![]()
Since late last year, Fractional CISO has published a new article every Thursday morning. We try to be more than just another business blog that talks about how great we are – every article contains actionable cybersecurity advice for business leaders. It is our goal that every article we publish has something somebody can take away and implement at their own business.
Plus, our entire team contributes to the blog. While we have a team of cybersecurity experts, everyone has their own areas of specialist knowledge that they can write about.
With 2021 coming to a close and 51 new blog entries in the books, we are going to engage in our now-annual practice of revisiting the top articles we published this year.
6. Scariest Vulnerability: Log4Shell
Breaking in just the last few weeks of the year, the serious Log4Shell vulnerability in Java’s Log4j tool is the scariest cybersecurity vulnerability to come out since Heartbleed or Shell Shock. It’s a shame it didn’t get a more evocative name to communicate just how scary it is – it’s literally one of the scariest and most dangerous vulnerabilities ever. Of all time.
Log4Shell allows attackers to easily perform remote code execution attacks on servers with Java applications that use Log4j (so basically all of them). Quite literally billions of devices are affected by this vulnerability.
We still don’t know the full ramifications of this vulnerability. It has been in the wild for years and likely will continue to be because not every Java server will be updated accordingly to patch it out. While the little article we published is our fast-response tips, it’s likely more news will come about protecting yourself from unpatched devices. Watch this space!
Also: the image at the top of this section is a Log4Shell logo we had created to help spread awareness about the vulnerability. It’s released under an Apache open-source 2.0 license – please feel free to use it! All we ask is that you give credit to Fractional CISO.
There are a lot of really great, free security tools available to everyone these days, so we write about them sometimes. Canarytokens can help notify you of something that goes wrong, Mozilla Observatory can scan and grade your website’s security, and DNSTwister can determine if someone is typosquatting on domains similar to yours. This is just scratching the surface!
EmailSpoofTest really stood out from the crowd though. It allows users to perform a sort of self-penetration test on their email inbox. Specifically, it tests an email server’s protection against spoofing attacks. Spoofing is a trick attackers use to try and disguise phishing emails, making them look as if they come from a legitimate source.
EmailSpoofTest will expose holes in your configuration, so you can patch them up. We also produced a video, showing you how to use the tool!
Who would you rather buy a hot dog from: Bob’s Dogs on the left? Or Messy Mike’s on the right?
When buying goods or services from a vendor, whether it’s a hot dog or software, you are exposed to some risk from that vendor. Do they have good health and safety/security practices? If not, you could be harmed.
In cybersecurity, vendor management is especially critical because almost every vendor brings some level of risk to the table. Every company needs a vendor management program, period, and in the article this image comes from serves as a guide to get started.
Microsoft Office 365 is responsible for all sorts of important data and services for the company’s that use them. Therefore, it is incredibly important to try to avoid having an attacker compromise your environment. Unfortunately, Microsoft’s so-insane-it-requires-a-five-page-matrix licensing system and their terrible security defaults make it easier for attackers than it should be.
This article serves as a handy guide. Send it off to the person in charge of an Office 365 environment, and they can change MS’s settings from “not secure” to “most secure.”
One other piece of advice for Office 365 businesses: use an email security tool such as Mimecast or GreatHorn. Microsoft’s phishing defences are weak and the extra defense is desperately needed to keep phishing emails out of your employee’s inboxes.
2. Hottest on Social: XKCD Password Advice
Source: xkcd
Okay, this actually wasn’t a blog, it was a video! This video racked up over 6,000 views on our founder Rob Black’s LinkedIn page. It provides a brief critique of XKCD’s famous “correct horse battery staple” password advice, and explains the better alternative: password managers.
Bottom line: all businesses should be using password managers!
1. Most popular: Should you hide your WiFi SSID?
This article was actually published on December 22, 2020, too early for us to know that it was going to be the most popular article for the next year here at Fractional CISO. With that in mind, we’re giving it the recognition it deserves now!
This article comes via Samantha Rutledge, where she argues the security pros of hiding the SSID don’t outweigh the usability cons of doing so. In summary:
Pros:
- Makes your network less of a “low-hanging fruit” – less likelihood of casual attacker.
- Makes it harder for bad guys to use your WiFi signal to determine the physical location of your company.
Cons:
- Advanced bad guys can still easily find your network.
- Said bad guys might be interested in seeing what your hidden network is hiding.
- Hiding your network inconveniences users.
Ultimately, we don’t think the drawbacks of hiding your network SSID outweigh the benefits, but as we say here at Fractional CISO: there is no one-size fits all solution to security! Your business may want to make another choice.
Tales from the Click
Thank you for reading Fractional CISO’s blog this year. If you’d like this kind of content delivered to your inbox, please consider subscribing to our newsletter! Otherwise, you can check out our blog every Thursday for new, actionable cybersecurity advice for business leaders.
