April 12, 2022

Good morning, everyone!

The latest critical vulnerabilities: Zyxel has released updates to fix a critical security flaw in many of their firewall products. WatchGuard issued a fix for a critical vulnerability last year, but didn’t tell anybody. Unpatched devices are being actively exploited. NOTE: Both these two vulnerabilities are mitigated by not exposing the admin interface to the Internet. Haven’t I said this before? VMWare has released patches for some of its products and workarounds for others, securing against the Spring4Shell vulnerability which is being actively exploited. Rockwell PLC products have a critical security flaw that needs to be addressed immediately. Patch All the Things!

Are WordPress sites the Mosquitoes of the Internet?

"Of the phishing sites that used a CMS, 46% of those used WordPress"[link]

Anytime you get an email asking you to click on a link with "wordpress" in the URL, stop and think HARD before you click! Ask yourself, "Do I really need to click on this link? Is there some other way to get this information? Should I call the sender of the email and verify its legitimacy before clicking on this link?” (HINT: the answer to the latter is “yes”)

More lessons learned from the SolarWinds breach

Last week SolarWinds lost a bid to throw out a data breach lawsuit, with three important points made by the Court:

1. While organizations must have fundamental security measures in place, it is also important that an organization have a security culture, that employees understand that this "security mindset," and have a real awareness of the Company's efforts around security. [...]

2. Organizations should ensure that their public statements related to security are accurate, not misleading, and regularly updated in response to relevant events. [...]

3. It is important for boards and management to heed the advice of their own security advisors. [...]

PCI DSS 4.0 has been released

The PCI Security Standards Council has released version 4.0 of their Data Security Standard (PCI DSS), with some 60+ new requirements. While most of them don’t kick in until March 2025, giving merchants time to prepare and upgrade their systems, many of them are effective immediately. In this category, new requirements for process maturity and documentation have been added to 10 of the 12 principal requirements. If you process credit cards, we should probably talk soon.

Go forth and be secure! and have a great week.

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺