<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyber Security Best Practices Archives - Foster Institute</title>
	<atom:link href="https://fosterinstitute.com/tag/cyber-security-best-practices/feed/" rel="self" type="application/rss+xml" />
	<link>https://fosterinstitute.com/tag/cyber-security-best-practices/</link>
	<description>Cybersecurity Experts</description>
	<lastBuildDate>Thu, 07 Jul 2022 19:34:51 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://fosterinstitute.com/wp-content/uploads/2021/02/Favicon.png</url>
	<title>Cyber Security Best Practices Archives - Foster Institute</title>
	<link>https://fosterinstitute.com/tag/cyber-security-best-practices/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Battery Backup for Your Work from Home Users’ Internet and Computers for Power Outages</title>
		<link>https://fosterinstitute.com/essential-equipment-for-work-from-home-users-during-power-outages/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 07 Jul 2022 08:34:02 +0000</pubDate>
				<category><![CDATA[Family Security]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[it best practices]]></category>
		<category><![CDATA[IT security consultant]]></category>
		<category><![CDATA[it security expert]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3449</guid>

					<description><![CDATA[<p>Assuming your remote workers’ temperature is ok, they can continue to work at home during short power outages. You can encourage them to buy, or even issue them, a small uninterruptible power supply (UPS) for their Internet router. Laptops have built-in battery power. If a worker has a desktop computer or other networking equipment, those [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/essential-equipment-for-work-from-home-users-during-power-outages/">Battery Backup for Your Work from Home Users’ Internet and Computers for Power Outages</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Assuming your remote workers’ temperature is ok, they can continue to work at home during short power outages.</p>
<p>You can encourage them to buy, or even issue them, a small uninterruptible power supply (UPS) for their Internet router. Laptops have built-in battery power. If a worker has a desktop computer or other networking equipment, those devices must be on a more powerful battery backup.</p>
<p>If you are comparing unit run times, watts are usually a better comparison than VA. A 500W UPS, around one hundred dollars, will probably run an Internet router for between one and two hours. You can ask your IT Pro if you want more details and find out their favorite brand name. APC, Tripp Lite, and CyberPower are popular brands. (The Foster Institute does not receive any compensation for mentioning brands, nor is this an endorsement of the brands. You might find it helpful to know what products our clients find useful).</p>
<p>Please forward this to your friends who might benefit if their workers stay connected during a power outage.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Three Essential Questions to Ask Your IT Team Today Because of the Massive Exchange Attack</title>
		<link>https://fosterinstitute.com/three-essential-questions-to-ask-your-it-team-today-because-of-the-massive-exchange-attack/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Mon, 08 Mar 2021 17:48:54 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[it security review]]></category>
		<category><![CDATA[IT security training]]></category>
		<category><![CDATA[recommendations]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Security expert]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3467</guid>

					<description><![CDATA[<p>So far, it appears that more than 30,000 organizations, including small businesses, are compromised. The US National Security Council urges organizations, including small businesses, to &#8220;take immediate measures&#8221; to detect compromise. &#8211;&#62; ONE: Ask your IT team, &#8220;Do we still have Microsoft Exchange Server email software installed anywhere?&#8221; If they answer affirmatively, even if they&#8217;re [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/three-essential-questions-to-ask-your-it-team-today-because-of-the-massive-exchange-attack/">Three Essential Questions to Ask Your IT Team Today Because of the Massive Exchange Attack</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>So far, it appears that more than 30,000 organizations, including small businesses, are compromised. The US National Security Council urges organizations, including small businesses, to &#8220;take immediate measures&#8221; to detect compromise.<span id="more-3467"></span></p>
<p>&#8211;&gt; <strong>ONE</strong>: Ask your IT team, &#8220;Do we still have Microsoft Exchange Server email software installed anywhere?&#8221;</p>
<p>If they answer affirmatively, even if they&#8217;re already moving to the cloud, you must continue:</p>
<p>&#8211;&gt; <strong>TWO</strong>: Ask them, &#8220;What can I take off your plate or postpone so that you can immediately test and deploy the patches to the Exchange Server right now?&#8221;</p>
<p>Essential: Applying security updates to your Exchange server does not resolve the issue if your organization is already compromised. There might be a small program on your system quietly waiting for an attacker&#8217;s commands.</p>
<p>To help determine if you are already compromised: <a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log" target="_blank" rel="noopener">https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log</a></p>
<p>If your team cannot update immediately, send them here: <a href="https://github.com/microsoft/CSS-Exchange/tree/main/Security" target="_blank" rel="noopener">https://github.com/microsoft/CSS-Exchange/tree/main/Security</a></p>
<p>&#8211;&gt; <strong>THREE</strong>: Say, &#8220;The emergency is too great to postpone. Later, let&#8217;s discuss the pros and cons of moving email to the cloud.&#8221;</p>
<p>Pros include eliminating one server and associated headaches. Often, online email is better for remote workers too. But you could lose some integration features you have now, for example, an on-site phone system tied into Exchange. Because saving money and streamlining is essential, online Exchange is often less expensive.</p>
<p>The blog posting <a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log" target="_blank" rel="noopener">https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log</a> has a plethora of other information and guidance for your team related to the updates. Some organizations are experiencing errors after applying the security updates. For example, some learned they must install the updates from an elevated command prompt window. Microsoft provides more guidance:</p>
<p><a href="https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/" target="_blank" rel="noopener">https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/</a></p>
<p><a href="https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b" target="_blank" rel="noopener">https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b</a></p>
<p><a href="https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459" target="_blank" rel="noopener">https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Prepare Now to Recover Quickly from Ransomware on Mac and Windows Computers</title>
		<link>https://fosterinstitute.com/prepare-now-to-recover-quickly-from-ransomware-on-mac-and-windows-computers/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 28 Jan 2021 17:31:33 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3421</guid>

					<description><![CDATA[<p>Equip all of your Work from Home users with a cloned drive so they can help protect your network and get up and running quickly if they get ransomware or if their hard drive crashes. Protect your home family computers the same way. Cloning a hard drive creates a second drive that looks, to a [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/prepare-now-to-recover-quickly-from-ransomware-on-mac-and-windows-computers/">Prepare Now to Recover Quickly from Ransomware on Mac and Windows Computers</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Equip all of your Work from Home users with a cloned drive so they can help protect your network and get up and running quickly if they get ransomware or if their hard drive crashes. Protect your home family computers the same way.<span id="more-3421"></span></p>
<p>Cloning a hard drive creates a second drive that looks, to a computer, identical to the source drive. If your laptop or computer gets ransomware or seems infected somehow, you can restore a cloned drive&#8217;s image to effectively reset the computer to how it was when you most recently made a clone. Additionally, if the hard drive crashes, the clone could quickly replace that drive&#8217;s functionality.</p>
<p>Create frequent clones of your computer&#8217;s hard disk to one or more external USB hard drives. Keep making your other backups too.</p>
<p>For Windows computers, Microsoft provides the System Image Creation feature. Commercial options include Shadow Protect Desktop from StorageCraft and Acronis True Image.</p>
<p>For Macs, options include Carbon Copy Cloner, Acronis True Image, and SuperDuper! Check compatibility with your version of OSX. Apple Time Machine is always compatible, and it is possible to boot into recovery mode to restore a drive from Time Machine, but it&#8217;s not a clone.</p>
<p>(We do not receive compensation for, nor do we endorse specific products. It is essential to give you examples.)</p>
<p>Please forward this to your friends to ensure they know cloned hard drives often permit speedy recovery of ransomed computers. If they have a clone image of a hard drive, work from home users can likely stay productive even when their computer malfunctions.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Tips and Tricks: An Unconventional way to Protect Yourself from SolarWinds and Future Hacks</title>
		<link>https://fosterinstitute.com/tips-and-tricks-an-unconventional-way-to-protect-yourself-from-solarwinds-and-future-hacks/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Wed, 13 Jan 2021 22:53:39 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Executives and IT]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[it risk management]]></category>
		<category><![CDATA[it security audit]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3406</guid>

					<description><![CDATA[<p>Will running one rarely used program stop future attacks? It will in the SolarWinds attack and perhaps stop future compromises too. It makes sense that malware uses strategies to infect and hide inside of networks undetected. Here is some fascinating insight into that self-preservation: The malware related to the SolarWinds attack looks for specific security-related [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/tips-and-tricks-an-unconventional-way-to-protect-yourself-from-solarwinds-and-future-hacks/">Tips and Tricks: An Unconventional way to Protect Yourself from SolarWinds and Future Hacks</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Will running one rarely used program stop future attacks? It will in the SolarWinds attack and perhaps stop future compromises too.<span id="more-3406"></span></p>
<p>It makes sense that malware uses strategies to infect and hide inside of networks undetected. Here is some fascinating insight into that self-preservation: The malware related to the SolarWinds attack looks for specific security-related software, including a free program named Wireshark, before installing itself. If Wireshark is running in Windows, the virus installation terminates itself.</p>
<p>Should you run Wireshark on your computers 24&#215;7? Ordinarily, IT Professionals remove Wireshark in case attackers installed it. Paradoxically, running Wireshark will stop the initial activation of the SolarWinds attack. Wireshark is not the only choice. Open this Microsoft article and use CTRL-F to search for the word Wireshark to see the other security-related tools that will horrify some malware: <a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" rel="noopener">https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/</a></p>
<p>But, after SUNBURST installs itself, it is too late. It doesn&#8217;t look for security-related tools after installation.</p>
<p>This message is not a recommendation to run these applications, nor is it intended to dissuade you. If organizations start adopting this strategy to thwart cautious attacks, it will be interesting to see how malware responds.</p>
<p>Forward this article to your friends so they receive this insight into how bad actors strive to avoid detection and discuss implementing this unconventional approach to stopping malware installations.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Three of the Most Useful Links About the SolarWinds Attack:</title>
		<link>https://fosterinstitute.com/three-of-the-most-useful-links-about-the-solarwinds-attack/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 07 Jan 2021 17:37:03 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[it security review]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3386</guid>

					<description><![CDATA[<p>Even if you don&#8217;t use SolarWinds, your suppliers and customers might. In some cases, your security is only as good as their security. There are so many webpages about the SolarWinds attack. Here are three of the most useful. Please forward this to your IT team. Do not let the title of this Microsoft [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/three-of-the-most-useful-links-about-the-solarwinds-attack/">Three of the Most Useful Links About the SolarWinds Attack:</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Even if you don&#8217;t use SolarWinds, your suppliers and customers might. In some cases, your security is only as good as their security.</p>
<p>There are so many webpages about the SolarWinds attack. Here are three of the most useful. Please forward this to your IT team.<span id="more-3386"></span></p>
<p>Do not let the title of this Microsoft article fool you. Microsoft explains how the attack starts and progresses, complete with diagrams. Not only is this page fascinating reading about this horrible attack, understanding the tactics helps your team protect you from future supply chain attacks:<br />
<a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" rel="noopener">https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/</a></p>
<p>Microsoft&#8217;s recommendations about how to protect Office 365: <a href="https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754" target="_blank" rel="noopener">https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754</a></p>
<p>SUPERNOVA is malware that different attackers made to impersonate the SolarWinds SUNBURST attack, and it is dangerous too. SolarWinds addresses both in their comprehensive information about determining if SolarWinds installations are affected and how to protect your organization: <a href="https://www.solarwinds.com/securityadvisory" target="_blank" rel="noopener">https://www.solarwinds.com/securityadvisory</a></p>
<p>Please forward this message to other organizations you care about, especially your suppliers, so their IT Pros have three of the most useful links amongst the dozens of others.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The SolarWinds Breach Affects You Too. Ask your IT Team to Take these Steps.</title>
		<link>https://fosterinstitute.com/the-solarwinds-breach-affects-you-too-ask-your-it-team-to-take-these-steps/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Wed, 30 Dec 2020 21:07:04 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Email Security]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Technology Tips]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[it risk management]]></category>
		<category><![CDATA[IT security consultant]]></category>
		<category><![CDATA[it security review]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3378</guid>

					<description><![CDATA[<p>The investigation into the SolarWinds breach keeps revealing more shocking ways attackers infiltrated organizations. Even if your organization doesn&#8217;t use SolarWinds, you must take action. Official channels report that some software giants, including at least one major cloud hosting platform, are compromised. Your suppliers and vendors might be compromised and that affects you, too, even [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/the-solarwinds-breach-affects-you-too-ask-your-it-team-to-take-these-steps/">The SolarWinds Breach Affects You Too. Ask your IT Team to Take these Steps.</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The investigation into the SolarWinds breach keeps revealing more shocking ways attackers infiltrated organizations. Even if your organization doesn&#8217;t use SolarWinds, you must take action.<span id="more-3378"></span></p>
<p>Official channels report that some software giants, including at least one major cloud hosting platform, are compromised. Your suppliers and vendors might be compromised and that affects you, too, even if your systems are safe.</p>
<p>Some steps to take:</p>
<p>1. Remind all of your users that they will likely receive fraudulent email messages that look more realistic than ever. Never enter usernames, passwords, or sensitive data into any forms without checking with your IT Pros first. Never transfer money based on email messages alone.</p>
<p>2. If you receive an email that appears fraudulent, then phone or text the sender to discuss the authenticity. If you email the sender to ask if they sent the first message, a bad actor who compromised their email system will reply to you and say that the original message is safe. Email is less trustworthy than ever, even when you start the conversation.</p>
<p>3. Contact your vendors, suppliers, customers, and anyone you rely upon to ask if they are following this emergency and actively looking for breaches. Ask if they check with their suppliers to require their vigilance too. Assess your risk of one of those entities failing. Have a business continuity plan in place.</p>
<p>4. Many organizations are temporarily disabling SolarWinds. Nobody is sure of the extent of infiltration.</p>
<p>5. Ask your IT pros to implement a two-step login process wherever possible. Reset passwords. Install critical security updates. Restrict account privileges as much as possible. Uninstall all non-essential software. Be hyper-vigilant of anything that appears to be an attack. Our audits and security reviews will help your IT teams secure your systems too.</p>
<p>Rest assured that software giants are working round-the-clock to fight the attackers. The problem is that the attackers had a head start, so they are one step ahead. And, if an organization you rely upon is compromised, it might be too late to stop. The infected organization will need to resolve the problems. They might not realize they are compromised.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Emergency Update if Your IT Team Uses SolarWinds Products, and How to Protect Against Supply Chain Attacks</title>
		<link>https://fosterinstitute.com/emergency-update-if-your-it-team-uses-solarwinds-products-and-how-to-protect-against-supply-chain-attacks/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Tue, 15 Dec 2020 16:15:23 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[CCleaner]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Executives and IT]]></category>
		<category><![CDATA[Infection Vector]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[IT Risk Management]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[SolarWinds]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[it security audit]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3367</guid>

					<description><![CDATA[<p>Bad actors compromised a product called SolarWinds Orion and then used that as a vector to attack organizations. Ask your IT team if they use SolarWinds products, and if so, they must visit SolarWinds dot com/security advisory immediately for more information. SolarWinds is a well-respected organization, and many organizations utilize their products. Not enough details are [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/emergency-update-if-your-it-team-uses-solarwinds-products-and-how-to-protect-against-supply-chain-attacks/">Emergency Update if Your IT Team Uses SolarWinds Products, and How to Protect Against Supply Chain Attacks</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Bad actors compromised a product called SolarWinds Orion and then used that as a vector to attack organizations. Ask your IT team if they use SolarWinds products, and if so, they must <span id="more-3367"></span>visit SolarWinds dot com/security advisory immediately for more information.</p>
<p>SolarWinds is a well-respected organization, and many organizations utilize their products. Not enough details are known to discredit their organization. Clearly, attackers see them as valuable enough to use as an infection vector.</p>
<p>This is called a supply chain attack because bad actors use a trusted product in an organization&#8217;s supply chain to attack the organization. A similar well-publicized attack happened with a popular tool, with many benefits, called CCleaner. The attackers successfully compromised 2.3 Million PCs.</p>
<p>The CCleaner supply chain attack is an illustration of dwell time. Attackers waited five months from the time they gained access to CCleaner before they launched the attack on CCleaner users. Many computers were safe, but not 2.3 Million of them.</p>
<p>Remember: Just because your organization fixes a vector through which the infection came does not eliminate damage already done. As an analogy, if you were the king or queen of a castle, and you found that attackers entered your castle walls to attack your city, raising the bridge over your moat does not eliminate the attackers who already made it inside.</p>
<p>Supply chain attacks are one of many reasons to eliminate as much software as possible at your organization. If a program is not essential, remove it asap. SolarWinds is vital for many organizations.</p>
<p>Please forward this to your friends so they can alert their IT departments to address this situation, and know to remove all non-essential software from all computers.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Beware: Attackers Buy Top Search Engine Results to Trick You</title>
		<link>https://fosterinstitute.com/beware-attackers-buy-top-search-engine-results-to-trick-you/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Wed, 18 Nov 2020 16:40:14 +0000</pubDate>
				<category><![CDATA[browser security]]></category>
		<category><![CDATA[Credit Card Security]]></category>
		<category><![CDATA[Cyber Fraud]]></category>
		<category><![CDATA[Cyber Scams]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Family Cyber Safety]]></category>
		<category><![CDATA[Malicious Advertising]]></category>
		<category><![CDATA[Online Security]]></category>
		<category><![CDATA[Password Safety]]></category>
		<category><![CDATA[Technology Safety Tips]]></category>
		<category><![CDATA[Website Security]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[Cyber Security Tips]]></category>
		<category><![CDATA[Internet Safety Tips]]></category>
		<category><![CDATA[it security audit]]></category>
		<category><![CDATA[IT security consultant]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3351</guid>

					<description><![CDATA[<p>What seems to be the best way to find a company&#8217;s website? Use a search engine, of course. The danger is that scammers can pay for top spots on search engine results to trick you into accessing a malicious site. Here is how the scam works: Suppose you want to look up a company online [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/beware-attackers-buy-top-search-engine-results-to-trick-you/">Beware: Attackers Buy Top Search Engine Results to Trick You</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>What seems to be the best way to find a company&#8217;s website? Use a search engine, of course. The danger is that scammers can pay for top spots on search engine results to trick you into accessing a malicious site. <span id="more-3351"></span></p>
<p>Here is how the scam works: Suppose you want to look up a company named Super Duper online, so you type the store&#8217;s name into your favorite search engine. An attacker might have purchased the top result to take you to superduperco.com, a website the attackers set up and named to resemble the real one. However, if you knew to scroll down past the paid-for results, you would have seen that the real website is superduper.com.</p>
<p>Their deceptive site might contain malicious advertising, ask you to enter credit card numbers during checkout, or tempt you to download malicious programs and apps. They might ask you to log in or reset a password, and they capture the password you type in.</p>
<p>If you look up a retailer in a search engine, skip past the ads and paid results. Scroll down to see real search results. Even then, be skeptical in case attackers used SEO techniques to appear at the top of the actual search results.</p>
<p>Please forward this to your friends to alert their users that top search engine results can be a trap.</p>
<p>The post <a href="https://fosterinstitute.com/beware-attackers-buy-top-search-engine-results-to-trick-you/">Beware: Attackers Buy Top Search Engine Results to Trick You</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them</title>
		<link>https://fosterinstitute.com/attackers-can-take-control-of-your-network-in-three-seconds-and-how-to-stop-them/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 23 Oct 2020 19:03:56 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Patches]]></category>
		<category><![CDATA[Remote Worker Security]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[Technology Safety Tips]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[it security audit]]></category>
		<category><![CDATA[it security review]]></category>
		<category><![CDATA[IT security training]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[risk management]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3333</guid>

					<description><![CDATA[<p>An attacker can plug into any network port in your building and, within 3 seconds, take control of your entire network. The attacker does not need to know any passwords; they do not even need a username. They plug in a cable, and 3 seconds later, they&#8217;ve completely compromised your network. An attacker posing as [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/attackers-can-take-control-of-your-network-in-three-seconds-and-how-to-stop-them/">Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>An attacker can plug into any network port in your building and, within 3 seconds, take control of your entire network.<span id="more-3333"></span></p>
<p>The attacker does not need to know any passwords; they do not even need a username. They plug in a cable, and 3 seconds later, they&#8217;ve completely compromised your network. An attacker posing as a visitor, a copier repair person, or a member of a cleaning crew can compromise your organization. They can steal sensitive information, install ransomware, and shut down operations entirely. They bypass the majority, if not all, of your other protections because now they&#8217;re a Domain Administrator.</p>
<p>This exploit is so severe that the Department of Homeland Security directed all federal agencies to apply the patch in accordance with the Federal Emergency Directive 20-04.</p>
<p>Take these three steps ASAP:</p>
<p>First, ask your IT team if they&#8217;ve backed up your Domain Controller servers and applied Microsoft&#8217;s patches that address the Zerologon exploit CVE-2020-1472. They must do this immediately. Be compassionate if they&#8217;ve not. IMPORTANT: Realize that if an attacker already took over a network, the patch doesn&#8217;t help.</p>
<p>Second, if you have Domain Controllers using operating systems older than Windows Server 2008 R2, your IT professionals must shut them down for good. Be sure to migrate any mission-critical services to other servers.</p>
<p>Third, does your organization rely on third parties to support you? What if one of your major suppliers, a distributor, or your biggest customer falls prey to an attack? Prepare your organization now for an interruption of their operations. Be sure their executives know about this flaw and these three steps. You do not want a catastrophe at their organization to domino and cause a disaster for you, even though you&#8217;ve protected your systems.</p>
<p>Additional steps:</p>
<p>Inform your work-from-home team members that, in some cases, the attacker can take over your network using a VPN connection. Do you have an armed guard at every work-from-home user&#8217;s home to watch visitors? Of course not. But your entire organization might rely on their security. What if a teenager&#8217;s friend feels like playing around and experimenting with this cool new exploit on a mom&#8217;s or dad&#8217;s computer?</p>
<p>The patches only protect you from attacks from Windows devices. If an attacker accesses a network port or cable with a non-Windows machine, the attacker can still take control of your network. Microsoft will release a second patch on February 9, 2021. Ask your IT team to configure alerts now to monitor security log events 5827 through 5831 to see when connections are allowed or denied.</p>
<p>The average time for IT Professionals to apply critical security patches is five months, but you need to help yours be above average. Ask them what you can do to help them have time to test and install all critical security patches within 14 days or sooner. They might want to have a patch management tool. They might need more time to devote to applying updates.</p>
<p>Confirm that your IT Team disconnects or disables all unused Ethernet ports, including those in conference rooms. Lock doors to any offices and conference rooms that contain active Ethernet ports. Train everyone to be proactive and remove opportunities for anyone, including guests and repair people, to plug a device into a network port.</p>
<p>Keep in mind that 911 systems, airlines, governments, and every organization that you depend on are at risk from the Zerologon exploit (CVE-2020-1472) until they take action too.</p>
<p>Please forward this to fellow executives you care about so they can support their IT Professionals in successfully backing up servers and applying the emergency patch.</p>
<p>The post <a href="https://fosterinstitute.com/attackers-can-take-control-of-your-network-in-three-seconds-and-how-to-stop-them/">Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>If You Get Hacked, Do Not Email Anyone About It</title>
		<link>https://fosterinstitute.com/if-you-get-hacked-do-not-email-anyone-about-it/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 15 Oct 2020 21:17:38 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Business Email Compromise]]></category>
		<category><![CDATA[Cyber Scams]]></category>
		<category><![CDATA[Cyber Security Breach]]></category>
		<category><![CDATA[Executives and IT]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[it best practices]]></category>
		<category><![CDATA[it risk management]]></category>
		<category><![CDATA[it security audit]]></category>
		<category><![CDATA[it security expert]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3329</guid>

					<description><![CDATA[<p>You&#8217;ve trained your users to be vigilant for symptoms of cybersecurity issues. Now teach them to share their concerns confidentially. Alert your users today: Tell them that, if they suspect something, they should avoid opening a support ticket or emailing your IT professionals about the concern. More often than ever before, bad actors infiltrate organizations in a [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/if-you-get-hacked-do-not-email-anyone-about-it/">If You Get Hacked, Do Not Email Anyone About It</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>You&#8217;ve trained your users to be vigilant for symptoms of cybersecurity issues. Now teach them to share their concerns confidentially.<span id="more-3329"></span><br />
Alert your users today: Tell them that, if they suspect something, they should avoid opening a support ticket or emailing your IT professionals about the concern.</p>
<p>More often than ever before, bad actors infiltrate organizations in a slow, methodical way. They can remain undetected for weeks, months, even years. The FBI uses the term dwell time to designate the period from when attackers infiltrate systems until you discover them. The FBI warns businesses that attackers can cause significant damage during dwell time. Bad actors quickly establish backdoors to ensure access, even if you block their first point of entry. They deploy keyloggers on systems to record keystrokes. If your cyber assets are compromised, the bad actors can potentially monitor your messages to find out when you discover their presence in your network, computers, applications, cloud resources, websites, or anywhere else.</p>
<p>Once attackers know you&#8217;ve discovered their infiltration, that triggers them to move forward with their next phase, often contacting you to demand a ransom. Sometimes they threaten severe consequences if you attempt to recover your system in any other way than paying them. Since they are in your systems, you must take the threats seriously.</p>
<p>Establish a protocol for workers to communicate suspicions in some method other than email.</p>
<p>Even your IT department must avoid emailing each other questions such as, &#8220;I received an alert that someone is resetting an administrator password. That&#8217;s odd. Is that you?&#8221; Instead, they must communicate by mobile phone or radio.</p>
<p>If you suspect a breach and contact us, consider phoning. If you must email, use a personal account outside of your company account, and use a phone or some device other than a company computer&#8217;s keyboard to send the message.</p>
<p>I’m not talking about when users receive a phishing message. I’m talking about if they receive a phishing message that includes customer account information, if an important file is missing or won’t open, or if they receive an unexpected login request on a website or to open a file. IT needs to investigate these early-warning signs.</p>
<p>Please forward this to other executives you care about so they can establish a mobile hotline number for users to reach the IT team to report suspicious activity. Help avoid triggering attackers’ responses before your IT team has time to react and, hopefully, mitigate a potential cybersecurity disaster.</p>
<p>The post <a href="https://fosterinstitute.com/if-you-get-hacked-do-not-email-anyone-about-it/">If You Get Hacked, Do Not Email Anyone About It</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
