Instructions for Windows and Apple home users are listed below the numbers. For organizations, here are 10 Steps To Avoid Incidents Including the Massive Ransomware Attack:

1. The reality is that most organizations are missing critical security patches and there is a very strong likelihood that yours is too.

2. Provide your team with extra time, and perhaps additional personnel, to test and then deploy patches ASAP. Some organizations are adding a new IT professional to their team whose sole responsibility is to manage patches. If the patch fails testing, then time must be invested to resolve the issue or implement compensating controls.

3. Prioritize critical security patches for the operating system, all the browsers, Flash, Java, your PDF Reader, and Microsoft Office. They are usually the easiest to attack and form your first line of defense.

4. Many IT teams are very reluctant to apply patches for fear of breaking your systems that are already running. Help remove their fears by reassuring them that you take on responsibility if the patch causes a problem. Encourage them to follow a procedure that mitigates risks:

5. Test Patches in a test environment that uses the same applications as the rest of your network. For very small companies, your test environment might be a single computer. For larger organizations, and organizations that stand to lose a great deal in the event of an attack, create a separate testing environment that is isolated from the production environment.

6. Have a pre-tested rollback plan so that, if the patch does cause a problem, your IT team will already know what they need to do right away to roll back a patch that causes an unexpected problem. They will then go back to the testing phase.

7. Deploy the patches in stages rather than patching all machines simultaneously. That way, even if the patch does cause a problem, not all your machines will be affected.

8. You may decide to empower your IT team with a patch management tool such as Ninite, LANGuard, Shavlik, or others. Allow them to test and choose a tool, and provide them with the means and time to do so, ASAP.

9. Ask IT, perhaps weekly and at least monthly, to provide you with a list of missing patches, not a pie chart.

10. You must upgrade from older operating systems, any of the ones that Microsoft no longer supports. If some machines cannot be upgraded, then they must be isolated or some other compensating control put into place. Microsoft clearly states when they stop producing patches for old operating systems.  So, there was no patch available for Windows XP and others.

Call me if they are not able to apply patches. Let’s team up to help prevent this.

At home, or if your organization is so small that you do not have an IT team or have an outsourced IT company that takes care of your patches, be sure that the option that provides automatic updates to Microsoft is enabled. The instructions are easy to find – just google the phrase: configure automatic updates site:Microsoft.com

Apple computer users, google: Automatic security updates os x site:apple.com

iPhone and iPad users, google: Automatic security downloads ios site:apple.com

Additionally, manually check for updates in Microsoft Office to be sure those are applied. Be sure that automatic updates are enabled in your browsers. Regularly download and apply patches to, or new versions of, Flash, Java, and your PDF reader.

Please forward this to everyone you care about and want to help stay secure.

The post Patching – 10 Steps to Seal the Holes in Your Armor appeared first on Foster Institute.

The hacking group calls themselves “Turkish Crime Family.” They are demanding $100,000 in gift cards, or $75,000 in cryptocurrency by April 7, or they will wipe all the Apple accounts. It is easy to see why people who have Macs, iPhones, and iPads are concerned.

Apple says that Apple has not been hacked, but it is likely that any compromised passwords are the result of Apple users who may have used the same password at other websites as they do for their Apple account.

What should you do?

Perhaps the best solution to protect all your online accounts, Apple and other companies as well, is to set up two step verification.

You may have experienced going to a website, entering your username and password, and then your mobile phone buzzes and tells you to enter a code such as 777888 to complete the login process. That’s one type of two step verification.

When you use that kind of two step verification, an attacker would need to steal your mobile phone too before they could log on with your username and password. So, keep your phone with you. It will be difficult for people, especially those thousands of miles away, to access your phone even if they already know your username and password.

Another, even easier to use method for two step verification is called one tap login. Then, instead of needing to enter a code that comes via text message, all you have to do is tap an app on your phone to approve a login attempt.

To set up two step verification to protect your Apple devices, follow the instructions you will find when you google the following text. Either use copy and paste or manually type these words into a Google search:

two factor authentication for apple id site:apple.com

Always keep your devices upgraded with the latest security patches. If you have an older iPhone or iPad that cannot be upgraded to at least iOS 9 or newer, or a Mac that cannot be upgraded to El Capitan or newer, then follow the instructions you will find when you google:

two step verification for Apple ID site:apple.com

Drobox, PayPal, Google apps, and many other sites already support two step verification. You just have to turn it on. Do it today for all of your sensitive accounts.

To set up two step verification on your Google accounts, visit www dot google dot com/landing/2step/

Another way to find that page is to google this text, including the first word google:

Google 2 step verification site:google.com

For instructions to set up two step verification at Dropbox, google this text:

enable two step verification site:dropbox.com

Use similar searches to find instructions for your other services. It is important to use the word site followed by the actual website of your service if you want to get the information straight from the service, not somewhere else.

But you may wonder what to do for all the sites that you use that do not support two step verification.

Remembering passwords is too much trouble, so many people, even non-technical people, use a password manager to remember the different passwords for them. When they visit a site that asks for a password, the password manager quickly and automatically fills in their username and password for them.

But of course, you can never feel positive that password managers will keep your passwords secure. So, separate your passwords into two groups:

Put the passwords that you need to keep really secure, such as bank passwords, into the first group. You may choose to omit those sensitive passwords from your password manager. You might choose to remember them in your head. Or if you don’t like that idea, then you can write them down on paper that you keep in a secure location. Writing them down isn’t as good as memorizing them, but at least it is difficult for people thousands of miles away to read the paper on which you wrote the passwords. Or, if you feel you must store those passwords in a file on your computer, then encrypt the file, and name the file something other than “my passwords”.

The second group of passwords contains passwords, such as airline website logins, that it will not devastate you in the unlikely event that your password manager gets compromised. The passwords in this group are great candidates for your password manager.

Many people put the vast majority of their passwords in the password manager. The automatic filling in process sure speeds up the login process. Additionally, since you needn’t remember passwords anymore, using different passwords at different sites is easy. In fact, people sometimes trust password managers with even their most sensitive passwords, but only if those sites use two step verification too.

And, for a sometimes fun/sometimes scary experience, if you want to see if your password might have been hacked, follow the instructions you will find in The Foster Institute blog when you google:

How to Find Out if Your Password Might Have Been Hacked site:fosterinstitute.com

Please forward this to anyone you know who uses Apple devices, as well as anyone you know who wants to make their user names and passwords much more secure.

The post Your iPhone and iPad are in Danger appeared first on Foster Institute.