place online, it is becoming critically important to keep track of your online accounts. Ask yourself these questions:
- Do your employees and/or family members routinely create online accounts on their own initiative?
- Do some of these online accounts access important data?
- Do you have a means of identifying these accounts, changing passwords when needed, and disabling the accounts when necessary?
Cast the net far and wide when you start thinking about all the online accounts that have been created:
- Remote access (GoToMyPC, LogMeIn, TeamViewer, VPNs)
- Video conferencing (Zoom, GoToMeeting, WebEx, BlueJeans)
- Purchasing (from Amazon to Best Buy to Office Depot to Etsy)
- Document storage (DropBox, Google Drive, Box)
- Financial (banking, investment accounts, retirement accounts)
- Asset management (mortgage, car loan, insurance)
- Entertainment (movies, games, VRBO, social media)
- Professional development (training, associations, certifications)
Once you have identified all your accounts (or at least all that you can think of), ask yourself these questions:
- Who exactly has this password?
- Where are all the places this password may be stored?
- What email address is tied to this account?
- Is 2FA enabled on this account?
- If so, how? What phone number? What authentication app? Where is the token stored?
- Do we still use this account?
Now start documenting these things. Keep a list in a safe place, like a locked cabinet or a safe deposit box. If you get hit by a truck, will someone in your office or your family know where to retrieve this list, to manage these accounts?
Periodically review the list and keep it up to date. Do you need to change some passwords because an employee has left? Or because a password has been compromised?
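If you keep the list in a spreadsheet or a small text file, the periodic review can be partly automated. The script below is an added example and is not part of this newsletter; it assumes the inventory is kept as records with the fields the checklist above asks for (owner, whether the owner is still with you, 2FA method, last-used date, still needed), treats "remote access" accounts without 2FA as a finding in their own right, and uses a 90-day staleness window to match the quarterly review reminder. The sample inventory is constructed.

```python
"""
Account inventory review: flag the entries that need attention at each
periodic check. Example code, not from the original newsletter; the record
layout, the 90-day window and the sample inventory are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# One review period, matching the "check it every 3 months" reminder (assumed).
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    service: str
    category: str              # e.g. "remote access", "purchasing", "financial"
    owner: str                 # who holds the password
    owner_active: bool         # False once the employee / family member has left
    two_factor: Optional[str]  # "app", "sms", "hardware token", or None if not enabled
    last_used: Optional[date]  # None if nobody can remember using it
    still_needed: bool         # answer to "Do we still use this account?"


def review_account(acct: Account, today: date) -> List[str]:
    """Return the list of reasons this account needs action (empty if none)."""
    findings: List[str] = []
    if not acct.owner_active:
        findings.append("owner has left: rotate the password, then reassign or disable")
    if not acct.still_needed:
        findings.append("no longer used: disable or delete the account")
    if acct.category == "remote access" and acct.two_factor is None:
        findings.append("remote access without 2FA: enable 2FA before next use")
    if acct.last_used is None or today - acct.last_used > STALE_AFTER:
        findings.append("not used in the last review period: confirm it is still needed")
    return findings


def review_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each service that has findings to its findings; clean accounts are omitted."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.service] = findings
    return report


# Constructed sample inventory; names and dates are made up.
SAMPLE_INVENTORY = [
    Account("corp-vpn", "remote access", "j.doe", owner_active=False,
            two_factor=None, last_used=date(2021, 1, 15), still_needed=False),
    Account("zoom", "video conferencing", "a.smith", owner_active=True,
            two_factor="app", last_used=date(2021, 6, 20), still_needed=True),
    Account("etsy", "purchasing", "a.smith", owner_active=True,
            two_factor=None, last_used=date(2021, 2, 1), still_needed=True),
]
TODAY = date(2021, 6, 29)  # fixed so the sample run is repeatable


def sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed inventory as of TODAY."""
    return review_inventory(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for service, findings in sample_review().items():
        print(service)
        for f in findings:
            print("  -", f)
```

Run it against your own list once a quarter; anything it prints is a password to rotate, an account to disable, or a 2FA setting to fix. The dormant remote-access account with no 2FA and a departed owner is exactly the pattern behind the two incidents above, and it is the first thing the review surfaces.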
Pro tip: don’t create accounts you don’t really need
More and more online shopping sites offer the ability to check out as a guest. Take advantage of this opportunity! Especially if this is a one-off purchase (like that funny t-shirt you ordered for your sister’s birthday), don’t create an account. Don’t store a password on one more server. Don’t create one more opportunity for your login credentials to be compromised. Don’t let the store keep your credit card data for a future purchase, unless there is no option. I’ve noticed lately that lots of online shopping sites now have a checkbox to store card data or not, which is a great improvement.
Tracking and documenting online accounts is critical to business continuity and estate management, but it’s something that I find most people just don’t think about. Take some time this week to start working on your list, and put a reminder on your calendar to check it every 3 months.
And that's all for now, folks!
Talk to you again soon!
Security Awareness Training Goes Live Again!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Thankfully, live training is making a comeback! So wherever you and your employees may be, I can deliver a fun and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺