To end this security nightmare, Adobe set Flash’s official termination date to December 31, 2020. Expect your browsers, Firefox, Chrome, Edge, etc. to disable and remove Flash on or before that date.

That helps security, but Flash’s demise could negatively impact your organization. If one of your websites requires your customers to use Flash, it is time to convert the content asap. Unless you are sure, meet with your web development team and confirm your visitors and customers do not need Flash to use your sites. If so, your developers can convert your content to use supported technologies.

Additionally, ask your IT professionals if your team members rely on sites that require Flash. If so, now is the time to work with those providers to spur them to transition away from Flash. If they refuse to move, you need to find other options.

While frustrating to many, especially frustrating to attackers, the ultimate demise of Flash helps make the world a safer place!

Please forward this to your friends in case they aren’t aware that Flash’s termination date is December 31, 2020.

The post Adobe Flash Stops on December 31, 2020. Are You Ready? appeared first on Foster Institute.

Of course, large service providers are expected to do much more for their security. But what about your service providers that have 10 or fewer employees and cyber-security has never been appropriately addressed? The chances are that they are hungry for some detailed security guidance. Once they implement some or all of the following recommendations, they can sleep better at night too.

None of these are unreasonable for you to request. And, a massive benefit to your service provider is that they can improve their cyber-security and that helps their own company and other customers, too. Everyone wins!

If you want to, send your contractors and service providers something like this. You may want to ask your IT team to review and perhaps edit it since your organization may already have security measures in place that eliminate the need for your providers to perform some of these recommendations:

Dear – you fill in the blank,

Cyber-security is a big concern these days, and we are checking in with all of our valued service providers, including you.

Our cyber-security depends to some degree on your level of cyber-security.

Below are cyber-security recommendations for you to follow in your organization. You may fall under laws and regulations that are even more stringent than these.

If you have any questions or decide not to follow the recommendations for any reason, please say so, and that will start a dialogue that can be beneficial for all parties.

First and foremost, you should always have great backups, and the ability to restore, because you accept full responsibility if you experience any problems as you implement these recommendations.

Unless you use patch management, and maybe nobody ever told you what that is, then to help ensure you are receiving protective patches from Microsoft and Apple, strongly consider enabling the automatic update feature in Windows and Mac OSX. There is a good chance it is activated already, but be sure. Installing critical security patches is essential since it increases security dramatically. There is always a small risk that a security patch could cause problems, but not installing a critical security update can put you at a much higher risk.

Patch your browsers too. Browser security patches are critical since, if a user clicks a malicious link in an email message, the attack usually makes a mad dash to poison that user’s browser quietly.

Uninstall all programs on each computer that you don’t think you will use. It is ok to start with the programs that are easy to recognize and skip the rest for now. That speeds and simplifies implementing this recommendation. Every program installed on a computer is a potential toe-hold for an attacker to gain access to a system. Worst case, if you delete an application now that you need later, you can usually re-install it quickly and easily.

In particular, remove Java and Flash. These are two tools that are frequently hacked and are likely unnecessary for your organization. Leaving them installed creates a significant security risk in your organization. If you later discover that you do need either, you can reinstall them with the newest version. Make sure to only get Java from java dot com and Flash from get dot adobe dot com forward-slash flash player Do not insert the space between the words flash and player.

If you do leave Java or Flash installed, investigate the click-to-play option that could protect you from unauthorized attacks based on Java and Flash.

Make sure to make your user accounts a “standard user” on your computers. Implementing this recommendation is slightly more complicated, especially if you are unfamiliar with creating new users. But it is included in these recommendations because it can increase your security immensely. If you use a third party IT company, you may choose to ask them to do this part for you.
The necessary steps for Windows and Mac: 1) Create a new local user account 2) Promote that user to be a local administrator 3) Demote the computer user’s current account to a standard user and use that account. Perform this change on each computer separately. It is rare that a user will notice there has been a change. If you ever need administrative access to a computer, you can use the new user account that you created and promoted to have administrative access. In rare circumstances, a program you use may require each user to be a local administrator. Needing to configure users to be local administrators is unfortunate indeed since it is so damaging to security.

The previous recommendation is all about local user accounts. Larger organizations especially will use something called the Active Directory. However, even when using the Active Directory, this recommendation about local administrators still applies.

Enable two-step verification on all the websites that require a login. In its most basic form, once two-step login is turned on, then when a user enters a username and password, their phone will receive a text message with a code to use to complete the login process. This added protection helps you tremendously if an attacker steals one of your website passwords. The setting is usually in the security settings of the website.

Even if your screen is set to lock after a brief period automatically, an insider can easily bypass that will artificially jiggle the mouse. The computer will think you are there, even if you are not, and the computer will not lock automatically. Before you ever move away from your computer, manually lock the screen. One way to quickly accomplish locking the screen in Windows is to hold down the Windows key and then tap the L key. On Macs, utilize the hot-corners feature to lock the screen when you move the mouse to one of the corners of your screen. Require a password to unlock the screen.

Before you send us a file that contains sensitive information, encrypt the file. It is straightforward to encrypt Microsoft Office and PDF documents using settings within the software. If you are emailing a file, do not email the password too, not even in a separate email message. If an attacker has access to the email accounts, they will have both the file and the password. Instead, exchange the passwords via a phone call or a text message. Unless required by regulation or law, use a passphrase at least 15 characters long, but you do not need to use the upper case, lower case letters, numbers, and symbols. Making passwords complex interferes with productivity and doesn’t help as much as using longer passphrases. An example passphrase could be: thanks for being secure. Just be sure you still comply with rules and regulations.

Know that it is an excellent practice to avoid connecting to Wi-Fi services at hotels, airports, coffee shops, etc. It is more secure to use a phone or personal hot-spot to connect a computer to the Internet. The added phone charges may be lower than you expect, especially if you change to a plan with unlimited data.

Please forward this to your smaller service providers; it can help prevent some big heartaches and expenses for you and them both.

The post Updated: Forward these 7 Minimum Security Requirements for Your Small Service Providers appeared first on Foster Institute.

Intel advises that IT Professionals stop deploying the current versions of patches for the recently discovered security flaws in CPU chips. Find details, just updated, by searching:
Root Cause of Reboot Issue Identified Updated Guidance for Customers and Partners site:intel.com

Do not insert a space after the colon.

For most of you, deploying Microsoft patches is easy compared to managing Flash, Java, and browser updates. Oracle is releasing multiple security patches for Java SE. Additionally, if you are upgrading Chrome to the 64 bit version, Google is releasing new patches for that browser.

For executives wondering what to do at home, you may find it best to download fresh versions of any non-Microsoft browsers you use, and reinstall the most recent versions of Flash and Java, if you still use either, from https://get.adobe dot com/flashplayer/ or java dot com . Your Microsoft and/or Apple patches are likely configured to install automatically.

For both organizations and home office users, if you can remove Flash and/or Java from some or all of your computers, then you can forget about patching them. If you haven’t already, try it on a few computers. You may find that all of the websites essential to your business no longer require either. Worst case, you can re-install the most recent version.

Executives, please forward this to your IT Professionals. Be sure to, if you have not already, have a conversation with them about how aggressive you want them to be with patching. They can share the pros and cons with you. These days, an aggressive posture related to patches can increase your security dramatically, when handled properly. Provide them time to test the patches, test un-installing the patches, and then to deploy the patches in stages. They will also need to contact your cloud providers to discuss how they are handling the flaws and patches.

The post Patching Nightmare – Please Forward to Your IT Pros appeared first on Foster Institute.

Be sure the “automatic update” feature is turned on in Windows and in Mac OS. Students must have the critical security patches installed to dramatically increase security. They’ll need to patch their browsers separately.

Uninstall all programs that they don’t think they will use. Start with the programs that are easy to recognize and skip the rest for now. Each program is a potential toe-hold for an attacker to gain access to a system. Worst case, if they delete something now that they need later, they can re-install it. In particular, remove Java and Flash. These are two tools that are frequently hacked and may be unnecessary. If a student finds they need either, he or she can reinstall them with the newest version. Make sure they get Java only from java dot com and Flash from get.adobe dot com/flashplayer/

Make sure they make their user account a “standard user” on their computer. This helps block attackers. Steps for Windows and Mac: 1) Create a new user 2) promote that user to be a local administrator 3) Demote your account to a standard user and use your own account.

Turn on two-step verifications on all the websites they visit. The setting is usually in the security settings of the website.

They need to keep their computer physically secure. Someone could access their files, social media, and e-mail accounts easily and without their knowledge. Passwords aren’t that helpful. It is usually trivial to bypass passwords on computers once an attacker gains physical access to a computer.

And though they may not heed this last step, it is a really good idea to avoid connoting to Wi-Fi services at school, coffee shops, etc. It is better if they use their phone or personal hot-spot to connect their computer to the Internet when they need to. The phone charges may be lower than you expect, especially if you call your phone provider and check about new data plan options.

Please forward this to your friends who have students; it can help prevent some big heartaches.

The post Moms, Dads, and Friends: Take 7 Steps to Secure Your Students’ Computers appeared first on Foster Institute.

The application inventory shows how many machines have a specific program installed on them, such as:

Qty – Application
18 – Adobe Flash Player version 11
22 – Adobe Flash Player version 16
79 – Adobe Flash Player version 20
29 – Mozilla Firefox version 38.0.1
99 – Mozilla Firefox version 44.0.2

Your list will be longer.

Notice that there are three versions of Adobe Flash Player and two versions of Firefox.

As you can imagine, more recent versions of software are generally the most secure. Most organizations such as Adobe and Mozilla recommend that you always use the most recent versions of their tools.

Using the most secure versions of applications is especially important for programs that interface directly to the Internet, such as Flash, Java, and your browsers.

Ask your IT Professionals to update, when possible, those kind of applications. Then, they can show you an updated application inventory report, one that shows the machines being all up-to-date. And, you’ll be able to sleep better at night.

Please forward this email message to everyone you care about…

The post Security Version 2.0 appeared first on Foster Institute.

Flash is a tool used on web-sites to, among other things, play videos.

When people visit websites, they can be vulnerable to what is referred to as a drive by download. Just by visiting a site, even a legitimate site, their computer may be exposed to an attack.

That attack can happen via a Flash video within an advertisement that was surreptitiously posted by an attacker.

It is always a good idea to use “click to play” functionality that prevents Flash content from running automatically.

Now, when Google stops accepting advertisements with Flash content, that will significantly diminish the Flash vector of attack.

The post No Flash Attacks After June 30 appeared first on Foster Institute.

Test to see if you have the most recent version of Flash. Ask your IT Pros to visit, and you do this on your family’s computers too, this page:

https://www.adobe.com/software/flash/about/

Adobe will provide a report about what version of Flash you have, and provide a way to update it if necessary.

Forward this to all of your friends if you care about their security!  Should you omit your mother-in-law from the list of people to whom you forward this? Well, that’s up to you. 🙂

The post Stop Your Vulnerabilities in a Flash appeared first on Foster Institute.