
Microsoft Will Stop Protecting Windows 7 on January 14, 2020


Windows 7 computers will still run, your anti-virus will still work, as will your other programs. But you are taking a significant risk because Microsoft will no longer provide security updates that help keep attackers out of your network.

Security patches are one of the best ways to protect your systems from attacks.

Any of your computers that you purchased six years ago came with Windows 7 installed. Unless you paid for new licenses and gave your team time to upgrade them, those computers run Windows 7 today.

Some of your options include:
– Buy new computers
– If the computer is strong enough, upgrade Windows 7 to Windows 8.1 or Windows 10
– Ask your IT team whether you use a technology called VDI. If so, they can uninstall Windows 7 completely and install Linux, make a bootable thumb drive, or use a No Touch Desktop program. The computer then functions only as a screen and keyboard for a server where Windows runs

If, for any reason, you need to keep Windows 7 on some workstations, be sure to give your IT team time to implement compensating controls. For example, they can isolate the computers from the rest. Ask them to install Microsoft’s downloadable EMET security tool that works in Windows 7.

Support for Windows 8.0 ended in 2016.
Support for Windows 8.1 ends on January 10, 2023.

Please forward this to your friends and business associates, so they know January 14 is when Windows 7 becomes a severe security risk to their networks.

The post Microsoft Will Stop Protecting Windows 7 on January 14, 2020 appeared first on Mike Foster, CEH, CISA, CISSP.


Avoid Opening Word Attachments – Check with IT First


When you receive an email message with a PDF attached, it is always best to confirm that you are expecting the attachment before opening it. However, if you receive a Word, Excel, or any file type other than a PDF, beware.

In the past several days, two of our customers suffered a potential breach when their users opened Word documents sent as attachments. The infected files slipped right past sophisticated email protection systems.

Fortunately, at both companies, the IT teams got involved early on and averted disaster.

In one case, the attachment came from a trusted third party that was unaware their systems were compromised. Remember, your security is only as good as the security of your third party providers.

If you unexpectedly receive an email message with any attachments other than pdf files, be very skeptical and notify IT immediately. You may save the security of your organization.


Protect Your Network Even when Attackers Trick Your Users


A business contacted our office last week because a bad actor tricked an employee into giving them full access to their computer.

The bad actor immediately took over the network and started performing highly illegal activities that appeared to come from the victim’s systems. User training is not enough. It is essential to take additional steps to help protect your network when an attacker is crafty enough to trick a user.

Firewalls, almost universally, have a feature called web content filtering. There is a possibility that your IT professional configured the firewall to block known gambling, gaming, and sites with people with no clothes.

Unless you do business with every country in the world, have your IT team configure the firewall to block traffic from all countries except those where you do business.

It is possible that some of your third parties use sites in other countries to handle your sensitive data, and this is a great time to find out by blocking other countries to see what happens. Your security is only as good as the security of your third party providers, and they need to disclose to you any risks they take with you, and your customers’ confidential data.

If you want to be super cautious, rather than block everything at once, you can ask your IT professional to dump the contents of your web filter’s log into a spreadsheet, or some other database, that will identify traffic trends, sources, and destinations.
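
Here is an added example, not part of the original post, of the kind of summary your IT professional could produce from that log dump. It reads web filter log lines and groups them by destination country, flags countries outside an approved list, and writes the result to a spreadsheet. The log lines, column names, user names, and the approved-country list are all constructed for this example; a real firewall exports different column headers, so the header row and property names must be adjusted to match.

```powershell
# Added example (not from the original post): summarize a web content filter log
# by destination country so executives can see where traffic goes before deciding
# which countries to block. The log lines and column names below are constructed
# for this example; real firewalls export different headers, so adjust the header
# row and the property names to match your own export.

$constructedLog = @'
timestamp,source_ip,user,dest_host,dest_country,category,action,bytes
2020-03-02T09:12:44,10.0.5.21,alice,mail.example.com,US,business,allow,48211
2020-03-02T09:13:02,10.0.5.33,bob,cdn.example.net,DE,cloud-storage,allow,913220
2020-03-02T09:13:40,10.0.5.21,alice,crm.example.com,CA,business,allow,20455
2020-03-02T09:14:05,10.0.5.47,carol,video.example.org,US,streaming,allow,5242880
2020-03-02T09:15:11,10.0.5.33,bob,update.example.net,DE,cloud-storage,allow,104857
2020-03-02T09:16:30,10.0.5.58,dave,files.example.ru,RU,file-sharing,allow,734003
2020-03-02T09:17:52,10.0.5.58,dave,login-example.tk,RU,phishing,block,1200
'@

# Countries the organization does business with (an assumption for this example)
$allowedCountries = @('US', 'CA')

$entries = $constructedLog | ConvertFrom-Csv

# One row per destination country: request count, volume, who generated the
# traffic, which categories it fell into, and whether the country is unexpected.
$byCountry = $entries |
    Group-Object -Property dest_country |
    ForEach-Object {
        $bytes = ($_.Group | ForEach-Object { [long]$_.bytes } | Measure-Object -Sum).Sum
        [pscustomobject]@{
            Country    = $_.Name
            Requests   = $_.Count
            MegaBytes  = [math]::Round($bytes / 1MB, 2)
            Users      = ($_.Group.user | Sort-Object -Unique) -join ', '
            Categories = ($_.Group.category | Sort-Object -Unique) -join ', '
            Unexpected = $_.Name -notin $allowedCountries
        }
    } |
    Sort-Object -Property Requests -Descending

# Show the summary on screen and hand the spreadsheet to the decision-makers
$byCountry | Format-Table -AutoSize
$byCountry | Export-Csv -Path '.\web-filter-by-country.csv' -NoTypeInformation

# Detail: which users reached unexpected countries, and through which sites.
# A legitimate third-party provider hosted abroad shows up here before you block it.
$entries |
    Where-Object { $_.dest_country -notin $allowedCountries } |
    Select-Object user, dest_host, dest_country, category, action |
    Sort-Object user, dest_host -Unique |
    Format-Table -AutoSize
```

With the constructed lines above, DE and RU are flagged as unexpected; the detail list shows that bob’s traffic to DE is a cloud storage provider worth asking about before blocking, while dave’s traffic to RU includes a blocked phishing site. That is exactly the distinction you want in front of the executives before the country block goes in.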

Now is an excellent time to ask your IT professionals, even if you outsource IT, to devote time to tuning your web content filtering to be restrictive.

You can even update your routers at home if they support web content filtering, and they might. An excellent place to start is at the device manufacturer’s website. There will be instructions to download and install the most recent firmware. Look at the support site about ways you can enable supported security features in your home devices, including web content filtering.

Please forward this to everyone you know so they can ask their IT professionals to turn up their web content filtering to help protect against social engineering attacks.


What Will You Do if Your Customers’ Spam Filters Block Your Messages?


One of the ways your spam filter helps to stop unwanted messages is to block messages from mail servers with a bad reputation for spamming. What will you do if your company gets labeled as a spammer? First of all, nobody will receive your company’s messages.

What will you do when you send invoices, but your customers never receive them?

When you reply to your customers’ email messages, and they never receive your reply, what will you do when they think you are ignoring them?

What if your prospects never hear back from you?

Being blacklisted can cause havoc at your company because of lost communications. A common way to get blacklisted is to send repetitive email messages, such as a newsletter, from your email server. Instead of risking being blacklisted, many organizations use an email newsletter service to send newsletters.

A growing problem is when attackers take over your email server to send spam. The next thing you know, you’ll be blacklisted, and your email messages won’t reach your recipients. AI technology escalates the sensitivity of spam filters that feed blacklists.

Over the past several weeks, numerous customers experienced instances when their email messages did not reach customers who use Office 365. Microsoft’s spam filter is very aggressive, and it is close to impossible to get Microsoft to stop blocking your organization’s email messages once their servers disapprove of your email addresses.

Sometimes your messages are blocked because of a long signature.

Even if an attacker cannot access your servers, all they need is one user’s email address in your company. If they use the user’s account to send out spam messages, spam filters may put your entire domain on a blacklist.

The key is to protect your email accounts and your email servers. Be sure your network and cloud security is substantial. Revisit your email server’s security, as well as your users’ account security, regularly to avoid being blacklisted.

Please forward this to your friends, so they know about blacklists too.


Good News for Windows 7 Users


Microsoft stops supporting Windows 7 on January 14, 2020. If you are not going to upgrade, there are options.

Of course, in most circumstances, it is best to upgrade. Windows 7 is dated and missing the security features of Windows 10.

For businesses, Microsoft offers extended support via critical security patches for Windows 7. You need to contact them to find out pricing, but you’ll likely find out the pricing is $50 per Windows 7 instance for an added year. The next year will be $100 and a third for $150 each. More information: https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates

Home users are not supported. However, many people find that Microsoft allows them to use their Windows 7 license key to activate Windows 10. The path isn’t super easy, but possible. Here is more information: https://www.howtogeek.com/266072/you-can-still-get-windows-10-for-free-with-a-windows-7-8-or-8.1-key/


Remember to Give Your IT Pros a Holiday Gift


Your IT Team pours out so much time and energy. If you aren’t already, you can brighten their holidays by giving them a gift.

The work they do is often so complicated, yet they make it look easy. Unless you are a high-tech executive, it can be difficult to appreciate how sometimes your team accomplishes a miracle.

In some organizations, the only time the IT team gets noticed is when something technology-related stops functioning correctly.

IT pros, by nature, need to invest more than 40 hours a week to keep up with rapidly changing technology. That doesn’t include responses to the helpdesk crises and completing the projects assigned to them.

Executives reading this newsletter already feel compassion for and support their IT teams. But just in case you know an executive who doesn’t, or the gift slipped their mind, please forward this message to them. And why not add an IT Appreciation Day to company calendars?

Happy Holidays – and you deserve a bunch of credit too!


Adobe Flash Stops on December 31, 2020. Are You Ready?


For more than 20 years, Adobe Flash helped websites deliver video content to your screen. However, attackers use Flash to inject ransomware and other malicious code into computers. The bad actors are usually one step ahead of security patches.

To end this security nightmare, Adobe set Flash’s official termination date to December 31, 2020. Expect your browsers (Firefox, Chrome, Edge, etc.) to disable and remove Flash on or before that date.

That helps security, but Flash’s demise could negatively impact your organization. If one of your websites requires your customers to use Flash, it is time to convert the content asap. Unless you are sure, meet with your web development team and confirm your visitors and customers do not need Flash to use your sites. If so, your developers can convert your content to use supported technologies.

Additionally, ask your IT professionals if your team members rely on sites that require Flash. If so, now is the time to work with those providers to spur them to transition away from Flash. If they refuse to move, you need to find other options.

While frustrating to many, especially frustrating to attackers, the ultimate demise of Flash helps make the world a safer place!

Please forward this to your friends in case they aren’t aware that Flash’s termination date is December 31, 2020.


Information that You Need to Know About the California Consumer Privacy Act


California’s CCPA went into effect on January 1, but you have until July 1, 2020, when it is enforced. Get started now. First, add a footer to all of your web pages to the effect of “The CCPA requires us to notify you that we could sell your data unless you opt-out here” and provide a link. Do it even if you don’t sell data.

CCPA applies to you if:

  • At least half of your organization’s revenue is from the sale of personal data, or
  • Your organization stores personal data of fifty thousand people or more, or
  • Your organization has at least twenty-five million dollars annual revenue

If one of those applies, then:

  • If a consumer in California asks, you must be able to give them copies of all of the data you collected about them.
  • You must be able to tell them if you sold their data and to whom.
  • Consumers can demand that you delete their data. Scouring their information from all of your applications and tools can be difficult because you have to remove them from your contact list, accounts receivable, order history, and everywhere else you store any information about them or their activities.

Protected data includes contact information and anything that can identify a household, including GPS locations.

Confusion abounds in the CCPA. For example, if consumers choose to opt-out, an organization cannot discriminate against them by blocking or offering a lower level of service. But some companies provide services based on their consumers’ data, so how can they give the same level of service to consumers who do not provide data? Another example is that employers need to keep some data on employees. What if an employee asks to have all their data, including their social security number, erased everywhere, but wants to continue their employment? There are extensive attempts to address these issues, but the rules are confusing.

You’ll need to involve your lawyer to help wade through the issues, and that leads to the obligatory disclaimer: Do not misconstrue this to be legal advice. Check with your lawyer.

The CCPA is only the beginning. Expect to see similar laws in other states and at a national level too. Please forward this to your friends and associates, so they know they only have until July 1, 2020, to prepare.



Executives Appreciate it when IT Professionals Communicate Effectively

Today, an IT Guru called to gather more information as he prepared to meet with his executives. His methodology was impressive, and executives might want to forward this to their IT professionals. IT professionals want to do a great job of communicating with executives, and they welcome guidance on communication.

A while ago, the executives approved IT configuring the firewall to block gambling, job search, and some other website categories from workers. As usual, the workers pushed back.

The executives asked the IT team to meet with them. What stands out is how the VP of IT prepared before the meeting. First, he organized a list of pros and cons for the executives before the meeting. He listed substantial risks from unauthorized websites, including security risks, ransomware, credential harvesting from fake login screens, and more. He examined mobile phone records and was able to demonstrate that, with 1000 mobile devices using a total of 25 Gigs of data, they could save $50 per year per device. That adds up to fifty thousand dollars saved each year. He wasn’t advocating blocking, or not blocking, the content. He provided the executives with accurate numbers so they can decide.

He pulled service tickets and showed the time expense of blocking, and converted that to a numerical figure of how much money they could save by continuing blocking. He also pulled specific websites that users submitted to have unlocked. That way, the executives could choose what to open up. He printed sixty category choices to review with the decision-makers if they want. Rather than merely stating that blocking unauthorized music and media websites will speed up Internet connectivity, the executives benefit more when IT pulls logging information and provides specific numbers, such as 80% of the traffic being unapproved. He offered alternatives to add safety even without blocking, including virtual browsers, which host the user’s browsing experience in the cloud and keep the traffic entirely off of their computers.

The way he finished the conversation with me was beautiful. He said that he wanted to give the executives the right information so they can make an informed decision. Please forward this to your friends in case they want to share the example with their IT professionals too.


Prepare Your Organization for a Reaction to Coronavirus


The city of San Francisco just declared a state of emergency over the Coronavirus. Other cities will follow suit – maybe yours.

I’m in San Francisco right now at the RSA cybersecurity conference. Hand sanitizer is everywhere, and people are using it.

Italy shut down some towns. There is a possibility, however remote, and perhaps not for months, that US cities might shut down too. Prepare for the potential impact on your organization. For example, if schools shut down, will some of your workers, including IT team members, be unable to come into work because they need to stay at home to watch their youngsters?

Make sure all of your network users can work from home concurrently. Your IT team might need to increase the capacity of your servers to handle the additional workload. Can your workers use their phones to conduct business remotely? Does your IT team need to set up remote VoIP phone clients? Are IT team members cross-trained to be able to cover other workers’ duties? Does everyone know who to contact at your company for the most current information?

Even if your workers can work, they will put the safety of their families first. When Italy shut down some towns, the grocery stores ran out of food and supplies quickly. Encourage workers to stock up on food and products they usually buy, including non-perishables. They need to have enough medications. Once their family is taken care of first, then your workers can devote attention to work.

Prepare for loss of, or delays in, sales and income. Develop contingency plans. Would the loss of one of your primary suppliers devastate your business? Are you prepared if some essential piece of machinery, or network server, needs repair and you cannot get spare parts? Assign someone or develop a team at your company to focus on the risks and develop contingency plans. Remember IT.

Warn your workers that there will be an increase in spam and phishing as bad actors prey on their worries of the virus. They must be vigilant to spam and fake news.

For more information, Homeland Security offers suggestions at ready.gov/business/implementation/IT, and the CDC provides a useful document at CDC.gov/flu/pandemic-resources/pdf/businesschecklist.pdf.

Notice signs of things to come including a potential reaction to the virus. The falling stock market is a sign, Italy closing cities is a sign, and San Francisco declaring a state of emergency is a sign. Prepare now in case things start happening rapidly.

Please forward this to your friends so they can prepare their organizations for possible public panic and quarantines over Coronavirus.


Recommendations for Cybersecurity for Remote Workers During Coronavirus


The rapidly changing situation of potential school closures, self-quarantines, and public reaction to the coronavirus guarantees that at some point you will have employees who need to work from home.

If the employee’s computer isn’t secure, your organization’s security is at risk. Attackers can compromise a home user’s device to gain a pathway into your organization’s network and data. Whether the attacker installs ransomware, steals sensitive information, or shuts down your entire network, you can suffer greatly. Therefore, you need to take essential steps to protect yourself, your employees, and your organization. Here are some key suggestions to help you navigate this crisis.

Remote Access Tools:
Your employees need to securely access email messages, applications, and data. You may need them to participate in secure meetings. They may need a phone that behaves as a secure extension as if they were at the office.

If you already have remote workers, your main concern will be to ensure your servers are powerful enough, your connections to the Internet fast enough, and that you have enough licenses to support the increased volume of activity.

There are so many choices of platforms and tools. Each has its own cybersecurity concerns. You might hear about remote access solutions such as Citrix, GoToMyPC, LogMeIn, Remote Desktop, Splashtop, Terminal Server, and VNC. For meetings you may use BlueJeans, GoToMeeting, Join.me, Microsoft Teams, Skype, and Zoom.* There are others too. Let your IT team use the one they are most familiar with so they can deploy and troubleshoot solutions much quicker. You might ask them to share the pros, cons, and expenses of different solutions, but act as quickly as your risk appetite allows. It is difficult to predict how quickly the reaction to the coronavirus will accelerate.

A VPN Is Not Enough:
There is a worldwide misconception that VPNs provide security. By themselves, they do not. What VPNs do provide is privacy. Think of them as a tunnel that protects data from observation, deletion, and modification while the data travels inside the tunnel. But attacks can lurk at both ends of the tunnel. Therefore, both sides of the VPN connection must be secure. VPNs are useful to protect privacy, and there are other ways to help ensure privacy too.

Connections to the Internet:
Your remote workers need secure connections to the Internet. When they are working from home, they may share their network with less secure family members or compromised IoT devices. That’s why connecting at home might be too risky. Connecting to a coffee shop, hotel, or another public place is reckless unless you mandate compensating controls.

Sometimes the best way to resolve many security risks associated with the remote computer’s connectivity to the Internet is to provide them with a mobile hot spot. All the major phone carriers provide hotspots and most smartphones have the capability of behaving as a hotspot, enabling employees to connect via mobile phone data plans. Beware that even unlimited data plans are limited; once the user goes over a certain amount of data, the phone provider can throttle the speed of the data to an unacceptably slow connection. If you need unlimited data without throttling, consider a solution such as calyxinstitute.org.* Bear in mind that as more people work from home during the outbreak, mobile data speeds may deteriorate due to congestion. Evening and late nights will usually be faster, not only due to a drop in demand, but also mobile phone providers often allocate more bandwidth to data at night and reallocate bandwidth back to voice calls during the daytime.

Home Wireless Networks:
These days, it’s common that your users already have long wireless passwords and use at least WPA2 encryption on their Wi-Fi network. Disable a feature called WPS. WPS is designed to make it easy for people to connect new devices. Unfortunately, it also makes it easier for attackers to connect. If the user needs WPS to connect a new device, they can enable WPS temporarily. There is an option called MAC filtering that permits your user to specify what devices are allowed to connect to the access point so that, in theory, no unauthorized devices can connect. Beginner hackers know how to bypass MAC filtering, but you could use it to stop less savvy neighbors if you want.

Firewalls:
If your team connects from home networks, the modem their Internet Service Provider gave them provides limited security. Bear in mind that the ISP’s primary goal is to eliminate compatibility issues with anything home users connect, so they avoid tight security controls that could upset a customer or cause more support calls. If possible, it is a great idea to tell the firewall to block specific content. For example, you could tell it to block known malicious sites, sites known for phishing, and websites with content about drugs. You can block traffic from all countries except the ones you need. If you use cloud applications, you may be surprised which countries that software takes you to.

For a secure connection, your IT department might equip your remote employees with smaller SOHO firewalls for their homes that run behind the users’ own firewalls. This can effectively isolate your users from the rest of their home network. If your employee must use a public network such as a coffee shop, your IT team can set up a hardware bridge to help protect their connection. Avoid the temptation to ask your IT team to examine and update consumer firewalls at users’ homes, as that can be enormously time-consuming depending on how many users you have.

Passwords and Cloud Security:
It is essential that you implement two-step verification for all your users. In the most basic form, a person enters their username and password, and then their phone receives a text message with a code they enter to finish the login process. The idea is that even if a bad actor learns someone’s username and password, they will not have access to the person’s mobile phone. To save time and reduce frustration, some websites feature a checkbox to remember that device in the future.

It is essential that your user locks their phone and prevents an unauthorized coworker, family member, or any other person from gaining access to their phone. Use text messages if that is the only option, and know that, while difficult, attackers who know the password might gain access to the text message too. Other options for the second step include phone callbacks, physical USB hardware token keys, authentication apps on phones, and one-tap login solutions. Common choices include YubiKey, Authy, Duo, Google Authenticator, Microsoft Authenticator, and RSA SecurID.* There are many others.

Password managers are helpful; there are many pros and few cons. Ask your IT team their preference, and you may choose to allow your remote workers to use, or not use, password managers the way they do now.

Computer Security Updates and Firewall Patches:
One of the best ways to increase security is to stay current with the most recent security updates for computer operating systems and programs. Security patches for firewalls are often overlooked with potentially devastating results. While at the office, your IT team can usually manage and deploy updates and patches. Your team might need extra tools to manage the updates on remote devices.

If your IT team won’t have time to manage the remote equipment, it is common to configure remote computers and firewalls to automatically install critical security updates. A big pro is that you can be more secure from known security threats. One con is a slight chance that patches that install automatically might cause a user’s device to malfunction. Security patches are so essential that you are probably better off applying them. Whether or not to apply updates automatically is a choice for executives to make depending on their risk appetite. Using golden images (see below) can reduce the potential negative impact of a misbehaved update.

Golden Image:
What if it is the middle of the night, or what if your IT team is unavailable, and the user’s computer is malfunctioning? Ask your IT team to provide employees with an external USB hard drive containing a clean backup image of how their computer should be configured. If the worker’s computer malfunctions, show the users how they can reinstall the golden image the IT team created when the computer was new. When a user restores this “golden image,” it is, from a software and operating system perspective, as if the user just received a brand-new computer. Beware that users must back up any local data files prior to restoring an image because the reset is so thorough that existing data will be removed. Another benefit is that if the user suspects there may be a virus on their computer, they can restore the golden image to reset the computer to a clean, fresh start.

Data File Backup to Local Removable Media:
Please do everything possible so that users do not need to store any local data on their computers. If they don’t need to carry files to and from the office, and if they don’t need data stored on their computer because it is on the network or in the cloud, that’s the best scenario. But you may want them to be able to work from home even if their Internet connection fails, or there may be another reason you need them to have files stored locally on their computer. If that’s the case, then the user should be able to back up their data files to local removable media. Examples include a USB memory stick or USB external hard drive. Your users need to save copies of their data files that are stored on their computer, if any, frequently. The duplicate copies of the files protect the user’s local data. If they need to apply a golden image, or if ransomware encrypts their local files, they need to have their important documents backed up.

It is essential that your IT team configure the backup drives so they are encrypted. It is too great a risk that one of the memory devices falls into the wrong hands and the data is compromised. Windows users can encrypt the devices with BitLocker. Note that if the user’s edition of Windows does not include BitLocker (the Home editions do not), IT can still encrypt the drives at work. Any version of Windows can access drives once they are encrypted with BitLocker. Mac users can use FileVault to encrypt an entire drive, but encrypting individual files is more secure on a Mac. There is another option for drive security that can be easier for your Windows and Mac users. Multiple vendors offer USB hard drives and memory sticks that have number keypads built into the device. Your users can literally type in a code to the device to lock and unlock the data.
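
Here is an added example, not part of the original post, of how IT can encrypt a user’s USB backup drive with BitLocker To Go from PowerShell on a Windows 10 Pro or Enterprise machine. The drive letter is an assumption; the password and recovery password are created when the script runs.

```powershell
# Added example (not from the original post): protect a user's USB backup drive
# with BitLocker To Go, on Windows 10 Pro or Enterprise, from an elevated
# PowerShell prompt. The drive letter is an assumption; change it to match.

$drive = 'E:'

# The password the user will type to unlock the drive on any Windows PC
$password = Read-Host -Prompt "Choose a BitLocker password for $drive" -AsSecureString

# Aes256 (rather than XtsAes256) keeps a removable drive readable on older
# Windows versions; -UsedSpaceOnly finishes quickly on a mostly empty drive.
Enable-BitLocker -MountPoint $drive -EncryptionMethod Aes256 -PasswordProtector -Password $password -UsedSpaceOnly

# Add a recovery password so IT can unlock the drive if the user forgets theirs,
# then display it so it can be stored somewhere safe (never on the drive itself).
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
$volume = Get-BitLockerVolume -MountPoint $drive
$volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId, RecoveryPassword

# Confirm encryption is running and protection is on
$volume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The recovery password is the only way back in if the user forgets the drive password, so IT should record it in the same place they keep the company’s other BitLocker recovery keys before handing the drive over. Because the drive is protected by a password rather than a TPM, the user can unlock it on any Windows computer, including a Home edition, which is the behavior the post describes.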

Local Account is Standard User:
This is a crucial setting to stop hackers. Your IT team has hopefully had time to fix this setting on the company-issued computers. But if the user will use their home computer, someone needs to make this change on their personal device. Your IT team can fix this for them, making changes in the “control panel” under “users.” If you want to try this at home, the steps are:

  1) Create a new user as a local account. Name it something like “Superhero.”
  2) Change that user’s account type to be a local administrator.
  3) Change your own account type to standard.

From now on, log in to the standard account you always use. In case you have Mac users, the process is similar.
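
Here are the same three steps as an added PowerShell example for Windows 10, not part of the original post. It is meant to be run once, from an elevated prompt, while logged in with the account that is currently the administrator. The account name “Superhero” comes from the post; the assumption that the everyday account is a local account (not a Microsoft account) and the verification step are this example’s own.

```powershell
# Added example (not from the original post): the three steps above as PowerShell
# on Windows 10. Run once from an elevated (Run as administrator) prompt while
# logged in with the account that is currently the administrator. The name
# "Superhero" follows the post; the rest is this example's own assumption.

$adminName = 'Superhero'
$dailyName = $env:USERNAME   # assumes the everyday login is a local account

# Step 1: create the new local account
$password = Read-Host -Prompt "Choose a password for $adminName" -AsSecureString
New-LocalUser -Name $adminName -Password $password -Description 'Local administrator for installs and settings changes' | Out-Null

# Step 2: make it a local administrator
Add-LocalGroupMember -Group 'Administrators' -Member $adminName

# Step 3: demote the everyday account to a standard user. A standard user is
# simply a member of Users but not Administrators, so removing it from the
# Administrators group is the whole change.
if ($dailyName -ne $adminName) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $dailyName
}

# Verify: the everyday account should no longer appear in this list
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

Sign out and back in afterwards; the current session keeps its administrator token until then. From that point on, installing software or changing system settings prompts for Superhero’s password, which is the whole point: malware that tricks the everyday user runs without administrator rights. If the everyday login is a Microsoft account rather than a local one, the member name to remove has the form MicrosoftAccount\name@example.com, which `Get-LocalGroupMember` shows before you run step 3.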

Reduce the Attack Surface:
Every program on a computer is a potential attack vector. The more programs you remove, the more secure a computer becomes. If the user is on their home computer, they probably have many non-essential programs. Attackers can exploit Flash and Java to execute malicious code, so it is best to remove both from all computers. Many people find that the websites that are essential work fine without Flash or Java. If they need Flash or Java again later, users can download fresh versions from https://get.adobe.com/flashplayer/ or java.com.

Computer Anti-Virus and Software Firewall Settings:
If your employees have company-issued devices, chances are that your IT team configures and maintains their anti-malware solution. If employees will use their home computers, they must be sure their anti-virus is working properly and is up-to-date.

It is essential that they configure the software firewall program component of their anti-virus product, or the software firewall built into their computer’s operating system, to refuse all incoming connections. Some firewalls and Macs provide an option called “stealth mode.” When you activate this, you may get a scary warning that if you configure the computer to hide, it becomes difficult for outside parties to connect to the computer. Yes, that’s the point! Block everyone. Nobody needs in except your IT professionals, and they already have a way in.
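
For Windows users, here is an added PowerShell example, not part of the original post, that applies that setting to the built-in Windows Defender Firewall on a home Windows 10 computer and then lists what inbound exceptions remain. It assumes the computer uses the built-in firewall rather than a third-party anti-virus firewall component.

```powershell
# Added example (not from the original post): set the built-in Windows Defender
# Firewall on a home Windows 10 computer to refuse unsolicited inbound
# connections on every network profile, then show the result. Run elevated.
# Assumes the built-in firewall is in use rather than an anti-virus vendor's.

# Turn the firewall on for all three profiles and block inbound by default.
# Outbound stays allowed so the user can still reach the office and the cloud.
# NotifyOnListen False removes the pop-up that offers to open a port whenever
# a program starts listening, so exceptions can only be created deliberately.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False

# Verify the profile settings
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# List the inbound "allow" rules that are still active. Each one is a hole in the
# default block; review them with IT and disable any the user does not need.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName
```

Blocking inbound by default still honors individual allow rules, which is why the last step lists them. Remote access products that connect outward to the vendor’s cloud keep working under this setting; only tools that accept connections directly, such as Remote Desktop, rely on an inbound rule. The stricter “block all incoming connections” switch, which ignores every inbound rule, is `Set-NetFirewallProfile -AllowInboundRules False` on the same profiles, and it is the closest equivalent to the stealth mode described above.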

Physical Security:
If an attacker gains physical access to a user’s laptop, computer, phone, tablet, or other devices, compromising the security is orders of magnitude easier. Calculate the impact if a user’s device is compromised and gives attackers access into your network; the repercussions to your organization might be devastating. If necessary, provide your users with pick-resistant locks for their doors. You can ask them to take photos of their home locks to send to you, and you might want to send a member of your facilities team, or a specialist, to examine their home’s security.

Sometimes companies issue outside security cameras and inexpensive alarm systems to their employees. While those sound like a good idea, they primarily detect, not prevent, break-ins. Deterrents are certainly good, including alarm stickers on doors and windows. But remember to implement preventive controls, including high-quality deadbolt locks, reinforced door jambs, and sliding door security bars. Exterior motion-sensing flood lights can be very effective too. Having tight security can even enhance your employees’ and their families’ personal safety. Giving them added peace of mind during this crisis is helpful.

UPS Battery Backup:
If the coronavirus response becomes very serious, users might experience a loss of power. If there is an outage, hopefully it will be short. Consider providing battery backup devices to users with desktop computers, printers, and home modems or routers. If the user has a charged laptop and a charged battery-powered hotspot, and no printer, the battery backup is often unnecessary.

Special Security Training about Coronavirus:
Warn your workers that there will be an increase in spam and phishing as bad actors prey on their worries about the virus. They must be vigilant about spam and fake news. Recent breaches have provided attackers with detailed information about families and histories, so phishing can be more convincing than ever. Tell users to type ready.gov and CDC.gov into the browser themselves rather than clicking links in email; those sites contain information about how to prepare and where to find status updates.

Test Remote Access:
All of your users need to engage in a “pretend it is real” run-through. Once they are configured, they need to test performing all of their job functions from home to be sure everything performs as expected. Solve the problems that come up, and if one user has an issue, take preemptive action so it doesn’t happen to the others. This is too important not to test ahead of time. Your workers may wake up one morning and find out they have to stay at home that day, so every night they need to take home what they’ll need to work, just in case. If they are able to come to work the next day, they’ll have to haul all of that back and forth, so minimize what they need to take.

Additionally, give your employees guidelines on what to do if they lose connectivity to the office, and what to do if they feel like their remote computer might be under attack. Consider that, if your IT team is busy tackling bigger challenges, they may not be available to help that user right then.

Show Extra Gratitude to IT:
Finally, throw a big party for your IT team that made all of this happen. Chances are they’ve invested more energy and patience than you know because they make it look so easy. Tell them that you recognize the amount of expertise they needed to get you to the point of accomplishing this list. A little gratitude goes a long way.

All your preparations are worth it. The World Health Organization is already saying there will be more viruses in Earth’s future. You are preparing for the future too. Good job implementing these recommendations now. The increase in the number of people who must work from home because of coronavirus could accelerate quickly at any time.

Please forward this to your friends so they can prepare their organizations too.

*The Foster Institute, Inc. does not receive any compensation from, nor does it endorse, any products or companies mentioned in this article.

The post Recommendations for Cybersecurity for Remote Workers During Coronavirus appeared first on Mike Foster, CEH, CISA, CISSP.

Alert Your Team – USB Devices, Login Prompts, and Apps


Warn your users about three ways attackers continue to exploit the COVID-19 crisis:

USB: A new ploy is bad actors mailing USB devices to your users that appear to come from your company. Once plugged in, the device can open a channel that permits unauthorized remote control and capture of keystrokes, including passwords.

Fake Login Prompts: Remind your users to beware of login screens they don’t expect. Attackers create persuasive prompts that ask users for their logon, VPN, or Microsoft Office 365 passwords, and more. Sometimes the window tells the user that their connection dropped and asks them to provide credentials to reestablish the link. Users must ignore those prompts and notify your IT team immediately.

Fraudulent websites and apps: Some sites offer useful coronavirus information but also host malicious software that tries to infect visitors’ computers. Attackers also create bad apps offering online statistics, tracking of the virus’s spread, and more.

Please forward this to your friends so they can alert their users too.

The post Alert Your Team – USB Devices, Login Prompts, and Apps appeared first on Mike Foster, CEH, CISA, CISSP.

Follow Along to Set Zoom Security Settings


This video is for non-technical people who need to make Zoom more secure today. So, if that’s you, open up your zoom account settings on your screen, and keep this video where you can see it side-by-side. Pause the video when you need to.

Some people say, “Mike, tell us what settings to change to increase our Zoom security.” If that’s you, then you are going to love this video. It walks you through your Zoom account settings so you can follow along.

I know that some of you will want to fine tune the settings more than this. This video is not designed to replace your IT Pro; they know more about your specific system and requirements. Monday, there will be a brand new video that provides you with a concise explanation of Zoom security settings and how to use them to your advantage.


The post Follow Along to Set Zoom Security Settings appeared first on Mike Foster, CEH, CISA, CISSP.

Zoom Security Issues – Protect Yourself


Every business is concerned, and should be, about cybersecurity during online meetings. Due to its popularity, Zoom is an attractive target for bad actors. Hundreds of people, maybe more, are working all the time to break Zoom’s security.

To help address the security problems, Zoom now offers a reward to anyone who finds a way to break in. The payoff, for bad actors and researchers alike, is enormous. A sobering thought is that maybe attackers already have full control over Zoom. Equally, they might have complete control over GoToMeeting, Microsoft Teams, Skype, TeamViewer, WebEx, or any other virtual meeting platform. I certainly hope not.

Zoom is Making Improvements

Zoom says they’ve configured the system to avoid sending meetings through China’s servers. Otherwise, the Chinese government might require disclosure of your communications.

If you use Zoom on a Mac, a bad actor who already had code running on your computer could abuse Zoom’s own permissions to take over your camera and microphone. Additionally, Zoom’s Windows client turned network paths pasted into chat into clickable links, and clicking one could leak the user’s Windows login hash. Zoom says they fixed those problems.

After Consumer Reports raised red flags, Zoom improved its privacy policy and practices. Zoom still has problems. A notable issue, at the time of writing, is that there is no end-to-end encryption during meetings, so Zoom’s servers can see the content. Security best practices dictate protection from each participant to every other. (Zoom has since added an optional end-to-end encrypted meeting mode, which disables some features, such as cloud recording, while it is on.)

You and Other Companies can Help Protect Meetings

For example, if you permit your users to record the meeting, encourage them to password protect the recordings, especially if they upload them to a cloud storage service. Otherwise, anyone with access to the recording can play it back.

Require meeting passwords and waiting rooms, which Zoom now turns on by default for new meetings. The goal is to stop intruders from interrupting a Zoom meeting with disruptive or disgusting content.

Configure the meeting so that only the host can share their screen. Then intruders cannot share theirs.

Never use a personal meeting room ID for scheduling meetings. Use the default setting to generate a meeting ID randomly.

Alert users to expect fraudulent email meeting invitations attempting to trick users into typing their Zoom username and password.

Enable two-step login requirements to protect accounts even if a bad actor does discover usernames and passwords.

Or, you could ditch Zoom altogether. Options include FaceTime, Signal, Teams, and many others. But who knows which one could get hacked? No matter how secure the platform is, all it takes to destroy confidentiality is one person on the call, or an attacker with remote access to their computer, recording the conversation with third-party screen recording software.

To help protect your Zoom meetings, watch other videos that concisely cover the security settings available in a paid Zoom account, configuring the two-step login feature, and a run-through of paid account settings so you can follow along:

Zoom Security – Set Up Two-Step Login

Zoom Security Settings – The Concise Details

Zoom Security – Follow Along to Set Settings

The post Zoom Security Issues – Protect Yourself appeared first on Mike Foster, CEH, CISA, CISSP.

Zoom Security Settings – The Concise Details


Zoom has many security settings. This is a detailed but concise guide to the settings and how they work.

Fasten your seatbelt. There are lots of security settings in Zoom. You must change default settings to help close the doors to hackers.

To access the account settings, sign into the Zoom website, click on your account on the far right of the top bar. You can also select a link to Account Management, under which you can reach the Account Settings.

The free version of Zoom lacks some essential security controls. In the paid version, the best place to start is the left-hand column: under ADMIN, select Account Management > Account Settings. By default, you’re already on the Meeting tab.

One of the first things you’ll notice is that some settings have a lock symbol next to them. Zoom allows you to configure settings at an account level, group level, and user level. Here, at the account level, if you click the lock icon, that setting will override the group and user settings.

HOST VIDEO: Disable this setting so the host will start meetings with their video off. The host will be able to show their video when they choose.

JOIN BEFORE HOST: Disable and lock the setting that would allow others to join the meeting before the host arrives. Never let anyone start communicating until you join to moderate the conversation.

USE PERSONAL MEETING ID (PMI) WHEN SCHEDULING A MEETING: You may not know it yet, but Zoom sets up a private meeting room for you that runs all the time. Your Personal Meeting ID, abbreviated PMI, is the Zoom address to your room. You want your PMI address to be confidential. Disable this setting.

USE PERSONAL MEETING ID (PMI) WHEN STARTING AN INSTANT MEETING: Disable this too for the same reason.

ONLY AUTHENTICATED USERS CAN JOIN MEETINGS: Enable this to add more protection if you meet with coworkers and other people you know who have Zoom accounts. However, you might choose to disable the setting if you will meet with clients, prospects, or anyone else who might not have Zoom accounts.

REQUIRE A PASSWORD WHEN SCHEDULING MEETINGS: Enable this option for all meeting types. Jot down your PMI password.

Here’s a tip. In case you are ever in a meeting and need to know the password quickly, click on the icon to invite someone, then Zoom displays the meeting ID at the top and the meeting’s password on the lower right corner of your window.

EMBED PASSWORDS IN MEETING LINK FOR ONE-CLICK JOIN: Leaving the setting enabled means the invitation’s link to the meeting includes a built-in password. Invitees are not prompted for and do not need to know the password. That means you can require passwords, and your clientele doesn’t even need to know.

However, embedding the passphrase inside the invitation exposes you to risk. If an unauthorized person obtains the email message, then they, too, can authenticate to your meeting without needing to know the password. If you disable this setting, tell everyone in the meeting the password through some method other than email.

REQUIRE PASSWORD FOR PARTICIPANTS JOINING BY PHONE: Enable this if you want to protect against unauthorized callers.

MUTE PARTICIPANTS ON ENTRY: Enable this, not only for security but to protect the meeting from background noise near a participant.

CHAT: Disable this setting here. If an unauthorized person joins the meeting, you don’t want them to send disturbing chat messages for all to see. If some sessions require chat, do not click the lock.

PRIVATE CHAT: Disable private chat. Protect your participants from unwelcome interruptions from others, perhaps uninvited participants.

PLAY SOUND WHEN PARTICIPANTS JOIN OR LEAVE: Enable this setting to avoid being surprised to find out someone joined, and you didn’t notice. Check the box if you want to require telephone participants to record their names for an announcement when they join.

FILE TRANSFER: Disable and lock this setting. Blocking file transfers helps stop the spread of malware and potentially offensive content.

FEEDBACK TO ZOOM: Disable this feature.

ALLOW HOST TO PUT ATTENDEE ON HOLD: Enable and lock this setting for when you need to have a conversation without everyone listening.

ALWAYS SHOW MEETING CONTROL TOOLBAR: Enable this setting to make your life easier.

SHOW ZOOM WINDOWS DURING SCREEN SHARE: Disable this setting. Unless you are training people to host Zoom, no one needs to see what the host sees.

SCREEN SHARING: Unless you need people to show what’s on their screens to everyone during the meeting, set sharing to host only. If participants can share, there is a risk that someone, perhaps an uninvited participant, could show unwelcome content.

DISABLE DESKTOP/SCREENSHARE FOR USERS: Zoom allows the sharing of an entire monitor or sharing just one program’s window. Enable this setting if you want Zoom only to show the program window. This setting helps protect your participants, and the host, from accidentally sharing sensitive information somewhere on their desktop.

If, however, someone plans to use PowerPoint in presenter mode, disable this feature so that the host can share the whole monitor for displaying the slides.

ANNOTATION: Unless annotation is essential for your meeting, disable it. Turning off annotation prevents an uninvited participant from interrupting the flow of the meeting by placing images all over the screen.

WHITEBOARD: Unless you need the Whiteboard, disable it for the same reason you disable annotation.

REMOTE CONTROL: Unless you need participants to let others remotely control the shared content, disable this feature.

ALLOW REMOVED PARTICIPANTS TO REJOIN: Unless you think you might accidentally remove someone from a meeting, disable this feature to tell Zoom to keep them out.

FAR END CAMERA CONTROL: Disable this setting unless you want someone else to take control of your camera during your meeting.

VIRTUAL BACKGROUND: For security and privacy, tell workers to hide what is in their home office. A green screen backdrop gives the cleanest result, and some attach to the back of a chair, but Zoom can usually separate a person from their background without one.

ENABLE IDENTIFYING GUEST PARTICIPANTS: This setting makes it easier for people who belong to your account to identify a potential intruder.

ALLOW USERS TO SELECT ORIGINAL SOUND IN THEIR CLIENT SETTINGS: Enable this feature. It isn’t so much for security as for sanity. If a participant’s voice is garbled, they can select original sound. Then you may be able to hear them.

WAITING ROOM: This is one of the most important and useful security settings in Zoom. Enable and lock this setting so that when participants try to join the meeting, they are held in a waiting room until the host permits them to enter.

Go back up to the top of that very long page. You’ll notice three headings: Meeting, Recording, and Telephone. Click the word Recording to move to the recording tab.

LOCAL RECORDING: Local recording means a participant can save the meeting to their computer. Disable the setting for confidential meetings. Otherwise, an unauthorized person could access that recorded file. A security risk is that the user could store the data in the cloud without a password.

CLOUD RECORDING: Unless you need a recording of the meeting, disable cloud recording too. In theory, cloud recordings are easier to control, since users don’t have a local file they must protect, but they are only as safe as the Zoom account that holds them, so require a password for shared cloud recordings as well.

You’ll find many additional options. You might want to involve your IT Professional to help you choose the settings.

Scroll back up. Look in the left-hand column under PERSONAL and click on the Profile settings:

PERSONAL MEETING ID: Leave the random number alone. Zoom sets up a private meeting room for you to use anytime, and that PMI is the address to your room. Don’t make it easy for someone to find your PMI address. It is tempting to make your PMI match your phone number, but don’t.

In the left-hand column on the screen, skip down to Personal > Settings. On the Meeting tab, confirm that the host video is off and that Join before the host is disabled too.

Now go back up in the left-hand column to your Personal > Meetings settings, click on the Personal Meeting Room tab at the top. Confirm the settings match what you configured already. Essential settings include a green checkmark for Mute participants upon entry and a green checkmark in front of the Enable waiting room setting.

If you have other users and groups, Zoom suggests you review their account to verify the settings took hold.

When you schedule a meeting: Meeting ID: Generate Automatically. By now, you know to keep your Personal Meeting ID private except for a few people you trust.

Last, check for Zoom updates. In the Zoom desktop app, click your profile picture and select Check for Updates. Zoom releases updates that improve Zoom’s security, but the updates do not help you until you install them.

To help protect your Zoom meetings, watch other videos that cover concerns about using Zoom, configuring the two-step login feature, and a video run-through of settings for paid accounts so you can simply follow along.

Zoom Security – Set Up Two-Step Login

Zoom Security Issues – Protect Yourself

Zoom Security – Follow Along to Set Settings

The post Zoom Security Settings – The Concise Details appeared first on Mike Foster, CEH, CISA, CISSP.


Zoom Security – Set Up Two-Step Login


Protect your Zoom account. If someone discovers your username and password for Zoom, two-step login should block them from logging in as you.

This video walks you through setting up the two step login feature of Zoom.

To help protect your Zoom meetings, watch other videos that cover concerns about using Zoom:

Zoom Security Settings – The Concise Details

Zoom Security Issues – Protect Yourself

Zoom Security – Follow Along to Set Settings

The post Zoom Security – Set Up Two-Step Login appeared first on Mike Foster, CEH, CISA, CISSP.

Video Conferencing – Avoid Installing Meeting Programs When Possible


CEOs and Executives: Avoid installing video conferencing software on your computer just because some other company tells you to. Many video conferencing programs ask you to install a program or app on your computer or device when you join a meeting. What if that program is malicious?

Here is another essential tactic to help protect your remote workers.

There’s a company in Saint Louis that ran into a problem your organization might face too.

Their remote workers must attend many video conference calls, online meetings, webinars, and online training sessions. Their IT Pro doesn’t want to install different programs on his users’ computers if he can avoid it.

As you know, a significant way to improve cybersecurity is to uninstall nonessential software, not to add more programs.

The company’s savvy IT Pro discovered an excellent solution. He found that all of the video conferencing and training tools his team needs can run inside their already-installed browsers. They don’t need to download and install extra software. They have Zoom already, but workers use their browsers for other kinds of meetings. They may not get all the advanced functionality, but they can still participate in the sessions just fine.

Please forward this to your friends so that they know, to improve cybersecurity, avoid installing software or apps whenever possible. Their IT Pro may find that workers can participate in many meetings using their browser only, without needing to increase the attack surface by installing more software.

The post Video Conferencing – Avoid Installing Meeting Programs When Possible appeared first on Mike Foster, CEH, CISA, CISSP.

Two Tips to Make Your Online Meetings Better


Everyone is concerned about video conferencing security, and they should be. But when the hardware and software are not working right, security seems like a distraction.

Use at least two monitors. You can often separate the presentation so that you see slides on one screen and all the participants’ faces on another. When you buy new, seek 4K resolution. Investigate 15-inch portable monitors if you need to move around, or 27-inch screens if portability isn’t necessary.

Second, straining to hear someone’s voice over a poor connection is very distracting. Rather than using your computer’s built-in mic, consider using a suitable USB Microphone. Position the mic close to your mouth. Some people prefer headset mics – especially if they are in a noisy environment. I wear a wireless lapel mic when presenting online keynote speeches and webinars. All of those provide better sound than a laptop’s built-in mic.

Please forward this to everyone you know because, when their video conferences run smoothly, they can pay more attention to security and being mindful of what they say. Stay safe!

The post Two Tips to Make Your Online Meetings Better appeared first on Mike Foster, CEH, CISA, CISSP.

Power Down to Boost Security

One simple thing you can do to protect yourself is to power off your computer when you are not using it. If you don’t want to power it down, at least disconnect it from the network.

You’ll make your computer less attractive to attackers, and you limit the window during which they can attack it. You have nothing to lose, and you might even reduce your power bill!

Please forward this to all of your friends, so they know this simple step to protect themselves.

The post Power Down to Boost Security appeared first on Mike Foster, CEH, CISA, CISSP.

Your Work From Home Users are Like a Box of Chocolates


With so many work-from-home users, the Internet is like a box of chocolates for attackers.

Step 1: Attackers compromise work-from-home users.
Step 2: They gain access to their company.
Step 3: They bite into the company to discover what’s inside.

With so many work-from-home users, this is a target-rich environment.

1. You must harden remote users’ systems against attacks and secure their connections.
2. When possible, issue laptops, so your IT team has more control over your remote users’ security.
3. Implement user training and phish testing. Let us know if you’d like us to provide phish testing and online training for your users. We do all the work so your IT team can focus on their other tasks.

Please forward this to your friends so they realize their remote users must be more secure than ever, and attackers target them indiscriminately.

The post Your Work From Home Users are Like a Box of Chocolates appeared first on Mike Foster, CEH, CISA, CISSP.
