I was given a task to write a small article for the Meet magazine Fall2021 edition and it has arrived:
Too Late, You're Hacked! - Defending Your Small Business' Computers and Networks is available from the publisher at Publishing Concepts bookstoreOpens in a new window Ebook and Paperback versions:
Yes you should use password managers, long passwords over short complex as you see below's XKCD famous image. we discussed in our blog oversitesentry before: https://oversitesentry.com/password-managers-are-impossible-to-hack/
It is useful to review the latest info on length of passwords:
But what about the password manager? How should you use it exactly? Do you let it pre-fill the password and username in your browser?
If you do you may be making it easier for a hacker to grab your information if they are on your system according to marektoth. As he says specifically:
Most password managers have the autofill feature enabled by default, even though it reduces the security of the stored password.
If a user uses the default configuration or follows the password manager's recommendation, it is possible to steal the saved login credentials from 11 of the 16 tested browsers and password managers in one mouse click. So the database/password on the website doesn't have to be leaked, and the attacker still gets your data - all in readable and unencrypted form (in plaintext).
I am always looking for more information that changes the current cybersecurity landscape in case we need to change our TTP (Tactics Techniques and Procedures) so as to help us defend from the criminal hackers.
So change your TTP everyone - and do not pre-fill !!!
Order my book for more good Cybersecurity advice (If you purchase from Publishing concepts Store we keep more than if you buy from Amazon.
To do that what I need to do is to hand you hundreds of pages of Information Technology understanding specific for your environment.
I.e. when you need to figure out how to do this thing that is cybersecurity for your environment does it seem like you are building a new house brick by brick? Well, I have good news to tell you - I have 1000 bricks to dump in your lap. Here are the bricks - build a nice house.
This analogy seems a bit much, but maybe give you a better understanding that many security people have a complex explanation
So instead what i recommend is to wait for my book as it will be out soon -
Then you can develop a risk management strategy and Security policy just to get started.
You can get a fixvirus.com webcover when you join our email list for news on the book. Oversitesentry page with webcover email list form.
Psychology of security –Humans avoid security on purpose sometimes, essentially a risk gambler. In my upcoming book we will discuss the interesting phenomenon where 'enough' people are not paying attention(about 30%) so that everyone now is being attacked more. (with so many machines as an attack surface the criminal hacker has a target rich environment)
We seem to be in a kind of catch 22 in cybersecurity
A lot of people and thus companies do not want to tell others if they need help or have problems (in their cybersecurity). It could just be that it is too complex an issue.
Many managers or owners are not aware the danger that they are in, they think they are not a target(too small to get attacked). Not true, at minimum the computer itself is of use as an attack platform.
These are just some of the reasons about 30% are not doing necessary prevention tasks.No communication of problems here, causes a lot of people not to pay attention.
Ultimately this causes the rest of us problems since their machines are used to attack the rest of us.
Contact me to discuss how you can work on your processes.
My Book titled: Too Late You're Hacked! – Defending Your Small Business’ Computers and Networks
Stage 4 editing – which means I reviewed their comments and fixed some more contextual issues, some clarity issues, and others. Indicated 15 items to watch when publishing software has manuscript.
Grammar editing is next (not sure how long that will take), but the manuscript at 41k words needs a once over with a grammar expert.
The steps after that will consist of the manuscript moving off the Word platform(8.5” x 11”) into the Book publisher software. (the book will be 6” x 9”) here is where we will find out how many pages it will be. With 38 illustrations, and 91 citations, an appendix with a glossary, and a PCI outline.
We are not done yet but I see the light at end of the tunnel.
Cover art is being worked on - the following is the basic media image with a logo placeholder.
Yes we (as a society) have a problem.
Most people do not want to talk about Cybersecurity for a variety of reasons (nod your head if you agree)
Many people (some say 30%) are not doing what is necessary to protect their machines properly.
Managers or owners are not aware of the dangers they are in, think they are not a target(too small to get attacked) or another reason. Psychology of Security: 30% of people are unwilling to spend money on the chance they will lose less money. they think it is a gamble that is worth it.
No communication of problems or when one needs help, no problems here, causes a lot of people to not pay attention (especially when they just keep operating as normal and nothing happens)
This causes problems for the rest of us as the machines with problems will be used to attack everyone.
Thus the Catch22 - People which do think they have a problem - even if they get a problem will not ask for help except when it is too late already (after a successful attack it is too late)
What will actually make everyone that needs it perform preventative measures (spend money to possibly lose less money)
This is why I have written a book that will be released shortly - within the first quarter of 2021 - as we are finalizing editing and other publishing tasks. Get on our mail list to learn more about the book: mail list link.
Contact Us to discuss
My latest blogpost at Oversitesentry discusses this image(below) among other things.
I agree with Bruce Schneier that the ransomware attacks are more intense and sophisticated , the requested fee in 2018 was $5000 and in 2020 it went up to $200,000. The criminal attackers are doing research and going after larger targets. And the ransom might not only be computers and the data it may be information that the hacker will unload to the public unless you pay them.
It behooves everyone to start dotting the i's and crossing the t's because the hackers are not staying still. Maybe you were not targeted in 2020 or in 2019, but that may not be the same in 2021 or 2022. It is nigh time to make sure and make things as difficult as possible for the hacker attackers.
I am putting the finishing touches on a book in 2021 that will help small businesses manage cybersecurity.
The Image is trying to make a point that governance includes PCI compliance and can be a basis of making proper IT decisions with the future in mind. Where the focus of compliance and regulations efforts are on specific actions and data, governance can be all encompassing and most important create an environment where proper decisions are made with the right people in the room. Nothing is missed, whereas the compliance efforts are only doing what they have to.
Our latest blogpost at https://oversitesentry.com/compliance-vs-framework/ (a bit more information)
Is it important to focus on Security? How much should we pay attention to Computer Security? Can we relegate Computer Security or as some coin the phrase 'Cybersecurity' to an afterthought? Or at least a small line item in the plan for 2019!
So 'IF' there is a ransomware attack on the most important data that we use, and we cannot recover the data(for whatever reason) is that important enough to pay more attention?
As the image above notes in six months we could be out of business if we did not prepare properly setting up backups for our data. Sometimes ransomware just destroys data and it cannot be recovered.
Contact us to get someone to review your backup plans and more to make sure that your business will be viable even after a ransomware attack.
Triple extortion Ransomware means that a good backup is not good enough anymore:
Because the data may be stolen and ransomed to patients/clients/ 3rd party associates1!
Today's news is typical for Cybersecurity:
April Microsoft Patch Tuesday - (the day that Microsoft releases regular patches conveniently released once a month when possible) was on April 13th since it is the 2nd Tuesday of the month.
Are you comfortable with your ignorance? Your discomfort? Is it a standard Operating Procedure and thus since it happens every day nothing new will happen?
The problem with Cybersecurity is that it changes every month and sometimes faster:
Contact me to discuss your cybersecurity or buy the book and work on it after reading.
Example #1: March 28, 21 - Sick.codes has the information and chronology of a disturbing vulnerability found in some software.
If one looks at the details of this vulnerability and how it was found (by accident) and what was found was that some software (that includes netmask) it is included in the npm package in Unix/Linux systems or other operating Systems.
A CVE has been issued CVE-2021-28918 . Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Does the above explanation make sense to non-systems or programmer people?
Interesting to note that
So what does this vulnerability mean to your systems and devices?
It means that there may be software that incidentally has been downloaded 278,000 times which has this arcane problem. So we have to find out whether it will affect and then upgrade. It may not affect your program, it depends (as the sick.codes post explains.
How do we fix this? We have to have a system of upgrading/patching and testing your devices to find out if your systems are vulnerable.
Contact Us to discuss or buy my ebook for now soon paper copy coming.