IT NEWS

Facebook engineers aren’t sure where all user data is kept

If it takes a village to raise a child, apparently it takes Facebook a team to tell you what data the company keeps about you and where they keep it.

In the recently unsealed transcript of a hearing led by “Discovery Special Master” Daniel Garrie, an expert appointed by the court, two Facebook engineers were grilled regarding what user data the company keeps about its users and where they are. To everyone’s frustration, their response was, essentially, “We don’t know.”

The hearing is part of an ongoing lawsuit concerning the Facebook-Cambridge Analytica scandal.

Garrie has attempted to get Facebook to reveal where personal data is stored in its 55 subsystems, but two veteran Facebook engineers—Eugene Zarashaw and Steven Elia—who were present at the hearing, couldn’t give satisfying answers.

“I don’t believe there’s a single person that exists who could answer that question,” Zarashaw said, according to the transcript. “It would take a significant team effort to even be able to answer that question.”

The Intercept, which first reported this story, has noted Garrie’s seeming disbelief over simple questions left unanswered. However, the engineers’ inability to give solid answers as to where Facebook user data is kept doesn’t surprise Dina El-Kassaby, a spokesperson from Meta. In a statement, she said, “Our systems are sophisticated and it shouldn’t be a surprise that no single company engineer can answer every question about where each piece of user information is stored.”

“We’ve built one of the most comprehensive privacy programs to oversee data use across our operations and to carefully manage and protect people’s data. We have made—and continue making—significant investments to meet our privacy commitments and obligations, including extensive data controls.”

The engineers not knowing where user data is kept also lends credence to an internal document leaked in April 2022, claiming Facebook can’t tell where all the data it gathers comes from or is stored.

This internal document was written in 2021 by Facebook privacy engineers on the Ad and Business Product team, the group tasked to build and maintain the social network’s ads system.

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And, yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document read.

6 patch management best practices for businesses

Patching is a thorn in the side of many businesses today: Everything from keeping up with the volume of patches to prioritizing what needs to be patched first can cause major delays in a business’s patching process.   

Needless to say, businesses are looking to streamline their patch management process as much as possible. Patch management refers to applying software updates for operating systems and applications and deploying them to eliminate known security vulnerabilities. With certain patch management best practices, you can help ensure a smoother patching process. 

In this post, we’ll give you six patch management best practices for businesses. 

1. Establish a baseline inventory 

It is essential to start with a baseline inventory of your production systems, because you’ll need it to assess the current state of patching in your organization. Ideally, the tool that builds the inventory reports CVSS 3.1 scores, because the severity of each patch is key to the prioritization decisions made later.

Besides CVSS, standardization is an essential part of the patch management process. Multiple versions of an application running in production drive up support costs and increase security risk. One of your primary goals should therefore be to determine which version of each operating system and application your users should be running, and to devise a plan for standardizing on that version. The process sometimes involves more than just upgrading to the latest version: there may be dependencies that must be upgraded before your chosen version can be deployed, or hardware requirements to consider.

2. Categorize and group each asset by risk and priority 

Performing all of these upgrades and patch deployments at the same time would be incredibly risky. Servers that host critical applications, for example, require testing to verify that the patch is safe, and a possible reboot has to be scheduled.

In terms of organization best practices, one recommendation is to create nested groups. Take a group of endpoints in sales, for example, where “revenue recognition” is a subgroup of sales. Grouping and subgrouping in Malwarebytes Nebula allows the administrator to apply critical-severity patches to a specific group of endpoints. For further reading, see this document.

3. Test the patch stability 

The need for testing must be balanced against the need to address the security vulnerability. Some organizations use a relatively short testing phase for critical patches but perform more in-depth testing for patches that are designed to address less serious vulnerabilities.

So, what’s the difference between short testing and in-depth testing? Short testing means installing the patch on one or two target hosts and ensuring that the critical application and the operating system remain operational after a reboot. Long testing includes the steps in short testing but adds a “soak period”: the patch is tested on a wider variety of host systems, and the testing period is extended to confirm compatibility.

4. Identify endpoints that need patching 

The next step in the process is to determine which endpoints to patch. A good patch management application can help you with nested grouping of your endpoints. The grouping of your endpoints should reflect how essential they are to your organization.

Note: If the team decides not to deploy a particular patch, your organization needs a compensating control or solution to mitigate the risk of exploitation (mitigation versus prevention). In addition to an EDR solution, we recommend cyber insurance to mitigate worst-case scenarios. 

5. Pilot deployment of a sample of patches

A pilot deployment to a representative sample of the user base prior to performing an organization-wide deployment helps to verify that the patch is indeed safe for production use. It gives you one last chance to catch any issues that did not surface during lab testing. 

Note: Microsoft VSS snapshots were explicitly designed to roll back an endpoint image if a patch causes a catastrophic failure. Therefore, schedule your patch deployment to run after VSS snapshots have been taken, in case you need to roll back an endpoint image quickly.

6. Document systems pre- and post-patching 

Documenting the state of your systems before and after a patch is applied is essential: if problems occur later, it will be easier to determine whether they can be attributed to an applied patch. The documentation can be as simple as a spreadsheet with the hostname, the patch level, the date the patch was applied, the specific patch, and the type of testing performed (short versus long), if any. Regardless of the form, documentation matters because it records what happened, when it happened, and who did it, which will assist you in troubleshooting problems should any arise.

Act swiftly through the patching process and neutralize the greatest risks  

In a world where so many data breaches happen because a patch for a known vulnerability was available but not applied, businesses are right to be proactive in their patch management activities. However, patching is still a challenge for many businesses, which can’t easily track whether vulnerabilities are being patched in a timely manner, or which are averse to taking critical applications offline in order to patch them.

The six patch management best practices we outlined in this post can help frame a logical workflow to your patch management activities, helping you reduce the risk of issues arising during your patching process. 

Want to learn more about what vulnerability assessment and patch management look like in action? Check out our Vulnerability and Patch Management landing page or watch the demos below.

Vulnerability Assessment:
Patch Management: 
More resources:
What is patch management?
What is vulnerability assessment?
Podcast: Why software has so many vulnerabilities

The MSP playbook on deciphering tech promises and shaping security culture

The in-person cybersecurity conference has returned.

More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at RSA 2022. In Las Vegas just last month, even more hackers, security experts, and tech enthusiasts flooded the Mandalay Bay hotel, attending the conferences Black Hat and DEFCON. 

And at nearly all of these conferences—and many more to come—cybersecurity vendors are setting up shop to show off their latest, greatest, you-won’t-believe-we’ve-made-this product. 

The dizzying array of product names, features, and promises can overwhelm even the most veteran security professional, but for one specific group of attendees, sorting the value from the verve is all part of the job description.

We’re talking today about managed service providers, or MSPs. 

MSPs are the tech support and cybersecurity backbone for so many small businesses. Dentists, mom-and-pop restaurants, bakeries, small markets, local newspapers, clothing stores, bed and breakfasts off the side of the road—all of these businesses need tech support because nearly everything they do, from processing credit card fees to storing patient information to managing room reservations, has a technical component to it today.

These businesses, unlike major corporations, rarely have the budget to hire a full-time staff member to provide tech support, so, instead, they rely on a managed service provider to be that support when needed. And so much of tech support today isn’t just setting up new employee devices or solving a website issue. Instead, it’s increasingly about providing cybersecurity. 

What that means, then, is that wading through an onslaught of marketing speak at the latest cybersecurity conference is actually the responsibility of some MSPs. They have to decipher which tech tools will work not just for their own employees, but for the dozens if not hundreds of clients they support.

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts at Malwarebytes about how MSPs can go about staying up to date on the latest technology while also vetting the vendors behind it. As our guests Eddie Phillips, strategic account manager, and Nadia Karatsoreos, senior MSP growth strategist, explain, the work of an MSP isn’t just to select the right tools, but to review whether the makers behind those tools are the right partners both for the MSP and its clients. 

As Karatsoreos said:

“You need to do your research… Do they have the right background to match what you’re offering? Do they have training for you? Do they have integrations? … Do they have a partner program? Because, as we know with MSPs, they don’t just want a product that just gets installed… They need that support of the partner program. Do they allow you to have a trial or a demo to make sure that it works in your environments? Are they constantly updating? And what does their security system look like? Are they protected?”

She continued:

“These are all things behind the technology that an MSP really needs to consider when considering those vendors.”

Tune in today to listen to Karatsoreos and Phillips discuss the many responsibilities of being an MSP today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A week in security (September 5 – 11)

Last week on Malwarebytes Labs:

Stay safe!

The North Face hit by credential stuffing attack

The North Face clothing brand, which specialises in outdoor and heavy weather outerwear, has experienced a “large-scale” credential stuffing attack. This has resulted in no fewer than 194,905 accounts being compromised. What is credential stuffing, and how did it affect The North Face customers?

What is credential stuffing?

Credential stuffing is an attack reliant on service users being a little lax with their password practices. If users of Site A reuse their password on sites B and C, this is a problem. Should Site A ever be compromised, those login details are exposed. They might end up on data dumps, or forums, or anywhere else you care to imagine. People with access to the credentials from Site A will then try them on sites B and C, often via automation. If the user has reused their password, the accounts on those additional sites will also be vulnerable.

Indeed, sometimes people will also reuse credentials from one site as their password for their email address too. This provides attackers with further inroads for all accounts tied to the address, and could end with a user losing access to many more of their online accounts.

Password reuse is tempting, because it’s impossible to remember a different password for each online account. That’s why people are encouraged to use tools like password managers, as they make it easy to generate and remember all your passwords. With this in place, victims are limited to “just” the fallout from the initial attack and can quickly take appropriate action.
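The defender’s side of the attack described above, as an added example that is not part of the original article: a small detector parses a constructed login log, flags a source that tries many different accounts with mostly failures inside a short window (the signature that distinguishes stuffing from one user mistyping a password), and lists the accounts that nevertheless logged in from that source, which are the ones that need a forced password reset. The log format, IP addresses and user names are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events in a made-up format; not from any real site.
# 203.0.113.7 cycles through six different accounts in five seconds (stuffing),
# 198.51.100.4 is one user retrying their own password, 192.0.2.9 is below threshold.
SAMPLE_LOG = """\
2022-08-11T03:14:05Z src=203.0.113.7 user=alice@example.com result=FAIL
2022-08-11T03:14:06Z src=203.0.113.7 user=bob@example.com result=OK
2022-08-11T03:14:07Z src=203.0.113.7 user=carol@example.com result=FAIL
2022-08-11T03:14:08Z src=203.0.113.7 user=dave@example.com result=FAIL
2022-08-11T03:14:09Z src=203.0.113.7 user=erin@example.com result=FAIL
2022-08-11T03:14:10Z src=203.0.113.7 user=frank@example.com result=FAIL
2022-08-11T03:20:00Z src=198.51.100.4 user=alice@example.com result=FAIL
2022-08-11T03:20:30Z src=198.51.100.4 user=alice@example.com result=FAIL
2022-08-11T03:21:00Z src=198.51.100.4 user=alice@example.com result=OK
2022-08-11T03:30:00Z src=192.0.2.9 user=grace@example.com result=FAIL
2022-08-11T03:30:05Z src=192.0.2.9 user=heidi@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Parse log lines; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many *different* accounts with mostly failures in one window.

    A single account failing repeatedly is a forgotten password; many accounts from one
    source with a high failure rate is a credential list being replayed.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            span = evs[i:j + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                report[src] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": fails,
                    "compromised": sorted(e["user"] for e in span if e["ok"]),
                }
                break  # one hit per source is enough to flag it
    return report


def accounts_to_reset(report):
    """Accounts that logged in successfully from a flagged source need a forced reset."""
    return sorted({u for r in report.values() for u in r["compromised"]})


def analyze(text):
    return detect_stuffing(parse_events(text))


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, info in result.items():
        print(f"{src}: {info}")
    print("reset:", accounts_to_reset(result))
```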

Which details are at risk from attackers?

According to Bleeping Computer, the North Face attacks began on July 26, with site operators detecting unauthorised activity on August 11. The attacks were shut down completely by August 19. Some of the information potentially accessed includes:

  • Name
  • Billing address
  • Purchase history
  • Shipping address
  • Telephone number

No payment details were accessed, which is very good news for anyone impacted by the stuffing attacks.

Please notice this breach

Data breach notices are being sent to anyone affected. Additionally, passwords have been reset and new login details will be required. Hopefully users will take note of the following suggestions:

Please change your password at thenorthface.com and other sites where you use the same password. We strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites. If a breach occurs on one of those other websites, an attacker could use your email address and password to access your account at thenorthface.com.

In addition, we recommend avoiding using easy-to-guess passwords. You should also be on alert for schemes known as “phishing” attacks, where malicious actors may pretend to represent The North Face or other organizations. You should not provide your personal information in response to any electronic communications regarding a cybersecurity incident. We have included below further information on steps you may consider taking to protect your credit.

It remains to be seen what the fallout from this one will be. With the type of data listed above, it’s fair to say that phishing and social engineering will likely be close to the top of the follow-up threat pile. Stay safe out there!

Ransomware review: August 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

As expected, LockBit remained the dominant ransomware variant in August, as it has all year. At the other end of the scale, REvil’s slow-motion revival continued with a single victim listed, RansomEXX posted its first victim for four months, and Snatch posted a single victim after forty days of inactivity. Intriguingly, the victim listed on the Snatch site was also listed by REvil in April. It’s not unusual for victims to be attacked multiple times, so this is not necessarily a sign of cooperation.

Known ransomware attacks by gang, August 2022

As we wrote in June, part of LockBit’s success comes from avoiding the kind of fatal missteps made by rivals like Conti, REvil, and DarkSide, all of whom attracted a great deal of public attention from US law enforcement. We cannot help wondering how long that will last though. LockBit has been the most active ransomware threat for all of 2022 and it is impossible to imagine there isn’t a team of FBI agents somewhere plotting its demise.

Over the last six months, between March 2022 and August 2022, LockBit has racked up 430 known attacks in 61 different countries, including 128 in the USA. In that period it was responsible for one in three known ransomware attacks—more than the next four most active gangs combined, and 300 more than its nearest rival. Between March and August it averaged about 70 known attacks per month, while the median for the gangs we monitor has never exceeded seven.

Known ransomware attacks by gang, between March 2022 and August 2022

The USA continues to bear the brunt of ransomware attacks, although its preeminence likely reflects the size of its service economy and the large number of potential victims rather than deliberate targeting. Few countries escape attention, and the 175 known attacks in August were spread across 43 countries as diverse as Luxembourg, Qatar, and Gabon.

Known ransomware attacks by country, August 2022
Known ransomware attacks by industry sector, August 2022

The future of ransomware

Two events in August hinted at how ransomware gangs’ tactics may evolve beyond “double extortion”, the biggest innovation in ransomware tactics in recent years.

Originally, ransomware encrypted files and its operators demanded a ransom in return for a decryption tool. It was all but impossible to decrypt the files without the decryption tool, but victims could avoid paying a ransom by restoring encrypted files from backups.

In late 2019 the group behind Maze ransomware began stealing files from its victims before encrypting them, and then threatened to leak the stolen files on a dark web website. This gave victims an incentive to pay the ransom even if they could restore their system from backups. The tactic was quickly copied and it is now standard for large ransomware groups.

Triple extortion

In August, LockBit stole data from security company Entrust in a double extortion attack. According to LockBit, which spoke to VX-Underground, the victim’s unusual response was to prevent LockBit from publishing the stolen data by launching a distributed denial of service (DDoS) attack against the group’s leak site.

The attack delayed the leak but does not seem to have prevented it. However, it does seem to have inspired LockBit to try the same thing. Having seen how effective DDoS attacks can be, the group took to a hacking forum to explain that it is now planning to use DDoS as a third stick to beat victims with, alongside encryption and extortion.

LockBit announces a DDoS service
LockBit rants about the alleged Entrust DDoS and then copies the idea

The utterings of ransomware gangs should always be taken with a pinch of salt, but the idea is worth taking seriously because it isn’t new. In fact DDoS extortion is an older tactic than encrypting files and demanding a ransom. It has simply fallen out of favor in recent years.

The end of ransomware?

Data leaking has been such a successful tactic that some groups, like Karakurt, don’t bother to encrypt files at all and rely entirely on the threat of leaked data. We believe that we will see more gangs taking this approach in future.

Since ransomware gangs started adopting “big game” tactics about five years ago, the skills required for a successful attack have changed. In a “big game” attack the encrypting malware is a commodity—the expertise that determines an attacker’s likely success is their ability to find a target, understand its value, and then break into its network and operate undetected.

This has led to significant specialization, with some criminal groups providing the software, some working as initial access brokers, and others actually performing the attacks. The skills that access brokers and attackers have developed have lucrative uses beyond deploying ransomware, such as surveillance, sabotage, espionage, and data exfiltration.

If encrypting ransomware ceases to generate significant revenue, its operators will simply pivot to other forms of attack. The pressure to do that started with improved backups triggering the switch to “double extortion”, and has increased as a result of Russia’s war in Ukraine. Since the start of the war, ransomware gangs have found it harder to get paid because of the threat of sanctions, and one of the most high profile gangs has disappeared completely as a direct result.

Ransomware operator Mikhail Matveev was asked in a recent interview with The Record if he thought ransomware will remain the best monetization model for cybercriminals over the next three years. His response: “ransomware will soon die—not in three years, but sooner. Literally, everything has changed over the last six months. Since the beginning of the special operation in Ukraine, almost everyone has refused to pay.”

Some members of the security industry have gone further, predicting ransomware’s imminent demise.

We believe that the long-term trend may see gangs moving away from encryption, but we don’t expect a sudden change. The reality is that some groups find it difficult to obtain their demands without the use of encryption, and encryption is still the tactic of choice for 2022’s most successful ransomware group, LockBit.

New groups

It seems that some cybercriminals haven’t received the memo about the imminent end of ransomware-as-a-service, and a handful of new groups appeared in August, just as they did in July. The new groups are D0nut, IceFire, DAIXIN, and Bl00dy. Unusually, Bl00dy doesn’t have a leak site and instead uses the Telegram messaging app.

D0nuts ransomware
The banner of the D0nut leak site
IceFire ransomware
The IceFire leak site
Daixin ransomware
The DAIXIN leak site

InterContinental Hotels’ booking systems disrupted by cyberattack

In a statement filed at the London Stock Exchange, InterContinental Hotels Group PLC reports that parts of the company’s technology systems have been subject to unauthorized activity. The activity significantly disrupted IHG’s booking channels and other applications.

The InterContinental Hotels Group, also known as IHG Hotels & Resorts, operates 17 hotel brands around the world, including established brands like InterContinental, Regent, Six Senses, Crowne Plaza, and Holiday Inn. IHG has over 6,000 hotels in more than 100 countries.

Ransomware?

Obviously, ransomware is not the same as “technology systems have been subject to unauthorized activity,” but in cases like these it is an automatic reflex to assume that it’s a ransomware attack. Especially when—as reported by BleepingComputer—the LockBit ransomware group last month claimed an attack on Holiday Inn Istanbul Kadıköy, one of the hotels operated by IHG.

IHG didn’t disclose whether the attack was the result of ransomware or some other malware. For now, it is in the process of notifying authorities about the intrusion and working with its technology suppliers. In addition, experts from outside of IHG are being brought in to help with the investigation.

Booking system

The unavailability of the online booking system must be a major pain for IHG. The website is unresponsive, and a message in the booking system says the company is working to resolve the issues as quickly as possible, suggesting that customers with questions call the hotel directly.

Message on the IHG booking site:

“At this time, you may have challenges booking a new reservation, accessing information about your upcoming reservations and accessing your IHG One Rewards account.  We’re working to restore all service as soon as possible. If you have an urgent request for an upcoming stay or need to make an urgent reservation, you can call the hotel directly to make, amend or cancel a booking. Thank you for your patience.”

The company says IHG’s hotels are still able to operate and to take reservations directly.

How to defend against ransomware

A complete set of defenses against ransomware should cover three stages:

  • Prevention and detection

The least painful time to thwart a ransomware attack is before it can do any harm. Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)

Block and/or flag emails that could contain malicious links and attachments, and educate and train your staff about how to handle such emails.

  • Monitoring and containment

Authentication policies can help to limit the lateral access that ransomware operators often exercise before they actually deploy the ransomware. Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

  • Recovery and removal

Put your backups outside of the reach of attackers, and make sure they work by testing that you can restore working systems from them. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud). Some security solutions offer built-in ransomware rollback options.

A complete removal is key if you want to prevent the threat actor from coming back. It’s not just about closing the door they got in through; they could also have planted a backdoor they can leverage to return. Many of the tools they deploy are legitimate, but they will still have to be removed or disabled to prevent unauthorized access.

Customer data

At this point it is unclear whether any customer data were compromised, but we will keep you updated.

Vulnerability response for SMBs: The Malwarebytes approach


At Malwarebytes, we understand that small- and medium-sized businesses find it uniquely difficult to respond quickly to vulnerabilities. Often, these organizations simply don’t have enough resources to keep up with the volume of patches.

The stakes are obviously high: According to Ponemon Institute, almost 60% of low-security maturity organizations suffered a data breach because “a patch was available for a known vulnerability but not applied”. 

At first glance, the solution to SMB patching challenges seems pretty simple. With increased automation and security staff, organizations can significantly reduce the time it takes for businesses to respond to vulnerabilities—and we all know that time is of the essence in the patching world.

However, most SMBs don’t have the budget to hire an IT team dedicated to patching. On top of that, automated patch management tools typically aren’t integrated into businesses’ security stack. That means IT teams can find themselves hopping from one security tool to the next, losing visibility, speed, and efficiency in the process. 

The Malwarebytes approach

How we approach vulnerability response at Malwarebytes directly reflects the pain points of SMBs, and it all starts with an intuitive user experience.

Intuitive

With Malwarebytes Vulnerability Assessment, IT teams can easily identify, classify and prioritize vulnerabilities in drivers, applications, macOS, and Windows server and desktop operating systems (OSes). 

Our cloud-native Nebula management console is easy to use and provides broad visibility across your attack surface, so you can rapidly identify security gaps and eliminate attack vectors.

The following information is displayed for each endpoint vulnerability.

  • CISA recommended: Shows whether the vulnerability is found in the CISA-managed catalog of Known Exploited Vulnerabilities. If it is, the column provides a link to the CISA catalog entry for the vulnerability.

  • CVE: Shows the CVE number as reported in the National Vulnerability Database. You can click on the CVE number to view additional vulnerability information and recommended remediation steps. 

  • Description: Description of the vulnerability and how it is used to exploit the application. 

  • Endpoint: Host name of the vulnerable endpoint.

  • Identified date: Date the vulnerability was detected on the endpoint.

  • OS platform: Operating system platform of the endpoint.

  • OS type: Type of operating system installed on the endpoint.

  • Severity: Severity level of the detected vulnerability. Severity is set using the CVSS standard. For more information, see CVSS Score System.

  • Vendor: Vendor name of the installed software which is vulnerable.

Effective

We use the Common Vulnerability Scoring System (CVSS) to automatically assess the degree of risk associated with detected vulnerabilities. From within the dashboard in our Nebula cloud-based console, users can see at a glance which endpoints are at risk and the projected degree of risk for each: High, Medium, or Low.

You can install available system patches with our Patch Management module. The following information is available for each patch:

  • KB ID: Knowledge base ID of the patch.
  • Description: Short description of the patch.
  • Category: Type of patch.
  • Endpoint: Host name of the endpoint.
  • Identified date: Date the patch was detected on the endpoint.
  • Size: Size of the patch.
  • Restart required: Requirement of a restart to complete installation of the patch.
  • Vendor: Vendor of the patch.
  • Patch: Name of the patch.
  • Severity: Severity level of the patch.

To apply a system patch, all you have to do is select all or check specific boxes for system patches you want to install and then click “Apply patch”. Done.

You can also install updates on outdated software programs. On our Software Inventory page, you can deploy software code revisions across OSes and a wide range of third-party legacy and modern applications, including Adobe, Chrome, and cloud storage apps (such as Box).  

In addition, with our advanced scheduling feature, users can pick and choose which applications to include in scheduled updates and which OS patches get deployed based on a combination of category and severity.


Inclusive

Not only do you gain instant visibility into potential vulnerabilities in your applications and operating systems, but you can do so all from the same platform you use for your endpoint protection.

Our VPM is built on the cloud-based Nebula security platform, making it easy to manage all your Malwarebytes solutions from a single platform: Malwarebytes Incident Response (IR), Endpoint Protection (EP), and Endpoint Detection and Response (EDR).


The Nebula security platform provides an intuitive guided user interface; next-generation threat intelligence; multi-layered security, including industry leading remediation; and easy integration with SIEM, SOAR, and ITSM solutions to simplify detection and response and resolve IT tickets with ease.

Intuitive, effective, and inclusive vulnerability response for SMBs

A combination of factors is responsible for SMBs not doing timely patching, but it can mainly be chalked up to a lack of automation and dedicated IT patching staff. In fact, vulnerability and patch management activities for most SMBs are either only partially deployed or not even planned or deployed at all.

That changes with Malwarebytes VPM modules.

Our approach to vulnerability response is designed for SMBs with limited IT staff who understand how valuable automation is in the patching process. Not only that, but our VPM modules are add-ons to the cloud-based Nebula security platform, making it easy to manage all your security solutions in a single pane of glass.

Want to see Malwarebytes Vulnerability Assessment and Patch Management in action? Watch the demos:

Vulnerability Assessment:

Patch Management: 

More resources:

What is patch management?

What is vulnerability assessment?

Podcast: Why software has so many vulnerabilities

Warning issued about Vice Society ransomware targeting the education sector

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory (CSA) after observing Vice Society threat actors disproportionately targeting the education sector with ransomware attacks.

Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.

This CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. After issuing advisories about MedusaLocker and Zeppelin ransomware, this is the third CSA of 2022 which aims to provide technical information on ransomware variants and ransomware threat actors.

Vice Society

Vice Society is believed to be a Russia-based intrusion, exfiltration, and extortion group. Malwarebytes has been tracking the group since December 2020. Due to similarities in naming and tactics, we suspect there is a tie to the HelloKitty ransomware group. Both use the .kitty or .crypted file extension for encrypted files. According to CISA, the Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may just as easily deploy other variants in the future.

The group also operates a so-called ‘leak site’ where exfiltrated files are made available if the victims decide not to pay the ransom.

Tactics

Vice Society has been known to exploit known vulnerabilities in SonicWall products, and the set of vulnerabilities commonly referred to as PrintNightmare. The CSA also mentions the gang exploiting internet-facing applications without providing details.

Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase access, and exfiltrating data. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike, in order to move laterally.

Los Angeles Unified school district

In a recent example of a school district targeted by ransomware, the huge Los Angeles Unified School District fell victim to a ransomware attack. LAUSD is the second largest school district in the US, and the attack targeted the LAUSD’s information technology systems during the Labor Day weekend. Authorities moved to shut down many of the district’s most sensitive platforms over the weekend to stop the spread and restrict the damage, and by Tuesday most online services — including key emergency systems — were operating safely.

The attack resulted in staff and students losing access to email. Systems that teachers use to post lessons and take attendance also went down.

An investigation involving the FBI, the Department of Homeland Security and local law enforcement is underway. 

Mitigation

From the example above we can see that constant monitoring and adequate intervention helped to limit the impact.

Besides IOCs and attack techniques, the CSA provides a lot of mitigation advice. Since the techniques used by the Vice Society group are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators.

But you should also realize that while it’s easy to say that you need reliable and easy to deploy backups, for example, it’s not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.

Backups

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data, and regularly maintain backup and restoration. This makes it less likely that you will be severely interrupted, and/or only have irretrievable data, in the event of a ransomware attack.

Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.

Authentication

Require all accounts with password logins to meet the required standards for developing and managing password policies:

  • Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege
  • Implement time-based access for accounts set at the admin level and higher
  • Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers
  • Store passwords using industry best practice password hashing functions
  • Implement password rate limits and lockouts
  • Avoid frequent password resets (once a year is fine)
  • Avoid reusing passwords
  • Disable password “hints”
  • Require administrator credentials to install software
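Two of the items above, storing passwords with a proper password hashing function and applying rate limits and lockouts, are shown together in this added example (not code from the CSA or from Malwarebytes). It uses PBKDF2-HMAC-SHA256 from Python's standard library with an assumed round count, and a per-account lockout policy whose thresholds are likewise assumed settings.

```python
import hashlib, hmac, os, time
from collections import defaultdict

# PBKDF2-HMAC-SHA256 from the standard library; the round count is an
# assumed setting for this demo (raise it as your hardware allows).
PBKDF2_ROUNDS = 600_000
SALT_BYTES = 16

def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$hash_hex' using a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    algo, rounds, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), hash_hex)

class LoginGuard:
    """Per-account failure counter with a temporary lockout.
    A locked account rejects even the correct password until the window ends."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the policy can be tested offline
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, user: str, password: str, stored: str) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if verify_password(password, stored):
            self.failures.pop(user, None)  # success resets the counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return "locked"
        return "denied"
```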

Software

Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)

Networks

Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.
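The point about EDR knowing each host's common and uncommon connections can be turned into a simple baseline check, as in this added example (not code from the CSA or any EDR product). The connection records, the internal address range and the admin-port list are all constructed for the demo; a workstation that suddenly reaches several previously unseen internal hosts over SMB or RDP is flagged, while a jump host's routine RDP traffic is not.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not real logs): "timestamp src dst dport".
BASELINE_LOG = """
2022-09-01T09:00:00 10.0.1.20 10.0.0.5 445
2022-09-01T09:00:05 10.0.1.20 10.0.0.10 53
2022-09-01T09:01:00 10.0.9.9 10.0.1.40 3389
2022-09-01T09:02:00 10.0.9.9 10.0.1.41 3389
"""
NEW_LOG = """
2022-09-06T02:10:00 10.0.1.20 10.0.0.5 445
2022-09-06T02:10:02 10.0.1.20 10.0.1.21 445
2022-09-06T02:10:03 10.0.1.20 10.0.1.22 445
2022-09-06T02:10:04 10.0.1.20 10.0.1.23 3389
2022-09-06T02:10:05 10.0.1.20 8.8.8.8 443
2022-09-06T02:11:00 10.0.9.9 10.0.1.30 3389
"""

# SMB, RPC, RDP and WinRM: the usual channels for host-to-host movement.
ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site range

def parse(log):
    """Yield (timestamp, src, dst, dport) tuples from the constructed log text."""
    for line in log.strip().splitlines():
        ts, src, dst, port = line.split()
        yield ts, src, dst, int(port)

def build_baseline(log):
    """Learn which (destination, port) pairs each host normally talks to."""
    seen = defaultdict(set)
    for _, src, dst, port in parse(log):
        seen[src].add((dst, port))
    return seen

def find_lateral_fanout(log, baseline, min_new_hosts=3):
    """Flag hosts that reach >= min_new_hosts previously unseen internal
    peers on admin ports; traffic matching the host's baseline stays quiet."""
    new_peers = defaultdict(set)
    for _, src, dst, port in parse(log):
        if port not in ADMIN_PORTS or ipaddress.ip_address(dst) not in INTERNAL:
            continue  # ignore non-admin ports and egress to the internet
        if (dst, port) in baseline.get(src, set()):
            continue  # connection matches this host's normal behaviour
        new_peers[src].add(dst)
    return {src: sorted(p) for src, p in new_peers.items() if len(p) >= min_new_hosts}
```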

Email

Consider adding an email banner to emails received from outside your organization.

Disable hyperlinks in received emails.

Scripts

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Stay safe, everyone!

How to set up an Android for your kids

Last week, we gave you some tips on how you can set up a new iPhone for your child to use as they start this school year. Today, we’ll look at doing the same for Android phones.

Setting up an Android isn’t very different from setting up an iPhone as both platforms follow a similar logic to making devices child-friendly. This makes it easier for you if you have children with different preferences for phone brands.

1. Set up a screen lock

With your child, figure out the best way they can screen lock their phone and open it quickly if needed. This could be a PIN, pattern, or password.

Opting to unlock with a swipe only may get your child to the home screen quicker—and stops them from making accidental calls or texts while the phone is in their pocket—but it’s not going to save them from anyone who wants to deliberately access their phone, especially if they do it behind your child’s back.

Android Help has a page on how to set a screen lock.

2. Ensure Find My Device is enabled

Google has a “Find My” feature baked into its Android OS. It’s called Find My Device, formerly Android Device Manager.

This feature automatically turns on if you’re signed in to a Google account on Android. To ensure the device can be found, Google lists what needs to be turned on for the Find My Device to work. You can check out the list and how you can go about ticking them off on this page.

You can also use Find My Device to make the device play a sound (in case it’s lost in the house somewhere), secure the device by locking it down remotely, and wipe the device from afar (hopefully the last resort) if the device is truly lost or stolen and you don’t want any of your child’s data ending up in someone else’s hands.

3. Set up parental controls

A built-in parental control feature can be found in the Google Play Store app. It’s not on by default, so you have to enable this on your child’s phone. Your child won’t be able to turn this off again as you’ll be asked to create a PIN, which needs to be entered before anyone can fiddle with the parental control settings.

Here, you can restrict the apps (not the content) your child sees on the Play Store based on their age (PEGI rating). 

If you need a step-by-step guide, Google has you covered.

4. Download and set up Family Link

Family Link is an additional Google parental control app. Download it from the App Store, and set it up. This offers parents and guardians more granular restrictions and limitations for their children.

Note that Family Link accounts are different from standard Google accounts. Once the app is installed, it’ll walk you through setting up that account. 

As you go through the setup process, it’s worth talking to your child about what limitations you are putting on them when using the device, such as screen time, what apps they can use, purchase controls, etc., and why.

Allow them to share their thoughts about these limitations and restrictions. Create a dialogue with them so they feel listened to.

5. Use YouTube Kids instead of regular YouTube

For parents with young kids who don’t want them to see things they’re not supposed to see, YouTube Kids is an alternative to YouTube. It only plays kid-friendly content, doesn’t show ads, and doesn’t allow comments.

Of course, there’s always the possibility of some videos slipping through the filters. In one case, a video that overtly says it’s not for kids was falsely categorized by YouTube’s AI. Thankfully, it didn’t end up on YouTube Kids, but it’s still good practice to watch with your child every now and then, or you can sit them in the same room while they watch.

If you want finer control over apps, such as blocking them outright rather than only restricting them, and you can’t get that from Google’s apps, you can seek help from third-party apps.

Finally

Navigating the internet is already tricky enough, and you need all the help you can get when introducing your kids to new territories as they grow up.

So, research, read a lot, and get expert opinions. Handing your child their first phone only happens once, but what happens afterward is a crucial stage of adjustment for your child and you!

Good luck!