What is CMMC? CMMC Update Archives CMMC Links
Security Awareness Training Public Speaking Expert Witness
Newsletters Whitepapers Articles Videos Interviews Additional Resources
Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect
[ View this email in your web browser ] [ Visit our archives ] [ Sign Up for this Newsletter ]

August 8, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • Mozilla has released updates for both Firefox and Thunderbird, addressing 14 security issues
  • Ivanti has disclosed two more critical vulnerabilities in its Endpoint Manager Mobile (EPMM, formerly known as MobileIron Core) software
  • Canon has announced a vulnerability in its printers that may reveal private info, including wifi credentials
  • More than 500 Citrix Netscaler ADC and Gateway servers have been compromised by vulnerability addressed with a patch last month (make sure yours is fixed!)

Patch All the Things!

How Does That Work? (Understanding integrations)

I recently signed up for an online scheduling calendar tool. Oh, boy, has this made my life easier! One of the best things I've ever done to improve efficiency. BUT ... there were serious security implications that I needed to understand and mitigate before signing up for this wonderful new tool and implementing it into my workflow. Hopefully walking through these steps with you all this week will help you recognize the risks in similar circumstances and provide you with insight into mitigating those risks.

Okay, I know a few of you are scratching your heads and wondering, seriously? How risky is a calendar app? You have to understand "How does this work?" to understand the potential risks.

Typically these scheduling calendar apps work as an integration with your existing calendar application (O365/Outlook, Google Workspace, whatever) so that they can schedule appointments for you during your open times. Oh, the convenience! BUT ... Do you hear warning bells in the back of your head? How Does That Work? Well, first you have to use the scheduling calendar app to log into your regular calendar app, so it can read your open times and write new appointments into your calendar for you. This is a concern for two reasons:

(1)You have to give read & write permission to the scheduling app on your calendar app. This means the calendar app can read every single appointment in your calendar (yep, not just the confidential client meetings, but also the doctor visits and the babysitter's contact info). That level of insight into my personal schedule -- by a third-party app over which I have no real control -- made me very uncomfortable. (Sure, I can control my personal Settings in the app, but I can't control the company and its resources -- who has access to their servers? how secure are they? how do I know what is being done with my data?)

(2) In order to set up the integration, I would have to log in to my Google account to "hook" up the two apps. That account controls not only my calendar but my email, my file share, *everything* that I do in Google Workspace. That made me uncomfortable. (Did you read my March 7 newsletter "What is OAuth and why do you care?")

So ultimately I chose an app that gives me nearly full functionality without the direct calendar integration. I am confident that I found a good solution to provide the efficiency I need without compromising security in any way.

Remember, the most important question you can ask yourself before signing up for a new service, or buying a new product, is "How Does That Work?"

The woman who secured the Internet

I read this really interesting article this week, Meet Window Snyder, the trailblazer who helped secure the internet and billions of devices. This woman has had an incredible career, being among the first to codify threat modelling and the secure development lifecycle, both methodologies that are foundational to cyber security. She was a leader in Microsoft's "Trustworthy Computing Initiative" in the early 2000s, then on to Apple where where, as the only product manager responsible for the privacy and security of all Apple products, she introduced end-to-end encryption into iMessage and full-disk encryption by default on all Apple products.

A truly inspiring story. Read and share!

Stay cyber safe this week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Glenda R. Snodgrass

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!



Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.

Speak with an Expert

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

Site Map

Home
Employee Training
Security Awareness Training
Public Speaking
Expert Witness
Workshops
About

Resources


CMMC
Newsletter
Whitepapers
Articles
Videos
Interviews

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy