Computer Safety & News

In 2021, all executives must be digitally literate & involved as noted by another excellent article in Harvard Business Review:

Today’s CEOs Need Hands-On Digital Skills (hbr.org)

As business increasingly becomes digital and data-driven, many companies that once appeared to be built for success suddenly seem structured to fail. That’s evident in the lackluster results that recent digital transformations have delivered; according to a recent BCG study, over 80% of companies accelerated their transformation projects last year, but 70% fell far short of their objectives.

Because digital transformations change every process — from strategy to execution — and alter every function, they’re often challenging. To successfully pull one off, CEOs have to be digitally literate and get personally involved. This means understanding the nuances of the digital world and helping to shape product design, user experiences, and technology direction.

Fewer than 25% of CEOs and about 12.5% of CFOs in the sample could be regarded as digitally proficient, which comes as no surprise to me. Even among those leading the technology function, just 47% of CTOs and 45% of CIOs made the cut; the rest focus on IT infrastructure and back-office operations more than capturing value from digital technologies. Clearly, companies everywhere need to rethink the composition of their top management teams.

Updates for mobile cybersecurity best practices are shared in following CISA bulletin

CISA Releases Capacity Enhancement Guides to Enhance Mobile Device Cybersecurity for Consumers and Organizations | CISA

CISA has released actionable Capacity Enhancement Guides (CEGs) to help users and organizations improve mobile device cybersecurity. CISA encourages users and administrators to review the guidance and apply the recommendations.

• • The CEG: Mobile Device Cybersecurity Checklist for Consumers provides steps for consumers, including using strong authentication and enabling automatic operating system updates.
  • The CEG: Mobile Device Cybersecurity Checklist for Organizations provides steps to help organizations secure mobile access to enterprise resources.

There are so many “unknowns” plus sensationalizing of COVID  — that medical news gets politicized by all sides on what is next? or best treatments? new variants? etc.  Most key point shared below is to do your own research & verify developments 

Unsubstantiated COVID-19 treatment claims appear on social media platforms | FTC Consumer Information

Social media platforms have played a major role in conveying information about how to help stop the spread of COVID-19. But just because the information is running on a platform you use doesn’t mean it’s accurate or truthful. Right now, no one can afford to take information at face value. Before you act on a message you’ve seen or before you share it, ask — and answer — these critical questions:

• • Who is the message from? Do I know them? Do I trust them? Am I positive they are who they say they are?
  • What do they want me to do? Just know something — or are they trying to get me to act in some way? Do they want me to buy something, download something, or give up personal info?
  • What evidence supports the message? Use some independent sources to fact-check it — or debunk it. Maybe talk to someone you trust.
  • But always verify, using a few additional sources. Once you’ve done that, does the message still seem accurate? Approaching information by asking and answering these questions can help you sort out what’s helpful…and what’s a scam. So, for example, if the message is about a treatment or cure, you know where to go: Coronavirus.gov.

Bottom line: when you come across information, stop. Talk to someone else. Focus on whether the facts back up the information you’re hearing. Good, solid evidence will point you in the right direction.

Some of latest best practices for phone safety are shared by FTC. 

When scam calls target your client or loved one | FTC Consumer Information

Calls from scammers are annoying and can cause a lot of trouble when you realize, too late, that they’re scams. What’s even worse? When they target a client or loved one you’re caring for. So today, as part of National Family Caregivers Month, we’re talking about how to spot and block scam calls. Scammers might pretend to be with the government, a grandchild, tech support, or a potential love interest. Listen to this call from a scammer pretending to be with the Social Security Administration:

Here are some steps you can take to help your loved one get fewer scam calls:

• • Look into call-blocking. There are technologies and devices that can stop a lot of scam calls and illegal robocalls before they reach you. Cell phones, home phones that make calls over the internet (VoIP), and landlines each have their own call-blocking options. Just know that call-blocking services could block some legitimate calls.
  • Sign up for the National Do Not Call registry to stop calls from real companies. But know that the registry can’t stop calls from scammers.
  • If you answer one of these calls, hang up. If possible, tell the person you’re caring for to do the same. If the call is a robocall, don’t press any numbers or it could lead to more calls.
  • Warn your loved one about scams. If possible, talk to the person you care for about different types of scams that can happen over the phone.
  • Know when to report identity theft. If you find out the person you’re caring for gave their personal information to a scammer, go to IdentityTheft.gov to report it and find out what you can do next.
  • Learn more about unwanted calls at ftc.gov/calls.

ADMINS should pilot test & roll out recent critical updates for VMWARE as a leading virtual solution.  These updates usually occur more on quarterly than monthly basis as a fairly secure partitioning environment  

VMware Releases Security Updates | CISA

VMSA-2021-0027 (vmware.com)

VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. A remote attacker can exploit this vulnerability to obtain access to sensitive information.  CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0027 and apply the necessary updates.

Microsoft Authenticator adds two factor authentication including Phone Number Matching and GPS Location Capabilities

Microsoft Authenticator Gets Number Matching and GPS Location Capabilities — Redmondmag.com

New Microsoft Authenticator security features are now available! – Microsoft Tech Community

Last year, we shared ‘It’s Time To Hang Up On Phone Transports for Authentication’. Today, we are making Microsoft Authenticator even more secure for our users and easier to rollout for our admins.

1. Admins can now prevent accidental approvals in Microsoft Authenticator with number matching and additional context (Public Preview).
2. Admins can now setup GPS-location based Conditional Access policies using Microsoft Authenticator (GA).
3. Admins can now nudge their users to setup Microsoft Authenticator during sign-in using the Registration Campaign feature (GA).

Realistic but fake EMAIL attacks are still one of most important areas to safeguard during holiday season where online e-commerce peaks

Beware of the No. 1 scam on Black Friday – MarketWatch

Beware of hackers who impersonate your favorite brands this holiday season – MarketWatch

It’s an oldie, but a baddie. Supply-chain issues and shortages of certain electronics, toys and other products, the holiday season and letting off steam after a second year of a global pandemic have all created a perfect storm for would-be thieves.The Federal Trade Commission said there were 57,769 online shopping fraud reports from Jan. 1 to Oct. 18, followed by travel scams (46,458), diet scams (15,713), government imposters (12,491) and business imposters (8,794).

And the No. 1 way of contacting would-be victims? Believe it or not, it’s old-fashioned email. Those pesky phishing links were the point of contact resulting in 19,107 fraud reports over that same period. Emails were closely followed by fake websites (17,444), texts (16,742), phone calls (14,156) and social media (10,520). Shopping scams, most of which were online, accounted for losses of more than $47.3 million, the FTC said in a recent report.

The FBI, CISA, and other GOVT agencies encourage security ADMINS to monitor corporate or infrastructure attacks that might occur during holidays & esp. during vacations & office closings.  When ADMINs are away are an ideal time for security events to occur sometimes

Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends | CISA

CISA and the FBI strongly urge all entities–especially critical infrastructure partners–to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats. Specifically, CISA and the FBI urge users and organizations to take the following actions to protect themselves from becoming the next victim:

• • Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.
  • Implement multi-factor authentication for remote access and administrative accounts.
  • Mandate strong passwords and ensure they are not reused across multiple accounts.
  • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
  • Remind employees not to click on suspicious links, and conduct exercises to raise awareness.

Additionally, CISA and the FBI recommend maintaining vigilance against the multiple techniques cybercriminals use to gain access to networks, including:

• • Phishing scams, such as unsolicited emails posing as charitable organizations.
  • Fraudulent sites spoofing reputable businesses—it is possible malicious actors will target sites often visited by users doing their holiday shopping online.
  • Unencrypted financial transactions.

An important security update is available for the Zoho ManageEngine ADSelfService+ facility where at least 4 different attacks have been developed so far.

Updated: APT Exploitation of ManageEngine ADSelfService Plus Vulnerability | CISA

The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have updated the Joint Cybersecurity Advisory (CSA) published on September 16, 2021, which details the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution. The update provides details on a suite of tools APT actors are using to enable this campaign:

• • Dropper: a dropper trojan that drops Godzilla webshell on a system
  • Godzilla: a Chinese language web shell
  • NGLite: a backdoor trojan written in Go
  • KdcSponge: a tool that targets undocumented APIs in Microsoft’s implementation of Kerberos for credential exfiltration
• CISA encourages organizations to review the update the November 19 update and apply the recommended mitigations. CISA also recommends reviewing the relevant blog posts from Palo Alto Networks, Microsoft, and IBM Security Intelligence

TEAM Phone call changes may need to be factored into 2022 budgetary planning as noted below

New Microsoft ‘Teams Phone with Calling Plan’ Product Coming in January — Redmondmag.com

Microsoft on Friday outlined changes for organizations using Microsoft Teams for phone calls.  The company is introducing a new product, called “Teams Phone with Calling Plan.” It combines the “Microsoft 365 Business Voice” product offering with enterprise capabilities of the “Teams Calling Essentials” product. Those two products will get subsumed and will disappear after the new Teams Phone with Calling Plan product gets released.  These product changes are being done to simplify purchasing and bring “enterprise-grade capabilities to SMBs,” the announcement indicated.  The overall product changes and pricing are shown in the following diagram from a Microsoft FAQ document (Word doc download):