info@qualityplusconsulting.com | +1 262-553-6510

Special note for Ubuntu users

Breakfast Bytes podcasts are streaming MP3. In order for Firefox on Ubuntu to play the streaming MP3, install the GStreamer extra plugins that list MP3 as one of the supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - Learning from Others' Mistakes

11/17/2017, 12/2/2017


Learning from the Mistakes of Others



Adobe Acrobat 11 - End of life and what to do about it

KRACK wireless vulnerability and what to do about it

Mistakes with endpoint protection that cost you dearly

MP3 - KRACK wireless vulnerability and endpoint protection

MP3 - Lessons learned from the mistakes of SMB leadership


Summary

  • Adobe Acrobat 11 is end of life / end of support
  • KRACK wireless vulnerability
  • How to make sure that your endpoint protection is not security theater
  • The state of nearly every business that does not have competent, ongoing IT security engineering support is a disaster.
  • Real world examples of several businesses and what you can learn from their mistakes
  • Don't try to do IT or security on your own, and never bootleg software

Adobe Acrobat 11 is end of life

This means the product can no longer be used safely. It is very unwise to run software for which security patches can no longer be obtained.
So if you still need Adobe Acrobat Pro, you should purchase Acrobat Pro 2017.
If you no longer need Acrobat, uninstall it and use Adobe Reader instead.
http://m.info.adobesystems.com/nl/jsp/m.jsp?c=%40gZ6OVKGzLdcMeKwip2fXqzaqTjS2T%2FRn%2BBeaghm4VoY%3D

There really are no PDF editing and management tools that are viable replacements for Adobe Acrobat Pro.
The Standard version is so reduced in functionality that the vast majority of people who use Acrobat have found it does not have the feature set they require. As a result, I would advise obtaining Acrobat Pro instead of Standard.


KRACK wireless vulnerability

The big KRACK vulnerability for wireless should now be patchable on all platforms.
WatchGuard and WiNG released patches for all of their platforms as of the first week of November.

The question is whether or not you have installed the latest firmware updates for your wireless infrastructure.
AND it is never that simple. After the firmware update, you still need to update the gateway wireless controller configuration to block KRACK-vulnerable clients, and ensure that roaming is enabled per-SSID.
Then check every wireless SSID to make sure TKIP is no longer allowed. Why? Because TKIP has finally had the nail put in its coffin. I have not been using TKIP for over 6 years, but the international security community has now stated that TKIP is officially so weak that it cannot be used anymore.
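The SSID checks above can be scripted rather than eyeballed. The following is an added example, not code from the original post or from WatchGuard or WiNG: it assumes a Linux hostapd access point (a constructed hostapd.conf is embedded) rather than a gateway wireless controller, and flags any BSS that still offers TKIP, still offers legacy WPA (version 1), or has not set hostapd's post-KRACK `wpa_disable_eapol_key_retries=1` client workaround.

```python
# Audit a hostapd.conf for the post-KRACK checks named above (added example,
# not from the original post or from WatchGuard/WiNG; assumes a Linux hostapd
# AP rather than a gateway wireless controller).

# Constructed sample config: one legacy SSID that fails, one that passes.
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
ssid=Legacy-Guest
wpa=1
wpa_pairwise=TKIP
bss=wlan0_1
ssid=Corp
wpa=2
rsn_pairwise=CCMP
wpa_disable_eapol_key_retries=1
"""

def parse_bss_blocks(text):
    """Split hostapd.conf into per-BSS dicts; each 'bss=' line starts a new one."""
    blocks, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "bss" and current:
            blocks.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        blocks.append(current)
    return blocks

def audit_bss(cfg):
    """Return findings for one BSS; an empty list means it passes all three checks."""
    ssid = cfg.get("ssid", "<unnamed>")
    findings = []
    ciphers = set(cfg.get("wpa_pairwise", "").split()) | set(cfg.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append(f"{ssid}: TKIP still allowed ({' '.join(sorted(ciphers))})")
    if cfg.get("wpa") in ("1", "3"):  # 1 = WPA only, 3 = WPA+WPA2 mixed mode
        findings.append(f"{ssid}: legacy WPA (v1) still offered; set wpa=2")
    if cfg.get("wpa_disable_eapol_key_retries") != "1":
        findings.append(f"{ssid}: EAPOL-Key retries not disabled (KRACK client workaround)")
    return findings

def audit_config(text):
    """Audit every BSS in the file; findings come back in file order."""
    return [f for cfg in parse_bss_blocks(text) for f in audit_bss(cfg)]
```

Run `audit_config` over your own exported config; an empty list is the pass condition, and each finding names the SSID that still needs attention.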

All of this is a fine example of why you have to have an ongoing relationship with a security expert like QPC. It is impossible to stay updated on all of these topics by yourself.
https://www.watchguard.com/wgrd-blog/krack-update-protecting-unpatched-devices


Real world examples of the state of businesses lacking competent IT engineering support

Earlier this week, I went to a new client location on a first visit. It was a typical scenario that I encounter: a business run on a shoestring, with microscopic amounts of IT work having been done by the business owner themselves or by some dabbler tech with little to no skills. The result is a disaster.

  • No backups
  • No security
  • No patching
  • Everything is outdated
  • The network has no security and has no design
  • Name resolution does not work (DNS)
  • The email system is a wreck and does not facilitate business processes.

When business owners think they are saving money by going down this road, they are saving on external costs or hard costs at that very moment, but they are wasting their time and their employees' time. That is a hard cost also. I am always surprised to see how long a company can last with absolutely no security and no viable backups.

Endpoint protection - security theater

Two weeks ago, I removed ESET from a company's computers. ESET had been on their computers from the time those computers were put into service. ESET never once found any malware. There was no reporting, no logging, no notifications.
The day after I put Trend Worry-Free Services agents on all the systems, I got a report of the multitude of malware that was found and removed.
So just because your endpoint security client is not finding anything does not mean that it is doing its job.

There is a company out west I work with, and they have been using AVG for many years. As issues come up or as their PCs are being replaced, I am providing them with Trend Worry-Free Services licenses for the new computers.
Two weeks ago, I was working on one of their PCs and I spotted active malware by looking at the behavior of the computer. AVG not only did not detect it, but it could not remove it. I convinced the business to get a Trend agent for that computer. The Trend agent was installed, and the malware was detected, removed, and reported on.

Logging and reporting capabilities for endpoint protection is MANDATORY

The value of logging and reporting cannot be overstated. In HIPAA, PCI, or really any environment where you have a compliance requirement or you just want to know what is going on, you MUST have an endpoint protection client that logs and reports. I'm astonished that not all products do this, because it is such a basic requirement.

I am not surprised, though, that MANY people who call themselves IT consultants have NO knowledge of these compliance or common sense requirements. These dabblers seem to only care about the price point for the acquisition cost of the software, and care nothing for its effectiveness.

I have been to security conferences and encountered consultants who tell me that they choose endpoint security products based upon which products produce the least amount of service tickets for them. WOW! What an admission!
That statement effectively means they don't care about what is best for the client, or whether the product is effective. They only care about a product that does not generate logs, messages, alerts, or reports, and certainly does not find anything, because that would generate a service ticket they would need to action. So they would rather collect their monthly fees and have security theater.

Security theater - light your money on fire

Security theater is extremely widespread and very dangerous. And it's not limited to the IT world. You have probably seen the recent news items reporting that about 80% of the time, the TSA FAILS to detect a security threat. So their system is failing 80% of the time. That is security theater.

The same thing happens in the IT industry. Putting an endpoint protection agent in place and having it not be managed effectively is security theater. You might as well have lit your money on fire. Management of the product and the system is essential.

But I don't want to pay for server maintenance

I recently met with a business owner who told me that he did not want to ever have to pay for server maintenance. He can want that, but it is way beyond all levels of realism. This is not a matter of a choice between a physical or a hosted cloud server. In both circumstances, the system has to be maintained. Of course, what I found when I looked at the server was a system that was never set up correctly to begin with, and one that was a complete disaster from a security, backup, and risk mitigation standpoint.

His business-critical accounting system was hosted on this server. The server was a glorified souped-up PC rather than a real server. There was no endpoint protection agent on it. There were no backups. AND, most egregious of all, the entire server was set up for anonymous access with full control. I'm not joking. So any device that gained access to the network in any way, or any one of the PCs that have NO protection and are most assuredly currently hacked, well, any process running on any of those systems can easily steal, exfiltrate, delete, or alter ALL OF THE DATA on that server without any restriction.
And there are no logs of any activities, and no egress controls to stop such malicious activity. There are no preventative security controls to stop that from happening to begin with.

200 networks later - it's the same old story every time

And this is exactly what happens when people try to wing it on their own. I have fixed over 200 networks that look like this. Businesses MUST get competent help, and I grant that competent help is hard to find. Like your trusted lawyer or your trusted CPA, your IT security architect is equally as valuable, and you cannot balk at the rate they charge. That IT security architect will be the difference between you being in business or out of business.
