Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
The recent turmoil on the Russian / Ukrainian border is the culmination of years of conflict, cyber and otherwise. We are entering a new age where the combination of Internet-connected critical infrastructure (electricity, gas, water, etc.) and political discord are bringing forward cybersecurity concerns that were often hypothetical before. Disinformation is nothing new in warfare, but the Internet facilitates more widescale use/abuse of misinformation than ever before, to the point where there are now information campaigns about the disinformation campaigns. Which side of this conflict is using information vs. disinformation is an exercise for the reader, but I will say that in all my years of professional speaking, the Russian/Ukraine conflict is the only topic I have ever raised where someone walked out of my talk because of differing political views. Let us all hope for a peaceful resolution to this situation, and for the safety of the citizens caught in the middle of this conflict.
When you can’t fix every crack in the dam
TCE Strategy has begun working with a number of new clients in 2021/2022, and a common theme has emerged where there are so many vulnerabilities to address that prioritizing them becomes difficult. There are a couple of tips I’d like to share on how to figure out which vulnerabilities present the greatest risk to your organization:
1. Is a risk that a scanner marks as “critical” externally facing (is it on a firewall, a website, or some other system that can be accessed from the Internet)? If so, these come first, especially if your firewall hosts a VPN or your website is very important to your business (e-commerce companies for example – this is exactly what Equifax didn’t do).
2. Is a risk something that has been “weaponized”? That is, has the vulnerability been actively exploited by cybercriminals? If so, that means that other low-sophistication cybercriminals (“script kiddies” is the slang often used for these folks) can download the code to exploit them. CISA is keeping an active list of exploited vulnerabilities. This is a fantastic resource to use when prioritizing which vulnerabilities to address first.
3. Is the risk “wormable”? “Wormable” vulnerabilities are those that can spread from one computer to other computers on your network, which often leads to widespread ransomware attacks or a large destructive attack designed to make computers permanently inoperable.
4. Is a risk part of a system that could prevent your company from doing whatever it is your company does? These come next.
5. Is a risk part of a system that contains information that would be damaging to your company and/or your customers if it was breached? This includes credit card information, healthcare data, trade secrets, HR information about your employees, etc. These vulnerabilities matter. In fact, depending on the specific company, these may be more important than #4 above.
6. Is a risk something that leads to complete system takeover? The Log4j vulnerability that I covered in my last two newsletters is an example of this (although it fell in category 1 for many companies and category 2 for everyone).
This is the list I use to prioritize which issues to address first when working with a neglected computer environment. Please feel free to reach out if you have more specific questions on this topic.
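The six questions above can be applied mechanically to scanner output. The following Python sketch is an added example, not TCE Strategy's own tooling: it ranks findings by the first question they answer "yes" to, and checks question 2 against a list in the shape of CISA's Known Exploited Vulnerabilities JSON feed (`vulnerabilities` / `cveID`). The finding field names, the tie-break rule, the sample data and the placeholder CVE IDs are all assumptions made for illustration.

```python
import json

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_JSON = '{"vulnerabilities": [{"cveID": "CVE-0000-0002"}, {"cveID": "CVE-0000-0005"}]}'

# Constructed scanner findings; every field name here is hypothetical.
FINDINGS = [
    {"cve": "CVE-0000-0001", "host": "vpn-gw", "severity": "critical", "external": True},
    {"cve": "CVE-0000-0002", "host": "build01", "severity": "high"},
    {"cve": "CVE-0000-0003", "host": "file01", "severity": "high", "wormable": True},
    {"cve": "CVE-0000-0004", "host": "erp01", "severity": "medium", "business_critical": True},
    {"cve": "CVE-0000-0005", "host": "hr-db", "severity": "critical", "external": True, "sensitive_data": True},
    {"cve": "CVE-0000-0006", "host": "kiosk", "severity": "low"},
    {"cve": "CVE-0000-0007", "host": "crm-db", "severity": "medium", "sensitive_data": True},
]

def load_kev(text):
    """Return the set of CVE IDs listed in a KEV-format JSON document."""
    return {v["cveID"] for v in json.loads(text)["vulnerabilities"]}

def answers(f, kev):
    """Answer the six questions, in the newsletter's order, for one finding."""
    return [
        f.get("severity") == "critical" and f.get("external", False),  # 1 external critical
        f["cve"] in kev,                                                # 2 weaponized
        f.get("wormable", False),                                       # 3 wormable
        f.get("business_critical", False),                              # 4 stops operations
        f.get("sensitive_data", False),                                 # 5 damaging data
        f.get("full_takeover", False),                                  # 6 system takeover
    ]

def prioritize(findings, kev, data_before_operations=False):
    """Sort by the first question answered yes; more yes answers break ties (assumed rule)."""
    order = [0, 1, 2, 4, 3, 5] if data_before_operations else [0, 1, 2, 3, 4, 5]
    def key(f):
        a = answers(f, kev)
        hits = [rank for rank, q in enumerate(order) if a[q]]
        return (hits[0] if hits else len(order), -len(hits))
    return sorted(findings, key=key)

def ranked_hosts(**kw):
    return [f["host"] for f in prioritize(FINDINGS, load_kev(KEV_JSON), **kw)]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, load_kev(KEV_JSON)):
        print(f["host"], f["cve"])
```

Setting `data_before_operations=True` swaps questions 4 and 5, for companies where a data breach outweighs an outage.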
Do you have a Linux computer? MUST READ!
As if we weren’t already having a ton of fun patching Log4j, there is a new Linux vulnerability that allows any user (even one with almost no access at all) to elevate themselves to root (administrator). This is bad. Here is a 2-minute video on how it’s done. Yes, the code to do so is already available, so this has been weaponized. Patches are easy and effective, and I have yet to see any ill effects when patching. You need to patch your Linux computers ASAP, especially those that may be facing the Internet.
Live events are back in action! Here is a list of the cities that I will be in for 2022. Please feel free to reach out if you have an event in mind.
February 1st-3rd, Tampa, FL
February 16th-17th, Providence, RI
March 1st-2nd, Madison, WI
May 10th-11th, Allentown, PA
May 17th-19th, Huntsville, AL
June 14th-21st, San Francisco, CA
TCE Strategy in the News
Thank you to InBusiness Phoenix and PICPA for running my article on 8 Do’s and Don’ts of Ransomware Prevention and Recovery.
"The study, written in collaboration with Accenture, revealed there is a wide perception gap between business executives and security leaders on the issue of cybersecurity."
These criminals have no morals. They go after educational systems. They go after critical infrastructure. It's up to us to make it more difficult for them to attack. Defense against ransomware is very practical. It's like car accidents -- an ounce of prevention is worth a pound of cure.
"The lawsuit's continuance signals further unwelcome scrutiny for Meta that could potentially end with some of the company's most valuable assets spun off. That would mark a shift with monumental consequences for society in light of the tech giant's reach into seemingly every corner of our lives."
Cybersecurity Tip of the Month
Create Online Accounts Before Someone Else Does For You
Many people choose to have a minimal online presence thinking it may help keep them safe from becoming a victim of cybercrime. However, with the increased availability of personal information that can be found online, cybercriminals have gotten better at using social engineering and other methods to commit fraud. This can include using information such as addresses, Social Security numbers, and birthdays to impersonate victims and create accounts online, allowing them to steal financial information or money and avoid detection until well after the damage is done.
Banks, water companies, power companies, the IRS and even the post office are all offering to service you through an "online account". It is very important that you set up these accounts as yourself, before a cybercriminal beats you to it and tries to have your mail rerouted to them or your IRS tax refund sent to the wrong account. Turn on multi-factor authentication on these accounts and add a PIN if possible. Freezing your credit can also help prevent fraud. If you have older friends or family members who do not have much experience using the Internet, offer to help them set up their own accounts and credit freezes as well.
Some places that you should set up online accounts include: