Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

April 18, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • Apple has released updates to older versions of iOS and macOS to address the critical vulnerabilities under active exploit (these were fixed last week in the latest versions of iOS and macOS)
  • Microsoft last week released patches for 114 vulnerabilities, including 7 critical and 1 already being exploited
  • Google Chrome has released a fix for a new zero-day currently being exploited (remember, you must close Chrome and reopen to install updates)

    Don't rely on auto-update! It doesn't always work. Check manually.

  • Azure Shared Key authorization should be turned off; use Azure Active Directory authentication instead (the first few paras of this article are a great reminder of the shared responsibility model of the cloud)
  • HP has warned of a critical vulnerability affecting certain HP Enterprise LaserJet and HP LaserJet Managed Printers when IPsec is enabled. A patch is expected within 90 days; meanwhile, revert to a prior version of the firmware (FutureSmart version 5.5.0.3) or disable IPsec.
  • QNAP has released more patches to fix more vulnerabilities. Update to QTS 5.0.1.2346 build 20230322 or later, and QuTS hero h5.0.1.2348 build 20230324 or later
  • SAP has released 24 security notes, including fixes for two critical vulnerabilities
  • Hikvision has released critical fixes for its Hybrid SAN and cluster video storage products
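The Azure Shared Key item above is a configuration change rather than a patch, and the first thing to know is which storage accounts still accept it. The script below is an added example written for this newsletter, not Microsoft's code or tooling. It parses the JSON that `az storage account list -o json` produces (a constructed sample is embedded so it runs offline) and reports every account whose `allowSharedKeyAccess` property is not explicitly `false`, because an absent or null value means the Azure default, which is enabled. It then prints the `az storage account update --allow-shared-key-access false` command for each finding; account names and resource groups in the sample are made up.

```python
"""Audit Azure storage accounts for Shared Key authorization.

Added example, not code from the newsletter or from Microsoft. It reads the
JSON returned by `az storage account list -o json` and flags each account that
still accepts Shared Key authorization. `allowSharedKeyAccess` is the ARM
property behind that setting; when it is missing or null the account uses the
Azure default, which is ENABLED, so the check treats that case as a finding.
"""
import json

# Constructed sample in the shape of `az storage account list -o json`.
# Names and resource groups are invented for the example.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stbackupprod01", "resourceGroup": "rg-prod",
   "allowSharedKeyAccess": false},
  {"name": "stlegacyapp", "resourceGroup": "rg-legacy",
   "allowSharedKeyAccess": true},
  {"name": "stdefaults", "resourceGroup": "rg-test"}
]
"""


def shared_key_enabled(account: dict) -> bool:
    """True when the account accepts Shared Key auth.

    Only an explicit false disables it; true, null, or a missing key all
    mean Shared Key requests are still accepted.
    """
    return account.get("allowSharedKeyAccess") is not False


def find_shared_key_accounts(accounts_json: str) -> list:
    """Return (name, resourceGroup) for every account still allowing Shared Key."""
    accounts = json.loads(accounts_json)
    return [
        (acct["name"], acct["resourceGroup"])
        for acct in accounts
        if shared_key_enabled(acct)
    ]


def remediation_commands(findings: list) -> list:
    """Build the az CLI command that turns Shared Key auth off for each finding.

    --allow-shared-key-access is an existing flag of `az storage account update`.
    """
    return [
        f"az storage account update --name {name} --resource-group {rg} "
        f"--allow-shared-key-access false"
        for name, rg in findings
    ]


if __name__ == "__main__":
    # In practice: az storage account list -o json > accounts.json
    # and pass that file's contents instead of the constructed sample.
    findings = find_shared_key_accounts(SAMPLE_ACCOUNTS_JSON)
    for name, rg in findings:
        print(f"Shared Key still enabled: {name} ({rg})")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Before running the generated commands, inventory what talks to each account: once Shared Key is off, any client that authenticates with the account key, or with an account SAS or service SAS signed by that key, will start failing, so those clients need to move to Azure Active Directory authentication (or user-delegation SAS) first.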

Patch All the Things!



FBI IC3 Annual Internet Crime Report 2022

There are some eye-popping statistics in this report:

  • By year: Losses have increased from $2.7 billion in 2018 to $10.3 billion in 2022
  • By type: the number of successful phishing attacks has dropped for the first time -- is education actually working?!?!
  • By industry: Ransomware is overwhelmingly targeting healthcare and manufacturing (42% of attacks in 2022 were in these two sectors)
  • By age: Victims over age 60 lost $3.1 billion in 2022, compared with $1+ billion for ages 30-59. We need to educate our elderly friends and relatives.

Infosec vocabulary lesson

A few weeks ago there was an entertaining thread on LinkedIn where folks were trying to explain some often-misunderstood technical terms in a way that ordinary folks would understand. I thought you might find these interesting and enlightening:

  • threat actor = someone who wants to punch you in the face
  • threat = the punch that might be thrown
  • vulnerability = your inability to defend against the punch
  • risk = the likelihood of getting punched in the face
  • acceptable risk = your willingness to be punched in the face

Immediately unplug all Nexx devices

I think this one is pretty self-explanatory:

A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed.

The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow a door to be opened, a device connected to a smart plug to be turned off, or an alarm to be disarmed. Worse still, over the past three months, personnel for Texas-based Nexx haven’t responded to multiple private messages warning of the vulnerabilities.

Remember, if you can access it from anywhere ... it can be accessed from anywhere!

Have a cyber safe week!

Glenda R. Snodgrass

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!



Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training has made a comeback, but many organizations have found virtual training to be useful as well. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved.