<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>recommendations Archives - Foster Institute</title>
	<atom:link href="https://fosterinstitute.com/tag/recommendations/feed/" rel="self" type="application/rss+xml" />
	<link>https://fosterinstitute.com/tag/recommendations/</link>
	<description>Cybersecurity Experts</description>
	<lastBuildDate>Fri, 06 Sep 2024 05:25:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://fosterinstitute.com/wp-content/uploads/2021/02/Favicon.png</url>
	<title>recommendations Archives - Foster Institute</title>
	<link>https://fosterinstitute.com/tag/recommendations/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>An Executive&#8217;s Handbook to Securing Modern Manufacturing Networks and Robots, AI or Not</title>
		<link>https://fosterinstitute.com/ai-advancements-meet-security-ceos-handbook-to-securing-robotics-and-manufacturing-networks/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Mon, 02 Sep 2024 17:05:18 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[Cyber Security Tips]]></category>
		<category><![CDATA[it best practices]]></category>
		<category><![CDATA[it risk management]]></category>
		<category><![CDATA[recommendations]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5643</guid>

					<description><![CDATA[<p>Sadly, as reckless as it seems, some companies that create applications to control machinery will no longer provide technical support to your IT team if the operating system on the workstations is upgraded or has security patches.</p>
<p>The post <a href="https://fosterinstitute.com/ai-advancements-meet-security-ceos-handbook-to-securing-robotics-and-manufacturing-networks/">An Executive&#8217;s Handbook to Securing Modern Manufacturing Networks and Robots, AI or Not</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>While we&#8217;ll discuss AI, the security principles outlined here are equally crucial for all computer-controlled manufacturing systems, whether they incorporate AI or not.</p>
<p><strong>AI&#8217;s Growing Role in Controlling Devices:</strong></p>
<p>As AI starts entering more workplaces, it is crucial to recognize that AI will become more interconnected with hardware devices in your organization. You might want AI to control room lighting and air conditioning to make it voice-controlled or adapt to the changing activities in the room. AI can also control massive machinery, including robots and high-powered lasers for cutting steel. We&#8217;ll all be surprised at how many real-world tangible controls AI can assist. For AI to control devices, computers must drive the machines. Threat actors could exploit weaknesses to disrupt companies, damage equipment, cause expensive delays, and worse.</p>
<p><strong>Machines Driven by Computers, Including Those Running AI and Traditional Computer Control Systems, Introduce a Security Threat:</strong></p>
<p>As AI becomes integral to your operations, remember: Everything from climate control and identity detection to robots and laser cutters hinges on computer systems. AI&#8217;s potential is vast, and its growing adoption means more devices linked to our networks.</p>
<p>However, this surge in AI adoption produces an often-overlooked danger that all organizations with industrial controls must consider. The computer systems hosting your AI and traditional solutions can become obsolete faster than the devices they control. Neglecting to update operating systems and to use other security controls exposes your organization to cybersecurity threats. While devices might seem to run smoothly, the escalating sophistication of cyber attackers must not be underestimated.</p>
<p><strong>Executives: Unchain Your IT Pros from the Security Limitations:</strong></p>
<p>Is your IT Team prohibited from applying critical cybersecurity updates to operating systems or upgrading to supported operating systems on workstations that control instruments, lasers, robots, and other machinery? If they are, those workstations <strong>pose a security threat to your organization.</strong></p>
<p>Executives must understand that using workstations with old operating systems or without the most recent critical security updates is a significant security risk. <strong>In some cases, executives must ask the IT Team if they have encountered this situation.</strong> Sometimes, executives are inclined to delegate decision-making to the IT Pros. Instead, the IT team must alert the executives of the pros, cons, and expenses. The executives need to decide if it makes sense to pay to upgrade the applications that control robotics, manufacturing, or other equipment on a network.</p>
<p><strong>Three Definitions:</strong></p>
<p>In case nobody&#8217;s explained these terms, it is essential to differentiate between upgrades and updates:</p>
<ol>
<li><strong>Operating System <em>Upgrades</em>:</strong> An example is upgrading from Windows 10 to Windows 11. Newer operating systems often have more security features. Microsoft and Apple will naturally be tempted to assign their best and brightest people to develop and update the newest operating systems, so they eventually drop support for old operating systems. Unsupported operating systems are designated EOL (End of Life). Using an operating system after it is no longer supported is a significant security risk.</li>
<li><strong>Operating System <em>Updates</em>, a.k.a. Patches:</strong> Security updates are rated by the severity of the security risk and how likely an attacker is to exploit the weakness. Critical security updates are the most important to apply. Staying up to date with patches can be a significant struggle in many situations.</li>
<li><strong><em>Application</em> Upgrades:</strong> Upgrades to new versions of the software that controls devices such as CNC machines, robotics, lasers, laboratory equipment, instruments, or any other hardware that connects to a computer.</li>
</ol>
<p><strong>The Shocking Reality:</strong></p>
<p>Some applications that control devices may prohibit operating system upgrades and security patches. The applications might break if the IT team deploys the patches or upgrades the operating systems. Sadly, as reckless as it seems, some companies that create applications to control machinery will no longer provide technical support to your IT team if the operating system on the workstations is upgraded or has security patches. Their software developers may be too busy to create flexible, secure applications and are forced to focus strictly on functionality.</p>
<p>Depending on the application vendor, paying for an upgraded version of a controller application can be very expensive. Fortunately, sometimes, the upgrade charge is reasonable or free. Sometimes, no upgrade is available to permit operating system upgrades or critical security updates.</p>
<p>Another consideration is the risk that upgrading might interrupt manufacturing flow if the upgrade process requires extensive troubleshooting or otherwise interrupts production. When equipment operates 24/7, the IT Team is under more pressure since there is no downtime for maintenance.</p>
<p>If the new application&#8217;s user interface significantly differs, shop floor personnel might require additional training. Inadequate training can lead to costly mistakes and safety issues. Scheduling training will affect the timing of deploying the new applications.</p>
<p>So, as you can see, when robotics, scientific instruments, lasers, manufacturing, or other equipment works just fine, upgrading the application appears to offer no valuable benefits, and the IT team is busy, it is understandable that we find during audits and security assessments that many manufacturing organizations have outdated operating systems or need critical cybersecurity updates.</p>
<p>The organization&#8217;s executives might accept the risk, especially if compensating controls are in place.</p>
<p><strong>Alternative Tactics Increase Security:</strong></p>
<p>Using compensating controls in networks is essential because systems sometimes have significant vulnerabilities before updates are released or installed. Compensating controls are even more essential to help protect workstations if patches are missing.</p>
<p>Compensating controls include, but are not limited to, isolating the machines that control robotics, manufacturing equipment, and scientific instruments on a separate network away from the rest of your network. That separate network must have limited connectivity that only allows traffic to and from the specific devices necessary, and it must limit the kind of data and how it traverses the network. This reduces the attack surface and makes it more difficult for a malicious program or third party to access that instance or device. I sometimes refer to this tactic in keynote presentations as creating filtered subnets.</p>
<p>Another compensating control is to harden the unpatched or EOL machines by removing all applications except those essential for the equipment&#8217;s operation. Examples of applications that must be removed include browsers and email clients since they are common vectors for successful attacks. If the employees operating those devices require internet and email access, consider adding a separate workstation that is patchable for email and web access.</p>
<p>EDR/XDR (Endpoint Detection and Response / Extended Detection and Response) technology is another helpful control. It involves installing a small program called an agent on each computer. The EDR/XDR agent monitors the system&#8217;s software, services, and behavior for any signs that threat actors might have already compromised the computer. If the EDR/XDR tool detects an IoC (Indicator of Compromise), it can respond by interrupting the process. When tuned to avoid false alarms, the best response is to allow the agent to effectively quarantine the workstation from the rest of the network until the IT team can investigate. This helps prevent attackers from spreading to more hosts.</p>
<p>However, it is common for IT teams to succumb to the danger of relying too heavily on EDR/XDR to protect their organization and, therefore, neglect implementing other industry best practices to protect systems. Threat actors often set up EDR/XDR tools on their test networks to find ways to circumvent the protections. So, even if your EDR/XDR tool says everything is safe, it doesn&#8217;t necessarily mean threat actors aren&#8217;t active in your network.</p>
<p>To combat this, companies commonly conduct yearly red-team exercises, performed by exceptionally skilled IT teams that run these exercises regularly and know the tricks and practices real-world threat actors use. The exercises are designed to test the effectiveness of the detection and response process. They look for weaknesses in EDR/XDR and help keep the IT team in practice, ensuring they&#8217;re better prepared in the case of an attack.</p>
<p>Depending on your budget, if $20/user/month for EDR/XDR is not feasible, know that the other cybersecurity controls in this article, such as careful hardening and segmentation with very restrictive filtering, are much less expensive than EDR/XDR and have little if any ongoing expense. I don’t want to diminish the usefulness of EDR/XDR tools. If you are on a tight budget, unless your cybersecurity policy requires EDR/XDR, you might choose to focus on other compensating controls.</p>
<p>The IT Team must alert the executives about the expense of upgrading applications, isolating the shop floor instances on a separate network, deploying an additional network for web and email access, training users and operators, implementing EDR/XDR tools, and other expenses. Include time estimates along with financial estimates. Then, the executives can make an informed decision, and IT can follow their instructions and ask for support as necessary.</p>
<p><strong>Step-by-Step Guidance for IT Teams:</strong></p>
<p>Acknowledge that it can be a significant challenge and sometimes practically impossible to ensure that all workstations run with a current OS and that all critical security updates are applied. But keep applying updates if possible.</p>
<p>Inform your executives whether your team has time to make these changes. IT teams must alert executives of the time and expense involved. The executives will have options such as adding more IT professionals to augment the team, postponing other projects, or accepting the risk of continuing with unpatched systems or EOL OSs with the compensating controls listed below.</p>
<p>Explore all technical, training, and expense changes before upgrading applications.</p>
<p>Ask your supervisor to delegate the price checking to someone outside the IT department if feasible. Your IT team is very busy, so checking the prices might cause the upgrade to be delayed. It can be time-consuming to check with the robotic, manufacturing, and scientific equipment vendors to find the pricing for upgrades to their applications that control machinery.</p>
<p>Investigate more than the pricing. Ask about changes in the upgraded applications affecting the user interface and user experience. Ideally, the upgraded application software operates similarly and has the same interface. Unfortunately, some manufacturers significantly change the user experience when they upgrade their applications.</p>
<p>If users will need training, identify a trainer.</p>
<p>Determine how scheduling the training will affect the deployment timing.</p>
<p>Involve executives in decision-making and send them regular reports about the project&#8217;s progress.</p>
<p>Implement compensating controls on the workstations because of the high cybersecurity risk of missing critical patches or using EOL OSs. Compensating controls aren&#8217;t a replacement for missing patches, but the controls can help tremendously.</p>
<p>Remember that attackers can exploit security risks long before they are discovered. Only when the vulnerability is discovered will the operating system and application developers know to create or release patches to seal that security hole. Refrain from relying on patches as your sole security control for application software and operating systems.</p>
<p>Strongly consider isolating shop floor machines on a separate subnet, especially those you are prohibited from patching and those using EOL OSs. Isolate that subnet completely with an air gap or utilize aggressive filtering at the switch or router to limit traffic to only the required source, destination, ports, and protocols.</p>
<p>Additionally, hardening the workstations against attacks is strongly recommended.</p>
<p>Remove or restrict web and email access. This is one of the most effective ways to harden workstations, as web and email are two of the most common vectors for malware.</p>
<p>If the workers at those devices need access to the web and email, consider deploying a separate workstation at their station that they can use for web and email. If feasible, that workstation should not be on the shop floor network. If you put those workstations on the equipment network, you would need to allow email and web traffic, and modifying access control lists to allow more sources, destinations, ports, and protocols can significantly reduce the security you would otherwise introduce to the equipment control network. Strive to exclude TCP ports 80 and 443 on the AI device network while allowing full functionality of the AI and other computer-controlled devices.</p>
<p>Be sure you limit the sources of inbound and destinations of outbound network traffic to the absolute minimum. If you need to run new cables to facilitate the additional workstations for web and email at the workers&#8217; stations, then running new cables might be a significant investment. Deploying a WiFi network for email and web access might be more economical. Keep the key secret. If you share the WiFi password, workers might connect other devices to the equipment network and compromise security. Completely blocking email and web access and access to external IP addresses will help keep the workers on the manufacturing network from exposing the hosts to many threats.</p>
<p>Strongly consider using EDR/XDR tools, along with the Red Team Exercises, to help ensure the configurations&#8217; effectiveness and allow your IT team to prepare for actual emergencies.</p>
<p><strong>Summary:</strong></p>
<p>Protect workstations that control hardware such as robotics, pharmaceuticals, lasers, and scientific instruments, regardless of whether they utilize AI. This helps ensure the safety and operability of your systems, protecting your organization and workers.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Three Essential Questions to Ask Your IT Team Today Because of the Massive Exchange Attack</title>
		<link>https://fosterinstitute.com/three-essential-questions-to-ask-your-it-team-today-because-of-the-massive-exchange-attack/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Mon, 08 Mar 2021 17:48:54 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[it security review]]></category>
		<category><![CDATA[IT security training]]></category>
		<category><![CDATA[recommendations]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Security expert]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3467</guid>

					<description><![CDATA[<p>So far, it appears that more than 30,000 organizations, including small businesses, are compromised. The US National Security Council urges organizations, including small businesses, to &#8220;take immediate measures&#8221; to detect compromise. &#8211;&#62; ONE: Ask your IT team, &#8220;Do we still have Microsoft Exchange Server email software installed anywhere?&#8221; If they answer affirmatively, even if they&#8217;re [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>So far, it appears that more than 30,000 organizations, including small businesses, are compromised. The US National Security Council urges organizations, including small businesses, to &#8220;take immediate measures&#8221; to detect compromise.<span id="more-3467"></span></p>
<p>&#8211;&gt; <strong>ONE</strong>: Ask your IT team, &#8220;Do we still have Microsoft Exchange Server email software installed anywhere?&#8221;</p>
<p>If they answer affirmatively, even if they&#8217;re already moving to the cloud, you must continue:</p>
<p>&#8211;&gt; <strong>TWO</strong>: Ask them, &#8220;What can I take off your plate or postpone so that you can immediately test and deploy the patches to the Exchange Server right now?&#8221;</p>
<p>Essential: Applying security updates to your Exchange server does not resolve the issue if your organization is already compromised. There might be a small program on your system quietly waiting for an attacker&#8217;s commands.</p>
<p>To help determine if you are already compromised: <a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log" target="_blank" rel="noopener">https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log</a></p>
<p>If your team cannot update immediately, send them here: <a href="https://github.com/microsoft/CSS-Exchange/tree/main/Security" target="_blank" rel="noopener">https://github.com/microsoft/CSS-Exchange/tree/main/Security</a></p>
<p>&#8211;&gt; <strong>THREE</strong>: Say, &#8220;The emergency is too great to postpone. Later, let&#8217;s discuss the pros and cons of moving email to the cloud.&#8221;</p>
<p>Pros include eliminating one server and associated headaches. Often, online email is better for remote workers too. But you could lose some integration features you have now, for example, an on-site phone system tied into Exchange. Saving money and streamlining are essential, and online Exchange is often less expensive.</p>
<p>The blog posting <a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log" target="_blank" rel="noopener">https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log</a> has a plethora of other information and guidance for your team related to the updates. Some organizations are experiencing errors after applying the security updates. For example, some learned they must install the updates from an elevated command prompt window. Microsoft provides more guidance:</p>
<p><a href="https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/" target="_blank" rel="noopener">https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/</a></p>
<p><a href="https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b" target="_blank" rel="noopener">https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b</a></p>
<p><a href="https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459" target="_blank" rel="noopener">https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Alert Your Team &#8211; USB Devices, Login Prompts, and Apps</title>
		<link>https://fosterinstitute.com/alert-your-team-usb-devices-login-prompts-and-apps/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 27 Mar 2020 20:56:16 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[covid-19]]></category>
		<category><![CDATA[Cyber Fraud]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cyber Security Training]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Password Safety]]></category>
		<category><![CDATA[Technology Safety Tips]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[Internet Safety Tips]]></category>
		<category><![CDATA[it security expert]]></category>
		<category><![CDATA[recommendations]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3065</guid>

					<description><![CDATA[<p>Warn your users about three ways attackers continue to exploit the COVID-19 crisis: USB: A new ploy is bad actors mailing USB devices that appear to be from your company to your users. Once plugged in, they can open up a channel that permits unauthorized remote control and capturing keystrokes, including passwords. Fake Login Prompts: Remind [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>Warn your users about three ways attackers continue to exploit the COVID-19 crisis:<span id="more-3065"></span></p>
<p>USB: A new ploy is bad actors mailing USB devices that appear to be from your company to your users. Once plugged in, they can open up a channel that permits unauthorized remote control and capturing keystrokes, including passwords.</p>
<p>Fake Login Prompts: Remind your users to beware of login screens when they don&#8217;t expect them. Attackers create persuasive prompts that ask your users for passwords for their logon, VPN, or Microsoft Office 365 login, and more. Sometimes the windows tell the user that their connection dropped, and to provide credentials to reestablish their link. Your users must ignore those prompts and notify your IT team immediately.</p>
<p>Fraudulent websites and apps: Sites may have useful coronavirus information, but they also contain malicious attack software that strives to infect computers. Attackers create bad apps offering online statistics, tracking of the virus spread, and more.</p>
<p>Please forward this to your friends so they can alert their users too.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Information that You Need to Know About the California Consumer Privacy Act</title>
		<link>https://fosterinstitute.com/information-that-you-need-to-know-about-the-california-consumer-privacy-act/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Tue, 21 Jan 2020 15:48:32 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[Cyber Security Tips]]></category>
		<category><![CDATA[it best practices]]></category>
		<category><![CDATA[it security audit]]></category>
		<category><![CDATA[it security review]]></category>
		<category><![CDATA[recommendations]]></category>
		<category><![CDATA[risk management]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3025</guid>

					<description><![CDATA[<p>California&#8217;s CCPA went into effect on January 1, but you have until July 1, 2020, when it is enforced, to prepare. Get started now. First, you need to add a footer to all of your web pages to the effect of &#8220;The CCPA requires us to notify you that we could sell your data unless you [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>California&#8217;s CCPA went into effect on January 1, but you have until July 1, 2020, when it is enforced, to prepare. Get started now. First, you need to<span id="more-3025"></span></p>
<p>Add a footer to all of your web pages to the effect of &#8220;The CCPA requires us to notify you that we could sell your data unless you opt-out here&#8221; and provide them a link. Do it even if you don&#8217;t sell data.</p>
<p>CCPA applies to you if:</p>
<ul>
<li>At least half of your organization&#8217;s revenue is from the sale of personal data, or</li>
<li>Your organization stores personal data of fifty thousand people or more, or</li>
<li>Your organization has at least twenty-five million dollars annual revenue</li>
</ul>
<p>If one of those applies, then:</p>
<ul>
<li>If a consumer in California asks, you must be able to give them copies of all of the data you collected about them.</li>
<li>You must be able to tell them if you sold their data and to whom.</li>
<li>Consumers can demand that you delete their data. Scouring their information from all of your applications and tools can be difficult because you have to remove them from your contact list, accounts receivable, order history, and everywhere else you store any information about them or their activities.</li>
</ul>
<p>Protected data includes contact information and anything that can identify a household, including GPS locations.</p>
<p>Confusion abounds in the CCPA. For example, if consumers choose to opt out, an organization cannot discriminate against them by blocking or offering a lower level of service. But some companies provide services based on their consumers&#8217; data, so how can they give the same level of service to consumers who do not provide data? Another example is that employers need to keep some data on employees. What if an employee asks to have all their data, including their social security number, erased everywhere, but wants to continue their employment? There are extensive attempts to address these issues, but the rules are confusing.</p>
<p>You’ll need to involve your lawyer to help wade through the issues, and that leads to the obligatory disclaimer: Do not misconstrue this to be legal advice. Check with your lawyer.</p>
<p>The CCPA is only the beginning. Expect to see similar laws in other states and at a national level too. Please forward this to your friends and associates, so they know they only have until July 1, 2020, to prepare.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Executives Give Clues Before Firing IT Firms</title>
		<link>https://fosterinstitute.com/executives-give-clues-before-firing-it-firms/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Tue, 29 Jul 2014 06:00:30 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Firing IT Firms]]></category>
		<category><![CDATA[IT Professionals]]></category>
		<category><![CDATA[Outsourced IT Firms]]></category>
		<category><![CDATA[Outsourcing IT]]></category>
		<category><![CDATA[it best practices]]></category>
		<category><![CDATA[IT network safety]]></category>
		<category><![CDATA[it security audit]]></category>
		<category><![CDATA[IT security consultant]]></category>
		<category><![CDATA[it security expert]]></category>
		<category><![CDATA[Managing IT Professionals]]></category>
		<category><![CDATA[recommendations]]></category>
		<category><![CDATA[Working with executives]]></category>
		<category><![CDATA[Working With IT People]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/blog//?p=1935</guid>

					<description><![CDATA[<p>Not all top-level executives, owners, and other decision makers are pleased with their outsourced IT firm. What signs should a service provider notice? The Wall Street Journal released an enlightening article entitled “Six Subtle Signs You&#8217;re About to Lose Your Job &#8211; For Busy and Confident Executives, These Warnings Are Easy to Miss” by Joann [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/executives-give-clues-before-firing-it-firms/">Executives Give Clues Before Firing IT Firms</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Not all top-level executives, owners, and other decision makers are pleased with their outsourced IT firm. What signs should a service provider notice?<span id="more-1935"></span></p>
<p>The Wall Street Journal released an enlightening article entitled “<a href="http://online.wsj.com/news/article_email/six-subtle-signs-youre-about-to-lose-your-job-1405959180-lMyQjAxMTA0MDIwMjEyNDIyWj" title="Six Subtle Signs You're About to Lose Your Job - For Busy and Confident Executives, These Warnings Are Easy to Miss">Six Subtle Signs You&#8217;re About to Lose Your Job &#8211; For Busy and Confident Executives, These Warnings Are Easy to Miss</a>” by Joann S. Lublin.</p>
<p>Like executives, many outsourced IT firms are so incredibly busy that they do not catch the hints that they are about to lose a customer. </p>
<p>Many executives loathe considering the fallout of changing outsourced IT support companies. Sometimes they say, “I don’t want to fire our outsourced IT firm &#8211; it is so helpful that they’ve learned how our business works.” </p>
<p>Because outsourced IT firms have their finger on the jugular vein of your business, executives prefer to wait until the last possible moment, after making all the preparations, and sever the relationship without warning. </p>
<p>There are many wonderful outsourced IT firms out there. If you have one, keep them. </p>
<p>Technology is an essential component for most companies, and you must feel confident that you have excellent IT service providers. Moreover, most service providers want to be excellent. As Stephen Covey said, it is a win-win when your service providers exceed your expectations.</p>
<p>Next week, expect 3 questions to ask your service providers in order to see how well they are delivering.</p>
<p>Would you advise every executive you know to tell their outsourced IT firm what they do and do not appreciate about their experiences while working together?  Please post your comments below&#8230;</p>
<p>The post <a href="https://fosterinstitute.com/executives-give-clues-before-firing-it-firms/">Executives Give Clues Before Firing IT Firms</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Fire Phone at Work</title>
		<link>https://fosterinstitute.com/fire-phone-at-work/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 19 Jun 2014 16:10:54 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Fire Phone]]></category>
		<category><![CDATA[IT Professionals]]></category>
		<category><![CDATA[Mobile Devices]]></category>
		<category><![CDATA[phones]]></category>
		<category><![CDATA[Save time]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Technology Tips]]></category>
		<category><![CDATA[amazon]]></category>
		<category><![CDATA[amazon fire phone]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[fire phone]]></category>
		<category><![CDATA[it best practices]]></category>
		<category><![CDATA[it security audit]]></category>
		<category><![CDATA[IT security consultant]]></category>
		<category><![CDATA[it security expert]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[recommendations]]></category>
		<category><![CDATA[Relating to IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/blog//?p=1922</guid>

					<description><![CDATA[<p>Amazon just announced the new Amazon Fire phone. The first thing I wanted to know was about BYOD (Bring Your Own Device) features. How will your business utilize this great new device? The news is good… The Fire Phone, scheduled to be available the end of July from AT&#038;T, tracks your face for “sort of [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/fire-phone-at-work/">Fire Phone at Work</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Amazon just announced the new Amazon Fire phone. The first thing I wanted to know was about BYOD (Bring Your Own Device) features. How will your business utilize this great new device? The news is good…<span id="more-1922"></span></p>
<p>The Fire Phone, scheduled to be available at the end of July from AT&#038;T, tracks your face for “sort of 3D,” sports an amazing camera, and can recognize almost everything it sees or hears. But what about features for your company?</p>
<p>You will have the ability to view MS Word, Excel, and PowerPoint files. The phone provides Outlook and uses your Exchange server for messages, contacts, calendar, tasks, etc. The device supports encryption and is supposed to support VPN connectivity soon. Then, of course, there are so many Fire Phone apps available in Amazon’s own store. See details by googling: &#8220;Fire Phone for Work site:amazon.com” or click here: <a href="http://www.amazon.com/gp/feature.html?ie=UTF8&#038;docId=1002658251" title="Fire Phone for Work">Fire Phone for Work</a></p>
<p>IT Pros will be happy that the phone supports their ability to remote-wipe a lost or stolen phone and control the installation of applications. A notable tool is <a href="https://whispercast.amazon.com/" title="Amazon's Whispercast">Amazon’s Whispercast</a>.</p>
<p>Whispercast is a stable platform that schools and businesses use already. It provides an easy interface for your IT professionals to manage these devices, including limiting Wi-Fi connectivity and providing content restriction (such as blocking access to social media sites). IT Pros can configure users into “groups,” with each group receiving different content and restrictions.</p>
<p>Soon other MDM (Mobile Device Management) tools will add robust features that your IT Pros need in order to enhance security and productivity for devices using your network.</p>
<p>Is there a Fire Phone in your future? Can your IT manage the BYOD features? At least you know it can “do business.”</p>
<p>Please post your comments below&#8230;</p>
<p>The post <a href="https://fosterinstitute.com/fire-phone-at-work/">Fire Phone at Work</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>5 More Things to Love about Apple</title>
		<link>https://fosterinstitute.com/5-more-things-to-love-about-apple/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 26 Dec 2013 06:00:59 +0000</pubDate>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Technology Tips]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[recommendations]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/blog//?p=1771</guid>

					<description><![CDATA[<p>Apple has wonderful traits. Last week were the first 5 of 10, and here are the remaining 5 things Apple does so well… And before you label me as a Microsoft hater, know that is incorrect. I enjoy products and services from both companies very much. 6. Similarly to the hardware, think about the “Apps.” [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/5-more-things-to-love-about-apple/">5 More Things to Love about Apple</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Apple has wonderful traits. Last week were the first 5 of 10, and here are the remaining 5 things Apple does so well…<span id="more-1771"></span></p>
<p>And before you label me as a Microsoft hater, know that is incorrect. I enjoy products and services from both companies very much. </p>
<p>6. Similarly to the hardware, think about the “Apps.” Even when Apple applications don’t claim to have so many features, Apple products work as advertised. Though they’ve gotten so much better, in the past: if a Microsoft application’s feature doesn’t work properly, why do they publish that the feature “works?”</p>
<p>7. Most Apple customers have nothing bad to say about Apple’s tech support experience. One reason is that most Apple customers never need to use support at all. My experience with Microsoft is that they don’t know the answer to problems, and they seem to think that I’m willing to become part of their troubleshooting team, “try this, try that, what does this do, what if you do this? Ok, reinstall Windows and call me in the morning.” No thank you.<br />
It is important to note: My experience with the Surface, Windows 8.1, and the latest version of MS Office has (so far) been spectacular. Microsoft sure got that one right!</p>
<p>8. There are always features in Apple products that make people say, “Oh wow! I never thought about having that feature and it is so cool!” For example, the “Burst Mode” of their camera feature is amazing. If you haven’t experienced it yet, you can point the camera at a scene, such as your kid doing something fun, and hold down the camera’s “take a picture” button. The camera takes many photos every second until you let go. Then, whenever you have time, you can go back to see all the pictures and simply select the one (or more) you like best and tell the device to “keep” those and throw the rest away. Makes it a ton easier to catch those otherwise tough shots.</p>
<p>9. Apple is willing to “change the world.” They sure did that with the original idea of really cool fonts (remember those days?), portable music players, and then with iPhones and iPads. What is their next big success going to be? To further promote “put all of your applications in the cloud?”</p>
<p>10. Apple provides competition in the marketplace. When “nobody does it better” than Microsoft, then Microsoft won’t be driven to step up too. Android is in the mix now. Of all the 10 best things, this is the benefit I like the most. </p>
<p>Please post your comments below&#8230;</p>
<p>The post <a href="https://fosterinstitute.com/5-more-things-to-love-about-apple/">5 More Things to Love about Apple</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>5 Things to Love about Apple</title>
		<link>https://fosterinstitute.com/5-things-to-love-about-apple/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 19 Dec 2013 06:00:53 +0000</pubDate>
				<category><![CDATA[Customer Service]]></category>
		<category><![CDATA[laptops]]></category>
		<category><![CDATA[MacBook]]></category>
		<category><![CDATA[surface pro]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[macbook]]></category>
		<category><![CDATA[recommendations]]></category>
		<category><![CDATA[technology]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/blog//?p=1763</guid>

					<description><![CDATA[<p>Apple has a lot of great things going for it. Here are 5 of the biggest ones: 1. Apple Stores! Isn’t it so neat that someone can walk into a store, experiment with the products, have workers who are very familiar with the products, and – if you decide to – you can buy a [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/5-things-to-love-about-apple/">5 Things to Love about Apple</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Apple has a lot of great things going for it. Here are 5 of the biggest ones:<span id="more-1763"></span></p>
<p>1.  Apple Stores!  Isn’t it so neat that someone can walk into a store, experiment with the products, have workers who are very familiar with the products, and – if you decide to – you can buy a device right then and there.</p>
<p>2. Apples have a “cool” factor that is tough (though perhaps not impossible) to match. And many Apple users know how cool it is.</p>
<p>My wife phoned me immediately after last week’s newsletter, about Apple computers not having touchscreens, and announced, “You were way too harsh about Apple this time!”<br />
“But Honey,” I explained, “We get the most responses on the blogs when I’m controversial about Apple.” She replied, “There is a difference between being controversial and adversarial!”</p>
<p>As usual, she is right. My wife said to tell you about her Apple Tattoo. That was a surprise to me too. </p>
<p>I do enjoy Apple, own and use two MacBook Airs that are a big part of every week for work. On the road, I carry two Airs and one Surface.  I do use the Surface the most but don’t make up your mind until you’ve tried them both.</p>
<p>Bottom line: I respect Apple and enjoy their products. In fact, in many cases working with top level executives, I recommend to them the Apple (especially the Air) after finding out what their wants and needs are. Some dearest friends, and my lovely wife, are total Mac people too.</p>
<p>3. Apple’s “No-questions asked” 14 day return policy. Where else can you go buy a piece of hardware that you can use, including reloading the operating system with a new one such as Windows, connect every peripheral imaginable to test compatibility, and then can return it if it doesn’t suit your needs? After 14 productive days, you are likely to ask yourself how you ever lived without it. Or not. Isn’t it great for you to be able to find out? </p>
<p>4. Apple is a leader in the marketplace. Not just by selling so much hardware, but in the past, they’ve been “first to market” with features that none of their competitors had even thought of yet. Often, Apple defines the cutting edge. Though there is controversy, many Apple fans will tell you how the Macintosh was the first computer to even have a mouse – and then everyone else copied Apple.</p>
<p>5. Apple products actually work when you get them out of the box. Even “first releases.” Thank goodness, users of Windows products can now enjoy the same experience, but Apple was the first. Apple has the longest running record. Having confidence in the products you purchase is a huge buying factor for most people. </p>
<p>Keep an eye out: Next week will bring 5 more of the 10 things to love about Apple.</p>
<p>The post <a href="https://fosterinstitute.com/5-things-to-love-about-apple/">5 Things to Love about Apple</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Keeping Hackers from Stealing Your Online Identity</title>
		<link>https://fosterinstitute.com/keeping-hackers-from-stealing-your-online-identity/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 31 Oct 2013 06:00:11 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[recommendations]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/blog//?p=1730</guid>

					<description><![CDATA[<p>Too often, when you visit a website, after you place an order, transfer money, or update a profile, you just close the window when you are finished. You just skipped one of the most important parts for security… Logout. To help keep unauthorized users from having access to the websites you protect with a password, you [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/keeping-hackers-from-stealing-your-online-identity/">Keeping Hackers from Stealing Your Online Identity</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Too often, when you visit a website, after you place an order, transfer money, or update a profile, you just close the window when you are finished. You just skipped one of the most important parts for security…<br />
<span id="more-1730"></span></p>
<p>Logout.</p>
<p>To help keep unauthorized users from having access to the websites you protect with a password, you need to log out of the website. </p>
<p>Unbeknownst to many, it is a very bad habit to just “close the browser” when you finish at a web site. </p>
<p>For example, if you go to your banking web site, or Amazon, or LinkedIn, or any other site that asks for your username and password, do your business and choose the option to log out, sign out, or the similar function they provide.  Yes, the next time you come to the site, it will ask you for your password again, but many sites do that already.</p>
<p>If you just close Chrome, Firefox, Internet Explorer, Safari or whatever browser you are using without logging out, it is much easier for an unauthorized person to impersonate you.  That person could be someone in your office who sits at your computer when you aren’t in your chair, or it could be someone on the other side of the planet.</p>
<p>Make logging out of web sites a habit!</p>
<p>The post <a href="https://fosterinstitute.com/keeping-hackers-from-stealing-your-online-identity/">Keeping Hackers from Stealing Your Online Identity</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>These Short and Fun IT Videos Can Protect You!</title>
		<link>https://fosterinstitute.com/these-short-and-fun-it-videos-can-protect-you/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 24 Oct 2013 06:00:18 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Videos]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[recommendations]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/blog//?p=1725</guid>

					<description><![CDATA[<p>Always remember: The best IT security controls can be thwarted by human ignorance. Here are fun videos to help you train your users in an enjoyable way. One of our training videos currently holds the #1 spot on a major university’s “Our Favorite Security Videos.” As of now, 50,022 users have viewed the video. To [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/these-short-and-fun-it-videos-can-protect-you/">These Short and Fun IT Videos Can Protect You!</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Always remember: The best IT security controls can be thwarted by human ignorance. Here are fun videos to help you train your users in an enjoyable way. One of our training videos currently holds the #1 spot <span id="more-1725"></span>on a major university’s “Our Favorite Security Videos.” As of now, 50,022 users have viewed the video. To see the video, you can visit http://www.youtube.com/watch?v=cb_LosUE7uc Or you can Google: Wireless hacking demo Mike Foster </p>
<p>Additionally, this topic is so important to communicate to users, that we hired a professional video production company a few years ago to create a “humorous” video that they “guaranteed” would go viral. Well, it didn’t go viral, and we feel it is still pretty clever: http://www.youtube.com/watch?v=-BIucJi7juI Or Google search for: Office romance goes wrong when someone gets a hold of your personal information. Facebook Identity Theft</p>
<p>The following videos are short, professional, and entertaining:   http://www.consumerfed.org/issues/consumer-protection-and-privacy/fraud/665/#phishing<br />
Or you can Google: Consumerfed.org Fraud Videos and Audio</p>
<p>The video at the bottom of the page is particularly entertaining. </p>
<p>Post some of your favorite video sources in the comments below.</p>
<p>The post <a href="https://fosterinstitute.com/these-short-and-fun-it-videos-can-protect-you/">These Short and Fun IT Videos Can Protect You!</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
