Channel: Cyber Security Consultant – Mike Foster, CEH, CISA, CISSP

1 Million Android User Accounts Reported Hacked

It was reported yesterday that malicious apps running on Android phones have resulted in 1 million Google user accounts being hacked. Check Point Software Technologies estimates that 75% of Android phones are still vulnerable to this attack. Once the attackers take over the phone, they can then gain access to the user’s Google accounts. Often the best way to steal data from a mobile device is to simply steal data and images stored in a user’s account. That applies to all brands, not just Android.

A big problem is that security patches that protect against these kinds of breaches never reach users’ Android devices because of something known as Android fragmentation. When Google releases security patches, the patches are sent to device manufacturers, who are then responsible for releasing the patches for their different models. Some do not release the patches, or do so after a long delay.

Google is taking steps to help mitigate the problem, such as scanning phones and apps to look for Gooligan code and forcing resets of credentials to Google accounts. But so far that hasn’t been enough to protect those million users that have had their accounts hacked.

So, what can you do? Always stay up to date with the latest Android versions and patches. Choose a brand that has a track record for releasing patches every 30 days. BlackBerry is one of those brands, but few people use those devices. If 30 days is too long to wait, consider using the Google Pixel line of Android phones: because Google makes the devices, patches and upgrades should be available for download immediately upon release. Note: Brand names are mentioned to provide value to you. We do not receive any kind of compensation for mentioning brands. Another strategy is to install as few apps as possible on your device. Each app is a potential security issue, and many people have installed apps that they realize are not essential; some apps are rarely, if ever, used.

Please forward this to anyone you know that uses Android devices and would like to be more secure.


Finally, a Solution to Solve What May Be the Biggest Cyber Security Risk at Your Organization

It happens all the time: A user clicks on a link in an email message, and the computer gets infected. Ransomware can lock up the data on the drive or even your servers. Sensitive data can be stolen, wire transfers attempted, and other bad things can happen. When a user is tricked into clicking on a bad link, the link instantaneously takes the user to a malicious website. It may even look like a real website or pop-up window. Now the attackers win.

A drastic solution is to uninstall all browsers. Browsers can’t get hacked when they don’t exist. You can switch to a hosted browser service that runs browsers in the cloud, not on your computer.

To see how this works, watch the short videos at authentic8 dot com and Citrix dot com/virtualization/secure-browser

This newsletter is targeted to executives who don’t need to understand technology, so you may choose to forward the following technical information to your IT Department.

And please forward this to anyone whose cybersecurity you care about.

For our more technical audience: As of today, only authentic8’s solution supports general web browsing, but both support web applications.

Since these services put security first, and functionality a close second, you may still need a local browser for some applications if they don’t function properly in the hosted browser environment. But, if that is the case, you may be able to remove Flash and Java from your systems to make your local browsers more secure.

The biggest problem with both products is that they do not have a way to be set as the default browser to be used if a user clicks inside an email message. So, if you must leave a local browser installed, your users will still need to be careful about clicking links in email messages. The solution may be available soon.

Hosted browsers still protect your computers during web browsing sessions. And it becomes practically impossible for an attacker to use a hosted browser to access the sensitive data stored on your network drives.

Investigate using a hosted browser for added protection against the many threats on the Internet that exploit browsers and plugins such as Flash and Java.

More than 1 Billion Passwords Stolen – What to Do

You hear in the news that Yahoo, or some other company, got hacked and your username and password may be in the hands of attackers. There is a way to find out if your credentials were exposed.

An Australian Web Security Specialist, Troy Hunt, has compiled a database containing usernames that have been stolen in hacks and then published or sold. Some people use his site to look up their own email address or username.
His website is haveibeenpwned dot com. (In this case, Pwned refers to a condition of someone else having access to your login credentials.)

At his site, people enter their email address or any usernames they’ve used for online logins. Sometimes, they look up addresses of their family members. If there is a hit, the details of the breach are displayed on the site.

Even if not on the list, there is no guarantee that person’s credentials haven’t been stolen, but it still helps to know.

If you ever suspect that your login credentials to any website have been exposed, it is very important that you reset the password on that site, as well as any other sites where you may have used the same password.

There are other strategies to protect yourself. Enabling two-step-logon is very important these days since it can thwart attackers who know your username and password. Using a password manager, as opposed to letting your browser store passwords, can help make password security more convenient, but it still needs to be used carefully. These strategies are explained in detail elsewhere in this blog.

Forward this to anyone who might want to know if their username and password has been hacked.

How My Daughter Almost Died This Weekend & a Resolution Recommendation for You

My 7-year-old daughter has been very ill since Thanksgiving. She has been under the careful care of her pediatricians at the medical system to which we belong. They have more than 10 million health plan members across the US, so they can be trusted, right?
Even with multiple appointments and following the pediatricians’ prescriptions exactly, her health has been on a steady decline over many weeks.

She became so tired and lethargic that I determined that one of the best things I could do was stop letting her pediatricians care for her; so, I rushed my 7-year-old angel to an emergency room at a different healthcare system. Tests revealed that her body was on the precipice of shutting down. Her body was going into shock, perhaps irreversibly. The ER physician explained that, even with immediate medical intervention, she might die. I had no idea how hearing those words would feel to a parent. Like a sledge hammer hitting one’s chest. The doctors admitted her to the hospital immediately.

Today marks her fourth day in the pediatric unit at the hospital. I just gave her a big hug, and she smiled and said, “I love you Daddy.” Were it not for the IV in her arm, it could have been a normal evening. After giving that sweet hug, she snuggled up with my wife in the hospital bed, and fell asleep.

She is going to be ok. But, had I continued to adhere to our health system’s pediatricians’ advice, that hug would never have happened, and her sleep would have been eternal.

How is it that a huge medical system, with 10 million members and more than 180 physicians, could do such a poor job? If a doctor has a computer in the examination room, and a tablet everywhere they go, does that make them a competent physician? Does the technology help them do their jobs, or get in the way of taking care of their patients?

Another experience: Two weeks ago I encountered a CEO who has tossed his smartphone and gone back to a flip-phone. He is not the only CEO making this move. He says the smartphone technology slowed him down. He didn’t need the frustration, and is fine with all the ribbing he receives from his peers about being a technology Neanderthal.

Perhaps he possesses the uncommon wisdom to know when to use, and not to use, technology.

How often do salespeople, especially those in the field, lament that being forced to use technology for all aspects of their role hurts their ability to sell productively?

Have you ever encountered an organization that spent a ton of money on a new ERP that was supposed to be amazing, but they ended up abandoning the ERP project later at an incredible expense?

Have you ever heard of a company so debilitated by ransomware that they could not run their organization until they recovered from the attack? Should your organization be that dependent on technology? Yes. In some businesses, it is practically mandatory to be that reliant on technology.

Being reliant on technology is a big part of doing business.

But it is time to reconsider the wisdom of relying on computers, the cloud, and other technologies for every process in your organization. As the CEO pointed out, this not only applies to the organization, but to individuals as well. Just because there is an app for that doesn’t mean the app is a better way to do things.

I encourage you to make another New Year’s resolution: Identify where technology truly helps, and where it impedes, your organization’s effectiveness. By all means, continue to use technology where it serves you well; be the best at utilizing the technology. And, be courageous enough to go against the technology trend, where appropriate.

Challenge your executives to identify the effectiveness of using every program and process in your organization. Definitely keep technology that serves you, and ditch the rest. Those actions may lead to some of your biggest wins in 2017!

Please forward this to anyone who you feel will benefit from stepping back and examining which technology serves them, and what doesn’t.

Spammed by a Taxi

Spam isn’t just for email anymore. I just landed at Kansas City International airport. They don’t have a taxi line; passengers go to a special taxi phone and lift the handset. The taxi dispatcher said, “Taxi 1515 will be there in 2 minutes.” Less than a minute later, a man approached saying, “I am the taxi you called.” His car was a black Nissan sedan. Sort of like getting a spam email message that contains spelling errors, he was giving away clues that he was bogus.

I decided not to click. In other words, I thanked him and walked away.

He came after me, showed me an airport security badge that looked official, and reassured me that he was the taxi I called. I asked him what his taxi number was. He made up a number, 1212. I told him no, so he jumped in his car and sped away.

Soon, a taxi showed up, painted like a taxi, with the number 1515 on the windshield. That’s the taxi I expected. The driver said that kind of thing goes on frequently, costing real taxi drivers income.

So the concept of spam messages, bogus people trying to get users to click, extends beyond email. In fact, that misleading problem has likely been around ever since business started. The victims are trusting of the wolves. Spam is no different. Teach your workers, and your family, to follow the admonition: Trust, but verify.

And how did that guy get an airport security ID anyway?

Alert IT to Graphics Component Patches

Security patches are so important to security, but they are difficult to manage and you always stand the risk of a patch interrupting productivity. And there are some new patches your IT team needs to know about…

Microsoft has released a series of patches related to the Windows Graphics Component. As IT professionals, we are tempted to think that, since it only applies to graphics, the patch isn’t that important.

Actually, the patch is very important. An attacker can execute code on your computers, perhaps even ransomware, if the patch is not installed.

We are seeing a trend during audits, of these patches being missing.

If you are a home user, be sure you are applying patches too. Chances are that you have your computer configured to auto-update.

And at your organization, be sure to alert your IT team that these patches to the graphics component are important too.

As long as your IT team is provided enough time to keep your system backed up and to test the patches, applying your patches isn’t as ominous as hackers hope your IT team feels it is.

And, as executives, you can help a lot by providing them time to focus on testing and deploying the patches. They are very busy already.

Please forward this to everyone you know whose systems may be missing these seemingly unnecessary patches. It will help stop the attackers!

If Bitcoin Went Away, Would Ransomware Be Defeated?

It is day four of the massive RSA security conference, and it is incredibly enjoyable to be gathering the latest security information. I was visiting over lunch with a gentleman from London, and he made the comment that ransomware would no longer exist, were it not for Bitcoin.

He pointed out that governments and banks are getting much better at tracking wire transfers. The way ransomware attackers can remain anonymous is through requiring ransomware payments via Bitcoin. But, alas, Bitcoin is not going to go away.

Some people, as controversial as it sounds, feel that ransomware has a bright side. If an organization gets infected with ransomware, at least they know their systems have been compromised. Other successful hacks may not become obvious to the victim for months or even years. When an organization gets infected with ransomware, then hopefully they will shore up their defenses, and that naturally helps protect them from many other attacks as well.

The security solutions demonstrated here at RSA are very powerful. And, for better or worse, so are the new attack vectors that are almost impossible to protect against.

The conference is exciting and depressing all at the same time. There is a lot of hype, and, when filtered through, a lot of hope. One thing is for sure, if you end up in the cross-hairs of attackers, well, let’s just hope you don’t.

Protect Against Bad Attachments and Employee Downloads

Imagine giving each of your team members a loaner computer every time they need to open a file that they download or receive as an attachment. The loaner computers won’t be connected to your network, so if a file is infected, ransomware and other viruses would not affect your network.

Note: This blog is written for non-technical executives. So, if this sounds too technical, that’s fine, just skip the rest and know your computers can, in theory, be protected even when a user opens a malicious attachment or downloads a malicious file.

The experience would be that, when a user needs to open five PDF documents, you could temporarily give that user five new computers. One computer to use for each opened attachment or downloaded document.

If one of the files contains ransomware, the infection would be isolated to just one of the computers, and would not affect the user’s normal computer, nor your network.

Instead of you needing to buy more computers to loan to your team members, what happens is that a brand new tiny Windows Operating System gets created automatically, for each attached or downloaded file.

A product called Bromium is designed to do this, and Microsoft has something more basic called WDAG. Bromium only sold to companies with 500 or more computers, but will be offering services to smaller companies, and is even shipping free on some laptops soon. Your IT professionals can get a free copy now at Bromium dot com forward slash freebeta to experiment with this micro virtualization.

There was so much to see at the RSA Security convention last week. I’ll be sharing some of the more interesting technologies with you over the next few weeks.

We do not receive any kind of compensation for mentioning products. Nor are we endorsing the products. It just helps for you to hear about these neat technologies.

Please forward this to your friends who are concerned about users opening attachments and downloaded files.


E-Mail Protection Solution

Everyone is concerned about the danger of a user clicking on a link in an email message, perhaps invoking a ransomware attack, or users responding to requests to transfer money. There are tools that will help. FYI: We do not receive any kind of compensation or payment for recommending products, nor do we endorse any of them.

An example tool that can help protect against users opening or clicking in an email is Mimecast Targeted Threat Protection. At least one of our clients uses this tool and now we do too. There are similar solutions that may work better in your situation.

Here’s what the tools do: When an inbound email contains one or more links and a user clicks, Mimecast will intercept the link and attempt to determine if the link goes to a website that is known to be malicious. If it is a known bad site, the click is blocked and the user receives a message. Your existing firewall (if you have the web content filtering feature enabled) may provide you with similar protection already for users inside your office, but not always for users who are travelling or working from home.

These tools scan email attachments in an effort to detect malicious code in the attachments. Your existing spam filtering mechanism may offer this feature.

Mimecast will also block email messages that seem to be from impostors. When a user receives an email that appears to be from someone impersonating the boss, requesting a wire transfer, the service will warn the user to be careful.

While there are no guarantees this kind of tool will stop an email phishing attack, any kind of protection is a welcome improvement. Ask whoever is providing your anti-spam solution if they offer an add-on solution similar to Mimecast’s Targeted Threat Protection.

Please forward this to everyone you know who is concerned about their users clicking a link in an email message, opening an infected attachment, or responding to an email asking them to transfer money.

Your iPhone and iPad are in Danger

If you use Apple products, here is what to do to protect yourself. By now, you’ve probably heard that attackers have told Apple that they have access to millions of iPhone and iCloud accounts.

The hacking group calls themselves “Turkish Crime Family.” They are demanding $100,000 in gift cards, or $75,000 in cryptocurrency by April 7, or they will wipe all the Apple accounts. It is easy to see why people who have Macs, iPhones, and iPads are concerned.

Apple says that Apple has not been hacked, but it is likely that any compromised passwords are the result of Apple users who may have used the same password at other websites as they do for their Apple account.

What should you do?

Perhaps the best solution to protect all your online accounts, Apple and other companies as well, is to set up two step verification.

You may have experienced going to a website, entering your username and password, and then your mobile phone buzzes and tells you to enter a code such as 777888 to complete the login process. That’s one type of two step verification.

When you use that kind of two step verification, an attacker would need to steal your mobile phone too before they could log on with your username and password. So, keep your phone with you. It will be difficult for people, especially those thousands of miles away, to access your phone even if they already know your username and password.

Another, even easier to use method for two step verification is called one tap login. Then, instead of needing to enter a code that comes via text message, all you have to do is tap an app on your phone to approve a login attempt.

To set up two step verification to protect your Apple devices, follow the instructions you will find when you google the following text. Either use copy and paste or manually type these words into a Google search:

two factor authentication for apple id site:apple.com

Always keep your devices upgraded with the latest security patches. If you have an older iPhone or iPad that cannot be upgraded to at least iOS 9 or newer, or a Mac that cannot be upgraded to El Capitan or newer, then follow the instructions you will find when you google:

two step verification for Apple ID site:apple.com

Dropbox, PayPal, Google apps, and many other sites already support two step verification. You just have to turn it on. Do it today for all of your sensitive accounts.

To set up two step verification on your Google accounts, visit www dot google dot com/landing/2step/

Another way to find that page is to google this text, including the first word google:

Google 2 step verification site:google.com

For instructions to set up two step verification at Dropbox, google this text:

enable two step verification site:dropbox.com

Use similar searches to find instructions for your other services. It is important to use the word site followed by the actual website of your service if you want to get the information straight from the service, not somewhere else.

But you may wonder what to do for all the sites that you use that do not support two step verification.

Remembering passwords is too much trouble, so many people, even non-technical people, use a password manager to remember the different passwords for them. When they visit a site that asks for a password, the password manager quickly and automatically fills in their username and password for them.

But of course, you can never feel positive that password managers will keep your passwords secure. So, separate your passwords into two groups:

Put the passwords that you need to keep really secure, such as bank passwords, into the first group. You may choose to omit those sensitive passwords from your password manager. You might choose to remember them in your head. Or if you don’t like that idea, then you can write them down on paper that you keep in a secure location. Writing them down isn’t as good as memorizing them, but at least it is difficult for people thousands of miles away to read the paper on which you wrote the passwords. Or, if you feel you must store those passwords in a file on your computer, then encrypt the file, and name the file something other than “my passwords”.

The second group contains passwords, such as airline website logins, whose exposure will not devastate you in the unlikely event that your password manager gets compromised. The passwords in this group are great candidates for your password manager.

Many people put the vast majority of their passwords in the password manager. The automatic filling in process sure speeds up the login process. Additionally, since you needn’t remember passwords anymore, using different passwords at different sites is easy. In fact, people sometimes trust password managers with even their most sensitive passwords, but only if those sites use two step verification too.

And, for a sometimes fun/sometimes scary experience, if you want to see if your password might have been hacked, follow the instructions you will find in The Foster Institute blog when you google:

How to Find Out if Your Password Might Have Been Hacked site:fosterinstitute.com

Please forward this to anyone you know who uses Apple devices, as well as anyone you know who wants to make their user names and passwords much more secure.

Alert – A Popular Password Manager Has Serious Security Flaw Right Now

A password manager company announced that there is a vulnerability that could allow attackers to gather stored passwords.

Password managers are very helpful since they make it so convenient to be secure, and can greatly simplify and speed up the login process at websites. Many people feel password managers are worth the risks, especially when the risks can be minimized as summarized below:

First, as you can see, there is no guarantee that password managers are perfect. Never store super-sensitive passwords in your password manager. Store them in your head.

Second, enable two-step verification on all websites. Then, if an unauthorized person obtains your password, they will have a difficult time logging in, if they cannot perform the second step.

Third, one of the ways to launch the exploit involves tricking the user into clicking a link, such as a link in an email message, or getting a script to run on a web page as the user visits the page. Using click-to-play can greatly minimize those risks.

To learn more about the first two, see last week’s newsletter posted at www.fosterinstitute dot com/blog/your-iphone-and-ipad-are-in-danger. Never mind the title; the content addresses the first two steps listed above even if you use Windows or Android.

As for the third point, we’ll cover click-to-play next week, or you can simply google those terms and get started right away.

The announcement came from LastPass, and don’t panic if you use it. LastPass says the exploit is very difficult for an attacker to use, but not impossible. Resetting your passwords is not going to help, yet. It will help only after LastPass develops a patch, and then only once LastPass on your computers is patched. LastPass said this only affects users using the LastPass extension in Chrome, but that researchers have used the exploit in other browsers too. Email us if you want more technical details.

Please forward this to anyone you know who may use a password manager or lets their browsers remember their passwords.

Alert Your IT Team – Urgent Patch for Network Servers

Many organizations use VMware to host their servers. VMware has released an urgent update they label as Critical.

Patching VMware, which is often used as a platform for many of your other servers, can be frustrating. If the patch causes a problem, there is a risk that all your servers hosted on that machine will go down.

This is one of those risk vs. benefit decisions that is so important, business executives must be involved.

On the one hand, the patch could interrupt business, but not applying the patch could be considered reckless.

Test the patch prior to deployment, when possible. Having a pre-planned, if not pre-tested, roll-back plan is crucial in case the patch causes a problem.

Preferably patch one server at a time so that, if the patch does cause a problem, at least the interruption is limited to that server.

Without the patch, someone could run programs on your computer, potentially taking control of the server.

The patch fixes a vulnerability in the VMware Customer Experience Improvement Program, even if a customer is not participating in the program.

Please emphasize the last phrase to your IT pros.

Ask your IT pros to look at VMware’s information by searching for VMSA-2017-0007.

Please forward this to everyone who may be using VMware, so that they can alert their IT pros just in case they don’t know already.

Attackers Are Using Mobile Devices as a Bridge into Your Network

A newly discovered virus, called Milky Door, permits attackers to connect to your organization’s network through apps on mobile devices. The users have no idea their mobile device is being used in this way.

This is an example of how, just because an app is in the app store, that does not mean that the app is safe. 200 apps in the Google Play Store are infected. Milky Door has been downloaded millions of times hidden in infected apps.

Apple is not immune to this risk.

One of the best ways to protect against this is to set up a separate wireless network, one that is isolated from your office networks, for employees’ mobile devices to use.

That way, even when a device may be physically present in one of your offices, the device will still be isolated from your network.

The same goes for laptops that sometimes leave the office. Help protect your network by forcing them to connect to a network that is isolated from your office network, even when they are present. They can gain access in the same way they do when working remotely.

A simplified version of this is for you to force all mobile devices, be they BYOD devices or company issued devices, to connect to the guest network at your offices.

The goal is to keep the phones and tablets off your network, so that infected apps won’t have such easy access into your network’s resources.

Milky Door had infected many apps before it was even detected. How many apps in app stores are infected with other malware that has yet to be discovered? To help reduce your attack surface, mandate that users only install apps that are essential.

Please forward this to everyone you know who is an executive, or owner of a business that uses mobile devices, so that they can improve their security too. Remember, you can suffer harm from hackers, even when it is someone else’s network that gets hacked.

The Jet Seemed to Explode

We were flying at more than 500 mph, seven miles straight up. It was around 11 pm and we were over the Northern US during a snowstorm. The big explosion in the plane surprised everyone…

Before our takeoff in Minneapolis, the flight attendant announced that this was the newest aircraft in this airline’s entire fleet and on one of its first flights.

All was normal during takeoff. The plane had climbed and leveled off at altitude. The flight attendant was in the aisle, just emerging from the forward galley.

Without warning, there was a blinding flash of light, right where she was standing! She seemed to disappear and was replaced by what looked like an orange fireball.

Everything happened at once. All the lights went off inside the cabin. There was an ear-splitting BOOM! The seats launched upwards with a powerful jolt.

Passengers’ minds raced. Did a terrorist plant a bomb in the cargo hold and now we were all going to crash? How long does it take to dive seven miles straight down? Do we have a chance to survive? Calmly, my thoughts were of our family and how I would miss getting to help them, as well as how much I’d miss getting to help organizations protect their networks – the two missions of my life.

I expected to feel the heat of flame and the smell of smoke, but there was none.

Instead of diving, the plane stayed straight and level.

The lights in the cabin came back on. The flight attendant was getting up from the floor.

The man in the seat next to me announced, “We just experienced a lightning strike under the nose of the jet.”

We all turned to look at him. Interesting choice of words – he used the word experienced, rather than the word survived. He went on to explain that he was from London, and his firm built many components for this new jet.

He started explaining: In the past, planes were made of aluminum, and getting struck by lightning was no big deal. The lightning usually travelled around the aluminum hull of the plane and exited without causing any problems.

New jets replace aluminum with carbon fiber since doing so can shave more than 10,000 pounds of weight off a jet.

But, carbon fiber doesn’t conduct electricity, so a lightning strike would make a plane explode into flames. To overcome this, the aircraft manufacturers embed a conductive metallic mesh into the carbon fiber, and the mesh will conduct the electricity from lightning around the fuselage.

Just like in cyber-security, a computer must be protected to achieve survivability.

Akin to the metallic mesh pressed into carbon fiber on new aircraft, computers and networks must be protected.

The wire mesh you use consists of keeping up to date with the most recent critical security patches, using technologies like click-to-play, uninstalling non-essential programs, and making sure users use standard (not administrative) local user accounts.

Once you protect your network, it is possible that security strikes will be thwarted and the event may even go unnoticed. Similarly, maybe some lightning strikes go unnoticed. But not the strike that night – there was still a bright beam of light, surround sound, and a tooth-jostling bump.

Please forward this to anyone you know who might benefit from knowing that, just like metal mesh inside modern aircraft protects against lightning strikes, there are important steps to protect computers from cyber-attacks too.

The Google Scam Shows How, If Someone You Know Gets Hacked, It Can Make You Look Bad Too


The Google scam: If anyone receives an email that contains a link to a Google Doc, do not click on the link, even if the email appears to be from someone they know and trust. Google did not get hacked, but someone else who has your email address in their contact list probably did. Anyone who clicked on that link needs to go to https://myaccount.google dot com/permissions and remove the one called Google Docs.

This kind of stuff happens all the time, not just to Google, but to other unsuspecting people.

If someone receives an email that appears to have been sent by you, and the email contains a malicious link, lots of people would think it was your fault. There is a good chance that you did not get hacked, just like Google did not get hacked, but you may get blamed anyway. What probably happened is that one of your friends, or at least someone who has you in their contact list, got hacked. Then the attacker chose to send the malicious message, that appeared to be from you, to all the other contacts stored in that person’s contact list.

Spread the word encouraging the people you know to be sure they are secure, since, if someone you know gets hacked, it can make you look bad too.

And, tell others that, when they receive a malicious email message that appears to be from someone they know, that person they know may not have been hacked.

For your own protection, forward this message to everyone who may have you in their address book.


Patching – 10 Steps to Seal the Holes in Your Armor


You’ve likely heard of the massive ransomware attack that has taken down so many organizations, including hospitals, around the world. The ransomware appears to have exploited a bug for which Microsoft released a fix a little over a month ago. Follow these 10 steps to help protect your organization from this, and from future attacks:

Instructions for Windows and Apple home users are listed below the numbers. For organizations, here are 10 Steps To Avoid Incidents Including the Massive Ransomware Attack:

1. The reality is that most organizations are missing critical security patches and there is a very strong likelihood that yours is too.

2. Provide your team with extra time, and perhaps additional personnel, to test and then deploy patches ASAP. Some organizations are adding a new IT professional to their team whose sole responsibility is to manage patches. If the patch fails testing, then time must be invested to resolve the issue or implement compensating controls.

3. Prioritize critical security patches for the operating system, all the browsers, Flash, Java, your PDF Reader, and Microsoft Office. They are usually the easiest to attack and form your first line of defense.

4. Many IT teams are very reluctant to apply patches for fear of breaking your systems that are already running. Help remove their fears by reassuring them that you take on responsibility if the patch causes a problem. Encourage them to follow a procedure that mitigates risks:

5. Test patches in a test environment that uses the same applications as the rest of your network. For very small companies, your test environment might be a single computer. For larger organizations, and organizations that stand to lose a great deal in the event of an attack, create a separate testing environment that is isolated from the production environment.

6. Have a pre-tested rollback plan so that, if the patch does cause a problem, your IT team will already know what they need to do right away to roll back a patch that causes an unexpected problem. They will then go back to the testing phase.

7. Deploy the patches in stages rather than patching all machines simultaneously. That way, even if the patch does cause a problem, not all your machines will be affected.

8. You may decide to empower your IT team with a patch management tool such as Ninite, LANGuard, Shavlik, or others. Allow them to test and choose a tool, and provide them with the means and time to do so, ASAP.

9. Ask IT, perhaps weekly and at least monthly, to provide you with a list of missing patches, not a pie chart.

10. You must upgrade from older operating systems, any of the ones that Microsoft no longer supports. If some machines cannot be upgraded, then they must be isolated or some other compensating control put into place. Microsoft clearly states when they stop producing patches for old operating systems. So, there was no patch available for Windows XP and others.

Call me if they are not able to apply patches. Let’s team up to help prevent this.
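One way IT could produce the list that step 9 asks for on a single Windows machine, as an added example that is not part of the original article: it queries the built-in Windows Update Agent and only reads, installing nothing. The CSV file name is an assumption, and the results reflect whichever update source (Microsoft Update or an internal WSUS server) the machine is configured to use.

```powershell
# Added example: list the updates this Windows machine is missing.
# Uses the Windows Update Agent COM API; read-only, nothing is downloaded or installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Software updates that apply to this machine, are not installed, and are not hidden.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# Sort order for Microsoft's severity ratings; updates without a rating go last.
$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3 }

$missing = @(foreach ($update in $result.Updates) {
    $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Severity   = $severity
        KB         = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        Title      = $update.Title
        Published  = $update.LastDeploymentChangeTime
        DaysOld    = [math]::Floor(((Get-Date) - $update.LastDeploymentChangeTime).TotalDays)
        Downloaded = $update.IsDownloaded
    }
})

# Most severe first, then oldest first within each severity.
$missing = @($missing | Sort-Object `
    @{ Expression = { if ($rank.ContainsKey($_.Severity)) { $rank[$_.Severity] } else { 9 } } },
    @{ Expression = 'DaysOld'; Descending = $true })

if ($missing.Count -eq 0) {
    Write-Output "No missing updates reported for $env:COMPUTERNAME."
} else {
    $missing | Format-Table Severity, KB, DaysOld, Title -AutoSize
    # Assumed output location: the current directory. Adjust for your reporting share.
    $missing | Export-Csv -Path ".\missing-patches-$($env:COMPUTERNAME).csv" -NoTypeInformation
}
```

Run it from an elevated PowerShell prompt; the DaysOld column shows how long each fix has been available but unapplied, which is the number to watch between weekly reports.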

At home, or if your organization is so small that you do not have an IT team or have an outsourced IT company that takes care of your patches, be sure that the option that provides automatic updates to Microsoft is enabled. The instructions are easy to find – just google the phrase: configure automatic updates site:Microsoft.com

Apple computer users, google: Automatic security updates os x site:apple.com

iPhone and iPad users, google: Automatic security downloads ios site:apple.com

Additionally, manually check for updates in Microsoft Office to be sure those are applied. Be sure that automatic updates are enabled in your browsers. Regularly download and apply patches to, or new versions of, Flash, Java, and your PDF reader.

Please forward this to everyone you care about and want to help stay secure.

Get Apple’s Urgent Patches that Fix Dozens of Security Holes


For those of you with Apple products, Apple just released some important updates.

Knowing that updates might cause a problem, please back up your computer first. You are backing up all the time already, right? Time Machine is a wonderful tool and is built in. If you want to supplement Time Machine with an additional backup, Carbon Copy Cloner from Bombich dot com is very popular and clients experience great results. You’ll need a couple of external USB drives, but the investment is worth it.

In case you are not familiar with how to apply patches, here are instructions:

On your Apple computer, even if your computer is set for automatic updates, it is good to verify that you have the most recent patches. Click on the image of the apple in the top left corner, and choose App Store. If not already selected, choose Updates inside the title bar that already contains the words: Featured, Top Charts, Categories, Purchased, and Updates. You may see many updates for your applications, and those are fine to apply, but the urgent one is the update called macOS Sierra Update and the version is 10.12.5. If you’ve not updated in a while, you may see other macOS updates too.

iPhone and iPad users, press on the Settings icon that looks like a gear. In the left-hand column, select General, and you’ll see Software Update on the right-hand column near the top. The most recent patch is for iOS 10.3.2.

If you want to configure automatic updates for your Apple computers, find instructions by searching for this phrase in Google: Automatic security updates os x site:apple.com

If you want to configure automatic updates for the iPhone and iPad, find instructions by searching for this phrase in Google: Automatic security downloads iOS site:apple.com

Please forward this to everyone you know who uses Apple devices and you want to help be more secure…

Straw, Sticks, or Brick: How to Tell Which Your Network Is, and How to Improve It


Just yesterday, someone told me they think they are secure because they have anti-virus, strong passwords and a firewall.

Last weekend, I asked my daughter to tell me a fairy tale. She chose The Three Little Pigs and the Big Bad Wolf. As she told the story, it became so clear that organizations use straw, sticks, or brick to build their cyber-security protection. See which you are, and how to improve:

Security built with straw is weak, and too common. It is when executives say:
1. “We moved everything to the cloud so we no longer need to be concerned with security.”
2. “Everybody is getting ransomware, so it is no big deal if we do too.”
3. “We encrypt our data, so it is safe.”

Security built with sticks is common too, and better, but will not stand up against attackers. They think they need only three things and can stop there:
1. Anti-virus
2. Firewalls
3. Strong passwords

Security built with bricks is very rare. You still need the “sticks” combination, and the rest of making a home out of brick is achieved by doing the hard things that attackers are counting on organizations not doing:
1. Ensure no programs or scripts can run unless approved
2. Keep patches current without crashing systems
3. Constantly measure to make sure the right things get done. Support your IT Professionals generously by truly listening to them and supporting them as they accomplish these difficult tasks

Past, and future, blog entries explain how to implement the brick solutions above.

Please forward this to everyone you know who may have built their cyber security out of straw or sticks. Encourage them to get out the bricks ASAP.

Protect Yourself: Do Not Connect a New Computer to the Internet


Some people turn on a brand new computer, connect to the Internet, and download anti-virus to their new computer. When you think about it, it would be better to install anti-virus on the new computer, and have more protection, before connecting it to the Internet.

This involves going to a computer you trust that is well protected, and downloading the installation files for the anti-virus program that you will install on your new computer.

Then you can copy the anti-virus installation files to the new machine, install anti-virus, and then connect to the Internet so your new computer can get patches, etc.

Of course, if the old computer that you use to download the files is infected, there is a good chance that the new computer will catch that virus too – so be sure you trust the old computer.

Please forward this to everyone you know who might otherwise be tempted to connect a new computer to the internet before installing anti-virus first.

Online Password Warehouse, OneLogin, Discovers Massive Breach


Without getting complicated, OneLogin, Okta, Centrify, Microsoft, RSA SecurID Access, Salesforce App Cloud, and even more basic password managers store user identities and login information. Using these services means that users only need to remember one password and all of their other logins are handled for them.

The most important thing about the OneLogin breach: It affects you and everyone else, not just the 2000 customers of OneLogin.

If you store information in the cloud, including information your customers entrust to you, and if your cloud provider uses OneLogin internally, then your sensitive information could possibly be accessible as well. Cloud-based service providers you use every day might use identity management.

This is another example of how someone else’s breach can hurt you, including exposing your customers’ sensitive information.

The big question is: How long have attackers had access? Thank goodness OneLogin at least identified that they’d been breached. Are any other identity management firms breached and don’t yet realize it? What are attackers accessing around the world using stolen passwords?

Please forward this to anyone you know who may not realize that these single points of failure, holding login information for many services that even your service providers may use internally, are very attractive targets for attackers. One successful attack results in a goldmine of information, including yours.
