August 3, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Most weeks I choose a particular topic to write about, but sometimes (like this week!) I just hit a few highlights from recent reading:
Enable 2FA whenever possible
You all know how much I love Two-Factor Authentication, right? I was surprised to read this:
Twitter has revealed in its latest transparency report that only 2.3% of all active accounts have enabled at least one method of two-factor authentication (2FA) between July and December 2020.
Honestly, 2FA is the single most important (Easy! Free!) thing you can do to protect your online accounts, whether business or personal. I’ve written lots about this before. Just do it!
Wireless device Do's and Don'ts from the NSA
The NSA recently released a tip sheet focused on the safe use of wireless devices in public settings, when traveling, etc. Lots of good stuff there and written in (mostly!) plain language.
"No More Ransom" saves almost 1 billion in ransomware payments in 5 years
On a happy note, the No More Ransom project recently celebrated its fifth anniversary, having helped “over six million ransomware victims recover their files and saving them almost €1 billion in ransomware payments.” The project has over 170 partners worldwide, “offering 121 free tools able to decrypt 151 ransomware families.” Isn’t that awesome?!?
84% of ransomware attacks start like this
Lots of home computers get ransomware too, ya know, and it’s miserable no matter when/where it happens. Security researchers at Coveware recently analyzed ransomware attacks in the 2nd quarter of 2021, and found that 84% of ransomware attacks start in one of two ways:
(1) Phishing attacks – those emails (or text messages) that trick you into opening an infected email attachment, or clicking on a link that takes you to a site hosting malware. So think before you click! Trust only original sources of information. When in doubt, pick up the phone and call the person or company that sent you the phishy-looking email.
(2) Open RDP ports -- this is an easy way for attackers to get into your network. Many businesses opened RDP ports when the WFH wave hit last year, and unfortunately many of those open ports were never closed. If you have any doubt about open RDP on your firewall, ask your IT staff or vendor to confirm that you’re not vulnerable to this kind of attack (and why).
Don’t click on “blind” links behind URL shorteners
What is a URL shortener? It’s a service that provides a short – but blind – link to a website address. For example, the actual web address of my newsletter signup page is https://theneteffect.us4.list-manage.com/subscribe?u=bba7f5e67d3a1213cdaecc7f6&id=08d392ca5b – and that’s pretty horrible, isn’t it? So I used Bitly’s service to create a short link (https://bit.ly/TNESignUP) for use in my email signature. I had to change it recently, though, because Gmail started to block all my emails. Bitly and other URL shorteners are increasingly being used to hide links to malware downloads, fake calendar entries, and more. This interesting article describes some of the most common attacks (in a lot of detail! LOL).
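For readers comfortable with a little Python, here is an added example (not part of the original newsletter, and not Bitly's own code) that shows where a short link leads without ever visiting the destination. The shortener list, the function names and the `example.invalid` addresses in the comments are assumptions made up for illustration.

```python
import http.client
import sys
from urllib.parse import urljoin, urlsplit

# Assumed, illustrative list of shortener hosts; extend it for your own use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
REDIRECTS = {301, 302, 303, 307, 308}

def head_request(url, timeout=5):
    """Send one HEAD request; return (status code, Location header or None)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, head=head_request, shorteners=SHORTENERS, max_hops=5):
    """Return the redirect chain behind a short link.

    Only hosts in `shorteners` are ever contacted. As soon as a hop points
    somewhere else, that address is recorded as the destination and the
    function stops, so the (possibly malicious) site is never requested.
    """
    chain = [url]
    for _ in range(max_hops):  # cap the hops so a redirect loop cannot run forever
        parts = urlsplit(chain[-1])
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or host not in shorteners:
            break  # destination reached: report it, do not request it
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            break  # the shortener did not redirect (dead or removed link)
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain

if __name__ == "__main__":
    # Usage: python expand.py <short link> [<short link> ...]
    for link in sys.argv[1:]:
        print(" -> ".join(expand(link)))
```

The last address printed is where the link really goes, which you can then judge (or look up with a reputation service) before deciding whether to open it.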
Change default admin passwords
You know this, right? The very first thing you do when you bring home a new device, especially one that connects directly to the Internet, is change the default passwords. Not just the connection key, but especially the admin password. It’s usually on a sticker on the device or on a card inside the box, and nearly always available on the manufacturer’s website. Unfortunately a recent study has shown that one in 16 home Wi-Fi routers is still using the default admin password. This is a HUGE security problem in your home!
And that’s my cyber security roundup for the week. Read & share!
Talk to you again soon!
Security Awareness Training Goes Live Again!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Thankfully, live training is making a comeback! So wherever you and your employees may be, I can deliver a fun and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺