Any of your computers that you purchased six years ago came with Windows 7 installed. Unless you paid for new licenses and gave your team time to upgrade them, those computers run Windows 7 today.

Some of your options include:
– Buy new computers
– If the computer is strong enough, upgrade Windows 7 to Windows 8.1 or Windows 10
– You can ask your IT team if you use a technology called VDI. If so, they can uninstall Windows 7 completely. They can install Linux, or make a bootable thumb drive, or use a No Touch Desktop program. The computer can function as a screen and keyboard to a server where Windows runs

If, for any reason, you need to keep Windows 7 on some workstations, be sure to give your IT team time to implement compensating controls. For example, they can isolate the computers from the rest. Ask them to install Microsoft’s downloadable EMET security tool that works in Windows 7.

Support for Windows 8.0 ended in 2016.
Support for Windows 8.1 ends on January 10, 2023.

Please forward this to your friends and business associates, so they know January 14 is the when Windows 7 becomes a severe security risk to their networks.

The post Microsoft Will Stop Protecting Windows 7 on January 14, 2020 appeared first on Foster Institute.

Now, what affects you directly whether you own a Tesla or not. Many IT Professionals, consultants, and outsourced IT firms access your network remotely using tools designed to help them help your users solve technical issues. Example programs include GoToMyPC, TeamViewer, LogMeIn, VNC, and Splashtop. Some outsourced companies use a product called Agent Tesla to support their customers. If you visit the website agent tesla dot com, you will see that the product has additional features including stealing keystrokes, breaking passwords, and spreading itself like a virus through a network. It appears that some bad actors have been using this tool to infect computers at companies without the company’s permission. And the tech support representatives at Agent Tesla were more than willing to assist the bad actors.

A key takeaway is that user-friendly tools can permit non-technical people to hack your network without needing any technical know-how.

What if a disgruntled or unscrupulous worker in your company installs GoToMyPC, LogMeIn, or similar easy-to-use software on computers in your private offices? They could overhear private conversations without anyone knowing. One of our clients experienced millions of dollars of embezzlement because a trusted worker used one of those programs on the computer that was in the conference room. The embezzler was not technically savvy at all, and he heard enough confidential information to embezzle millions and wreak all kinds of havoc. He did not need to use the additional user-friendly features that Agent Tesla provides including password cracking and automatic infection of other computers, but he could have.

Visit with your IT professionals. What are you, as an organization, doing to protect yourself from someone intentionally utilizing a readily available program, such as Agent Tesla, to infect your network, spy on your workers, steal information, and break your passwords?

The CEO, Owner, President, and other chief executives suffer the most when an attack devastates an organization. Most of them wish they’d have taken more of an active role in security. Learn from their mistakes, before it is too late.

The post Stealing Tesla Cars, and Stealing Your Network with Agent Tesla appeared first on Foster Institute.

When your IT team logs onto a server, the server’s screen looks similar to what you would experience looking at a Windows workstation’s screen. The display on the server’s screen would remind you of your desktop or laptop computer’s screen.

Your IT professionals can remove this desktop experience and produce significant benefits. Your servers need less storage space, are faster, need fewer security patches, and are more reliable. Additionally, there is a smaller attack surface for attackers to exploit. Those benefits will help you, as an executive, sleep better at night.

Your IT team will install the server’s core software, and omit all of the programs that produce the desktop experience.

For your IT team to control and configure the server, they can use a server manager program that runs on their computers. Your IT team might use Windows PowerShell or even Project Honolulu too.

Please forward this message to fellow executives who want to make changes that will help them sleep better at night and, in the future, save money too.

The post A New Opportunity for Your IT Pros to Protect your Servers appeared first on Foster Institute.

Intel advises that IT Professionals stop deploying the current versions of patches for the recently discovered security flaws in CPU chips. Find details, just updated, by searching:
Root Cause of Reboot Issue Identified Updated Guidance for Customers and Partners site:intel.com

Do not insert a space after the colon.

For most of you, deploying Microsoft patches is easy compared to managing Flash, Java, and browser updates. Oracle is releasing multiple security patches for Java SE. Additionally, if you are upgrading Chrome to the 64 bit version, Google is releasing new patches for that browser.

For executives wondering what to do at home, you may find it best to download fresh versions of any non-Microsoft browsers you use, and reinstall the most recent versions of Flash and Java, if you still use either, from https://get.adobe dot com/flashplayer/ or java dot com . Your Microsoft and/or Apple patches are likely configured to install automatically.

For both organizations and home office users, if you can remove Flash and/or Java from some or all of your computers, then you can forget about patching them. If you haven’t already, try it on a few computers. You may find that all of the websites essential to your business no longer require either. Worst case, you can re-install the most recent version.

Executives, please forward this to your IT Professionals. Be sure to, if you have not already, have a conversation with them about how aggressive you want them to be with patching. They can share the pros and cons with you. These days, an aggressive posture related to patches can increase your security dramatically, when handled properly. Provide them time to test the patches, test un-installing the patches, and then to deploy the patches in stages. They will also need to contact your cloud providers to discuss how they are handling the flaws and patches.

The post Patching Nightmare – Please Forward to Your IT Pros appeared first on Foster Institute.

Almost always, the vendor or contractor had no malicious intent. Their organization’s own IT systems were not secure, and/or their team members performed actions in a non-secure way.

Be sure the service providers you use are working every day to be more secure too. Ask them about their security awareness training program. Ask them how often they are audited by independent third party firms that are interested in helping them increase their own security. If you want to, encourage them to sign up for our newsletter.

Remember, your IT security relies on their IT security too.

The post About Half of All Breaches are Caused by a Contractor or Service Provider appeared first on Foster Institute.

By default, all of your computers permit communication between each other, and attackers use those same communication channels to spread attacks from one machine to the next.

The solution is so basic that it is often overlooked: Computers do not need to talk to each other anyway, just to servers. Block the communication between workstations, and you take away a major vector used by ransomware to spread.

Ask your IT team to use local firewall settings on each computer to prohibit communication between workstations. They can make the setting once, and your servers will propagate that message to the other computers on the network. Give them a little time to complete this, because they will want to test their settings.

Please forward this message to help make the world a safer place. And remember, the more secure your service providers are, the more secure you are too.

The post One Setting Can Protect Your Network from Ransomware appeared first on Foster Institute.

Almost universally, security log files are too small and have overwritten themselves, making it impractical, and sometimes impossible, to see what security events have been happening on the network for more than a few hours.

Ask your IT Pros to be sure that the security log file size is set to at least 256 Megabytes.

Your IT Pros probably already know all about security logs, and can find out all the details on Microsoft’s site. Someday, as time permits, they may be interested in monitoring more than the default events, and that’s good. Microsoft provides detailed recommendations about events to monitor.

Please forward this to every executive you know so that they can forward it to their IT professionals and outsourced IT companies. Experience has shown that the majority of companies are still configured to use the tiny default size, and attackers love that.

The post Please Alert Your IT Pros – Increase Your Security Log File Capacity appeared first on Foster Institute.

Executives are trying to do the best they can, to make good decisions, but they often have bad input.

Some executives learned what they know about IT security from advertisements rather than textbooks, or from advisors who did not know what they were talking about.

For example, reports show that it is probable that the breach at Equifax could have been avoided if executives had ensured that basic step #1 was implemented.

The essential steps are:

1. Keep current with critical security patches.
2. Make sure that users have the right amount of privileges to do their jobs.
3. Only allow good programs to run.

It is human nature to want the easy way out, such as buying the latest threat protection tool and stopping there. Threat protection tools are important to have, but are not enough.

Be smart. Give your IT team time to accomplish the three steps above. Then you can sleep better at night.

Please forward this to every single executive that you know, so they can protect their companies with these three very important basics.

For more details, see:

https://fosterinstitute.com/blog/cyber-securitys-three-essential-steps/

https://fosterinstitute.com/blog/patching-10-steps-to-seal-the-holes-in-your-armor/

The post Do the Basics. Do not Believe that Threat Protection Software Will Save You. appeared first on Foster Institute.

The hacking group calls themselves “Turkish Crime Family.” They are demanding $100,000 in gift cards, or $75,000 in cryptocurrency by April 7, or they will wipe all the Apple accounts. It is easy to see why people who have Macs, iPhones, and iPads are concerned.

Apple says that Apple has not been hacked, but it is likely that any compromised passwords are the result of Apple users who may have used the same password at other websites as they do for their Apple account.

What should you do?

Perhaps the best solution to protect all your online accounts, Apple and other companies as well, is to set up two step verification.

You may have experienced going to a website, entering your username and password, and then your mobile phone buzzes and tells you to enter a code such as 777888 to complete the login process. That’s one type of two step verification.

When you use that kind of two step verification, an attacker would need to steal your mobile phone too before they could log on with your username and password. So, keep your phone with you. It will be difficult for people, especially those thousands of miles away, to access your phone even if they already know your username and password.

Another, even easier to use method for two step verification is called one tap login. Then, instead of needing to enter a code that comes via text message, all you have to do is tap an app on your phone to approve a login attempt.

To set up two step verification to protect your Apple devices, follow the instructions you will find when you google the following text. Either use copy and paste or manually type these words into a Google search:

two factor authentication for apple id site:apple.com

Always keep your devices upgraded with the latest security patches. If you have an older iPhone or iPad that cannot be upgraded to at least iOS 9 or newer, or a Mac that cannot be upgraded to El Capitan or newer, then follow the instructions you will find when you google:

two step verification for Apple ID site:apple.com

Drobox, PayPal, Google apps, and many other sites already support two step verification. You just have to turn it on. Do it today for all of your sensitive accounts.

To set up two step verification on your Google accounts, visit www dot google dot com/landing/2step/

Another way to find that page is to google this text, including the first word google:

Google 2 step verification site:google.com

For instructions to set up two step verification at Dropbox, google this text:

enable two step verification site:dropbox.com

Use similar searches to find instructions for your other services. It is important to use the word site followed by the actual website of your service if you want to get the information straight from the service, not somewhere else.

But you may wonder what to do for all the sites that you use that do not support two step verification.

Remembering passwords is too much trouble, so many people, even non-technical people, use a password manager to remember the different passwords for them. When they visit a site that asks for a password, the password manager quickly and automatically fills in their username and password for them.

But of course, you can never feel positive that password managers will keep your passwords secure. So, separate your passwords into two groups:

Put the passwords that you need to keep really secure, such as bank passwords, into the first group. You may choose to omit those sensitive passwords from your password manager. You might choose to remember them in your head. Or if you don’t like that idea, then you can write them down on paper that you keep in a secure location. Writing them down isn’t as good as memorizing them, but at least it is difficult for people thousands of miles away to read the paper on which you wrote the passwords. Or, if you feel you must store those passwords in a file on your computer, then encrypt the file, and name the file something other than “my passwords”.

The second group of passwords contains passwords, such as airline website logins, that it will not devastate you in the unlikely event that your password manager gets compromised. The passwords in this group are great candidates for your password manager.

Many people put the vast majority of their passwords in the password manager. The automatic filling in process sure speeds up the login process. Additionally, since you needn’t remember passwords anymore, using different passwords at different sites is easy. In fact, people sometimes trust password managers with even their most sensitive passwords, but only if those sites use two step verification too.

And, for a sometimes fun/sometimes scary experience, if you want to see if your password might have been hacked, follow the instructions you will find in The Foster Institute blog when you google:

How to Find Out if Your Password Might Have Been Hacked site:fosterinstitute.com

Please forward this to anyone you know who uses Apple devices, as well as anyone you know who wants to make their user names and passwords much more secure.

The post Your iPhone and iPad are in Danger appeared first on Foster Institute.

Qty – Application
79 – Adobe Flash Player
84 – Microsoft Office Standard
99 – Mozilla Firefox
10 – WinPcap
25 – WinZip
And your list will be much longer…

To make your systems more secure, look through the list, and identify the applications that are essential to your doing business. Then, ask your IT Pro to remove anything that is not essential.

As you remove the non-essential programs, you make your network more secure. The fewer toe-holds, the more like The Bean, the more secure you will be.

Forward this…

The post Smooth and Slippery for IT Security appeared first on Foster Institute.