Tag Archives: cybersecurity

Cybersecurity New Years’ Resolutions

New Year's is a great time to reboot your life habits, including diet, exercise, relationships, and more. To keep your systems safe and your personal information private, consider adopting one or more of the following New Years’ resolutions:

  • Use strong passwords – On each website and service you use, construct strong passwords, consisting of lower case and upper case letters, numbers, and one or more special characters.
  • Use unique passwords – Use a different password for each service you use. This will help prevent a compromise of one service (where cybercriminals are able to obtain its users’ login credentials) from spreading to others.
  • Use a password manager – If you use strong, unique passwords, you’ll need a password manager such as Password Safe or KeePass to store them. I recommend you NOT use your browser to store passwords.
  • Use multi-factor authentication – When available, select multi-factor authentication, whether by a text message (SMS) or an authenticator app such as Google Authenticator. Doing so will make it more difficult for criminals to break into your accounts.
  • Install OS security patches – Configure your operating system (Windows, macOS, ChromeOS, iOS, Android, etc.) to automatically download and install security patches. This helps prevent criminals from compromising your device. When security patches are no longer available, you’ll need to upgrade your OS to keep your system safe.
  • Keep applications up to date – Configure your system to update all of the applications you use. This helps keep your system and your data safer by fixing security flaws that criminals can exploit.
  • Be wary of spam and phishing – Be wary of all incoming email, so that you can better spot scams and fraud. If someone you know has sent you a strange looking email, confirm by calling them (but not by replying, as the reply could go back to the fraudster who is trying to con you). Resist the temptation to click on “too good to be true” links and attachments.
  • Use a VPN – If you frequently go online at hotels, restaurants, airports, and other public places, install a VPN software package to help protect your network traffic from prying eyes. It can be surprisingly easy for cybercriminals to see your network traffic while on a public Wi-Fi network. Avoid free VPN services as they likely eavesdrop on your traffic.
  • Upgrade your home Wi-Fi router – If your home Wi-Fi router is more than four years old, chances are good that it has exploitable vulnerabilities that the manufacturer will not fix. These vulnerabilities can make it easy for criminals to take over control of your router, resulting in eavesdropping and routing your traffic through their systems to help them steal your data.
  • Move your home’s smart devices to your guest Wi-Fi – Often, smart devices are vulnerable to attack by cybercriminals. Some smart devices do more than they advertise, looking around on your network for other targets. Moving your smart devices to your guest network prevents them from accessing your computers and smartphones.
  • Check your credit report – Cybercriminals are exceedingly good at identity theft. The best way to stay on top of this is to periodically check your credit report, and even to put a freeze on your credit to make it more difficult for criminals to open credit accounts in your name. Freezing your credit may be a minor inconvenience when you try to open a new account, but this is minor when compared to the inconvenience of having your identity stolen.
  • Place transaction alerts on all your credit and debit cards – Log in to your online banking and set up alerts (texting, email, or both) to notify you of every transaction. If any of your cards have been compromised, you’ll know it when you see transactions that you did not authorize.
  • Learn more about these and other kinds of risks – Visit the National Cybersecurity Alliance at www.staysafeonline.org to learn about more steps to protect your network, systems, and identity.

CISSP For Dummies 7th edition Published

The latest edition of CISSP For Dummies, the 7th edition, is now available from Amazon, Barnes & Noble, Walmart, Target, and other booksellers.

Co-author Lawrence Miller and I completed this latest revision early in 2022. This revision covers the new CISSP Common Body of Knowledge that was updated in 2021. In addition to updates reflecting changes in the CBK, numerous other changes were made, reflecting advances and changes in cybersecurity practices, risks, threats, and regulations.

The publication of this 7th edition is a celebration of TWENTY YEARS of CISSP For Dummies. Larry and I wrote the first edition of CISSP For Dummies in 2002.

CISSP For Dummies is the only CISSP study guide approved by (ISC)2, the organization that manages the CISSP certification worldwide. This is a testimony to the quality and completeness that only CISSP For Dummies provides to security professionals who aspire to earn this prestigious certification.

Clément Dupuis

This announcement would be incomplete without a grateful shoutout to Clément Dupuis, founder of CCCure, the well-known training organization for technology professionals. Clément passed in 2021, but not before providing valuable research material to Larry and me as we created this edition of the book.

Lower Maturity Organizations and The Great Resignation

In the final months of 2021, a record number of workers were quitting their jobs. This will lead to a spike in the workforce turnover in many organizations. I want to focus briefly on a specific risk that is not getting a lot of airplay.

Organizations with lower process maturity rely on tribal knowledge to get things done. During the Great Resignation, a replacement worker often does not receive cross-training from their predecessor. Instead, replacement workers learn about their routine duties through studying policy, process, and procedure documentation.

In many (and perhaps most) organizations, there is often little documentation to rely upon. And, often, other co-workers are not familiar with the details of their departed colleagues’ duties. The result: organizations stop performing routine activities correctly, and many activities stop altogether.

This is a particular problem for cybersecurity-related activities. Security activities are detective and protective in nature: they protect core business operations, but they are not those core business operations. When cybersecurity activities such as scanning, patching, reviewing access, event monitoring, alerting, and response cease to function, core functions delivering the organization’s goods and/or services continue, for a while at least. As more organizations fall even further behind on these essential activities, the likelihood of successful attacks increases.

The cybersecurity workforce shortage has been a problem for years, and I fear it’s getting far worse with the Great Resignation. I fear that many routine and essential cybersecurity-related activities will simply stop in instances where security professionals resign and take other jobs – particularly in organizations with lower maturity.

This phenomenon will make it easier for cybercriminals to successfully attack and compromise organizations, particularly those less mature.

The fix for this is not easy: many organizations are already short-staffed, and taking remaining persons offline to document their processes results in other essential work not being performed. Organizations with lower maturity are often unaware of the need to document critical activities, particularly those related to cybersecurity. Squeezed by tightening profit margins, hiring outside experts is often not a viable option. Instead, the silent indicator of risk will continue to increase, and the inevitable will occur.

In terms of cybersecurity and ransomware, most organizations are anti-vaxxers

Prologue: There are many opinions and points of view with regard to the origin and nature of COVID, the response to the pandemic (or plandemic if you prefer), and vaccinations. I’m not here to express any opinion, but will borrow from these events as I briefly use vaccinations as a metaphor. And thanks to my former colleague Jason Popp for coining the phrase that I’m borrowing.

In a comment to a LinkedIn post about ransomware, Jason said, “If ransomware is a pandemic, then most organizations are anti-vaxxers.”

Brilliant.

I’ll state this another way: the tools and techniques for ransomware prevention have been around for decades. Decades. By and large, organizations hit with ransomware are not employing these techniques effectively, if at all. Implicitly, most organizations choose not to employ the safeguards that would prevent most ransomware attacks.

Why? Good question. Perhaps it’s normalcy bias. Or that cybersecurity is too expensive, or inconvenient to users, or that it’s too hard to find good cyber persons. Or, cybersecurity is a distraction from the organization’s mission (and ransomware isn’t?).

Ransomware presents several challenges. First, most companies that pay ransoms still don’t get their data back. And, more recently, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has stated that paying ransoms to cybercriminals is a violation of OFAC laws.

The solution? Perform or commission a risk assessment. Hire cybersecurity professionals who know how to fix deficiencies and manage effective security governance, operations, and response.

Or, just stop using computers.