July 13, 2021

Good morning, everyone!

This week’s critical vulnerabilities: Microsoft released multiple patches last week, including fixes for critical flaws that are being actively exploited (you may have heard about PrintNightmare). Even older versions of Windows have a patch available, including Windows 7. Pro Tip: Disable printing on any devices that don’t actually need to print (e.g., backup servers, database servers, domain controllers, etc.) – this is actually a very basic security practice, “uninstall or disable unnecessary tasks & protocols” Netgear has released a firmware update for its DGN2200v1 Router, with critical fixes included. QNAP has released fixes for critical bugs in its Hybrid Backup Sync 3 (HBS 3) disaster recovery and backup application. Sage has released critical fixes for its X3 enterprise resource planning (ERP) platform. Patch All the Things!

US Government is going “all in” on cyber security

Many of you have heard me say (many times over the years) “if businesses don’t start securing our stuff, the government is going to make us do it” – well, guess what? The USG is suddenly putting out directives right, left and center related to cyber security requirements for various industries. I’ll touch on just one this week: Finance.

The US Department of Labor recently published its first-ever official guidance on cyber security. “This guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act” and includes a list of cyber security best practices:

1. Have a formal, well documented cybersecurity program.
2. Conduct prudent annual risk assessments.
3. Have a reliable annual third party audit of security controls.
4. Clearly define and assign information security roles and responsibilities.
5. Have strong access control procedures.
6. Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
7. Conduct periodic cybersecurity awareness training.
8. Implement and manage a secure system development life cycle (SDLC) program.
9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
10. Encrypt sensitive data, stored and in transit.
11. Implement strong technical controls in accordance with best security practices.
12. Appropriately respond to any past cybersecurity incidents.

I like this list so much, I’m going to break it down and discuss in detail over the next few weeks. Keep watching your inbox or bookmark my newsletter archives and check back regularly.

Protecting online accounts

The US Department of Labor also recently published a great fact sheet on protecting online accounts. You’ve read all these things in my newsletters over time, but this fact sheet puts it all together nicely, along with links to report identity theft and cyber incidents.

Trying to reason ...

Even if you don’t have to worry about hurricane season, you no doubt still face other potential disasters (tornadoes, earthquakes, fires). The FCC and FEMA have teamed up to create a Emergency Communications Tips webpage with lots of truly useful info. For example, do you know whether your home telephone service is a POTS (Plain Old-fashioned Telephone Service) line over copper wire, or whether it’s a VoIP service? That could make the difference in whether you have phone service during a power outage.

This web page has lots more good advice, like creating a list of emergency contact phone numbers on everyone’s cell phones, and then writing those phone numbers down for when cell phones don’t work. Be sure to charge all your mobile/portable devices before an expected storm, and adjust settings to preserve battery life. Use text messages when calls won’t go through. Forward your home number to your cellphone before evacuating. Lots more good stuff there, go read it all and take action!

That’s all for today, I guess. Take all this great advice available online and share it far and wide!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Goes Live Again!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Thankfully, live training is making a comeback! So wherever you and your employees may be, I can deliver a fun and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺