August 31, 2021

Good morning, everyone!

This week’s critical vulnerabilities: Microsoft has released guidance on the ProxyShell vulnerabilities affecting on-premises Exchange servers. F5 has released critical fixes for its BIG-IP and BIG-IQ devices Cisco has released fixes for its Nexus 9000 Series Switches. B. Braun Medical Infusion Pump and Dock devices should be updated immediately to fix a critical flaw. Users of Microsoft’s Power Apps are urged to immediately check their security settings, after it was revealed that 38 million records (including sensitive data) were exposed online. Patch All the Things!

When Shadow IT goes wrong

About a year ago, I wrote a newsletter Back to Basics (Part One) where I talked about Shadow IT – problems that arise when employees acquire and install hardware without proper review. Last week’s news brought a doozy of a story in this vein:

A zero-day bug in the device installer software for Razer peripherals – be they a Razer mouse, keyboard or any device that uses the Synapse utility – gives the plugger-inner full admin rights on Windows 10, just by inserting a compatible peripheral and downloading Synapse.

There’s apparently nothing keeping the vulnerability from allowing the same privilege escalation on Windows 11, although, if that operating system has in fact been tested, its vulnerability hasn’t yet been reported.

Yes, you read that right. A standard user, who supposedly cannot have administrative privileges on a computer, can in fact get around this quite easily by installing the driver for a Razer peripheral. (smacking forehead) Razer is working on a fix and Microsoft is investigating.

But wait, there’s more! A few days later we learned that SteelSeries, maker of high-end peripherals popular with gamers, has the same problem only worse – you don’t even need one of the SteelSeries devices to exploit the vulnerability.

How do you protect your company against Shadow IT?

1. Have a written security policy. It should include things like a prohibition on providing hardware and software without proper authorization. (See my white paper ”Protecting Company Data with Simple Security Policies” for more on this subject.)
   
   
2. Train your employees. Not just on the policy specifics, but why the policy is in place. Use examples like the NASA JPL hack. Tell stories, make the policy come alive to your employees. People remember stories!
   
   
3. Use technology. Regular internal and external scans can provide the data you need to identify unapproved hardware and software on your network.

How to keep your emails from being flagged as suspicious or spam

One of my faithful newsletter readers sent me this email a few days ago:

I am having a problem lately. I send all of my quotes via email and of late (last couple of months) most seem to be going to the spam folders of my clients. Previously this did not appear as an issue. Any idea why?

Yep, it’s because of cybercriminals! One of the hot trends in phishing emails lately is to send fake quotes and invoices. So if you are sending legitimate quotes and invoices by email, you need to be extra careful in crafting those emails, so that they don’t look suspicious. There is no magic bullet, I’m afraid, but here are a few tips:

• Make certain the text of your email is standard business language, with no typos or errors of diction.
• Use more text than links in the body of the email. A very short email that refers to an attachment or a simple link is more likely to be flagged as suspicious.
• Don’t use URL shorteners (like bit.ly) for links.
• Don’t put too many links in one email (and that includes your signature).
• Try to avoid “spam triggers” like these:
  • Discount
  • Special promotion
  • Guarantee
  • Risk-free
  • Click here

Yes, I realize those are legitimate business terms, but they are overused by the spam kings, so you should be judicious in their use, and try to come up with alternatives if possible. For example, instead of saying “We guarantee our work” you could say “We stand behind our work” – get creative!

There are also a few technical things you can do, like sending “from” the email address that matches the account name you are using, making certain your mail server isn’t on a blacklist somewhere, and so on. If you are really having trouble with this, I recommend consulting a professional.

And I think that about wraps up this newsletter. Ida is pouring rain outside as I’m typing this, and I hope that we are all safe and have dried out by the time you are reading it!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺