29. What Is An AUP, And Why Do You Need One?

Make sure EVERY employee knows what they can and cannot do with company technology. Ongoing training is crucial.
This Week's Security Tip: Make sure EVERY employee knows what is acceptable and what is not, regarding company technology. 

With so many access points, from cell phones to laptop and home computers, how can anyone hope to keep their network safe from hackers, viruses and other unintentional security breaches? The answer is not “one thing” but a series of things you have to implement and constantly be vigilant about, such as installing and constantly updating your firewall, antivirus, spam-filtering software and backups. This is why clients hire us – it’s a full-time job for someone with specific expertise (which we have!).

Once that basic foundation is in place, the next most important thing you can do is create an Acceptable Use Policy (AUP) and TRAIN your employees on how to use company devices and other security protocols, such as never accessing company e-mail, data or applications with unprotected home PCs and devices (for example). Also, how to create good passwords, how to recognize a phishing e-mail, what websites to never access, etc. NEVER assume your employees know everything they need to know about IT security. Threats are ever-evolving and attacks are getting more sophisticated and clever by the minute.

UPDATE to last week's Headlines:
  • Kasaya VSA breach – has been on their CVE for 3 months, also upon a third party security incidence response evaluation, they found their billing and customer support site, portal.kasaya.net, was, and has been since July 2015, susceptible to CVE 2015-2862, a "directory transversal attack – basically, even without credentials you could access server files and locations, including the web.config file, which includes usernames, passwords, and locations to other sensitive information..  Kasaya had updated their customer portal in 2018, but left their legacy portal alive.

  • Microsoft issues Emergency patch for PrintNightmare – We briefly mentioned this last episode, but the story goes:

    A security researcher publicly announced the initial vulnerability, allowing for the print spooler, which by default runs on all Windows versions by default with kernel level administrative rights, could be maliciously used to run remote executable code, potentially take over the entire domain.   In the next update, Microsoft issued a weak patch that only addressed the point of concept, but didn't really address the actual vulnerability.  Another research team then publicly reported a point of concept they too had reported to MS: a different CVE than the other, which in summary was an active exploit – so basically they published a how-to on a zero day.  SO then MS had to patch both the first CVE and second as fast as they could, and finally after a couple days did offer an out of band update which covers both

  • WD – to recap, A flaw for all WD MyBook external drives of a zero-day exploit was reported in 2020 prior to Pwn2Own Tokyo, but WD replied that the bug had been resolved in their new OS5 software.  The research team then posted a video of the proof of concept.  Go figure, tons of them in the wild were then (and probably still are) being wiped by malicious hackers. WD's initial response in March was to advise eveyrone with a MyBook on v3 upgrade to a dvice that can use v5 (basically a new one), and that they would not update the old versions with security patches.  Facing a backlash of angry customers, Western Digital also pledged to provide data recovery services to affected customers starting this month. “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free of charge.”
Next Week's Teaser:
What the heck is an AUP…and why do you want it?

Call to Action:
We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!