Security Protection – Harry Waldron MVP Rotating Header Image

Uncategorized

Microsoft Security Updates – DECEMBER 2014

Critical Security updates to Microsoft Windows, Internet Explorer,  Office and other products became available on Patch Tuesday.  A patch for the Exchange server based product is also available.  This is a large security update and users should promptly update to enjoy best levels of protection. So far, no issues encountered in early use after installation at home & work.

https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+-+December+2014/19043

http://technet.microsoft.com/en-us/security/bulletin/ms14-dec 

Central Virginia CPCU Chapter – 20 Security Awareness slides



On November 11, 2014, Microsoft MVP Harry Waldron provided a 70 minute security awareness presentation at the Roanoke Country Club.  The 20 slides and documentation for this event are noted below:

BEST PRACTICES FOR INTERNET SAFETY FOR 2014
November 11, 2014 — Roanoke Country Club LUNCHEON MEETING (starts @ 11:45 am)

ROANOKE COUNTRY CLUB
http://www.roanokecountryclub.org/
3360 Country Club Drive NW
Roanoke, VA 24017
(540) 345-1508



DATE:     NOVEMBER 11, 2014 (Tuesday)
TIME:     11:45 am — 1:00 pm (Lunch & presentation)
COST:     Free to all CPCUs  ($15 for IT professionals & other attendees)
MENU:   Soup, Salad, Potato & Desert bar

BEST PRACTICES FOR INTERNET SAFETY FOR 2014
http://blogs.msmvps.com/harrywaldron/2014/10/16/best-practices-for-internet-safety-for-2014/

ABOUT SPEAKER
https://mvp.microsoft.com/en-us/mvp/Harry%20L.%20Waldron-9220



 

COPIES OF SLIDES USED IN PRESENTATION:

==========================

Slide 1 – COMPUTER SECURITY
BEST SAFTEY PRACTICES FOR 2014
CENTRAL VIRGINIA CPCU – NOV 11, 2014
Harry Waldron, CPCU, AAI
==========================

Slide 2 — MAJOR SAFETY PRINCIPLES
1. EDUCATION – KNOW THY ENEMY
2. TECHNICAL PROTECTION
3. HUMAN BEST SAFETY PRACTICES
==========================

Slide 3 – EDUCATED USERS SAFER
1. MOST ACTIVIES ARE SAFE
2. MANY DANGERS IN ONLINE ACTIONS
3. KNOWLEDGE LEADS TO PROTECTION
==========================

Slide 4 – SECURITY EXPOSURES
1. PHYSICAL (THEFT, USB, WIRELESS)
2. EMAIL, WEB & SOCIAL NETWORKS
3. E-COMMERCE & PRIVACY
==========================

Slide 5 – TYPES OF ATTACKS
1. PRANKS, HOAXES, NUISANCE
2. DATA MINING & HARMFUL ATTACKS
3. THEFT DURING E-COMMERCE
==========================

Slide 6 – METHODS OF ATTACK
1. LEGITIMATE LOOKING EMAIL/WEBSITE
2. SOCIAL ENGINEERING TRICKS
3. WEAK PASSWORDS OR DEFENSES
==========================

Slide 7 – ADVANCED ATTACK EXAMPLES
1. WEBSITE INJECTION (IMPLANT VIRUSES)
2. RANSOMWARE (HOLD HOSTAGE)
3. POINT-OF-SALES ATTACK (CREDIT CARD)
==========================

Slide 8 – SECURITY EDUCATION SUMMARY
1. CAT & MOUSE GAME (KNOW ENEMY)
2. ATTACKS OUTSIDE USA HARD TO STOP
3. EDUCATED USERS AVOID RISKS BETTER
==========================

Slide 9 – TECHNICAL SAFETY OVERVIEW
1. STAY UP-TO-DATE ON SOFTWARE
2. ANTI-VIRUS & SECURITY TOOLS
3. BACKUP FILES & DATA OFTEN
==========================

Slide 10 – UP-TO-DATE SOFTWARE
1. KEEP ANTI-VIRUS ACTIVE & UPDATED
2. PATCH WINDOWS, OFFICE, FLASH, ETC
3. ONE-THIRD OF ALL ATTACKS MITIGATED
==========================

Slide 11 – ANTI-VIRUS & SECURITY TOOLS
1. A/V BENEFICIAL – EXCEPT “ZERO DAY”
2. FIREWALLS, ENCRYPTION, ETC.
3. PHYSICAL SECURITY CONTROLS
==========================

Slide 12 – BACKUP EARLY AND OFTEN
1. USB HARD DRIVE, DVD, CLOUD
2. STORM IS NOT TIME TO PATCH ROOF
3. INSURANCE POLICY IN WORST CASE
==========================

Slide 13 – HUMAN SAFETY OVERVIEW
1. SEC-U-R-IT-Y (YOU ARE IT)
2. AVOIDANCE = OUNCE OF PREVENTION
3. THINK BEFORE YOU CLICK
==========================

Slide 14 – EMAIL SAFETY
1. EMAIL ADDRESS SPOOFING
2. DANGEROUS WEBSITE LINKS
3. ATTACHMENT DANGERS
==========================

Slide 15 – WEBSITE SAFETY
1. GOOGLE SEARCH DANGERS
2. PHISHING ATTACKS (FAKE BANK SITE)
3. MALICIOUS LINKS OR FLASH DANGERS
==========================

Slide 16 – DESIGNS TO GET FOLKS TO CLICK
1. FEAR (FAKE BANK, IRS, UPS CHARGES)
2. GREED (YOU HAVE WON A BIG PRIZE)
3. CURIOSITY (FAKE NEWS STORIES)
==========================

Slide 17 – FAKE PHONE & WEBSITE SCAMS
1. MICROSOFT & IRS DO NOT CALL USERS
2. SCAMS TO STEAL MONEY OR DATA
3. CHECK IT OUT BEFORE TAKING ACTION
==========================

Slide 18 – SOCIAL NETWORK SAFETY
1. LOCK DOWN PRIVACY & SECURITY
2. SHARE AS IF PRINTED IN NEWSPAPER
3. SHARE VACATION & EVENTS CAREFULLY
==========================

Slide 19 – ADDITIONAL USER SAFETY TIPS
1. COMPLEX & DIFFERENT PASSWORDS
2. WIRELESS ACCESS = HIGH-RISK
3. E-COMMERCE ON TRUSTED SITES ONLY
==========================

Slide 20 – SECURITY IS A PROCESS
1. BLEND OF TECHNICAL/HUMAN SAFETY
2. EDUCATION & RISK MANAGEMENT
3. BEST PRACTICES IMPROVES SAFETY
==========================

Windows 10 – Additional Announcements likely in early 2015

The initial preview launch for Windows 10 offered a high-level early look at many basic features. As this article from Information Week reflects, additional details are likely to emerge for other forthcoming features in early 2015

http://www.informationweek.com/software/operating-systems/windows-10-5-new-facts/d/d-id/1317919

 
Microsoft is done releasing Windows 10 previews until at least January, but details about the new operating system continue to leak. Early Windows 10 Preview builds have focused on mouse-and-keyboard features such as virtual desktops, but a touch-focused preview is on the way. However, several reports, all citing unnamed Microsoft insiders, claim Microsoft will reveal Windows 10 for smartphones and tablets at an event in late January. It’s possible Microsoft will reveal the mobile OS in January but wait a few months to release a public preview.  According to ZDNet’s Mary Jo Foley, who has a strong track record for pre-release Microsoft news, the version of Windows 10 revealed in January will be compatible with both ARM-based and Intel-based devices

Microsoft Press – 130 e-books available for FREE download

I’ve just discovered this new training and reference resource.  I have already downloaded a few “Windows 8.1″ and “Windows Server 2012 R2″ books for IT Professionals to review this offering.  The price is certainly right on these, as it makes a great online “non-paper” reference in some cases

Source: Microsoft Senior Sales Excellence Manager – Eric Ligman

BLOG – Eric Ligman, Microsoft Senior Sales Manager
http://blogs.msdn.com/b/mssmallbiz/

MAIN LINK — 130 e-books available for FREE download
http://blogs.msdn.com/b/mssmallbiz/archive/2014/07/07/largest-collection-of-free-microsoft-ebooks-ever-including-windows-8-1-windows-8-windows-7-office-2013-office-365-office-2010-sharepoint-2013-dynamics-crm-powershell-exchange-server-lync-2013-system-center-azure-cloud-sql.aspx

Some excellent “Windows Server 2012 R2″ e-books here also
http://blogs.msdn.com/b/mssmallbiz/archive/2014/10/13/windows-server-2012-training-lineup-starting-with-a-free-ebook.aspx

QUOTE:   FREE Microsoft eBooks! Who doesn’t love FREE Microsoft eBooks? Well, for the past few years, I’ve provided posts containing almost 150 FREE Microsoft eBooks and my readers, new and existing, have loved these posts so much that they downloaded over 3.5 Million free eBooks as of last June, including over 1,000,000 in a single week last year (and many, many more since then).

Given the amount my readers enjoy these posts and these free resources, I am sharing another post this year with over 130 more FREE eBooks, Step-By-Steps, Resource Guides, etc., for your enjoyment. Plus I’m also including links to the free eBooks I shared in the past so you have all of them here in one single post, making this my single largest collection EVER (Almost 300 total)! Please enjoy these FREE eBooks and resources, and be sure to pass this along to your friends, colleagues, peers, and others who you think would benefit from and enjoy them. After all, wouldn’t it be fun if we could surpass the 1,000,000 download mark within just one week again?

Mozilla Firefox – Version 34 released

Below is recap of major functional and security enhancements.  The support of SSL version 3.0 is also disabled by default in Firefox 34 providing improved mitigation against the “Poodle” SSL vulnerabilities.   

https://www.mozilla.org/en-US/firefox/34.0.5/releasenotes/

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

http://techcrunch.com/2014/12/01/firefox-34-launches-with-yahoo-as-its-default-search-engine/

QUOTE:   Mozilla today rolled out Firefox 34. While most browser updates these days aren’t all that exciting, this one includes a couple of interesting new features. What most users in North America will notice right off the bat, however, is that this is the first version of Firefox with Yahoo as its default search experience.

It’s easy enough to change the default search engine in Firefox, and I would guess that most current users will quickly switch back to Google. The Yahoo Search experience, which the company specifically tweaked for Firefox users, is perfectly all right for most searches. But at the end of the day, it feels like it doesn’t have some of Google’s smarts, especially when it comes to queries that would usually trigger Google’s Knowledge Graph.

With today’s update, Mozilla is also moving its WebRTC-powered chat tool “Firefox Hello” out of the beta channel and into its mainstream release. The organization built this service, which allows you to start audio and video chats with other Firefox users right from the browser.

Other updates include an improved search bar for users in the U.S. and the launch of WebIDE in the stable release channel.  SSL 3.0, which has a number of known security issues, has been cut from this release.

IT Professionals – Best Resume Tips for 2014

This Network World slide show provides excellent advice for IT professionals or anyone seeking best practices in creating an effective resume

http://www.networkworld.com/article/2854043/careers/the-best-it-resume-tips-of-2014.html

 
Over the last year, our resume experts and career consultants have helped numerous IT professionals put their best foot forward. Here’s a quick look at some of the top resume tips from 2014’s IT Resume Makeover series. For a deeper dive on resume tips with expert commentary, please read, IT Resume Makeover: Top 11 Resume Tips From 2014.

E-Commerce Safety – Trend Labs best practices for 2014

Trend Labs shares two excellent resources for 2014 e-commerce safety during the forthcoming holiday shopping season

http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/staying-safe-from-online-threats-this-thanksgiving

http://www.trendmicro.com/vinfo/us/security/news/mobile-safety/a-guide-to-avoiding-cyber-monday-scams-on-mobile

QUOTE:   Every year during Thanksgiving, people look forward to filling their bellies with wonderful supper, dessert, and the warm company of family and friends. It’s also the time of year when people start combing the Internet for early Black Friday and Cyber Monday bargains. Like eager shoppers, cybercriminals are also preparing to pounce on users who could fall into social engineering lures via spam mail, phishing, click fraud, and other malicious offers.

If you are one of the millions of consumers who plan to shop from your mobile device this Cyber Monday, know that the combination of online shopping, mobile devices, and the holiday season makes for a tasty cocktail that’s rife with cybercriminal action.   One risky tap can cost a lot for mobile device users. “As of October, we reached a total of almost 11 million unique apps in our sample collection, 3.8 million of which we detect as Android threats,” says a recent Trend Micro mobile report. Nearly a third or 29% of all apps checked by a mobile app reputation software displayed malicious routines. These routines include spying, stealing data, and even subscribing phones to premium services.

POS Malware – New TSPY_POSLOGR.K attack surfaces during 2014 holiday season

Trend Labs documents a new Point-of-Sales Malware attack, which has surfaced during the 2014 holiday shopping season:

http://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/

 
We are currently looking into a new point-of-sale (PoS) malware family detected as TSPY_POSLOGR.K, which is making the rounds just in time for this year’s holiday shopping weekend.   Around this time last year, the U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware, a PoS RAM scraper malware family. Cybercriminals gathered roughly 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers. Home Depot also suffered recently from a data breach, which has so far cost the hardware mart more than $43 million in expenses to investigate the breach.

FBI Warning – Destructive Malware used in USA cyberattack

FBI warning issued based on recent destructive Malware used in USA cyberattacks last week. 

http://www.msn.com/en-us/news/technology/exclusive-fbi-warns-of-destructive-malware-in-wake-of-sony-attack/ar-BBgd4ot

QUOTE:  The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment.

Cybersecurity experts said the malicious software described in the alert appeared to describe the one that affected Sony, which would mark first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks.

The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up. “The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,” the report said. Security experts said that repairing the computers requires technicians to manually either replace the hard drives on each computer, or re-image them, a time-consuming and expensive process.

AntiVirus Research – AV-Test checks self-production within products

AV-Test researched Antivirus Products in protecting the base product.  ESET was a strong finisher in the results.

http://securitywatch.pcmag.com/security-software/329844-which-antivirus-products-are-best-at-protecting-themselves

 
AV-Test researchers gathered 24 consumer-side security products and eight products geared toward business. For each product, they performed a simple census. They enumerated every executable file, dynamic link library, driver, and .sys file associated with the application and noted whether each module implemented DEP, ASLR, or both. They evaluated 32-bit and 64-bit products separately. As I mentioned, the results covered a wide range. ESET was the only consumer product with 100 percent coverage; Symantec was the only business product at that level. Avira, G Data, McAfee and AVG completely protect their 64-bit products with DEP and ASLR. However, coverage in their 32-bit editions ranged from 90 to not-quite-100 percent