Security Protection – Harry Waldron MVP

Microsoft Security Updates – NOVEMBER 2014

Critical security updates to Microsoft Windows, Internet Explorer, Office and other products became available on Patch Tuesday. This is a large security update, and users should update promptly for the best level of protection. So far, no issues encountered in early use after installation.

https://isc.sans.edu/diary/Microsoft+November+2014+Patch+Tuesday/18941

http://technet.microsoft.com/en-us/security/bulletin/ms14-nov

Leadership – Thanksgiving reflections

For IT Project Managers, the John Maxwell blogs are an excellent resource.

http://www.johnmaxwell.com/blog/happy-thanksgiving-1

QUOTE: Here in the United States, tomorrow is Thanksgiving. For most of us, that means time with family, great food, and a chance to reflect on what we’re thankful for from the past year. When I look back on this year, I can’t help but be thankful for some amazing blessings. Among them…

* Spend time with my 93-year-old dad and his wife, Betty.
* Healthy family and wonderful grandchildren.
* My team, who make me better than I am.
* The best year that my companies have ever had.
* Grateful for your support, your focus on personal growth, and your willingness to journey with me in creating lives of impact and significance.

Microsoft OOB update – MS14-068 Kerberos security patch

A few days ago, Microsoft released an out-of-band update, and it is beneficial to apply.

http://blogs.technet.com/b/msrc/archive/2014/11/19/security-bulletin-ms14-068-released.aspx

 
QUOTE: Today, we released an out-of-band security update to address a vulnerability in Kerberos which could allow Elevation of Privilege. This update is for all supported versions of Windows Server and includes a defense-in-depth update for all supported versions of Windows. We strongly encourage customers to apply this update as soon as possible by following the directions in Security Bulletin MS14-068.

Mozilla Firefox – v34 to feature advanced search

As a complementary browser, Firefox v34 will provide improved security and functionality in its next release.

https://blog.mozilla.org/ux/2014/11/find-it-faster/

http://venturebeat.com/2014/11/25/mozilla-unveils-firefox-will-soon-offer-one-click-buttons-for-all-your-search-engines/

 
QUOTE: How often have you done a web search, already knowing that you would click the first result that looked like a Wikipedia page? Quite often? Then Firefox is about to make your life easier. With the new one click searches, you can instantly find what you are looking for across the web. When typing a search term into the Firefox search box, you will notice two new things: first, we improved the design of search suggestions to make them look a lot more organized. And second: there is an array of buttons below your search suggestions. These buttons allow you to find your search term directly on a specific site quickly and easily. We are shipping Firefox with a set of pre-installed search engines that are tailored to your language. You can easily show and hide them in your search preferences.

Leadership – Importance of positive attitude

John Maxwell’s Leadership blog is a favorite resource for Project Management advice.

QUOTE: A positive attitude can be a person’s greatest asset. In fact, an upbeat attitude can take people to places that their ability could never carry them on its own. Attitude acts like a booster rocket, lifting people to a higher altitude than they could otherwise climb.

While attitude alone won’t guarantee success, attitude is a difference-maker. All else being equal, attitude gives an advantage or edge over the competition. Therefore, whenever you have a choice to make between two business partners, vendors, or job candidates with similar credentials, pick the one with the better attitude.

A person’s attitude is more apparent in some conditions than in others. Here are three situations in which a person’s true attitude is likely to surface.

1. When they experience negative feelings
2. When they must deal with mundane details
3. When they face adversity

Facebook – New Anti-Spam controls for NOV 2014

Facebook has recently improved its anti-spam controls, as noted below:

http://facecrooks.com/Internet-Safety-Privacy/Facebook-Tells-Page-Owners-Stop-Spamming-News-Feeds.html/

http://newsroom.fb.com/news/2014/11/news-feed-fyi-reducing-overly-promotional-page-posts-in-news-feed/

QUOTE: Facebook announced this week that it has once again tweaked its News Feed algorithm based on a user survey, and will now devalue “overly promotional page posts.”

According to Facebook, they want to get rid of spammy page posts that push people to buy a product or download an app, encourage them to enter contests or sweepstakes and posts that simply reuse content from Facebook ads. Though concerns have already been raised that this change is simply a way for Facebook to boost its own revenue by moving advertising from promotional posts to Facebook ads, Facebook vehemently denied the new algorithm will lead to any more ads.

“This change will not increase the number of ads people see in their News Feeds,” the site wrote in its announcement. “The idea is to increase the relevance and quality of the overall stories – including Page posts – people see in their News Feeds. This change is about giving people the best Facebook experience possible and being responsive to what they have told us.”

Facebook – New Privacy policy as of NOV 2014

Facebook has recently updated and improved its privacy policy. Over the coming days, users may be prompted to review their settings, which is always valuable (I received a notification this morning).

http://blogs.wsj.com/digits/2014/11/13/facebook-gives-its-privacy-policy-a-makeover/

http://facecrooks.com/Internet-Safety-Privacy/Facebook-Simplifies-Privacy-Policy-%e2%80%93-Again.html/

https://www.facebook.com/about/terms-updates

 
QUOTE: This week, Facebook announced another tool designed to further simplify its privacy policy and make it understandable to the layperson. The feature, called “Privacy Basics,” is a set of interactive guides that walk users through basic security questions, like how to delete content from the site and how to limit visibility in search. In addition to the new look, Facebook also edited the language in its privacy policy to make it less legal-sounding and complicated. It has also been dramatically shortened, down from about 9,000 words to only 2,700. “The idea here is to give people more accessible information about how Facebook works,” Erin Egan, the company’s chief privacy officer, told The New York Times. “It’s simpler, it’s easier to read.”

AntiVirus Trial Kits – Microsoft NOV 2014 study

Some users may not be versed in the AV renewal process, which requires them to pay for and activate annual license renewals promptly and accurately in trial-version products. There is danger in not keeping up in the changing landscape of malware attacks.

http://blogs.microsoft.com/cybertrust/2014/11/12/your-antivirus-protection-has-expired-so-what-you-might-be-surprised-microsofts-new-cybersecurity-report-explains/

http://securitywatch.pcmag.com/security-software/329462-is-your-antivirus-running

QUOTE: Do you have antivirus protection? “Of course I do,” you may say, “It came with the computer!” Don’t be so sure. Most pre-loaded antivirus products require renewal in three or six months. If you don’t renew, the product expires, and your protection takes a nose-dive. A recent blog post from Microsoft’s Tim Rains reveals that systems “protected” by an expired or out-of-date antivirus are almost as prone to infection as systems with no antivirus at all.

Looking specifically at consumer-owned computers, rather than those belonging to enterprise domains, Microsoft researchers determined that the MSRT removed malware from 0.6 percent of computers that have an active, correctly-configured antivirus installed. (Yes, they could dig deeper and identify which antivirus products missed malware, but that information isn’t something they release publicly).

The percentage of infected PCs with no antivirus at all was considerably greater—2.4 percent. Looking at PCs with antivirus protection present but disabled, they found 2.2 percent infected. That was also the percentage of infected PCs with expired antivirus. When the antivirus wasn’t expired but antivirus definitions were out of date, the infection rate was 1.9 percent.

In his blog post, Rains observed that “there was only a .2 percent difference in the number of systems Microsoft cleaned of malware when comparing those that were not running security software to those that had expired security software.” In other words, an expired product is almost worthless. “In light of this information,” continued Rains, “we encourage people to verify that they are running up-to-date security software on their system. If they aren’t, there are many different free or paid options available.”

Security Awareness Podcasts – Social Engineering security site

The link below features 62 podcasts, most of which are around one hour in length:

http://www.social-engineer.org/category/podcast/

QUOTE: Welcome to the Social-Engineer Podcast! The second Monday of each month we will be releasing a new and exciting episode, each with its own specific topic of the month.

Security Awareness Training Techniques for 2014

From the Social Engineering blog, excellent advice is shared for designing security awareness training programs:

http://www.social-engineer.org/how-tos/change-education-working/

QUOTE: What’s the big bandwagon that everyone is scrambling to jump on? It’s simple. Train employees on social engineering tactics. The article points out that more than half of security professionals say that social engineering tactics work so well because employees are not educated enough to combat them. Let’s break down what makes training effective according to learning theorists and social psychologists:

(1) Connect and Interact – You have to make a connection with your audience before they will care. Canned presentations don’t work as well as personal interaction.

(2) The right motivation – Training by itself is only a temporary patch because enough people want to believe it can’t happen to them.

(3) Lather, rinse, repeat: At the most, studies indicate that a phishing campaign with an educational message if “hooked” is only effective for about six months. Lessons need to be repeated and generalized. Rotate the types of phishing emails going out and give up-to-date education advice.

(4) Policy: It’s the ugly word that no one likes to talk about, but at some point it’s going to have to be addressed. If any employee consistently fails social engineering pentests despite education and mentoring, it is a good time to look at the effectiveness of your education program and the role that employee is allowed to play with regards to company data.