tbgsecurity.com

The fact that rogue code inserted into the updates of a popular network monitoring tool, SolarWinds’ Orion product, could lead to total compromise at tens of thousands of networks, including many US government departments and leading companies such as Microsoft and FireEye, opened a lot of eyes to the potential risk of placing so much trust in third-party suppliers. The SolarWinds incident, described as “one of the biggest cybersecurity breaches of the 21st century”, made many of us think, perhaps for the first time, that simply finding a tool that met our needs, buying a license or subscription, and letting it loose in our networks was not good enough; anything we grant access to our most sensitive data is a potential danger, and the risk involved needs to be carefully weighed and measured before we dive in. With tens of thousands of companies large and small deploying Exchange to manage their email connectivity, and just about all of them exposed to attacks from any of a large set of attackers scanning the internet for targets, the list of victims is once again enormous, covering everything from mom-and-pop businesses to major government agencies, energy providers, and banking authorities. The only route left open is careful management of the risk involved – weighing the possible dangers and how an issue might affect a business, tracking the record of a proposed provider in terms of both quality and speed of response to emerging problems, choosing the right providers and ensuring that the right contracts are in place for implementation and ongoing support, mitigating potential hazards with technical or financial protections, these are all vital stages in acquiring any software or service, but can be time-consuming and require significant expertise.

It seems the organization failed to properly secure the passwords on its website, leading to the inevitable theft of members’ personal data. Eugene Hopkinson, the former director and technology officer at British Mensa, stood down this week, after revealing publicly that the organization had failed to protect its members. According to Forbes, Hopkinson claimed that the stored passwords of Mensa members were not hashed, potentially allowing hackers to unscramble them. A spokesperson for Mensa told the FT that member passwords had been encrypted and that the organization was in the process of hashing passwords.

Not the widower looking for love; not the person looking for information on covid, not the home user who accidentally visits an infected site, not the worker bee who clicks on a dodgy email link. According to an FBI’s Internet Crime Complaint Center (IC3) report issued last year, 2019 saw both the highest number of complaints and the highest dollar losses reported since the center was established in May 2000. If the employee is not compelled to check the download site and have the application vetted by IT, they could easily be duped into downloading a malicious executable file, and running it on the company approved laptop. None create a clear and accessible request system for new software Pretending to be a trusted service provider, or even a member of the IT or management team, in order to sway the worker into performing a specific action, such as divulging their password, or giving away snippets of information about the company, its staff or its systems, is hot business.

How we try to make up for this – through frequent video calls, more online shopping, sending heartfelt messages, buying “smart” gizmos for loved ones…. So here is a smattering of tips you can share with your people to help them sidestep those pesky online potholes and avoid Cyber Hell during the last month of 2020. End-to-end encryption means that there’s no way for the service provider (eg Zoom or Apple) to decrypt the content of your conversations when they are in transit between devices. Top Tip: create a Media alert – like google alert – for all the Smart IOT devices, including your router, your phones, your tablets, your Roomba, your Amazon Ring.