Beware of additional fraud. Several sites are claiming to help you find out if you were part of the breach, but of course, the sites ask for personal information. Be safe: Use the contact information provided by Equifax. The Equifax FAQ says to visit: https://www.equifaxsecurity2017.com/

To find out if you are affected, that site points you to: https://www.equifaxbreachsettlement.com/

For identity theft, credit monitoring is helpful, so you know you are a victim, but by then, it is too late.

Placing credit freezes are a critical step in preventing your identity from being stolen.”

Freeze your credit, everyone in your family’s, at all major credit bureaus. To save you time, here are four and how to reach them:

Experian (888) 397-3742
https://www.experian.com/freeze/center.html

TransUnion LLC – To Freeze: (888) 909-8872
https://www.transunion.com/credit-freeze

Equifax Information Services, LLC (800) 685-1111
https://www.equifax.com/personal/credit-report-services/

Innovis – To Freeze: (800) 540-2505
https://www.innovis.com/personal/securityFreeze

Please forward this to your friends. If they don’t understand the importance of a credit freeze, The FTC provides more information at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

The post Find Out if You Can Collect a Bundle from the Equifax Breach appeared first on Foster Institute.

Instructions for Windows and Apple home users are listed below the numbers. For organizations, here are 10 Steps To Avoid Incidents Including the Massive Ransomware Attack:

1. The reality is that most organizations are missing critical security patches and there is a very strong likelihood that yours is too.

2. Provide your team with extra time, and perhaps additional personnel, to test and then deploy patches ASAP. Some organizations are adding a new IT professional to their team whose sole responsibility is to manage patches. If the patch fails testing, then time must be invested to resolve the issue or implement compensating controls.

3. Prioritize critical security patches for the operating system, all the browsers, Flash, Java, your PDF Reader, and Microsoft Office. They are usually the easiest to attack and form your first line of defense.

4. Many IT teams are very reluctant to apply patches for fear of breaking your systems that are already running. Help remove their fears by reassuring them that you take on responsibility if the patch causes a problem. Encourage them to follow a procedure that mitigates risks:

5. Test Patches in a test environment that uses the same applications as the rest of your network. For very small companies, your test environment might be a single computer. For larger organizations, and organizations that stand to lose a great deal in the event of an attack, create a separate testing environment that is isolated from the production environment.

6. Have a pre-tested rollback plan so that, if the patch does cause a problem, your IT team will already know what they need to do right away to roll back a patch that causes an unexpected problem. They will then go back to the testing phase.

7. Deploy the patches in stages rather than patching all machines simultaneously. That way, even if the patch does cause a problem, not all your machines will be affected.

8. You may decide to empower your IT team with a patch management tool such as Ninite, LANGuard, Shavlik, or others. Allow them to test and choose a tool, and provide them with the means and time to do so, ASAP.

9. Ask IT, perhaps weekly and at least monthly, to provide you with a list of missing patches, not a pie chart.

10. You must upgrade from older operating systems, any of the ones that Microsoft no longer supports. If some machines cannot be upgraded, then they must be isolated or some other compensating control put into place. Microsoft clearly states when they stop producing patches for old operating systems.  So, there was no patch available for Windows XP and others.

Call me if they are not able to apply patches. Let’s team up to help prevent this.

At home, or if your organization is so small that you do not have an IT team or have an outsourced IT company that takes care of your patches, be sure that the option that provides automatic updates to Microsoft is enabled. The instructions are easy to find – just google the phrase: configure automatic updates site:Microsoft.com

Apple computer users, google: Automatic security updates os x site:apple.com

iPhone and iPad users, google: Automatic security downloads ios site:apple.com

Additionally, manually check for updates in Microsoft Office to be sure those are applied. Be sure that automatic updates are enabled in your browsers. Regularly download and apply patches to, or new versions of, Flash, Java, and your PDF reader.

Please forward this to everyone you care about and want to help stay secure.

The post Patching – 10 Steps to Seal the Holes in Your Armor appeared first on Foster Institute.

What to do:

First: Ask your web application designer to patch OpenSSL if your site uses OpenSSL (about 85% do). Consider telling them to “get new keys” for your site in case your old keys are already stolen.

Second: Reset your passwords on the websites on which you care to keep your information secure. Know that the web site’s you’ve been visiting may have already been compromised, and will remain compromised until those sites fix the problem. Once they fix the problem, you need to reset your password again.

LastPass created a tool that will allow you to see if a site is susceptible to Heartbleed. Visit: LastPass

Websites, perhaps including yours, that use encryption, may be completely vulnerable. Attackers can access the “keys” that are used to securely lock your data during transit. Once the attacker has the keys, they can read sensitive data from your site and use the keys to bypass your protection. Without getting technical, this relates to sites that use the “s” as in https:\\websitename.com vs. sites that aren’t encrypted http:\\websitename.com

Additionally, until the websites that you visit apply their fixes too, your information will be vulnerable too. This includes shopping sites, banking sites, and other sites that you trust. Not only do the sites need to patch the security holes, they need to register for brand new “keys.”

Please post your comments below ….

The post Heartbleed Hack Impacts You Too appeared first on Foster Institute.

By the way, here is a short 2 minutes and 40 seconds video that explains this: 

Is the bank kidding? Reduce security? Really? One of the reasons you have security is to protect against attackers gaining access to your online banking!

Often, banks tell IT to disable protections so you don’t experience technical difficulties. If your security measures mistakenly identify the bank as an attacker, the online banking may not work right.

Two key points:

1. The bank is simply passing along instructions from the company that provides the electronic banking services to the bank. This isn’t the bank’s idea.
2. It isn’t just banks. Some of our customers have insurance software providers, medical applications, voice enabled tools, etc, telling our customers to reduce security on some of the customer’s machines.

So what do you do when a vendor tells your IT Pros to lower your defenses? You tell your IT person to keep security in place and to open up the bare minimum that the banking functions need in order to operate properly.

Tight restrictions are the key. Your IT Professionals know that they can still protect users when the users visit other web sites, and still set a browser exception just for the bank’s site. Your IT Professionals understand about reducing security only on source and destination locations (in this case, between your network and the bank) in order to provide more leeway during online banking communications but still restrict other communications.

Sometimes banks recommend that you set up a separate computer to use only for banking. See: Should Executives Buy a Second Computer for Banking?

There is a chance your IT Professional may elect to configure a “virtual computer” inside one of the workstations so you don’t need to buy another machine. The same posting, Should Executives Buy a Second Computer for Banking?, includes information about a third strategy too.

In a perfect world, 100% of the companies that provide software applications to banks (and elsewhere) will invest the time to make their applications function properly with strong security still in place.

But vendors are incentivized to produce “inexpensive” software. Things will get better when enough Executives, like you, start understanding this problem, and demanding better service!

If you haven’t already, ask your IT professionals if your banking applications mandated any kind of reduced security settings. Your IT Pros will be happy you started this discussion. They want to keep your network secure and sometimes don’t want to interrupt you and respect your dedication to your own tasks.

Please forward this to your friends and post your comments below…

The post The Bank Tells Us To Disable Security! appeared first on Foster Institute.

First of all, realize that someone may be watching your data go back and forth to the web sites you visit. Behave accordingly.

Second, know that when you visit a web site with an address that starts with HTTPS://, rather than HTTP:// without the S, the attack process becomes much more difficult. Using your bank web site is more secure than looking up nearby restaurants on yelp.com.

Third, accessing your email from a public place? It depends on how your IT professionals configured the connection. Not always, but usually accessing email is secure. Check with a qualified IT professional to be sure. If they use Outlook Web Access OWA or Outlook Anywhere, there are built-in mechanisms to help keep your data secure.

And, a bonus tip is to know that one of the best ways to protect yourself is to not use Wi-Fi at all. Instead, sign up for a data plan from ATT, Verizon, Sprint or other carrier. And, if you have tethering on your phone—guess what, the connection from the phone to your computer may very well be, you guessed it, Wi-Fi!

Post your comments on this blog.

The post Three tips for using Wi-Fi in public places appeared first on Foster Institute.

In some cases, the application patches are even more important than OS patches—although both are important.

Attackers often exploit applications before the vendor has issued a patch to prevent the exploit. These attacks are referred to as zero-day exploits.

Your organization’s IT professionals need to create a list of applications in order to apply patches ASAP because, unless they identify all of your applications, they will not be able to patch all of them.

Ensure that new application patches get tested first on non-production machines. The test needs to be instituted immediately after the patch is released. Desktop and server virtualization can help IT with the testing process by providing a method to run server and workstation configurations on a single piece of hardware for testing.

Please post your comments on this blog.

The post Single Biggest Way to Repel IT Attacks appeared first on Foster Institute.

Some IT professionals tell me that their “boss” came down and said, “Give company such and such access into our network to access our data files so they can provide such and such service.” If the IT professional was brave enough to object to the “order,” they often got shot down.

If your IT professional knows anything about security, they get some pretty sweaty palms when opening up access to other companies. Their nights of restful sleep are probably over at that point too. And so should the executives be terrified!

Please do NOT open up your network for access by third party companies. I run into this at four or five companies a month and it has to stop!  Do you realize that:

• If the other company catches a virus, you probably will too?
• If an employee at the other company wants to steal your data, destroy your information, and even store illegal information at your office, they can?
• If you have a security problem, the other company may come after you for damages you cause on their network?

Indeed, it is feasible to outsource some of your services and functions into the “cloud.” More and more organizations are doing this.

The important part is to connect to the other entity in a responsible way! Allowing them unfettered access into your network is often a reckless choice.

The post Executives – what vendor wants to connect? appeared first on Foster Institute.

The primary reason we perform vulnerability assessments as parts of security assessments is to generate an inventory of all the computers currently alive on the network and a list of vulnerabilities those computers have.

The challenge is that the human brain loves a “list of what’s wrong.”  Most of the IT professionals at organizations go immediately to work solving the identified problems thereby “killing alligators.”

We always implore executives and IT professionals alike to focus on “draining the swamp” in addition to, and sometimes instead of, “killing alligators.”

In our ongoing effort to help IT professionals and organizations focus on strategic, as well as tactical, plans to take IT to the next level, I sometimes feel like a dentist who hands out new toothbrushes as well as a gift certificate to the local candy store in the same visit.

Vulnerability assessments are wonderful—just remember to focus on the one or two strategic changes that can fix one hundred or more tactical issues.

The post Are vulnerability scans of your network helpful? appeared first on Foster Institute.

Before I could catch them, these words spewed out of my mouth: “We need more government regulation of businesses.”  I immediately stopped, appalled at what I had just said, and stood there in disbelief.

The fact is, due to a number of problems in organizations, IT security too often gets pushed to the back burner. Next week’s blog entry will deal with those reasons. Do we need more laws to force companies to be secure? For the responsible companies I work with, I say “No! Enough regulation already!” I know they are taking steps to be more secure. But for those companies that send the rest of us letters notifying us of breaches, I think we all would have been happy if some regulation forced them to be more careful with private information. PCI-DSS standards for companies that accept payment cards is still a regulation—except in Nevada where it is now a law. Minnesota also has laws around the core requirements of PCI-DSS.

I used to be totally against some government regulations, but as I see some organizations being careless with your private data, I wonder if a little regulation might go a long way? Please respond with your comments on this blog.

The post Do we need more government regulation? appeared first on Foster Institute.

The theory is that, if the “online banking only” computer is only used for online banking and nothing else, the computer is less likely to be infected with viruses, key loggers, and other malicious software.

Having two computers comes at a huge cost to convenience for the people in your office that need to perform online banking. That means they need to have two computers at their desk. They could use a KVM switch to use their same keyboard, monitor, and mouse to switch back and forth between the computers.

Your IT professional might be willing to set up a virtual machine on the regular machine to use for online banking, but IT will still need to keep that virtual machine current with patches and protected with anti-virus. The end-user may become confused using the virtual machine and reject the idea completely.

Controls would probably need to be put in place to limit access to banking web sites to the single machine so no employees ever “cheat” and use their own workstation to access online banking.

On a positive note, an inexpensive computer would be more than enough to handle the online banking, and there are tools like Microsoft’s Microsoft Steady State and Deep Freeze (http://www.faronics.com/html/deepfreeze.asp) that can help lock the machine down to a single purpose and help protect from infections.

Do you dedicate a single computer for your online banking tasks? What is your response to the ABA’s advice? Please add your comments to the blog.

The post Banks suggest you dedicate one PC for online banking appeared first on Foster Institute.