April 26, 2022
Good morning, everyone!
The latest critical vulnerabilities:
Patch All the Things!
If you don't need Java, uninstall it now
Some people are calling it "The Crypto Bug of the Year": a flaw in the digital-signature verification code of Java versions 15 through 18 lets anyone forge a signature that Java will accept as valid, so a tampered or malicious application (or a forged login token or certificate) can be made to look legitimately signed. If you need Java, make sure all your systems are patched ASAP; the fix shipped in the April 2022 Java update. If you don't need it, uninstall it! When Java has a bug, it's often a big one, so don't take unnecessary risk. (In fact, this is good advice generally: any application you don't actually need, just get rid of it. You can't be vulnerable through software you don't have.)
Who has access to your systems?
A few weeks back, everyone was talking about the Okta data breach by the Lapsus$ group. The biggest stink was that Okta kept it quiet for two months. Okta has now finished its investigation and released a report. It turns out the breach originated on a computer used by a third-party contractor with access to Okta's information systems.
What does this mean for you? Whether it's a business or home computer, anyone with access to it can install malware, on purpose or by accident. Take steps to protect yourself:
(1) If you allow someone else to remote in to help you with something on your computer, sit there and watch what they are doing! A few years back, credit card data was stolen from several Gulf Coast restaurants because “tech support” (not really) was given remote access to the server and not properly supervised. If they do something you don’t understand, ask them to explain.
(2) Ask yourself, who called whom? In the case of the restaurants above, someone called the manager during a busy lunch hour, stating they needed to update the credit card software immediately. He gave them remote access to the system and went back out to the dining room. If he had called his software vendor to verify the update, he would have known immediately this was a scam. So if someone calls you, says there's a problem with the system and needs to get on your computer, ask for a trouble ticket number, hang up, and call the vendor back at the number you already have (not the phone number the caller just gave you!). If there is truly a problem, the vendor will tell you.
(3) If you use third-party contractors to provide services to your company or your customers, vet them carefully. Ask them about their cybersecurity policies and what tools they have in place, and give their accounts access only to the systems their job actually requires. Do they routinely provide security awareness training to their employees? Do your contractors receive the same training that you provide to your own employees?
Avoid single points of failure
The Okta investigation article makes another really good point ("Cloud Rife With Single Points of Failure"):
The incident also underscores that while cloud providers typically raise their customers' level of security, the cloud attracts attacks because so much access is concentrated in a small number of providers. Companies should always start by conducting a threat assessment to understand the risks presented by any infrastructure that they move to the cloud, Sullivan says....
"Don't assume that the vendor is going to take care of security and will do it all perfectly," he says. "Have the right playbooks and policies ready to go, so if there is an incident, you can take action whether the vendor is ready or not."
And don't forget about the shared responsibility model of cloud security: the provider secures the underlying platform, but your user accounts, configuration and data remain your responsibility, and so does detecting and responding when one of them is misused.
Hope this gives you something to think about this week!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺