Hi everyone,

Happy October and Happy Halloween! Since October is Cybersecurity Awareness Month, at the beginning of the month I made a personal commitment to post at least one tweet per day on the topic of security tips, awareness, and/or guidance with the #CybersecurityAwarenessMonth hashtag. I had some fun with this, waking up every morning and thinking: “what helpful thing could I offer today?” I’m proud of myself for sticking with it and hope that these little bits of security information can help colleagues, friends, customers, and casual passers-by.

Again, I hope these awareness tips and guidance provide some useful information for you. As you’ll soon see, these tips span the main tenets of information security, including Identity, Data, Device, Application, and Access.

Let’s jump right in.

 

October 1

#CybersecurityAwarenessMonth

“A passphrase is the same as a password, but harder to crack, while easy to remember!”

“Apitsaap,bhtc,wetr!” <— here’s one, built from the first letters of the sentence above!

 

October 2

#CyberSecurityAwarenessMonth

Does your company use multi-factor authentication (MFA) to protect user accounts? You should!

@Microsoft said 99.9% of account-compromise incidents they dealt with could have been blocked by using any MFA. #Cyber #Security #Awareness

It works!

 

October 3

 

#CybersecurityAwarenessMonth

Do you reuse the same password for all of your accounts? Don’t do that!

Create unique, complex passwords for each of your accounts, and use a good password management tool (e.g., @1Password, @LastPass, or other) to manage them. #Security #Cyber #Awareness

 

October 4

#CybersecurityAwarenessMonth

Did you know that “passwordless authentication” greatly improves user experience and security, and eliminates password threats?

Password theft isn’t possible with passwordless authentication because passwords are no longer part of the equation.

 

October 5

#CybersecurityAwarenessMonth

When reading/responding to email, slow down!

 

Check the sender’s email address and any links in the body (hover over them to see where they really go) before opening any attachments. Even then, if an email looks strange (especially one from a coworker or boss), call them!

 

October 6

#CybersecurityAwarenessMonth

Protect privileged user accounts by implementing PIM (privileged identity management) & MFA (multi-factor authentication) for all admin accounts. It pulls the rug out from under lateral-movement attacks & it’s good practice. Ask us how! #Security

 

October 7

#CybersecurityAwarenessMonth

Be careful when charging your phone and devices at public USB charging stations, because your data can easily be compromised. It’s called #JuiceJacking. Get a USB data blocker to isolate your data from the charging station. #Cyber #Security #Awareness

 

October 8

#CybersecurityAwarenessMonth

Always keep your credit cards stored in RFID Blocking Sleeves or a wallet with protection built in. Bad guys can steal your identity and money just by walking beside you. It’s called #RFIDSkimming. Sleeves and RFID wallets prevent this. #Security

 

October 9

#CybersecurityAwarenessMonth

Keep your devices updated to the latest patch levels. You can set auto-updates for your personal devices; your work may have a different process. The more vulnerabilities you have, the bigger the target you become. #Security #Patch #CyberSecurity

 

October 10

#CybersecurityAwarenessMonth

Create a #BreakGlass admin account for emergency use:

  1. Store it in a vault with a strong password, and change the password after each use
  2. Use it to work around Azure MFA service outages
  3. Use it to resolve lockouts caused by errant Azure AD Conditional Access rules

#Security #M365 @Azure

 

October 11

#CybersecurityAwarenessMonth

Did you know that passwordless auth, device management, removal of legacy protocols, and risk-based conditional access rules all interact seamlessly to improve user experience, strengthen security posture, and apply #ZeroTrust principles? #Security #M365

 

October 12

#CybersecurityAwarenessMonth

The bank calls and asks you to confirm the 6-digit code in the text message your phone just received. What happened?

Hang up & reset your password. That caller? The bad actor, not the bank. Your account was compromised & the bank’s MFA saved you! #Security

 

October 13

#CybersecurityAwarenessMonth

Your users, data, apps, IT infra are more secure in a “properly configured” Cloud like @Microsoft #M365, #Azure, #D365 than what’s in your data center/colo.

We can help you envision it, see it, biz-justify it, and execute! #Security @BeQuisitive

 

October 13

#CybersecurityAwarenessMonth

Learn to spot phishing emails: subtle things like a misspelled domain in the sender’s address or in a link, poor grammar in the body, and aggressive wording to get you to click.

The better you spot phishing, the less you’ll fall for it.

#Security #Cyber #Phishing

 

October 13

#CybersecurityAwarenessMonth

Sometimes it’s lessons learned from our fails. I clicked! A simulated phishing test my company ran. Even us pros fail! The message: a link to an internal SharePoint site – something I see routinely.

All on my SmartWatch. Don’t do that! #Security

 

October 14

#CybersecurityAwarenessMonth

Be aware, both in and out of work, of conversations by email, phone, or in person where you’re asked for details outside of your area of responsibility. Remember, you DON’T HAVE to answer to anyone you don’t know. #SocialEngineering #Security

 

October 15

#CybersecurityAwarenessMonth

Did you know that an email or file with credit card details, a spreadsheet with clients’ credit cards, or the equivalent sitting unprotected on your systems violates #PCIDSS? You can be banned from taking credit cards as a form of payment for your business. #Security #PCI #Cyber

 

October 16

#CybersecurityAwarenessMonth

If you’re a C-level exec who’s traveling, going on vacation, or attending a special VIP event, try not to tweet about it so much! Bad guys use this intel to conduct fraud, fake wire transfers, and impersonation attacks against your company. #Security #Cyber

 

October 17

#CybersecurityAwarenessMonth

For my contribution today, I suggest you view this very insightful short video entitled “Can you recognize the 7 stages of a cyberattack?” Nicely done, @wef!

We are all part of the cybersecurity solution!

#Security #Cyber #Awareness

Learn more: http://ow.ly/pYrq50LbOz1

 

October 18

#CybersecurityAwarenessMonth

Using a VPN is good, except when it’s hosted by the bad guys! It can reveal everything you’ve got.

Be careful when choosing a personal VPN (free could be costly). It’s best to use only VPN services offered or approved by your company. #Security #Cyber

 

October 19

#CybersecurityAwarenessMonth

Find a USB thumb drive on the ground in your workplace parking lot? Don’t plug it into your PC!

Sure, you’re curious to see what’s on it. That’s exactly what the bad guys want. Plug it in, and presto, bad guy in!

Like a teleporter for malware. #Security

 

October 20

#CybersecurityAwarenessMonth

…around 40% of ethical hackers (good guys), says @SANSInstitute, can break into most environments they test, if not all. Nearly 60% said they need less than 5 hours to break into any corporate environment once they find a weakness. #Security #Cyber #Hacker

 

October 21

#CybersecurityAwarenessMonth

If you’re in healthcare, listen up… Did you know that a breach of unsecured protected health information (PHI) affecting 500 or more individuals requires you to report to US HHS and lands you on the “wall of shame”?

#Security #Cyber

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

 

October 21

#CybersecurityAwarenessMonth

Also, with curiosity to see the patterns, I quickly created a @MSPowerBI report to visualize the entire historic record of HHS-reported breaches of all types from 2009 through 2022. Yikes!

 

#Security #Cyber #CantUnseeThat

 

October 22

#CybersecurityAwarenessMonth

Great seeing the results of @Microsoft’s dedication, rigor, investment, veracity, and excellence in #Cyber #Security pay off. Look where #MicrosoftSentinel landed on @Gartner’s #SIEM Magic Quadrant.

@Quisitive #DRIVEs hundreds of these implementations

 

October 22

Many #CISO leaders routinely ask me, “How does @Microsoft #Sentinel stack up against #Splunk, #LogRhythm, #Rapid7, etc.?” The same CISOs value @Gartner research and the MQ. I use my previous tweet to connect the dots with volumes of secure reference clients! #Security #Cyber #SIEM #Spyglass

 

October 23

#CybersecurityAwarenessMonth

Neither your bank nor your IT department should ever ask for your password or PIN. These are “something you know”, meaning only you know them. Be concerned, and don’t give in, if anyone ever asks for your password or PIN. #Security #Cyber #GoPasswordless

 

October 24

#CybersecurityAwarenessMonth

Did you know that with @Microsoft Purview Information Protection you can automatically tag (classify) and protect (e.g. restrict exfiltration, encrypt at rest, restrict display, etc.) any sensitive data in your enterprise?

#Security #Cyber #SensitiveData

 

October 25

#CybersecurityAwarenessMonth

Incident Response is more than just technology solutions. That’s one part.

The other parts are non-technical: who’s on your team, who handles PR, when to bring in your legal team, do you practice, etc.? Ask us! @Quisitive

#Security #Cyber #CERT

 

October 25

Here’s a good overview of the two most common Incident Response frameworks, #NIST and @SANSInstitute.

We help clients choose a framework that fits best, then implement, test, and learn (@Quisitive)

#Security #Cyber #CERT

 

2021 Incident Response Steps for NIST and SANS Framework | AT&T Cybersecurity (att.com)

 

October 26

#CybersecurityAwarenessMonth

Data breaches happen, sadly much too often. Ever wonder if your email address (commonly your User ID) or phone number were among the breached data? Well, check this out: https://haveibeenpwned.com

Great tool by @troyhunt to help us stay alert!

#Security #Cyber

 

October 27

#CybersecurityAwarenessMonth

Work at home? You may think encrypting your home Wi-Fi is unnecessary. You’ve got nothing to hide, right? Think again!

Your home Wi-Fi can be a “bad-guy pipeline” to your work via your home PC.

Encrypt your Wi-Fi with WPA2.

#Security #Cyber

 

October 28

#CybersecurityAwarenessMonth

Does your company do #cybersecurity awareness training? Does it periodically #PhishTest to see who reports and who clicks? It should!

We (@Quisitive) do. We learn and develop the muscle memory to spot these better and faster. Ask us!

#Cyber #Security

 

October 28

#CybersecurityAwarenessMonth

Be leery of installing any apps on your smartphone that come from random websites, emails, or @Facebook ads. Bad actors often bury data-stealing malware inside benign-looking utility apps. Be careful!

#Security #Cyber #ConsentPhishing #Malware

 

October 29

#CybersecurityAwarenessMonth

Truth… Happy #SpookySzn

It’s #SpookySzn.

Report phishing sites here: https://cisa.gov/uscert/report-phishing

 

October 30

#CybersecurityAwarenessMonth

If you must store sensitive personal information (#PII, #PHI, #PCI), then properly protect it: classify, encrypt, limit access, and properly dispose of it when it’s no longer needed.  #Security #Cyber #GDPR #Data

 

October 31

#CybersecurityAwarenessMonth

Worth repeating, since 90% of all data breaches have a phishing component. Learn to spot phishing: a misspelled domain in the sender’s address or in a link, poor grammar, aggressive wording. Get good at it!

#Security #Cyber #Phishing

https://iapp.org/news/a/verizon-study-90-percent-of-breaches-involve-phasing-social-engineering/
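The October 13 and October 31 tips both come down to two checks: does the sender’s domain (or a link’s domain) closely imitate one you trust, and does a link’s visible text point somewhere other than its real destination? Here is an added example (my illustration, not part of the tweets) that automates those two checks over a constructed sample email; the trusted-domain list and the sample message are assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Domains the organisation legitimately uses (assumed list for this example).
TRUSTED_DOMAINS = {"microsoft.com", "sharepoint.com", "quisitive.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification; ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain: str):
    """Return the trusted domain this one imitates (e.g. micr0soft.com), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_DOMAIN_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def check_email(sender: str, html_body: str) -> list:
    """Flag a misspelled sender domain and links whose text hides their real target."""
    findings = []
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    if lookalike_of(sender_domain):
        findings.append(f"sender domain {sender_domain} looks like {lookalike_of(sender_domain)}")
    for href, text in LINK_RE.findall(html_body):
        real = registered_domain(urlparse(href).hostname or "")
        if lookalike_of(real):
            findings.append(f"link host {real} looks like {lookalike_of(real)}")
        shown = SHOWN_DOMAIN_RE.search(text)  # link text that displays a URL or domain
        if shown and registered_domain(shown.group(1)) != real:
            findings.append(f"link text shows {registered_domain(shown.group(1))} but goes to {real}")
    return findings

# Constructed sample message (not a real phish), for demonstration only.
SAMPLE_SENDER = "it-helpdesk@micr0soft.com"
SAMPLE_BODY = ('<p>URGENT: your mailbox will be DELETED today. <a href='
               '"https://contoso.sharepoint-login.example.net/verify">https://contoso.sharepoint.com</a></p>')

if __name__ == "__main__":
    for finding in check_email(SAMPLE_SENDER, SAMPLE_BODY):
        print("WARNING:", finding)
```

Run against the sample it reports both warning signs; a clean message from a trusted domain whose links say where they go produces no findings.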

 

 

Again, I hope these awareness tips are helpful.

 

 

Until next time,

Ed