Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy-to-click "unsubscribe" button.
In this issue:
Month's News in Review
Upcoming Speaking Events
TCE Strategy in the News
Must Read Articles This Month
Cybersecurity Tip of the Month
Enjoy this month's newsletter? You can use this link to post on social media or send to friends! Thanks for sharing!
This Month's Cyber News in Review
My Favorite Password
“But I like that password,” was her reply. I made the mistake of starting the conversation with the urgent need to change her password. Her computer was infected with a virus, and a cybercriminal may have compromised it. The good news was that she was not using that password anywhere else. The bad news was that she is the owner of a very successful company and wasn’t used to being told that she had to do something she didn’t want to do.
My team cleaned up the virus infection, secured her network, and then changing passwords was the last step. It took some convincing, but after she told me the etymology of her password (a favorite loved one from her childhood whose name she had done a great job of obfuscating by repeating some letters, adding special characters, etc.), I was able to help her create a similar password using a completely different starting point (for example, a favorite teacher from her childhood). Then she felt better about the change, and all was good.
I’m often asked how frequently is “frequent enough” to change passwords. Some companies still require changes every 30 days. I’m not a fan. PCI (credit card) compliance demands every 90 days. I’m also not a fan. Lots of my clients require yearly password changes, and overall, I think that’s a sound approach. More and more, though, I’m being asked, “Why should I change my password at all unless there is suspicion that it has been compromised?” Frankly, that’s a good question. Frequent password changes often backfire, in that people will choose a pattern to change them, and that defeats the whole purpose of changing them at all. For example, back when I worked at a company that demanded monthly password changes, I used the password arnold1!, which I changed the next month to arnold2!, and then arnold3!, all the way around to 0!, and then I started the cycle over. I did this for 8 years, and it was not a good idea. It was also not a good idea to expect me to come up with completely new passwords every month and then remember them without writing them down. It’s a setup for failure.
I recommend the following:
You need to use different passwords for different things. If you use the same password everywhere, then if/when one account gets compromised, your whole world can get compromised. The only reasonable way to accomplish this is with a password keeper such as LastPass, 1Password, Dashlane, etc.
You need to turn on multi-factor authentication, or MFA, for your email account, your bank accounts, your work account, and any other account you care about. If your work computer systems don’t support MFA, ask your management team to start a project to enable it.
You need a real antivirus program on your computer(s). Windows Defender (for Windows 10 and 11) is getting better and better. Mac and Linux computers don’t come with any antivirus software, and they need it. Without a good antivirus program, how are you going to know if there is a suspicion of compromise?
Change your passwords either once per year or when there is any indicator of compromise. If you never want to change passwords at all, that is also a reasonable strategy, provided you follow the rules outlined above and change any password that shows an indicator of compromise. I’m not the only one who thinks so – many cybersecurity frameworks have moved away from mandatory password changes on a schedule (in fact, I think PCI is the only holdout). The FTC (USA Federal Trade Commission) has weighed in on this as well: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
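The arnold1!, arnold2!, arnold3! rotation described above is exactly the pattern a password-history similarity check is meant to catch when a new password is set. The following Python is an added illustration, not code from this newsletter or from TCE Strategy; the sample history, the candidate passwords and the 0.8 similarity threshold are constructed values chosen for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample history: the monthly rotation the article describes,
# where only the trailing digit changes from one password to the next.
ROTATION_HISTORY = ["arnold1!", "arnold2!", "arnold3!"]

def letter_stem(pw: str) -> str:
    """Lower-case the password and drop digits and symbols, leaving the
    letter 'stem' that people tend to carry from one password to the next."""
    return re.sub(r"[^a-z]", "", pw.lower())

def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """Return True when `new` is essentially `old` with a counter, a symbol
    or a letter-for-digit swap changed. Two tests are applied:
    1. identical letter stem (catches arnold1! -> arnold2!), and
    2. overall string similarity at or above `threshold` (catches
       arnold1! -> arn0ld1!). The 0.8 threshold is an assumed value."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True
    stem = letter_stem(old_l)
    if stem and stem == letter_stem(new_l):
        return True
    return SequenceMatcher(None, old_l, new_l).ratio() >= threshold

def rejects_candidate(candidate: str, history) -> bool:
    """Reject a proposed password that is a trivial rotation of any
    previous password in the user's history."""
    return any(is_trivial_rotation(prev, candidate) for prev in history)

if __name__ == "__main__":
    # The last candidate follows the article's advice: a completely
    # different starting point (a favorite teacher) rather than a counter.
    for candidate in ["arnold4!", "Arnold0!", "arn0ld1!", "Teacher-Mrs.Kline-1987"]:
        verdict = "rejected" if rejects_candidate(candidate, ROTATION_HISTORY) else "accepted"
        print(f"{candidate:24s} {verdict}")
```

A check like this belongs in the password-change workflow, where it can reject the counter-bump before it is stored, rather than in an after-the-fact audit.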
More Log4j fallout
The Apache Log4j issue (detailed in last month’s newsletter) has turned out to be as serious as was feared, with lots of breaches tied to this vulnerability. The FTC has warned companies that ignoring Log4j may put them in violation of “the Federal Trade Commission Act and the Gramm Leach Bliley Act”. If you are a home consumer, there isn’t much to do here other than to set all your systems to autopatch and to uninstall any applications that you aren’t using. For companies, scanning for Log4j is critical, both internally and externally. https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability
Microsoft December 2021 Windows Server patches – new “out of band” patches released
If you installed the December Windows Server patches (Server 2012 R2 through 2022) and you are having issues, Microsoft has released an out-of-band patch. Some reports are specifically about RDP (Remote Desktop Protocol), but others include more serious problems such as server hangs and blue screens. I haven’t had any clients report issues with the December patches, but apparently some people are seeing them. https://redmondmag.com/articles/2022/01/05/remote-desktop-patches-for-windows-server.aspx
Until next month, stay safe!
Upcoming Speaking Events
Live events are back in action! Here is a list of the cities that I will be in for 2022. Please feel free to reach out if you have an event in mind.
Good news! "They said that this trend was primarily by a decline in ransomware attacks and the fact that a number of large cybercrime gangs have seen their activities curtailed by law enforcement."
The FTC is threatening companies with fines/penalties for failing to remediate Log4j. "It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."
Here is some great reading on good-news stories in the world of cybersecurity. We need more stories like these.
Truer words are rarely spoken: "Security is not just a technical issue; it’s an organizational and human problem"
Cybersecurity Tip of the Month
“It won’t ever happen to me”
Ever heard of optimism bias? It’s the idea that we all believe we are above average at most things and have a deeply held belief that bad things won’t happen to us. The problem is… we can’t all be above average, and bad things do happen to many of us.
If you've ever thought to yourself, "I'll never get hacked/be a victim of ransomware/have my accounts compromised, etc," then you're probably optimistically biased towards yourself.
For this month’s tip, here are two ways to avoid optimism bias when it comes to cybersecurity.
Be aware. Knowing that you’re prone to optimism bias is the first step in fixing the problem. The truth is, it could happen to you. And if you’re not securing your business and your personal belongings properly, more than likely, it will happen to you.
Use positive reinforcement. Instead of saying, “If I'm not cyber secure, I'll get hacked,” say, “if I’m cyber secure, I will keep all the money I made this year.”
Stay vigilant. The longer you live in your optimism bias, the higher your chances are of being sorely disappointed when the inevitable comes along. But take heart! The chances go down drastically when you take simple steps to secure yourself and accept the reality that you're not immune to bad things happening. Use MFA, update passwords yearly, get antivirus, and patch, patch, patch. Good things come (and fewer bad things happen) to those who are cyber aware.