Just a weekly advisory that I send out to my clients at the end of the week.

This week's advisory:

1. US-Cert Advisories concerning Russian brute-force attacks against infrastructure; 7-Zip vulnerabilities; Outlook vulnerabilities; MsOffice 2013 exits mainstream support.

2. GMail gets a facelift. New features and capabilities being rolled out over the next few weeks.

3. My commentary on browser-based vs thick client email. 

Hey!

So you want to protect yourself while browsing online?

Great!

You say you're not technical and don't really want to bother with too much complexity.

Right on.

You want a minimalist, multi-platform solution that doesn't slow down your browsing experience on any computer?

Okay!

And you've no issues with Google - you generally trust the company?

Cool.

Here's what you need to do now.

1. Use Google Chrome. Yes, it's still the safest and most secure browser.

2. Delete all of your current extensions. You will want to manage/remove any existing Chrome extension that isn't from Google or that you're not familiar with.

3. Add the Chrome Extension HTTPS Everywhere. This extension will automatically try to secure your web browsing by using SSL encryption where it's available. You don't even have to think about it or know was SSL encryption is to take advantage of it.

4. Add the Chrome Extension Privacy Badger. Provided by the Electronic Frontier Foundation, Privacy Badger attempts to negate third party tracking techniques that spoil your privacy.

5. Add the Chrome Extension Adblock Plus. This tool is used to block ads from appearing in your browser and potentially harming you.

6. Add the Chrome Extension DOT-VPN. A virtual private network tunnels your traffic through another server and encrypts your communication. This tool automatically handles the heavy-lifting making the use of a VPN relatively easy. DOT-VPN is free; ExpressVPN can be used by ExpressVPN customers but is also a great extension.

Naturally, there's a lot more you can do but these are reasonable, easy steps to help safeguard your Internet browsing activity.

R

Yes.

We’ve recently learned of some very bad microcomputer vulnerabilities that even Google is calling the worst in a decade: Spectre, Meltdown, and - in the last 24-hours - a new BIOS-level attack against a machine has been announced.

Still, if we’re to borrow some excellent advice from Douglas Adams, Don’t Panic. Stay froody, grab your towel, and order a Pan-Galactic Gargle Blaster. It’s going to be what it’s going to be.

You have to get kind of Zen over computer vulnerabilities and here’s the reason why.

There is no spoon.

Well, actually, that’s from The Matrix but it’s the first thing that comes to mind.

There is no such thing as absolute security.

This is a true axiom in many things. We’re at risk the moment we sit behind the wheel of a vehicle; when we walk down the street in a public square; when we decide to start a business. There are always risks. And there’s a lot of rapidly-evolving risks with microcomputers. That’s the way it’s always been, and that’s the way it’ll always be.

If you accept that distributed computing is always going to be risky and that security isn’t absolute, you’ll be in a better position to manage the recent news. It isn’t scary. It just is.

The fact is that the safeguards that we implement today are the same safeguards we implemented yesterday, and that we’d continue to implement tomorrow. If you’re a small business, the strategy for safeguarding your IT assets is a constant.

1. Strong Administrative Controls - Vigilance. Management directives in the form of policies and procedures govern a company’s reaction to these kinds of problems. Your business should have a documented approach to managing IT assets that help weather risk. Follow your directives. Manage user expectations. Manage your assets. Pay attention to risk and slightly alter your course where it’s necessary.
   

2. Solid Technical Controls. You’ve got strong passwords, 2FA, intrusion detection and prevention, good firewall rules, a standardized process for managing user access, a view of the assets under your control. All of these are technical factors that help secure your computers and networking equipment. Although we’d be fools to assume we’ve enough safeguards to counter all risk, we’re still conscious of our controls and put faith in their ability to protect our systems.
   

3. Updates and Patches. Security in the microcomputer arena is an ever-moving target. It’s best practice to constantly apply new updates and patches from software providers and hardware OEM’s. It’s just the right thing to do. If we keep managing those updates, we’re going to receive the necessary software to improve our security posture.
   

4. Planned Retirement and Acquisition. All computers die. All networking equipment eventually ages. There should be a plan to retire assets according to a managed schedule. Some assets may be older and - indeed - more vulnerable, but we should already have a process in-place to both plan for the acquisition of new equipment and the disposition of old machines, so that our company is less-vulnerable over time.
   

5. Audit and Corrective Action. Finally, we can’t rely entirely on assumption. We can’t assume that everything we do (from crafting good policies, to implementing strong technical controls, to updating our systems regularly, and from retiring older assets) is perfect. Remember: there is no spoon. We need to check on it. We need to validate that what we’re doing is working. The only way to do that is to investigate the results of our strategy, report on our mistakes or misfortunes, and implement stronger controls to prevent the bad stuff from happening again.

Nothing of what I’m saying here is new. If it is, then you’re likely more at risk anyway because you’ve made some assumptions about your security posture and you’re not verifying those assumptions. You’re hoping that everything will be okay. That’s not management. Managing implies control, oversight, the awareness of risk, organizational learning.

So don’t sweat the bad news. Don’t Panic. There’ll always be more bad news.

The good news is - if you’re following these five guidelines - you’re as prepared for it tomorrow as you were yesterday. Everything is going to … be.

R