Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

January 16, 2024

Good morning, everyone!

This week’s critical vulnerabilities:
  • Ivanti has released critical fixes for its Endpoint Manager (EPM) product
  • QNAP has released multiple security patches for QTS, Video Station, QuMagie and Netatalk products
  • Microsoft and Adobe released multiple security updates for January's Patch Tuesday
  • Two WordPress plugins, POST SMTP and AI Engine, released critical updates this past week

    Did your "automatic" updates get installed?

Patch All the Things!



You can't solve a process problem with technology (Part 2)

Back in November I wrote a newsletter on this topic, prompted by the Okta breach. Not long after, I got a question while speaking at a conference that made me think about this a bit more.

I was speaking to an HR group when a question came up about the MGM breach:

"All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk"

The question asked of me was "How do we stop the use of employee information on LinkedIn for social engineering attacks?" It struck me as wrong somehow. People are going to put their employment history, experience, job titles, skills, etc. in their LinkedIn profiles, and you can't stop attackers from using whatever information is available to them.

The real question is: How do we stop social engineering attacks from being successful?

Last week I read a good piece (8 Strategies for Defending Against Help Desk Attacks) with some pretty good technical recommendations on the subject for businesses, and one really good piece of advice for everyone in most every situation: When a user request is received, IT should call the user on their trusted, registered device to verify their identity.

This is truly the simplest way to stop a social engineering attack in its tracks. Just a few days after reading this article, I received a phone call from a good friend who is the bookkeeper at a financial services firm. She had received an email request to change the bank account for an employee's salary deposit. Her standard procedure is to call and verify before making a change like that. She called, and the employee had not requested the change, had not sent that email. How about that? A simple phone call prevented a potentially expensive mistake.

It reminded me of the "grandchild in jail" scam that I first read about in 2014 and that is still happening now. A simple phone call to verify can prevent a potentially expensive mistake.

So, I leave you with this thought for the week: When in doubt, pick up the phone and call to verify! Sometimes the old ways really are the best.

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass

grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com



Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com


Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved.