Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

June 6, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • A vulnerability in the firmware used in motherboards of over 270 models with both Intel and AMD chipsets will be patched soon. Meanwhile there are steps you can take to protect your computers.
  • MOVEit Transfer, a file transfer application, has released a patch for a critical vulnerability, with "mass exploitation and broad data theft" occurring over the past few days.
  • A variant of Mirai is being used to target smart devices with unpatched vulnerabilities. You can follow the tips here to secure these devices.
  • Jetpack plugin for WordPress has released a patch for a critical flaw.

Patch All the Things!

"Detect" may be the most important

The NIST Cybersecurity Framework identifies five core functions to develop and manage an effective information security program: Identify, Protect, Detect, Respond, Recover. Over the years of doing security assessments for organizations in many industries, we routinely find that "Detect" is the core function most often ignored, and yet may actually be the most important. Why? Read on.

I recently made a new acquaintance, a security professional for a Fortune 500 company (which, for obvious reasons, I won't name). We were chatting about physical security vs. cyber security and he said he just realized that they must have IT security people at this company, but he doesn't know any. Wow. How could this be?

He then told me a story. He said he's actually surprised he hasn't heard from them, because he makes manual backups of his company laptop to an external USB drive nearly every day. He dumps gigabytes of data on a regular basis but has never been questioned about it. I asked whether IT had provided this drive (which could possibly explain their lack of concern), and he said nope, he bought it himself. Double wow. This guy could be stealing confidential company information and selling it to competitors with his employer having no idea.

This reminded me of the 2019 data breach which compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. It happened because a contractor used an external USB drive to copy all this data from CBP's network, without permission, and without CBP realizing (detecting!) this activity.

So what should you do? Every organization should have (1) policies in place (don't copy company data without permission, don't bring in your own hardware), (2) training (so your employees know not to bring in external drives and not to copy data willy-nilly) and (3) a technical means of detecting this type of activity, if your organization is anything but very, very small.

Stay safe online this (and every) week!

Important information for all US Dept of Defense contractors

If you do work for the US DoD, or for any of its contractors, there's a lot going on right now in the realm of cyber security requirements. My latest CMMC Update newsletter discusses some of these, and there is a lot of good info in the archived editions as well. If you aren't a DoD contractor but know someone who is, please share!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass

grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺
