If you have cybersecurity insurance or feel this incident could cause significant damage, consider having a forensic analysis to track down what happened.

Contact your email provider, explain what happened, and ask for help. Continue down this list while you wait for their response.

Reset your email account password immediately. If you can’t log in because someone unauthorized reset your password, try resetting it yourself. If that doesn’t work, contact your email company’s tech support.

Check if your username and old passwords have appeared on the dark web. Visit https://haveibeenpwned.com/ and similar sites to find out. Never enter your password.

Change passwords for all your accounts including social media, banking, and other sensitive accounts, especially if you’ve used the same password for multiple accounts. Someone may have access to more than just your email.

Consider using a password manager like 1Password, Dashlane, LastPass, NordPass or another to help ease the pain of having different passwords on every website from now on.

When setting up security questions, avoid real answers that are easy for a bad actor to research. When asked, “Where were you born,” you could answer something like, “The fourth crater on the moon.” Save your secret answers in a file in a random place with a random name like “socks.docx” for when you need the answers. You can encrypt the file for added safety.

Enable two-step verification for your email account. While you are at it, set up two-step verification everywhere you can, primarily on sensitive websites and services. Here is how to add MFA to your LinkedIn account for added security https://www.linkedin.com/help/linkedin/answer/544/turning-two-step-verification-on-and-off?lang=en

If you set up two step authentication so that the site or service sends you an email message for the second part of logging in, and the hacker has access your email, it defeats the purpose of MFA. Therefore, if you set up the two-step login with email as the second step, use a different secure email address.

Review your email’s “sent” folder to spot any unrecognized messages.

Look at all your email accounts in your organization to ensure there are no email forwarding or filtering rules you did not configure.

Check your websites, especially LinkedIn, for any unauthorized changes.

Set up SPF and DKIM. More information here: https://fosterinstitute.com/block-inbound-and-outbound-fraudulent-email-messages/

Watch out for remote control applications that might allow a bad actor to compromise your computer and send email messages as you.

Be aware that your computer or another computer in your organization might be hacked, enabling attackers to send messages on your behalf. Stay vigilant and take measures to protect against such incidents.

Regularly apply critical security patches to your computer. You can check for updates manually, even if automatic updates are enabled.

Ensure your anti-virus program is current and run a manual scan regularly. Using EDR or XDR services add more security.

If you use a browser to send and receive email, this is a drastic step, but consider uninstalling the browser. When you reinstall the browser, add only the plugins you need.

If you use your phone or tablet for email, they could be hacked. Apply security patches, keep them in your possession, examine the privacy settings, and lock devices when not in use.

Watch out for apps on your computer, tablet, or phone that may be harvesting your address book without your knowledge. A drastic move would be to factory reset and erase them, but be sure your important data is stored in the cloud or backed up.

Notify financial institutions that if they receive messages from you, the messages could be fraudulent.

You might want to set up a new email address to use until you feel confident your old address is safe.

If you haven’t already, freeze your credit.

Monitor your financial accounts.

Before you send out notifications, you will want to talk to an advisor who can help you know what to say.

Please forward this to your friends so that, if someone appears to hack their email account, they will know what to do to.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post What to Do if Someone Hacks Your Email Account appeared first on Foster Institute.

–> ONE: Ask your IT team, “Do we still have Microsoft Exchange Server email software installed anywhere?”

If they answer affirmatively, even if they’re already moving to the cloud, you must continue:

–> TWO: Ask them, “What can I take off your plate or postpone so that you can immediately test and deploy the patches to the Exchange Server right now?”

Essential: Applying security updates to your Exchange server does not resolve the issue if your organization is already compromised. There might be a small program on your system quietly waiting for an attacker’s commands.

To help determine if you are already compromised: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log

If your team cannot update immediately, send them here: https://github.com/microsoft/CSS-Exchange/tree/main/Security

–> THREE: Say, “The emergency is too great to postpone. Later, let’s discuss the pros and cons of moving email to the cloud.”

Pros include eliminating one server and associated headaches. Often, online email is better for remote workers too. But you could lose some integration features you have now, for example, an on-site phone system tied into Exchange. Because saving money and streamlining is essential, online Exchange is often less expensive.

The blog posting https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log has a plethora of other information and guidance for your team related to the updates. Some organizations are experiencing errors after applying the security updates. For example, some learned they must install the updates from an elevated command prompt window. Microsoft provides more guidance:

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459

The post Three Essential Questions to Ask Your IT Team Today Because of the Massive Exchange Attack appeared first on Foster Institute.

A little background information helps explain what is going on: Every device connected to a network has a serial number, called a MAC address. That address is how the network identifies the device and differentiates it from all the other devices on a network. As you can imagine, networks need to know what devices are connected. Think of what might happen if the network thought your computer was a printer. Printer paper might not come shooting out of your keyboard, knock over your coffee or smoothie, but you get the idea.

Because the MAC address uniquely identifies you for everyone else, think of the MAC address as a fingerprint for your device. Potentially, an advertiser, or someone in a public place, could use your fingerprint, in this case, your device’s MAC address, to track you, your activities, and what networks you use.

Apple, Google, and Microsoft want to help protect your privacy, so they might periodically change the MAC address on your computer to a different address. The new behavior strives to help keep you more anonymous on public networks at hotels and coffee shops. However, randomly changing MAC addresses can break essential security features, including:

1) As my friend did, you might start receiving alarming alerts that another person connected a new device to one of your websites or accounts. The warnings are concerning until you realize it is your computer reconnecting with a new unique index. After a time, you might ignore the alerts. But then you won’t know if a real attacker broke into your account with some other computer, tablet, or phone.

2) Parental controls at home fail if the safety restrictions are unique for each family device. When a youngster disconnects and reconnects to your network, sometimes they are no longer protected.

3) Your company keeps an inventory of your computers, tablets, and phones. It is challenging to keep the list current when your IT team must track three times as many devices as you have.

How do you solve this? It is possible to disable the randomization feature, but it takes time to reconfigure. Time is a precious commodity for you and your IT team too. An example of how to disable the behavior on iPhones, iPads, and Apple Watches: support.apple.com/en-us/HT211227

However, your employees or kids could change the feature back again to help them hide on your networks.

The answer to my friend’s question is that if the website tells you a date, time, and location of that person’s login, and you know you weren’t logging in from there at that time, yes, you need to be concerned. Otherwise, your experience may be because your device is disguising itself from the website. Disable the randomization feature, and the problem might go away.

Please forward this to your friends so that if they, or their IT team, cannot figure out why some of your security features are breaking, they will know to suspect their devices are rotating through MAC addresses.

If you want more technical details, a network identifies your device with an index number called a MAC address when you connect. There are more than 280 trillion possibilities for a MAC address; the odds are that nobody you know has the same number as your device. The first half of the number identifies the manufacturer; that makes it easier to find unidentified devices on a network.

Other problems you’ll notice because of rotating MAC addresses include:

4) Security tools at the office fail to work if the security tools rely on associating users with their computers, tablets, or phones. This problem affects both BYOD and company-issued devices.

5) IT Professionals can configure necessary reservations for computers, tablets, and phones. Those reservations are based on index numbers. When the index changes, the reservation stops working, and systems can fail or lose security.

6) Your websites will forget you. Some sites have a feature to Remember This Computer, so you do not need to go through as many steps each time you log in. The sites identify your devices by their index numbers. Your device will need to be re-remembered when your index changes.

MAC addresses look like FF:FF:FF:FF:FF:FF:FF:FF where each value I listed as F can be a hexadecimal digit 0,1,2,3,4,5,6,7,8,9, A, B, C, D, E, or F. If you know where to look, your phone, tablet, and computer can tell you the MAC addresses of each network interface.

The new behavior is causing lots of frustration in the cybersecurity world. This battle isn’t over yet.

The post Your Phone, Tablet, and Computer Started Hiding You – and How to Overcome the Associated Problems appeared first on Foster Institute.

There are so many webpages about the Solar Winds attack. Here are three of the most useful. Please forward this to your IT team.

Do not let the title of this Microsoft article fool you. Microsoft explains how the attack starts and progresses, complete with diagrams. Not only is this page fascinating reading about this horrible attack, understanding the tactics helps your team protect you from future supply chain attacks:
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

Microsoft’s recommendations about how to protect Office 365: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754

SUPERNOVA is malware that different attackers made to impersonate the SolarWinds SUNBURST attack, and it is dangerous too. SolarWinds addresses both in their comprehensive information about determining if SolarWinds installations are affected and how to protect your organization: https://www.solarwinds.com/securityadvisory

Please forward this message to other organizations you care about, especially your suppliers, so their IT Pros have three of the most useful links amongst the dozens of others.

The post Three of the Most Useful Links About the SolarWinds Attack: appeared first on Foster Institute.

Official channels report that some software giants, including at least one major cloud hosting platform, are compromised. Your suppliers and vendors might be compromised and that affects you, too, even if your systems are safe.

Some steps to take:

1. Remind all of your users that they will likely receive fraudulent email messages that look more realistic than ever. Never enter usernames, passwords, or sensitive data into any forms without checking with your IT Pros first. Never transfer money based on email messages alone.

2. If you receive an email that appears fraudulent, then phone or text the sender to discuss the authenticity. If you email the sender to ask if they sent the first message, a bad actor who compromised their email system will reply to you and say that the original message is safe. Email is less trustworthy than ever, even when you start the conversation.

3. Contact your vendors, suppliers, customers, and anyone you rely upon to ask if they are following this emergency and actively looking for breaches. Ask if they check with their suppliers to require their vigilance too. Assess your risk of one of those entities failing. Have a business continuity plan in place.

4. Many organizations are temporarily disabling SolarWinds. Nobody is sure of the extent of infiltration.

5. Ask your IT pros to implement a two-step login process wherever possible. Reset passwords. Install critical security updates. Restrict account privileges as much as possible. Uninstall all non-essential software. Be hyper-vigilant of anything that appears to be an attack. Our audits and security reviews will help your IT teams secure your systems too.

Rest assured that software giants are working round-the-clock to fight the attackers. The problem is that the attackers had a head start, so they are one step ahead. And, if an organization you rely upon is compromised, it might be too late to stop. The infected organization will need to resolve the problems. They might not realize they are compromised.

The post The SolarWinds Breach Affects You Too. Ask your IT Team to Take these Steps. appeared first on Foster Institute.

The attacker does not need to know any passwords; they do not even need a username. They plug in a cable, and 3 seconds later, they’ve completely compromised your network. An attacker posing as a visitor, a copier repair person, or a member of a cleaning crew can all compromise your organization. They can steal sensitive information, install ransomware, and can shut down operations entirely. They bypass the majority of, if not all, of your other protections because now they’re a Domain Administrator.

This exploit is so severe that the Department of Homeland Security directed all federal agencies to apply the patch in accordance with the Federal Emergency Directive 20-04.

Take these three steps ASAP:

First, ask your IT team if they’ve backed up your Domain Controller servers and applied Microsoft’s patches that address the Zerologon exploit CVE-2020-1472. They must do this immediately. Be compassionate if they’ve not. IMPORTANT: Realize that if an attacker already took over a network, the patch doesn’t help.

Second, if you have Domain Controllers using operating systems older than Windows Server 2008 R2, your IT professionals must shut them down for good. Be sure to migrate any mission-critical services to other servers.

Third, does your organization rely on third parties to support you? What if one of your major suppliers, a distributor, or your biggest customer falls prey to an attack? Prepare your organization now for an interruption of their operations. Be sure their executives know about this flaw and these three steps. You do not want a catastrophe at their organization to domino and cause a disaster for you, even though you’ve protected your systems.

Additional steps:

Inform your work-from-home team members that, in some cases, the attacker can take over your network using a VPN connection. Do you have an armed guard at every work-from-home user’s home to watch visitors? Of course not. But your entire organization might rely on their security. What if a teenager’s friend feels like playing around, experimenting, with this new cool exploit on a mom or dad’s computer?

The patches only protect you from attacks from Windows devices. If an attacker accesses a network port or cable with a non-Windows machine, the attacker can still take control of your network. Microsoft will release a second patch on February 9, 2021. Ask your IT team to configure alerts now to monitor security log events 5827 thru 5831 to see when connections are allowed or denied.

The average time for IT Professionals to apply critical security patches is five months, but you need to help yours be above average. Ask them what you can do to help them have time to test and install all critical security patches within 14 days or sooner. They might want to have a patch management tool. They might need more time to devote to applying updates.

Confirm that your IT Team disconnects or disables all unused Ethernet ports, including those in conference rooms. Lock doors to any offices and conference rooms that contain active Ethernet ports. Train everyone to be proactive and remove opportunities for anyone, including guests and repair people, to plug a device into a network port.

Keep in mind that 911 systems, airlines, governments, and every organization that you depend on are at risk for Zerologon exploit CVE-2020-1472 until they take action too.

Please forward this to fellow executives you care about so they can support their IT Professionals successfully backing up servers and applying the emergency patch.

The post Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them appeared first on Foster Institute.

When another family member shares a work-from-home computer, it magnifies your risk exponentially. If users already work from home using personal home computers, there are potentially cost-free steps to help protect your organization. Consider allowing them to take their work computer home. If their work computer doesn’t have wireless access, you can provide an inexpensive USB wireless adapter.

Allow your IT professionals, or IT consultants, to monitor and maintain the security of those computers. Many protection tools support remote users, so you might already have what you need.

Dedicated work computers must remain off-limits to other family members. Set a firm boundary that your workers are not authorized to use the computers for any purpose other than working.

Please forward this to your friends, so they know this cost-free way to help protect work-from-home users.

The post One Nine-Year-Old Checking her Email can Breach Your Entire Organization, and How to Protect Yourself appeared first on Foster Institute.

Believing that small to mid-size businesses are not targets helps business owners and executives sleep better at night. The thought is comforting.

However, the reality is that instead of choosing targets based on organization size, the majority of attackers choose soft, easy to breach, targets. In particular, that category includes work-from-home computers.

In our consulting business, we’re seeing many firms suffer major breaches that originate at an unsuspecting work-from-home user’s computer.

Please forward this to your friends so they know that it may feel comforting to believe attackers only go after the big companies, that belief is putting their organization at tremendous risk.

The post Be Smart and Avoid This Comforting Belief appeared first on Foster Institute.

• They may be married and have a family
• Introverted with a close group of friends
• Often learned to program at a young age
• College educated, often in electronics, IT, or physics
• No social media accounts – to avoid drawing attention
• Believe that soft drugs, such as marijuana, help them work

Notice that the Secret Service doesn’t specify a gender.

Please forward this to your friends, so they know their adversaries a little bit better.

The post A Hacker Profile – Who Are They? appeared first on Foster Institute.

You’ll make your computer less attractive to attackers, and it limits the window during which they can attack. You have nothing to lose, and you might even reduce your power bill!

Please forward this to all of your friends, so they know this simple step to protect themselves.

The post Power Down to Boost Security appeared first on Foster Institute.