Happy October and Happy Halloween! Since October is Cybersecurity Awareness Month, at the beginning of the month I made a personal commitment to post at least one tweet per day on the topic of security tips, awareness, and/or guidance with the #CybersecurityAwarenessMonth hashtag. I had some fun with this, waking up every morning and thinking: “what helpful thing could I offer today”… I’m proud of myself for sticking with it and hope that these little bits of security information can help colleagues, friends, customers, and casual passers-by.
Again, I hope these awareness tips and guidance provide some useful information for you. As you’ll soon see, these tips span the main tenets of information security: Identity, Data, Device, Application, and Access.
Let’s jump right in.
“A passphrase is the same as a password, but harder to crack, while easy to remember”!
“Apitsaap,bhtc,wetr”! <— here’s one, derived from the sentence above!
Does your company use multi-factor authentication (MFA) to protect user-accounts? You should!
@Microsoft said 99.9% of account-compromise incidents they dealt with could have been blocked by using any MFA. #Cyber #Security #Awareness
Do you reuse the same password for all of your accounts? Don’t do that!
Create unique, complex passwords for each of your accounts, and use a good password management tool (e.g., @1Password, @LastPass, or other) to manage them. #Security #Cyber #Awareness
Did you know that “passwordless authentication” greatly improves user experience and security, and eliminates password-based threats?
Password theft isn’t possible with passwordless authentication because passwords are no longer part of the equation.
When reading/responding to email, slow down!
Check the sender’s email address and any links in the body (hover over them to see where they really go) before opening any attachments. Even then, if an email looks strange (esp. one from a coworker or boss), call them!
Protect privileged user accounts by implementing PIM (privileged identity management) & MFA (multi-factor authentication) for all admin accounts. It takes the rug out from under lateral movement attacks & it’s good practice. Ask us how! #Security
Be careful when charging your phone and devices on public USB charging stations because your data can easily be exploited. It’s called #JuiceJacking. Get a USB data blocker to isolate your data from the charging station. #Cyber #Security #Awareness
Always keep your credit cards stored in RFID Blocking Sleeves or a wallet with protection built in. Bad guys can steal your identity and money just by walking beside you. It’s called #RFIDSkimming. Sleeves and RFID wallets prevent this. #Security
Keep your devices updated to the latest patch levels. You can set auto updates for your personal devices. Your work may have a different process. The more vulnerabilities you have, the bigger the target you become. #Security #Patch #CyberSecurity
Create a #BreakGlass admin account for emergency use
- Store it in a vault w/ a strong password; change the password after each use
- Works around Azure MFA service outages
- Resolves lockouts caused by errant Azure AD Conditional Access rules
#Security #M365 @Azure
Did you know that passwordless auth, device mgmt, removal of legacy protocols, and risk-based conditional access rules all interact seamlessly to improve user experience, strengthen security posture, and apply #ZeroTrust principles? #Security #M365
The bank calls: asks you to confirm the 6-digit code in the text message your phone just received. What happened?
Hang up & reset your password. That caller? The bad actor, not the bank. Your account was compromised & the bank’s MFA saved you! #Security
Your users, data, apps, IT infra are more secure in a “properly configured” Cloud like @Microsoft #M365, #Azure, #D365 than what’s in your data center/colo.
We can help you envision it, see it, biz-justify it, and execute! #Security @BeQuisitive
Learn to spot phishing emails: Subtle things like misspelled domain in sender’s address or link, poor grammar in the body, aggressive wording to get you to click.
The better you spot phishing, the less you’ll fall for it.
#Security #Cyber #Phishing
Sometimes it’s lessons learned from our fails. I clicked! A simulated phishing-test my company ran. Even us pros fail! The message: link to an internal SharePoint site – something I see routinely.
All on my SmartWatch. Don’t do that! #Security
Be aware both in and out of work regarding conversations by email, phone, or in-person where you’re asked for detail outside of your area of responsibility. Remember, you DON’T HAVE to answer to anyone you don’t know. #SocialEngineering #Security
Did you know an email or file w/ credit card details, spreadsheets w/ clients’ credit cards, or the equivalent sitting unprotected on your systems violates #PCIDSS? You can be banned from taking credit cards as a form of payment to your biz. #Security #PCI #Cyber
If you’re a c-level exec who’s traveling, going on vacation, or attending a special VIP event, try not to tweet about it so much! Bad guys use this intel to conduct fraud, fake wire xfers, impersonation attacks against your company #Security #Cyber
For my contribution today, I suggest you view this very insightful short video entitled, “Can you recognize the 7 stages of a cyberattack?” Nicely done, @wef !
We are all part of the cybersecurity solution!
#Security #Cyber #Awareness
Learn more: http://ow.ly/pYrq50LbOz1
Using VPN is good, except when it’s hosted by the bad guys!!! It can reveal everything you’ve got.
Be careful when choosing a personal VPN (free could be costly). Best to use only VPN services offered or approved by your company. #Security #Cyber
Find a USB thumb drive on the ground in your workplace parking lot? Don’t plug it into your PC!
Sure, you’re curious to see what’s on it. That’s exactly what the bad guys want. Plug it in, and presto, bad guy in!
Like a teleporter for malware. #Security
…around 40% of ethical hackers (good guys), says @SANSInstitute, can break into most environments they test, if not all. Nearly 60% said they need <5 hours to break into any corporate environment once they find a weakness. #Security #Cyber #Hacker
If you’re in healthcare, listen up… Did you know that a breach of unsecured protected health information (PHI) affecting 500 or more individuals requires you to report to the US HHS and get on the “wall of shame”?
Also, with curiosity to see the patterns, I quickly created a @MSPowerBI report to visualize the entire historic record of HHS reported breaches of all types since 2009 through 2022. Yikes!
#Security #Cyber #CantUnseeThat
Great seeing the results of @Microsoft’s dedication, rigor, investment, veracity, and excellence in #Cyber #Security pay off. Look where #MicrosoftSentinel landed on @Gartner’s #SIEM magic quadrant.
@Quisitive #DRIVEs hundreds of these implementations
Many #CISO leaders routinely ask me, “How does @Microsoft #Sentinel stack up against #Splunk, #LogRhythm, #Rapid7, etc.?” The same CISOs value @Gartner research and the MQ. I use my previous Tweet to connect the dots w/ volumes of secure reference clients! #Security #Cyber #SIEM #Spyglass
Neither your bank, nor your IT department, should ever ask for your password or PIN. These are “something you know”, meaning only you. Be concerned, and don’t give in, if anyone ever asks for your password or PIN. #Security #Cyber #GoPasswordless
Did you know that with @Microsoft Purview Information Protection, you can automatically tag (classify) and protect (e.g. restrict exfil, encrypt at rest, restrict display, etc.) any sensitive data in your enterprise?
#Security #Cyber #SensitiveData
Incident Response is more than just technology solutions. That’s one part.
Other parts include non-technical things: who’s your team, who does PR, when to bring in your legal team, do you practice, etc? Ask us! @Quisitive
#Security #Cyber #CERT
Here’s a good overview on the two most common Incident Response frameworks #NIST and @SANSInstitute
We help clients choose a framework that fits best, then implement, test, and learn (@Quisitive)
#Security #Cyber #CERT
2021 Incident Response Steps for NIST and SANS Framework | AT&T Cybersecurity (att.com)
Data breaches happen: sadly much too often. Ever wonder if your email address (commonly User ID) or phone were among the breached data? Well, check this out: https://haveibeenpwned.com
Great tool by @troyhunt to help us stay alert!
Work at home? You may think encrypting your home Wi-Fi is unnecessary. You’ve got nothing to hide, right? Think again!
Your home Wi-Fi can be a “bad-guy pipeline” to your work via your home PC.
Encrypt your Wi-Fi w/ WPA2.
Does your company do #cybersecurity awareness training? Does it periodically #PhishTest to see who reports or who clicks? It should!
We (@Quisitive) do. We learn and develop muscle memory to spot these better and faster. Ask us!
Be leery about installing any apps on your smartphone that come from random websites, email, or @Facebook ads. Bad actors often bury data-stealing malware inside benign-looking utility apps. Be careful!
#Security #Cyber #ConsentPhishing #Malware
Truth… Happy #SpookySzn
Report phishing sites here: https://cisa.gov/uscert/report-phishing
If you must store sensitive personal information (#PII, #PHI, #PCI), then properly protect it: classify, encrypt, limit access, and properly dispose of it when it’s no longer needed. #Security #Cyber #GDPR #Data
Worth repeating since 90% of all data breaches have a phishing component. Learn to spot phishing: misspelled domain in sender’s address or link, poor grammar, aggressive wording. Get good at it!
#Security #Cyber #Phishing
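The tells named in these two phishing tweets (a misspelled sender or link domain, link text that hides the real destination, aggressive wording) can be checked mechanically before a human ever clicks. The block below is an added example, not from the original post, run over a constructed sample message; the trusted-domain list, the 0.8 similarity threshold and the urgency word list are assumptions to tune for your own organisation.

```python
"""Spot the phishing tells named above on a constructed sample message:
a misspelled sender domain, a link whose text disagrees with its real
destination, and pushy wording. Example code, not from the original post."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumption: domains this reader's organisation actually uses.
TRUSTED_DOMAINS = {"contoso.com"}
# Assumption: wording that pressures the reader into clicking.
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "act now")

def registrable_domain(host):
    # Keep the last two labels so "login.contoso.com" compares as "contoso.com".
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when domain is NOT trusted but is a near-miss for a trusted one (contos0.com)."""
    if domain in trusted:
        return False
    return any(SequenceMatcher(None, domain, t).ratio() >= 0.8 for t in trusted)

def check_email(sender, body_html):
    """Return human-readable findings; an empty list means none of the tells were found."""
    findings = []
    sender_domain = registrable_domain(sender.split("@")[-1])
    if lookalike(sender_domain):
        findings.append(f"sender domain '{sender_domain}' resembles a trusted domain")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body_html, re.I | re.S):
        real_host = urlparse(href).hostname or ""
        if lookalike(registrable_domain(real_host)):
            findings.append(f"link goes to lookalike domain '{real_host}'")
        # What hovering reveals: the visible text names one domain, the href another.
        shown = re.search(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group()) != registrable_domain(real_host):
            findings.append(f"link text says '{shown.group()}' but goes to '{real_host}'")
    lowered = body_html.lower()
    findings += [f"urgency wording: '{w}'" for w in URGENCY_WORDS if w in lowered]
    return findings

# Constructed sample, not a real message.
SAMPLE_SENDER = "it-helpdesk@contos0.com"
SAMPLE_BODY = (
    "<p>Your mailbox will be suspended within 24 hours. Act now:</p>"
    '<a href="https://contoso-login.evil.example/reset">https://login.contoso.com</a>'
)

if __name__ == "__main__":
    for finding in check_email(SAMPLE_SENDER, SAMPLE_BODY):
        print("-", finding)
```

On the sample it reports the zero-for-o sender domain, the link whose text says login.contoso.com but resolves elsewhere, and three pressure phrases.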
Again, I hope these awareness tips are helpful.
Until next time,