August 8, 2023
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
How Does That Work? (Understanding integrations)
I recently signed up for an online scheduling calendar tool. Oh, boy, has this made my life easier! One of the best things I've ever done to improve efficiency. BUT ... there were serious security implications that I needed to understand and mitigate before signing up for this wonderful new tool and implementing it into my workflow. Hopefully walking through these steps with you all this week will help you recognize the risks in similar circumstances and provide you with insight into mitigating those risks.
Okay, I know a few of you are scratching your heads and wondering, seriously? How risky is a calendar app? You have to understand "How does this work?" to understand the potential risks.
Typically these scheduling calendar apps work as an integration with your existing calendar application (O365/Outlook, Google Workspace, whatever) so that they can schedule appointments for you during your open times. Oh, the convenience! BUT ... Do you hear warning bells in the back of your head? How Does That Work? Well, first you have to use the scheduling calendar app to log into your regular calendar app, so it can read your open times and write new appointments into your calendar for you. This is a concern for two reasons:
(1)You have to give read & write permission to the scheduling app on your calendar app. This means the calendar app can read every single appointment in your calendar (yep, not just the confidential client meetings, but also the doctor visits and the babysitter's contact info). That level of insight into my personal schedule -- by a third-party app over which I have no real control -- made me very uncomfortable. (Sure, I can control my personal Settings in the app, but I can't control the company and its resources -- who has access to their servers? how secure are they? how do I know what is being done with my data?)
(2) In order to set up the integration, I would have to log in to my Google account to "hook" up the two apps. That account controls not only my calendar but my email, my file share, *everything* that I do in Google Workspace. That made me uncomfortable. (Did you read my March 7 newsletter "What is OAuth and why do you care?")
So ultimately I chose an app that gives me nearly full functionality without the direct calendar integration. I am confident that I found a good solution to provide the efficiency I need without compromising security in any way.
Remember, the most important question you can ask yourself before signing up for a new service, or buying a new product, is "How Does That Work?"
The woman who secured the Internet
I read this really interesting article this week, Meet Window Snyder, the trailblazer who helped secure the internet and billions of devices. This woman has had an incredible career, being among the first to codify threat modelling and the secure development lifecycle, both methodologies that are foundational to cyber security. She was a leader in Microsoft's "Trustworthy Computing Initiative" in the early 2000s, then on to Apple where where, as the only product manager responsible for the privacy and security of all Apple products, she introduced end-to-end encryption into iMessage and full-disk encryption by default on all Apple products.
A truly inspiring story. Read and share!
Stay cyber safe this week!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺