
Wednesday, July 24, 2013

Simple Security Mistakes People and Companies Make and how to Fix them! Installment #2

This is the second installment in this new series of posts titled Simple Security Mistakes People and Companies Make and how to Fix them! I will explain several common, simple information security mistakes made by both organizations and individuals. I will also explain the typical reasons why these mistakes are made, why they pose a rather large risk and how simple it is to resolve them. Please note that correcting these mistakes costs little or no money. I will break down each numbered mistake/task with a number followed by an (H) for home users and an (O) for organizations. I hope this installment proves both educational and lends to your safe computing:
1. (H) PROBLEM - When you first purchase a Microsoft based computer and begin the setup process, at some point you are asked if you want to enable automatic updates (or patches) along with a particular time for those updates to download and install automatically. There are many reasons why computer owners do not turn on this function, ranging from not understanding the need all the way to the very short inconvenience that comes about once a month and causes a longer shut down/reboot or start of your computer. As it turns out, those very patches recommended by the software maker are designed to fix known bugs (vulnerabilities) within the software. SO WHO CARES RIGHT? Well, the bad people on the internet do. Furthermore, most of the time they count on your unwillingness or lack of knowledge about updating your software to compromise your computer for financial or other nefarious purposes. The bugs (vulnerabilities) that those patches fix are not corrections that you will even notice; they do not make your computer easier or harder to use. Instead they stop the bad guys from using those vulnerabilities/exploits to take control of your computer. This does not only apply to Microsoft based software: if you use any Apple or Linux products, updating and patching on a regular schedule is just as important. SOLUTION – To protect your computer, its information, your privacy and your money, either set your computer to automatically download and install updates at least once a month or, if that is not possible, do it manually on a monthly basis. This will not guarantee that you will not be hacked; it will however reduce your exposure significantly.

2. (O) PROBLEM - Look around your organization. How many of your desktops and servers have not been patched in the past month? How about the past two months… three months… ever? Is it due to lack of resources, a belief that it is not a priority or just not knowing any better? As mentioned above in the home user section, “those very patches recommended by the software maker are designed to fix known bugs (vulnerabilities) within the software”. The bad guys (those who would steal, harm or disrupt your business) count on your lack of OS and application patching to compromise your computer and network systems. Here is a little known fact, or at least a fact that many business leaders have created a sense of denial about: patching operating systems and applications is considered “Generally Accepted Best Practices” worldwide. As such, WHEN a breach occurs at your organization and it is discovered that your organization's computer and networking systems have not been patched in a reasonable amount of time, and that the bad guy used an exploit that was addressed (remediated) by an already distributed patch, your organization will not only be subject to civil damages and fines but may also be subject to felony criminal negligence charges as well. YEP! People from your organization could do jail time, typically executives. SOLUTION – When business managers/owners make excuses for not mandating that all of their information systems be currently patched, it becomes part of the organizational culture. There really is no excuse, though: many systems can be patched with little or no expense, and patching can even be automated. Do not expose your employees, customers and shareholders by ignoring this simple task. Failure to do so will result in your organization being compromised and may even land you in jail.
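Both points above come down to one question an administrator should be able to answer at any time: which machines have gone a month, two months, three months or forever without a patch run? The script below is an added example written for this post, not the author's own tooling. It assumes a CSV inventory (hostname, role, last_patched as a date or "never"), which is a constructed format, and buckets each host exactly along the post's "past month, two months, three months, ever" scale, using the post's own date as the reference point.

```python
"""Patch-age report over a host inventory.

Added example for this post, not the author's code.  The inventory format is an
assumption: CSV with columns hostname,role,last_patched, where last_patched is
the YYYY-MM-DD date of the last successful patch run, or 'never'.
"""
import csv
from datetime import date
from io import StringIO

# Constructed sample inventory (made-up hosts and dates, not a real network).
SAMPLE_INVENTORY = """hostname,role,last_patched
ws-0101,desktop,2013-07-10
ws-0102,desktop,2013-05-02
srv-file1,server,2013-03-30
srv-db1,server,never
ws-0103,desktop,2013-06-28
"""

# Reference point for the ages below: the date of this post.
REFERENCE_DATE = date(2013, 7, 24)

# Buckets mirror the post's question: a month, two months, three months, ever?
BUCKETS = (
    (30, "current (<=30 days)"),
    (60, "overdue (31-60 days)"),
    (90, "overdue (61-90 days)"),
)
WORST_FIRST = ["never patched", "overdue (>90 days)",
               "overdue (61-90 days)", "overdue (31-60 days)"]


def patch_age_bucket(last_patched, as_of):
    """Return the bucket label for one host's last_patched value."""
    if last_patched.strip().lower() == "never":
        return "never patched"
    age_days = (as_of - date.fromisoformat(last_patched.strip())).days
    for limit, label in BUCKETS:
        if age_days <= limit:
            return label
    return "overdue (>90 days)"


def audit_inventory(inventory_csv, as_of):
    """Map every hostname in the CSV text to its patch-age bucket."""
    rows = csv.DictReader(StringIO(inventory_csv))
    return {row["hostname"]: patch_age_bucket(row["last_patched"], as_of)
            for row in rows}


def overdue_hosts(inventory_csv, as_of):
    """Hosts outside the post's monthly cadence, worst offenders first."""
    report = audit_inventory(inventory_csv, as_of)
    current_label = BUCKETS[0][1]
    return sorted((host for host, bucket in report.items() if bucket != current_label),
                  key=lambda host: (WORST_FIRST.index(report[host]), host))


if __name__ == "__main__":
    for host, bucket in audit_inventory(SAMPLE_INVENTORY, REFERENCE_DATE).items():
        print(f"{host:12} {bucket}")
    print("needs attention:", ", ".join(overdue_hosts(SAMPLE_INVENTORY, REFERENCE_DATE)))
```

Run against the sample, the two "current" desktops drop out and the never-patched database server sorts to the top of the list, which is the order in which the post's "WHEN a breach occurs" argument says you should be worrying about them. Swap the constructed CSV for an export from whatever inventory or patch-management tool you already have.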

Wednesday, July 10, 2013

Simple Security Mistakes People and Companies Make and how to Fix them! Installment #1


Over the next several weeks, in this new series of posts titled Simple Security Mistakes People and Companies Make and how to Fix them!, I will explain several common, simple information security mistakes made by both organizations and individuals. I will also explain the typical reasons why these mistakes are made, why they pose a rather large risk and how simple it is to resolve them. Please note that correcting these mistakes costs little or no money. I will break down each numbered mistake/task with a number followed by an (H) for home users and an (O) for organizations. I hope this first installment proves both educational and lends to your safe computing:
1. (H) PROBLEM - When you first purchase a computer and begin the setup process, whether it is a Microsoft, Mac or Linux operating system, among the first choices you have to make is to create a user account. Most people just choose their own name or something funny. The account that you just created is an account that has complete rights to do anything on the computer, from changing system settings to loading programs. The PROBLEM ARISES from the daily use of that account. If you go to a website, click on a link or open an email that is infected, you are essentially giving that malicious software the same power that you have on your computer (which is full access). SOLUTION – Create the initial account and only use it when absolutely necessary. Create a second account for your daily use (surfing the web, checking emails, creating documents, playing games etc.). This limits the ability of much malicious software to infect your computer. Only use the first account created (the one that has administrative permissions) to load or remove software and to change system settings.

2. (O) PROBLEM - Look around your organization. How many of your employees have local administrative rights to the organization’s workstations/laptops? Just a few special cases, most of your employees, or, as it is for many organizations, all of your employees have local admin rights to the computers that they work on? Allowing this to occur and/or continue has serious ramifications, of which your information security is just one. In addition to the problems outlined in #1 above, how are you keeping your organization from being exposed to the criminal and civil penalties associated with unlicensed software? How can your workstation patching schedule/platform accommodate vulnerable software in need of patching when you do not even know that it is installed? It cannot. The last question is: do all of your employees absolutely need/require local admin rights in order to perform their job functions? Only you can answer that, but the generally accepted principles and practices of IT show that they do not. SOLUTION – As a business manager/owner, spend the little extra effort locking down organizational workstations/laptops, providing only the applications that are needed by each department, and take away the employee end user’s admin rights to your computers. Now I know it is easier in the short term to get all of the needed applications to run properly by just granting local admin rights, but with a little effort by your sys admin/helpdesk staff in configuring the OS and the applications, admin rights are not needed. Most certainly there are some cases where local admin rights are absolutely necessary. Those cases typically involve your IT staff and quite often remote sales staff. Provide those staff members with two user accounts, one with local admin rights and one as a regular locked down user. There is absolutely no reason IT staff should be browsing the web, checking emails or creating documentation with an account that has local admin rights.
Taking the time to do it right up front will always save you both time and money in the long run, not to mention drastically reduce the number of malware infections, configuration errors and overall risk exposure of your organization.
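The home-user and organizational points above both rest on the same check: who actually holds administrative rights on each machine, and is every one of them there on purpose? The script below is an added example for this post, not the author's code. It parses captures in the shape of the output of the Windows `net localgroup administrators` command (the captures, domain name and user names are constructed, not from a real network), compares every member against an assumed approved list, and honours a per-host exception list for the post's sanctioned two-account cases (IT staff, remote sales), so that the sales laptop's separate admin account is expected while a regular user sitting in the group is reported.

```python
"""Audit local Administrators group membership across workstations.

Added example for this post, not the author's code.  Input is text in the shape
of `net localgroup administrators` output, one capture per host; the captures,
domain and account names below are constructed for the example.
"""

# Constructed captures; hostnames, domain and user names are made up.
CAPTURES = {
    "WS-0101": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\IT-Workstation-Admins
CORP\\jdoe
The command completed successfully.
""",
    "WS-0102": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\IT-Workstation-Admins
The command completed successfully.
""",
    "LT-SALES07": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\IT-Workstation-Admins
LT-SALES07\\msmith-admin
The command completed successfully.
""",
}

# Assumed policy: accounts that may hold local admin on every workstation.
APPROVED_EVERYWHERE = {"Administrator", "CORP\\Domain Admins", "CORP\\IT-Workstation-Admins"}

# Per-host exceptions: the post's separate admin account for a remote sales laptop.
HOST_EXCEPTIONS = {"LT-SALES07": {"LT-SALES07\\msmith-admin"}}


def parse_net_localgroup(output):
    """Return the member names listed between the dashed separator and the trailer."""
    members, in_members = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def find_unexpected_admins(captures, approved, exceptions):
    """Map host -> sorted admin members that policy does not allow on that host."""
    findings = {}
    approved_lc = {name.lower() for name in approved}
    for host, output in captures.items():
        allowed = approved_lc | {name.lower() for name in exceptions.get(host, ())}
        extra = sorted(m for m in parse_net_localgroup(output) if m.lower() not in allowed)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in find_unexpected_admins(CAPTURES, APPROVED_EVERYWHERE, HOST_EXCEPTIONS).items():
        print(f"{host}: unexpected local admins -> {', '.join(extra)}")
```

On the sample, only WS-0101 is reported, for the ordinary user account `CORP\jdoe`. Running the same comparison with an empty exception list also reports the sales laptop, which is the useful property: every local admin account is either in the policy or in the report, never silently tolerated.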

Wednesday, July 3, 2013

Where is your money and who did you give it to?

Spear phishing is not really a new tactic used by those who want to separate you from your money. That being said, huge profits are being made from such attacks. The beauty of these attacks is that the victims (YOU) willingly give the bad guys the information needed to clean out your bank accounts and are not even aware of the fact that they have been ripped off until it is too late.
It all starts innocently enough (if you are not paying attention): you receive an email from your financial institution that may look like one of these:
Banks: [sample bank phishing emails were shown here as images in the original post]
The cyber crooks use any number of other financial or commercial institutions also.
What do you do?
Sadly, many people read the email, become nervous and follow the instructions provided in the email.
First, please allow me to provide some basic information that can/will protect your finances:
1. No financial institution or e-commerce business will ever send an email to its customers (no matter how well written) that contains, as part of the instructions, a link for you to follow to correct the issue. If you do not believe me, next time you receive such an email, hover your cursor (DO NOT CLICK ON THE LINK) over the link to reveal the real destination you would be taken to.
2. Sending your information by following a link can have devastating effects.
3. If you are like many, you will fall for the con and follow the link. Many times the cyber crooks are even nice enough to provide a web page from that link that will look exactly like the bank or e-commerce site you expect.
4. However, once you put in your user ID and password and any other information that they request, control of the money in those account(s) now belongs to the person who sent you the fake email.
IF you have any doubt, DO NOT FOLLOW THE LINK BUT GO TO THE WEBSITE AS YOU NORMALLY WOULD AND FIND OUT DIRECTLY FROM THE INSTITUTION IF THERE IS AN ISSUE AND IF SO, CORRECT IT FROM THERE.
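The "hover over the link" advice in point 1 is really three comparisons: does the address the link text shows you match where the link actually goes, is the real destination a bare IP address rather than a company name, and does it stay on the institution's own domain at all? The script below does those comparisons over an email body in code. It is an added example for this post, not the author's, and everything in it is constructed: the message, the IP (from the documentation range) and `example-bank.com`, which stands in for the institution the email pretends to come from.

```python
"""Spot links in an email whose real destination does not match what is shown.

Added example for this post, not the author's code.  The sample message and
domains are constructed; example-bank.com stands in for the institution the
email claims to be from.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style body; not a real message, IP from the documentation range.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been limited.</p>
<p>Please verify at <a href="http://198.51.100.23/verify">https://www.example-bank.com/login</a></p>
<p>Or <a href="http://example-bank.com.account-check.example.net/">click here</a>.</p>
<p>Contact us: <a href="https://www.example-bank.com/contact">www.example-bank.com/contact</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host):
    """Last two labels of a hostname (assumption: enough for the .com/.net samples)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html, claimed_domain):
    """One finding per link; 'reasons' is empty when nothing looks wrong."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real_host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if BARE_IP.fullmatch(real_host):
            reasons.append("destination is a bare IP address")
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1).lower()) != registrable_domain(real_host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {real_host}")
        if registrable_domain(real_host) != claimed_domain.lower():
            reasons.append(f"link leaves the claimed sender domain {claimed_domain}")
        findings.append({"text": text, "href": href, "host": real_host, "reasons": reasons})
    return findings


def suspicious_links(html, claimed_domain):
    """Only the links a reader should not follow."""
    return [f for f in check_links(html, claimed_domain) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML, "example-bank.com"):
        print(f'"{finding["text"]}" -> {finding["href"]}')
        for reason in finding["reasons"]:
            print("   ", reason)
```

On the sample the first link fails all three checks, the "click here" link is caught only because its destination sits under a domain the bank does not own (the bank's name appearing as a leading label is exactly the trick), and the genuine contact link passes. The two-label `registrable_domain` shortcut is fine for these samples but would misjudge country-code domains such as `.co.uk`; a real tool would use the public suffix list.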
I hope you enjoy this latest blog entry and more importantly I sincerely hope that it helps you stay connected to your money.
Until Next time,
Brad Boynton, CISSP
Former CISO at a US Based Medical Device Manufacturer

Redtide69@gmail.com