March 21, 2023
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Remove Unnecessary Software
This is a standard security practice, included in most every security standard I've ever read, and yet few people or organizations actually follow this practice. Let's talk about what this is, and why it's important.
You can't secure it if you don't know it's there. If your employees (or family members) have local administrative privileges on their computers, they can install software (and malware, but that's a topic for another time). There are two reasons this could be problematic:
1. Missing updates. Remember that LastPass Breach? More recent information has indicated that the bad guys took advantage of a vulnerability in Plex, a streaming app, installed on the senior engineer's computer. Having auto-update turned on for Windows and macOS is not going to auto-update third-party applications on your computer (and even the endpoint management tool on your network can't update software it doesn't know about). You need to keep a software inventory, check periodically to make sure everything is up to date, and remove unnecessary software. (If you need a refresher, read How do I Patch my Things?)
2. Leaking data. Ever heard of Grammarly? Ever used it? Do you know how it works? It's a plug-in you can install on your computer or mobile device that will make suggestions to improve your grammar as you type. How does this work? Everything you type is live-streamed to a Grammarly server and analyzed for suggested improvements. Read that sentence again. Everything you type is live-streamed to a Grammarly server ... If your employees have installed Grammarly on a work device, are they sending sensitive corporate and/or customer data offsite without your knowledge? If a family member has installed Grammarly on your home computer, is everyone in the family unknowingly sending private data offsite?
These are just two examples of the many, many software applications that may be installed on work or personal devices. They may seem innocuous, and aren't inherently bad, but they can provide backdoors to your network and to your data.
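If you want to automate the periodic check from item 1, here is one way to do it. This is an added example, not a tool from this newsletter: the host names, application names, versions and the approved baseline are all constructed, and it assumes you can export your inventory as host/application/version rows.

```python
import re
from collections import defaultdict

# Approved software and the minimum acceptable version (constructed values).
BASELINE = {
    "example browser": "118.0.2",
    "example pdf reader": "23.6",
    "example vpn client": "5.1.0",
}

# Inventory export, one row per host and application (constructed sample rows).
INVENTORY = [
    ("laptop-01", "Example Browser", "118.0.2"),
    ("laptop-01", "Example Media Server", "1.19.5"),
    ("laptop-02", "Example PDF Reader", "22.1"),
    ("laptop-02", "example vpn client ", "5.10.0"),
    ("home-pc", "Example Grammar Plugin", "14.2"),
]

def version_key(text):
    """Turn '5.10.0' into (5, 10) so 5.10 sorts after 5.9 and 23.6.0 equals 23.6."""
    parts = [int(n) for n in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()  # trailing zeros carry no meaning when comparing versions
    return tuple(parts)

def review(inventory, baseline):
    """Per host: 'remove' lists unapproved software, 'update' lists versions below the minimum."""
    findings = defaultdict(lambda: {"remove": [], "update": []})
    for host, name, version in inventory:
        key = " ".join(name.lower().split())  # ignore case and stray whitespace
        if key not in baseline:
            findings[host]["remove"].append(name.strip())
        elif version_key(version) < version_key(baseline[key]):
            findings[host]["update"].append(
                f"{name.strip()} {version} -> {baseline[key]}")
    return dict(findings)

if __name__ == "__main__":
    for host, result in sorted(review(INVENTORY, BASELINE).items()):
        print(host, result)
```

Anything in the "remove" list is software nobody approved, which is exactly the software your patching process doesn't know about.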
So, go take inventory and delete the software you don't need. Have a good week!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺