Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect


September 14, 2021

Good morning, everyone!

This week’s critical vulnerabilities:
  • Apple has released fixes for a critical security flaw. Update now to iOS 14.8, macOS 11.6 and watchOS 7.6.2.
  • Fortinet VPN passwords were leaked online by hackers who scraped them from exploitable devices last summer. If you have a Fortinet VPN, change all the passwords now, and make sure the device itself has been patched: resetting passwords on a device that is still exploitable just hands the attackers a fresh set.
  • Atlassian Confluence vulnerability is being actively exploited.
  • SpyFone has been banned by the FTC for illegally harvesting data. Huge privacy concern. Don’t use these “stalkerware” apps.
  • Netgear has released firmware updates to correct security flaws in over a dozen smart switches.
  • “Billions of devices” are impacted by a recently discovered vulnerability in Bluetooth. Some vendors have released patches, others haven’t (yet). Meanwhile, turn off Bluetooth if you don’t need it. (That’s good advice any time.)
  • Zoho ManageEngine Password Manager has a fix for a critical vulnerability that is currently being used in attacks.
  • Annke security camera systems are being attacked; a patch has been released.

Patch All the Things!

Breaking down those “best practices” from ERISA (part 2)

Back in July, I started writing about the list of cyber security best practices released by the Department of Labor. I broke down the first three on the list in my July 20 newsletter, and I’m going to tackle four more today.

Clearly define and assign information security roles and responsibilities

Sure, small organizations don’t have CTOs or CISOs or even IT Security Directors, but there is still usually someone who is “responsible” for information security, whether voluntarily or by designation. What kind of information security “responsibilities” need to be assigned? Here are a few things that someone needs to maintain:

  • List of active network accounts
  • List of network/software permissions
  • List of passwords for shared accounts (kept in a password manager, never in a spreadsheet or on a sticky note)
  • List of access devices (keys, fobs, swipe cards, alarm codes, copier codes)

Part of your new hire onboarding procedure should include a form that defines which network/software permissions that person should have, what kind of access, and so on. Part of your exit procedure should be revoking those permissions, closing those accounts and retrieving those access devices. I can cite dozens of cases where former employees have used their accounts for malicious purposes, and of course the recent big ransomware incident at Colonial Pipeline was due at least in part to a remote access account still active though no longer needed: the password had apparently been stolen and leaked on the dark web, and the VPN did not require multi-factor authentication, so that one password was all the attackers needed.

Can you think of more things like this in your particular organization that could be managed a bit better?

Have strong access control procedures

What does this mean? First of all, don’t just put all your data into a single shared folder that everyone can access. Think about “the need to know” – not everyone needs to know everything! Sensitive data in particular should have additional protections (a separate password, for example, or better yet multi-factor authentication (MFA)).

Have individual accounts for each user, with their own (good! strong!) password. Limit or eliminate shared “role” accounts: they make it difficult to track activity to a particular person, and their passwords tend to outlive the people who were given them.
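Here is what the account review behind the last two sections looks like when you actually do it, as an added example (this is not from the newsletter or from the Department of Labor guidance). It takes an export of accounts and an HR roster, both constructed here with made-up usernames and employee IDs, and flags exactly the things discussed above: accounts whose owner has left or was never on the roster, shared accounts with no individual owner, and remote-access accounts that nobody has used in months, which is the Colonial Pipeline pattern. The column names and the 90-day threshold are assumptions; adjust them to whatever your directory or VPN actually exports.

```python
"""Joiner/mover/leaver check: reconcile active accounts against the HR roster.

Constructed example. HR_ROSTER and ACCOUNTS stand in for an HR export and a
directory/VPN account export; the field names and 90-day cutoff are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]        # HR employee ID; None means a shared/role account
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in
    remote_access: bool         # VPN / remote-desktop capable


# Constructed HR roster: employee ID -> employment status.
HR_ROSTER: Dict[str, str] = {
    "E100": "active",
    "E101": "terminated",
    "E102": "active",
}

TODAY = date(2021, 9, 14)

# Constructed account export.
ACCOUNTS: List[Account] = [
    Account("jdoe", "E100", True, TODAY - timedelta(days=3), False),          # healthy
    Account("rsmith", "E101", True, TODAY - timedelta(days=120), True),       # owner left, VPN still on
    Account("vpn-contractor", "E999", True, TODAY - timedelta(days=200), True),  # nobody owns this
    Account("frontdesk", None, True, TODAY - timedelta(days=1), False),       # shared "role" account
    Account("mchen", "E102", True, None, False),                              # created, never used
    Account("oldadmin", "E102", False, None, True),                           # already disabled
]


def review_accounts(accounts, roster, today, stale_after_days=90):
    """Return {username: [reasons]} for every enabled account that needs action."""
    findings: Dict[str, List[str]] = {}

    def flag(username, reason):
        findings.setdefault(username, []).append(reason)

    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do

        # Ownership: every enabled account must map to a current employee.
        if acct.owner is None:
            flag(acct.username, "shared account: no individual owner, activity cannot be attributed")
        else:
            status = roster.get(acct.owner)
            if status is None:
                flag(acct.username, "orphaned: owner not on HR roster")
            elif status != "active":
                flag(acct.username, "owner no longer employed: disable now")

        # Usage: an account nobody uses is pure attack surface, doubly so for remote access.
        idle = (today - acct.last_login).days if acct.last_login else None
        if idle is None or idle > stale_after_days:
            kind = "remote-access" if acct.remote_access else "account"
            when = "never used" if idle is None else f"unused for {idle} days"
            flag(acct.username, f"stale {kind}: {when}")

    return findings


if __name__ == "__main__":
    for user, reasons in sorted(review_accounts(ACCOUNTS, HR_ROSTER, TODAY).items()):
        for reason in reasons:
            print(f"{user:15} {reason}")
```

Run it on a schedule, not once; the exit procedure catches the people you know about, the review catches the ones that slipped through. In an Active Directory shop the stale-account half of this is built in: `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` lists every user account with no logon in the last 90 days, and the ownership half is a matter of comparing that output to whatever your HR system exports.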

Protect cloud/managed assets

The full control states: “Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.” What does this mean?

I have written about the shared responsibility model in the Cloud in past newsletters ( 07-14-2020 To Cloud, or Not to Cloud? and followups on 08-04-2020 and 11-17-2020 ).

Many people don’t think “hosted” or “managed” services could be in the Cloud, but they often are! Talk to your service providers about security options. Definitely require MFA whenever that’s an option. Ask about encryption. Is it possible to restrict access to your data only to your IP address(es)? Arrange for local backups of your data, rather than relying entirely on the service provider. Ask about their security policies, their incident response plan and business continuity plan. If your service provider loses everything to ransomware, so may you -- and sometimes they just close up shop, leaving customers in the lurch.

Conduct periodic cybersecurity awareness training

Hey, they are singing my song! I firmly believe that effective training for employees is critical to protecting data in any organization. Remember, your employees are NOT the weakest link in your organization if they are properly trained – they are your last line of defense! When that brand-new malware sample gets past all your technical defenses and lands in an employee’s inbox, but that employee does not open that infected attachment or click on that suspicious link, that employee has just saved your organization from a potential data breach. Invest in employee training! Contact me to schedule!

What is your biggest security-related challenge?

I'd love for you to reply to this email with just one sentence, one phrase or even one word. What is your biggest security challenge? What do you worry about? What do you fear? What do you not understand? I'll tackle everyone's answers in future newsletters! I want to be sure that the information I'm providing each week is relevant to YOU.

Catch you again next week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy