Categories
Information Security

Spam Email – Stop it before your users click on it

It doesn’t matter if you’ve trained them or yelled at them or had to fix their infected computers in front of them (or all of the above)… they’re still going to open that suspicious email, aren’t they?
Because who can resist the attachment that promises funny cat pictures, and who doesn’t have a slight panic attack when faced with a fraud alert from their bank?
Protecting your corporate network from malicious email is a never-ending battle, and there’s no simple, one-size-fits-all method to do so, either. There are three modes of defense, though, that are remarkably effective, but we’ve recently realized that most small to mid-size companies are only using one or two of them.

  1. The first and most effective defense is simply user training. Every company, no matter the size, should inform and educate users as to the dangers of fraudulent emails. Provide examples, show warnings, and do it on a regular basis. Don’t numb them to the dangers but find a balance between over-lecturing and educating your users.
  2. The second most effective defense is desktop antivirus and anti-malware software. These programs won’t stop a zero-day exposure but they’ll prevent about 98% of anything that makes it as far as the desktop. They won’t prevent someone from entering their banking credentials on a fake website but they do a moderately decent job of preventing older malware from infecting your network.
  3. The third defense, and the one you may not be using, is a block list on your mail server. These block lists do exist and contain real-time updated lists of spam websites and domains. The most popular of these is the Spamhaus Project. In their own words: “The Spamhaus Block List (“SBL”) Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail. The SBL is queriable in realtime by mail systems throughout the Internet, allowing mail server administrators to identify, tag or block incoming connections from IP addresses which Spamhaus deems to be involved in the sending, hosting or origination of Unsolicited Bulk Email (aka “Spam”). The SBL database is maintained by a dedicated team of investigators and forensics specialists located in 10 countries, working 24 hours a day to list new confirmed spam issues and – just as importantly – to delist resolved issues.”

Simply put, by taking advantage of the Spamhaus DNS block lists, you can set most modern mail servers to prevent many of those fraudulent emails from ever reaching your users. There are some limits on free usage of their offering but larger, heavier users can still pay for the service.
You can find more information about Spamhaus at the following URL: https://www.spamhaus.org/
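To show what "queriable in realtime" means on the wire, here is an added example (not Spamhaus or Securit360 code) of the lookup a mail server performs for each connecting IP, including the case where the list returns an error answer rather than a listing. The function names are hypothetical; the zone name and the answer ranges are taken from Spamhaus's public documentation, not from this post.

```python
import ipaddress
import socket

SBL_ZONE = "sbl.spamhaus.org"
LISTED_NET = ipaddress.ip_network("127.0.0.0/24")      # real listing answers
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus error answers


def dnsbl_query_name(ip, zone=SBL_ZONE):
    """Name a mail server looks up for a connecting IP: reversed address + zone."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer is "2.0.0.127.in-addr.arpa" (IPv4) or nibbles + ".ip6.arpa"
    reversed_part = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_part}.{zone}"


def classify(answers):
    """Map the A records returned for a DNSBL query to a verdict."""
    if not answers:
        return "not_listed"          # NXDOMAIN: the IP is not on the list
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in ERROR_NET for a in addrs):
        return "error"               # blocked or over-limit query, NOT a listing
    if all(a in LISTED_NET for a in addrs):
        return "listed"
    return "error"                   # unexpected answer, e.g. a resolver rewriting NXDOMAIN


def system_resolver(name):
    """Return A records, [] for NXDOMAIN; other DNS failures propagate."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise


def check_sender(ip, zone=SBL_ZONE, resolve=system_resolver):
    """Verdict for a connecting IP: 'listed', 'not_listed' or 'error'."""
    try:
        return classify(resolve(dnsbl_query_name(ip, zone)))
    except OSError:
        return "error"               # timeout or SERVFAIL: decide policy, don't guess


if __name__ == "__main__":
    # 127.0.0.2 is the conventional DNSBL test entry; this line needs network access.
    print(check_sender("127.0.0.2"))
```

The "error" verdict is the one to watch: queries sent through a large public resolver or beyond the free-usage limits get an answer in the error range, and a mail server that treats any answer as a listing will then reject legitimate mail.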

Categories
Computer & Network Security|Information Security

Java vs. Javascript

We field questions about Java security issues on a regular basis, and have noticed that users are often confused about the differences between Java and Javascript.

Java is a standalone application that runs separately from your browser, although it can be called on by your browser to run Java ‘applets.’ Applets aren’t that common any more, but the Java application is a different matter. Java has a history of being exploited for vulnerabilities, and updates have historically been released on a somewhat tardy basis. Even more painful is that users have to manually watch for and install those updates unless they chose the “check for updates periodically” option during the original Java install. And even then, they’re required to manually download a patch file and run it. And we all know how users are so very diligent about that sort of thing…

Javascript is something else altogether. It’s integrated into the browser, and although there have been security issues with it in the past, updates come in the form of operating system updates which are usually controlled by Windows Update settings or corporate patch agents.

Securit360’s recommendations for this sort of thing always follow the “least privilege” concept: if you don’t need it – turn it off. Just like every other piece of unused software, we recommend uninstalling Java unless it’s actually being used. We’re not singling out Java; this is our recommendation for every piece of software and application on the market. If your users really need Java to do their work, though, then make sure Java is configured to periodically check for updates and patches. On top of that, run regular security scans to confirm what version of Java is installed and update old versions when you find them.

Java is a fantastic program but needs some care and careful handling to prevent it from being a security issue for your organization. Keep an eye on it……

Categories
Computer & Network Security

Do you really need a smart toaster?

Even though you CAN buy it, you need to ask yourself if you really SHOULD buy that Internet-connected appliance…

Very few people would seriously consider this question before purchasing a brand new appliance or item that has all sorts of nifty and exciting ‘up-sell’ features, such as network or direct Internet-connectivity.

But for those of us who work in the computer and network security fields, this question is neither academic nor trivial.

It’s easy to understand why Internet-connected gadgets are tempting. Who wouldn’t want a dog collar with a GPS in it, in case Fido runs away? Who would turn down a tracking unit you could put in your child’s backpack in case they get lost or something more sinister happens? And who wouldn’t find some convenience in a video-capable home security system that was able to be monitored while you were at work?

The problem is that the security of these gadgets is questionable at best. Multinational, experienced software companies, such as Microsoft and Apple, have entire divisions devoted to securing their software and hardware, and yet potential and actual compromises are announced almost on a weekly basis. Most corporations have IT security teams who monitor and test systems on a regular basis but we read about corporate breaches almost daily.

In light of those observations, can we really trust the manufacturing company that creates a product that allows you to keep track of your child or pet via an Internet-based website? How do we know they’re performing due diligence to keep the location of your child safe? How can you be assured that a potential burglar isn’t watching for the next time you kennel your pets, giving them a good idea when you’re out of town? And who’s monitoring the log data to be sure that your home security system wasn’t shut down remotely for a brief period today and then reactivated? Or who’s making sure that your “private” video feed into your house isn’t quite so private after all?

Sometimes it pays to be a little paranoid and cautious. When purchasing a product with a network connection, do some due diligence. First, ask yourself if you really need it. Is it going to simplify your life or bring a reward that’s worth the risk? Second, do a little research. Find manufacturers with a proven track record or maybe those who have partnered with a security-conscious company. And above all, be careful. Be aware of what you have and practice common sense security precautions – change passwords, watch for anomalous behavior, and review and apply software updates.