During a client satisfaction survey conducted last year, we found that respondents were most likely to name security as their top priority for the upcoming year. In our continued effort to bring awareness to trending security topics and news, we will be issuing a security update on a monthly basis.
This update brings you information on our general security notes, trending news, and vendor patches. We welcome all feedback as we strive to keep our community safe and secure.
Security starts with people; Not products.
Ransomware, malware, and phishing attacks are in the news all the time. There are multiple solutions and products designed to protect against these types of attacks, but the most critical step to protecting your business against potential attacks is user education. Here are a few steps to keep in mind:
- Password Management. A great rule of thumb is to not use simple passwords that include family names, birthdays, pets, favorite sports teams, etc. These can easily be guessed and can leave yourself vulnerable. If you're looking for something complex, there are tons of free password generators that will create complex passwords for you.
Another best practice is to use different passwords for all online sites. If one gets hacked (and it will – see Cloudflare), you don’t want that hacker to have access to all of your sites. We also recommend rotating your password at least every 90 days.
- Social Engineering. A lot of attacks are now targeted in a way that involves some level of social engineering, which is the art of manipulating people so they give up confidential information. This isn’t just emails asking for money or passwords - it can be done via phone calls, Facebook, Linkedin, or any other social media site.
You know those Facebook posts that tell you your “Hollywood name” if you write in your mother’s maiden name and the street you grew up on? Those are forms of social engineering, trying to have you give away answers to top security questions used in “forgot my password” scenarios.
Always think twice about the information you are giving out and never give out more information than is needed.
- ”Wait, this doesn't sound like [enter name here]…” When reading emails, make sure to be cautious of any sudden change in tone, such as panic or someone rushing to get something done, or unusual grammar mistakes from a person who typically writes in perfect English.
This could be a phishing attempt, and someone impersonating your friend/colleague/loved one. If you’re not waiting for an email from them or something seems a bit off, it’s always best practice to follow-up with a phone call. Read our recent blog post on phishing emails for more things to look out for.
World Security News
Apple IOS 10.3 Beta is pushing Two-Factor Authentication
Security is on the top of everyone’s mind these days, and Apple is not different. Apple 10.3 Beta users are getting push notifications to enable two-factor authentication for ICloud and Apple ID. The notifications are going on the lock screen and Apple is making the users manually close them until two-factor is enabled. If you have an ICloud or Apple ID, we recommend you start thinking about enabling two-factor authentication if you have not done so already.
Google’s resarch team have succeeded in breaking SHA-1 encryption
The Google research team announced they have broken the SHA-1 encryption method that has been around since 1995. This method has been used to secure websites for years and was known to be weak, but was never broken into until now. Newer encryption methods like SHA-256 have been used in recent years and Google Chrome now marks sites as not secure if they are using SHA-1 encryption.
More LastPass exploits have been found
LastPass was in the news again and this time with Chrome and Firefox critical security flaws that would allow your passwords to be stolen. Luckily LastPass pushed out a fix to resolve the security flaws, but if you use LastPass we recommend changing your passwords and making sure your system is up to date.
Lloyd Patch Watch
- Microsoft released 17 patches in March with the most critical patch for closing a vulnerability in Server Message Block (SMB) that would allow a potential hacker to crash a Windows Server 2008 or above. Microsoft also released a patch to fix a vulnerability in Exchange’s Outlook Web Access to prevent remote code execution if a sender sends an email with a specially crafted attachment. Lloyd will be rolling these patches out as part of our monthly patching process.
- Cisco announced a vulnerability in Telnet for over 300 of their switches with no patch out yet. Lloyd Group does not allow telnet to client switches from outside the network. As a further precaution, we will be auditing our client switches and will disable Telnet where we can.
Thanks for reading!