Categories: Podcast, Healthcare IT, HIPAA, Information Security, Law Firm IT

ProactiveIT Ep 3 SRA Myths, Law Firm Data Retention & BlueKeep

November 8, 2019

This is Episode 3 of the ProactiveIT Podcast. On the ProactiveIT podcast we discuss the latest in technology news, cyber security, and compliance.

In this episode we discuss recent Cyber Security News:

1. LinkedIn Phishing Attempts Are On the Rise
2. New York health system to pay $3 million HIPAA fine
3. Angel Investor SIM Swap Lawsuit
4. ConnectWise Automate Reports that Malicious Attackers Are Targeting MSPs
5. Two Security Testers Arrested for Doing Their Job

We also discuss the top 10 Security Risk Analysis myths (healthcare), EHR remote access best practices, and law firm data retention rules for CT.

Transcription

Everyone, welcome to episode 3 of the ProactiveIT podcast. This week: the latest and greatest in IT and cyber security news, HIPAA-compliant security risk assessment myths, EHR best practices, law firm data retention and reporting in Connecticut, and finally, last but not least, BlueKeep rears its ugly head again.

This podcast is brought to you by Nwaj Tech, a HIPAA-compliant, client-focused IT consultant located in sunny central Connecticut (it's very cold today, by the way). You can find us at nwajtech.com, that's N-W-A-J tech dot com. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so you can better protect your business and identity. We're not doing a HIPAA case or law firm case study today, but we do have lots of stuff to share with you, so you will not go without information today, I can promise you.

So first, as always, we talk about Patch Tuesday updates. We'll start with Microsoft. Windows updates are being finalized, possibly to be released to the wild on November 12th. The November 2019 update is different than Microsoft's usual major updates: instead of requiring a large download and being delivered through a standalone release, the November 2019 update will be delivered just like a normal Patch Tuesday release. Their November 2018 update doesn't have as many new features as previous major updates; instead it focuses on fixing bugs, improving performance and introducing minor new features. So no Microsoft Patch Tuesday update this week, possibly next week it looks like, so by the time you hear this you may be getting ready to release some patches, hopefully to fix some of the bugs in previous updates. I have a laptop, as I mentioned in previous episodes, that keeps blue screening if I let the updates install.

There is one other update I do want to mention today. Last Friday, so about a week ago as of this recording, a critical Google Chrome vulnerability was addressed by Google with the latest update, so the latest version is 78.0.3904.87. It's really easy to update Google Chrome if it's not already being managed by your IT: just open Google Chrome, click the three dots on the top right, click Settings, click About Chrome, and it will begin the update process for you. So make sure you're up to version 78.0.3904.87. One of those vulnerabilities is being actively exploited, so it is important to update immediately. I sent an email to my email list yesterday letting them know to update immediately. If you are managed by Nwaj Tech, if you are one of our clients, then you have already been updated; you were updated as soon as the update came out. All right, so that's it for Patch Tuesday.

In cyber security news we have quite a bit to share, some good, some bad, some interesting. So first I want to mention that on LinkedIn, phishing (I don't think they're calling it InMail anymore), phishing attempts are on the rise. I have not received any, but I know of quite a few peers who have received phishing emails in their inbox on LinkedIn. Now obviously if you're using anti-phishing protection, it's not going to catch LinkedIn, so that's where the education comes into play. It's real simple, the campaign we're going to be launching sometime next year: think before you click. Before you click on anything in LinkedIn, or Facebook for that matter, or any other social media platform, think: do you know the sender? Can you manually type in the address? Is it really something important? Would a vendor contact you via those platforms? Things like that. Think before you click. That's going to be on a different website, it'll be think, B, the number 4, U, click dot com. The website is just the landing page for now, but that will be coming next year. So think before you click on LinkedIn, with the rise, an uptick, in phishing attempts via inbox on LinkedIn, formerly known as InMail (I don't know, again, if it's still called that).

All right, in actual news now: New York health system to pay $3,000,000 in a HIPAA fine. This was due to 2 incidents. This is University of Rochester Medical Center in New York. Normally when you hear of HIPAA fines it's because of a data breach: somebody hacked in, somebody gained access to email, somebody grabbed paper records that they shouldn't have had. That's the normal stuff. This is a tale of why you should encrypt every device. So in 2017 the University of Rochester Medical Center reported that a flash drive was missing. Yeah, it just says it reported a breach initially after loss of an unencrypted flash drive, so no indication that it was stolen, but you know it could have been. And then shortly after that, or, I'm sorry, 2013, the flash drive was reported stolen. So 6 years ago, 2013, the flash drive was stolen, and in 2017, or, I'm sorry, the flash drive was missing; they don't know if it was stolen or if it's just missing. It's pretty easy to lose a flash drive, I do it sometimes myself; my flash drives don't contain PHI though. In 2017 a laptop was also reported lost, again no indication that it was stolen. But here's the thing: those events by themselves wouldn't have been fined by the OCR. They would not have said OK, here's a fine, 3 million dollars, pay up. What forced them to be fined was the fact that neither one of those devices was encrypted. And it's really simple to encrypt a flash drive, you just need 3rd party software and there's tons of it out there. On a Windows laptop, if it's a newer laptop, and by newer I mean within the last few years, then you should be able to set up BitLocker without an issue. But even if you can't set up BitLocker for whatever reason, there is 3rd party encryption software out there. So something that takes only a few minutes to set up cost University of Rochester Medical Center 3 million dollars. Now again, this happened in 2013 and 2017, so obviously it takes time for the OCR to investigate, determine what the fine is, potentially negotiate; I don't see any indication that those are negotiated. So you know, yes, you need the security, you need the education, but you also need encryption on all of your devices, especially ones that could walk very easily. So again, University of Rochester Medical Center fined 3 million dollars because of two devices not being encrypted. If they were stolen, or reported lost as they reported, and they had been encrypted, then there probably wouldn't be any fines.

Next piece of news: angel investor sues over SIM swapping hacks. So I talked really quickly last week, I believe, about Jack Dorsey's incident where his Twitter account was compromised because of SIM swapping. SIM swapping, essentially, is an attacker will call your cell carrier, service provider, so you know the Verizons, AT&Ts, T-Mobiles of the world, Sprint, and basically port the legitimate user's phone number to a new SIM, and once they have access to that phone number they are able to use two factor authentication. So in Jack's case, since they did a SIM swap scheme on him, then they tried to log into Twitter. Twitter uses 2 factor authentication, it goes to a text message, and the hacker, it's not really, or I guess it could be a hack, but the attacker now is getting the two factor authentication text messages and they're able to log in. The same thing happened to Greg Bennett, an angel investor. He sued Bittrex, the cryptocurrency exchange, because essentially what it comes down to is: why are we using SMS for 2 factor authentication? Why can't we use soft keys? Why do Twitter and Bittrex still use SMS for 2 factor authentication? So he's suing because of the SIM swap hack; the crooks stole 100 Bitcoin, which is worth roughly $1,000,000, so quite a bit of money there that he lost. He's suing Bittrex claiming that Bittrex could have stopped but didn't stop the attack, which happened on April 15th. So this is another case, by the way, of maybe, like, security: April 15th is tax day in the United States, so maybe they got ahold of somebody at the cell carrier, the service provider for their cell phone, who maybe was newer, maybe was light staff, because, you know, I don't know how they schedule those people on tax day, but I do know that people may be focused on getting their taxes done rather than doing their actual job. So, an angel investor sues over a SIM swapping hack because his cryptocurrency exchange account was robbed of 100 Bitcoin. Another case to get rid of SMS for 2 factor authentication.

This one I saw this morning, so this is kind of more my industry, managed service providers. ConnectWise Automate is reporting that malicious actors are targeting ConnectWise Automate accounts, and they're recommending that you close up any ports that are not being used, per their Internet best practices. We've seen a few cases this year of MSPs being targeted through their remote monitoring and management software, and that's what ConnectWise Automate is, an RMM, and they are telling their users that they are being targeted and that you need to close any ports that are not being used. It's over the Internet, so if you have a port facing the Internet that's open, and we're going to talk about BlueKeep and another port in a little bit, then you need to close that. They have best practices on their site, so you should definitely, if you're using ConnectWise Automate, or if your IT vendor is using ConnectWise Automate, I would recommend that you make sure they are aware of this, and they should of course be following the cyber security framework.

And then sort of a weird incident, I guess: 2 security testers, so these are legitimate white hat ethical hackers, were arrested because, while doing a job, they were engaged to do some penetration testing in Iowa and got arrested breaking into a courthouse. There was some confusion as to whether or not they should have been breaking into the courthouse, because local law enforcement was not informed of this. So whenever you're doing a security, basically a penetration test is what it's called, so for penetration tests, ahead of time a document is created so that all parties involved understand the scope of the penetration test: whether or not you could test physical property, what's off limits, what's not, is basically what should be agreed to before the penetration test begins. By all indications the company's security provider, which is called Coalfire, did review what was open to this penetration testing ahead of time. However, for some reason, local law enforcement was not informed, and because of that the 2 pen testers, the two security personnel that were performing the tests, were detained. Eventually they were released; Coalfire took care of the bail money. They report that they did do this with another courthouse earlier and did not get arrested, so it's not clear why the second time they did, who knows. So there's some work to be done there. The point there is to make sure that if you have a security firm coming in to do penetration testing, to make sure that you're as secure as possible, there needs to be clear guidelines as to what is off limits and what is not, and any party that could potentially be impacted needs to be advised. Now obviously with a pen test you also want to consider that what you're really testing is: are your employees or 3rd party prepared to handle, and I guess in this case they were, but are they prepared to handle any incidents? And so obviously law enforcement was able to this time, but somewhere in the chain of command someone should have known that this was going on. So hopefully that is the case and that this whole thing goes away for those 2 security pentesters, 'cause I wouldn't want to have that on my record going forward, simply for doing my job.

So that's it for cyber security news this week. There was quite a bit of news that I did not report, so maybe I'll touch on it during the week, maybe I'll go Instagram Live or LinkedIn or something, I don't know. It won't be Facebook; as of late it's just too much drama with political stuff, so I've not been on Facebook quite as much.
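The Rochester story above turned on two unencrypted devices, and the only way to know that does not describe your own laptops and flash drives is to check. The PowerShell script below is an added example for this page, not code from the podcast or from Nwaj Tech. It assumes a Windows 8/Server 2012 or later endpoint with the BitLocker and Storage modules available, and it treats the RDVDenyWriteAccess policy value under the FVE policy key as the marker for "deny write access to removable drives not protected by BitLocker" (an assumed mapping; confirm it against your own GPO).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the podcast or Nwaj Tech): audit BitLocker coverage on a
# Windows endpoint, so a lost laptop or flash drive is a lost device, not a breach.
# Assumes the BitLocker PowerShell module is present (Windows 8 / Server 2012 and later).

function Get-EncryptionAudit {
    [CmdletBinding()]
    param()

    $findings = @()
    $bitlockerVolumes = @(Get-BitLockerVolume)

    # One row per volume BitLocker knows about (OS volume, fixed data volumes, BitLocker To Go).
    foreach ($vol in $bitlockerVolumes) {
        $findings += [pscustomobject]@{
            Volume     = $vol.MountPoint
            Type       = $vol.VolumeType          # OperatingSystem or Data
            Protection = $vol.ProtectionStatus    # On means the keys are sealed, not exposed
            Status     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            Percent    = $vol.EncryptionPercentage
            Compliant  = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
        }
    }

    # Removable drives may not be reported by BitLocker at all; list any that were missed,
    # since each one is exactly the kind of device that "could walk very easily".
    $knownMounts = $bitlockerVolumes.MountPoint
    foreach ($vol in Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }) {
        $mount = "$($vol.DriveLetter):"
        if ($knownMounts -notcontains $mount) {
            $findings += [pscustomobject]@{
                Volume = $mount; Type = 'Removable'; Protection = 'None'
                Status = 'NotEncrypted'; Percent = 0; Compliant = $false
            }
        }
    }
    return $findings
}

# Policy check (assumed registry mapping): "Deny write access to removable drives not
# protected by BitLocker" sets RDVDenyWriteAccess = 1 under the FVE policy key.
function Test-RemovableWritePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $val = (Get-ItemProperty -Path $key -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    return ($val -eq 1)
}

$audit = Get-EncryptionAudit
$audit | Format-Table -AutoSize

$gaps = $audit | Where-Object { -not $_.Compliant }
if ($gaps) {
    Write-Warning "Volumes without full BitLocker protection: $($gaps.Volume -join ', ')"
} else {
    Write-Host "All volumes are BitLocker protected."
}

if (-not (Test-RemovableWritePolicy)) {
    Write-Warning "Unencrypted removable drives are still writable (RDVDenyWriteAccess policy not set)."
}
```

Run it from an elevated PowerShell session on each endpoint, or push it through your RMM and collect the output; a volume with ProtectionStatus Off is the one that turns a lost device into a reportable breach, even if its VolumeStatus says FullyEncrypted, because the key is left in the clear.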

All right, so now the meat of our show. We're going to talk about a few different things that I hope you guys can take away and use in your IT and compliance and security life. The first one, for health care practices: the top 10 myths regarding SRA, which is security risk assessment, for health care practices. These are myths that were put together by healthit.gov, and probably stuff I hear some of sometimes, so it's probably stuff that they've heard and they want to clear up.

So, top 10 myths of security risk analysis (I said assessment, but it's security risk analysis). #1: security risk analysis is optional for small providers. This is false, of course. Any provider, even a one person provider, needs to do a security risk analysis. All providers who are covered entities, which would be any health care practice under HIPAA, are required to perform a risk analysis. In addition, providers who want to receive EHR incentive payments must conduct a risk analysis. So EHR incentive payments: if you're using electronic health records there are incentive plans. I think they're not as much as they used to be; when they first rolled out they were encouraging healthcare providers to use them, the incentives were probably a lot higher. More health care practices are using them, but they're still not using them the right way, and what I mean by that is they still ask patients to fill out documents in the waiting room, take those documents and then put them into the EHR. There's still a paper document floating around, but that's for another show.

#2: simply installing a certified EHR fulfills the security risk analysis MU requirement. This is also false. Even with a certified EHR you must perform a full security risk analysis, along with a HIPAA audit, by the way. Security requirements address all electronic protected health information you maintain, not just what is in your EHR. So again, if you have paper documents, or you may be using another piece of software for your calendar, you have emails, that's why you have to do a security risk analysis.

#3: my EHR vendor took care of everything I need to do about privacy and security. Also false. Your EHR vendor may be able to provide information, assistance and training on the privacy and security aspects of the EHR product; however, EHR vendors are not responsible for making their products comply with HIPAA privacy and security rules. It is solely your responsibility to have a complete risk analysis conducted.

#4: I have to outsource the security risk analysis. This is also false. You can do it internally if you have the resources to do it. It is possible for small practices to do a risk analysis themselves using self-help tools; however, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.

#5: a checklist will suffice for the risk analysis requirement. Also false. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systemic, I'm sorry, systematic security risk analysis or documenting that one has been performed.

#6: there's a specific risk analysis method that I must follow. Obviously that's false. A risk analysis can be performed in countless ways. OCR has issued guidance on risk analysis requirements of the security rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to protect and secure ePHI, so that's electronic personal health information.

#7: my security risk analysis only needs to look at my EHR. False. Review all electronic devices that store, capture or modify electronic protected health information, including your EHR hardware and software. So if you have your EHR hosted locally you'll need to include that, and any device that can access your EHR, so if you have an iPad that you're accessing it with, or a laptop, or even your smartphone, then you need to include that in the security risk analysis. Remember that copiers also store data; there have been hacks of that in the past. Please see the US Department of Health and Human Services guidance on remote use. So copiers is another big one, or fax machines; it's not hard to get information off of those.

#8: I only need to do risk analysis once. This is false. To comply with HIPAA you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see "reassessing your security practices in a health IT environment". So this is again on healthit.gov, so if you want to check out those different sections, obviously do that if you are in health care, because it's important. It's recommended to do the risk analysis continually, so you identify things that need to be addressed, you adjust them, you do another security risk analysis, until we're at a point where it doesn't need to be done continually, and then you do it at least once a year.

#9: before I attest for an EHR incentive program I must fully mitigate all risk. Also false. As I said, it's an ongoing process: you find the risks, you address them, you do another analysis. So false: the EHR incentive program requires correcting any deficiencies identified during the risk analysis during the reporting period as part of its risk management process.

#10: each year I'll have to completely redo my security risk analysis. This is false. Perform the full security risk analysis as you adopt an EHR. Each year, or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the meaningful use programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP's year of participation in the program.

So that's the top 10 myths of security risk analysis. Some good information there, I hope that answers some questions. This is up to date, so I know HIPAA itself has not been updated in quite some time and probably could use a refresh, because things are not what they were when HIPAA was first put into place: ransomware running rampant, the technology everywhere, the ability to access almost anything with a smartphone. All of these things were not present when HIPAA first rolled out, so it needs to be updated a little bit. It's a lot of common sense stuff, but common sense isn't so common I guess these days. I worked with a mental health worker recently, and I'm being as vague as possible here on purpose, who was not using a HIPAA compliant, you know, they were using a free email software. We got them off of that, we went to G Suite, they are now HIPAA compliant, they have a business associate agreement. The other thing, they were using Dropbox, which is HIPAA compliant, but that's assuming you're doing everything else right and you have the BAA, which they did not have, so now they have that in place. This is a one person practice, so some things are a little bit different, you've got to treat it a little bit differently, but they are now, so a couple of things we need to address, but they're definitely a few, and I went over some things with the provider themselves. So, one person practice or 1000 person practice, it doesn't matter. HIPAA is all about patient care, it's all about protecting the patients. It's not really meant to be a pain in the you know what, it's meant to protect patients, and we're seeing it almost every day, the breaches and the PHI that's being exposed, and so that needs to be addressed and taken care of.

All right, so the next thing I want to talk about: law firm data retention best practices. This will be a little bit quicker, but in Connecticut, and this is specific to Connecticut, 'cause in some states it's 10 years, in Connecticut it's 7 years. So all documents shall be kept 7 years from the date of completion of services rendered by an attorney. Now what that means is once a case closes, then the attorney is required to keep those documents on file for 7 years, and after 7 years you can do what you want with them; usually they get archived. So I'll tell you what I typically do with law firm clients. For the smaller ones that don't have an on-prem server, those documents are being saved in the cloud, and then after they're no longer active they get stored in an archival system, and then after 7 years they're still stored. The cost to retain those documents, even once the case is no longer active, is extremely minimal, so it's not really costing any law firms too much money. Then those that are stored locally, they'll have an offsite backup with the same policies essentially.

Along the lines of data retention, there are a few laws that went into effect a few years ago. The 1st is, if there is a breach, there is a hard 90 day deadline to report that breach, and that's for any business, not just law firms. So if you are breached you have 90 days to report. There was some vague wording that said "without unreasonable delay"; that was in October 2015. Who is to determine what unreasonable delay is? That's vague. So in 2017 they changed it to say a hard 90 day deadline. So all breaches should be reported within 90 days, and who you report to would be determined by what type of business you're in; law firms are going to report to somebody different than health care and financial, so you should know who you're supposed to report to, but you have 90 days to do it. And the breach could be one record or a million records, it needs to be reported, because the end user, the record that's breached, needs to be notified. PCI DSS: if your credit card information has been breached, we will talk about PCI compliance in another show, but if your credit card records have been breached then you need to report that to those people that have been breached. So if I'm a small mom and pop shop that for some reason is keeping credit card records on file (you shouldn't be), but if you were, then you're going to want to report that breach, even if it's just one person, in 90 days. Now one person probably takes less time than that to report.

What are the guidelines I can tell you for law firms specifically? OK, again you have the 7 years. Here are some file retention guidelines. #1: notwithstanding any of the other policies set forth, the retention or destruction of documents may be determined by written agreement between attorney and client. #2: a copy of a document need not be kept after the original has been returned to the client or other owner. #3: all documents shall be kept 7 years from the date of completion of services rendered by an attorney, so I already mentioned that before. #4: all original documents signed by the client and documents confirming or imposing legal rights or obligations shall be kept 7 years from the date of such signing or the cessation of such rights or obligations, whichever is longer. No such document shall be destroyed until the client or owner is mailed written notice at least 30 days before destruction of the document. So you cannot destroy documents without notifying the client at least 30 days before. #5: documents may be copied and retained in any medium which accurately depicts the original document and from which accurate copies can be made; the originals of any documents so copied, other than those documents set forth in paragraph 4 above, so I'm reading this from the Connecticut Bar Association website at ctbar.org. Obviously this applies specifically to Connecticut, but I would imagine that across the 50 states in the United States of America it would be pretty similar. #6: any document which is kept as a permanent public record need not be kept after its recording; that's because it's stored as a public record. No such document shall be destroyed until the client or owner of the document is mailed written notice at least 30 days before destruction of the document. And finally #7: subject to the above guidelines, upon termination of practice any document still being retained by the attorney should be returned to the client, or the client notified of any successor attorney agreeing to take on the obligations of retaining those documents. So if the attorney goes out of business, or, what I see sometimes in Connecticut, a couple of attorneys will get together and form a bigger law firm, those documents need to either stay with the attorney or go to the successor attorney or be returned to the client; you can't just destroy them.

So that's data retention, and some data retention information for everybody to keep in mind when dealing with other people's data. Most businesses have PII, personally identifiable information, or PHI, personal healthcare information; you need to take care of it to make sure that it doesn't get into the wrong hands. And that's data retention for law firms.

All right, next up we have remote access to electronic health records. Why did this come up? We're going to talk about BlueKeep next, which has to do with Remote Desktop Protocol, which is a Microsoft protocol that allows you to remote into a Windows computer from another location. But there are some best practices for remote access to electronic health records. First of all, remote access to anything should not be given to people that don't need it, so your office receptionist should not have remote access to electronic health records. They shouldn't have access to electronic health records unless they're also a nurse or a physician's assistant, but generally speaking they're not, and they shouldn't have access to electronic health records. But if for some reason the receptionist does, or anybody else in the practice does, here are remote access to electronic health record best practices. First of all, and this applies to anything really: activate 2 step authentication for allowing remote access. If you're using any EHR they should have 2 step authentication, 2 factor authentication, multifactor authentication, and the best way to do that is with a soft key, a soft token, which is an app you can put on your phone: Microsoft, Google, Authy. Biometrics are great, so if you can set it up so that they have the soft token on their phone and then a biometric login to the phone, then that would be best practice. Implement immediate session termination following a clinician signing in and being inactive for a predetermined amount of time. I know for a fact that people hate the session termination, but it's important to do it. You get up, you walk away, you're running around, you forget what you're doing, and your laptop is open, you have records open with PHI, and somebody else sits down and takes a look. It could be as innocent as, you know, your wife is working on records, she gets up, walks away, and the husband sits down and sees them, or the kids, you know, kids accidentally delete stuff, and now you have a HIPAA breach. Activate personal firewall software on all laptops and machines that store protected health information or connect to networks where protected health information may be stored; so personal firewall software and security software should be installed. Place an embargo on clinicians from remotely accessing EHRs except in certain instances. Again, this goes back to what I said earlier: if they don't need to access it then they shouldn't, it's really that simple, especially remotely. It's harder to control what happens remotely versus what happens locally; not to say that locally you should be a little more lax, you shouldn't, but it's harder to control remotely than if you are in the office, in the healthcare practice. So those are remote access to electronic health care records best practices. Make sure that you're following those, and again, you really should use the least privilege process: if they don't need the access, don't give it to them.

And then we're going to talk about BlueKeep. You probably remember, now, I just launched this podcast a couple weeks ago so it wasn't discussed on this podcast, but if you pay attention at all to the cyber security world then you've heard of BlueKeep. A few months ago BlueKeep was talked about primarily because of Windows 7 and Server 2008 vulnerabilities, but that's not to say that it can't be compromised any other way. What BlueKeep does is attack the Remote Desktop Protocol and exploit that. So what is Remote Desktop Protocol? On Windows machines, most Windows machines, let's just say Professional version, Enterprise version of desktops on Windows 10, Windows 7, Windows 8.1; if you have a Windows Home license you don't have the option to use Remote Desktop Protocol on your machine (you can still remote into other machines), and then server versions also have Remote Desktop Protocol installed. You can turn this feature on and then be able to remote in to that server or desktop, most likely it's a server. So you can remote in and it looks like you're actually sitting right there at the server or desktop. You have a window on your computer, just like a browser window essentially, and you're able to see the screen of your computer or server the same way you would if you were sitting right in front of it. You have access to the same things you would have access to normally. That's Remote Desktop Protocol. Remote Desktop Protocol uses TCP port 3389 (I don't know why, TCP escaped my brain for a minute, but it uses TCP port 3389), which just means that a rule needs to be created in the firewall to allow access through that port. 3389 is the port that is normally used for Remote Desktop Protocol. So the rule gets created and gets forwarded to the machine that it's allowed on, and that is what's being exploited.

Earlier this year the vulnerability was discovered but it wasn't being exploited yet, so there was a lot of news about the potential for the exploit. People patched, people did what they were supposed to do, but nothing ever came of it. So BlueKeep exploits the Remote Desktop Protocol and then installs cryptocurrency mining code on the machine that it exploited. There had been no activity until this past week. A British researcher, Kevin Beaumont, raised the alarm this weekend after discovering that BlueKeep honeypots he had set up to act as an early alarm that the vulnerability was being exploited began to crash and reboot themselves. So a honeypot is sort of like, how can I put it, it's a way to attract, let's put it in those terms: a honey pot, you're trying to attract a bear, right? In this case you're trying to attract an attacker to see if they're actually on your system. So there are services and software out there where you create a document that might look appealing, so I might create a document on my laptop that says password.doc, and if I suspect that somebody's on my network and I have this document that says password.doc, that's going to be appealing to someone on my network, 'cause now they think they've gotten a document with a list of usernames and passwords. That's a honeypot. So this researcher Kevin Beaumont created honeypots to see if anybody would attempt to use the BlueKeep vulnerability, and he noticed activity this week. This was reported on the 4th, so Monday. He wrote: "I built a worldwide honeypot network to spot exploitation, which I called BluePot. Since then it has been remarkably quiet. I've been keeping in contact with people at threat intelligence and anti-malware companies, and essentially the protections built have been eerily quiet. That isn't to say exploitation hasn't happened; of course advanced threat actors would absolutely look to leverage this, but there's been a complete lack of data to suggest any kind of widespread exploitation. That changed on October 23rd: one of the BlueKeep honeypots crashed and rebooted. Over the following days all the honeypots crashed and rebooted, except one in Australia, with increasing regularity." So, meaning there's activity.

He shared the details of what happened to his honeypots with Marcus Hutchins of Kryptos Logic, who determined that the attacks were using demo BlueKeep exploit code in an attempt to install a crypto miner on to unpatched Windows computers. Again, a case for patching: have patch management, have a patching program. If you have an MSP like Nwaj Tech, they have a program where they are patching on a regular basis. The good news is that the current attack appears to be flawed, crashing the computers it is attempting to infect rather than successfully installing a crypto miner; that also means that they're going to figure it out at some point. News first broke of the BlueKeep vulnerability earlier this year when Microsoft took the unusual step of issuing patches for older versions of Windows, so they updated Windows 7 and, I believe, even XP. At the time it was reported that almost 1,000,000 vulnerable PCs were connected to the Internet and potentially open to exploitation. The threat was considered seriously enough that the likes of the NSA urged administrators and users to patch vulnerable computers. So that's why you might remember that, because government agencies were telling everybody: patch or update. So if you're on Windows 7 your time is running out; if you're still on Windows 7 or Server 2008, end of life is about 2 1/2 months away, time to upgrade. Just skip 8 and go right to 10.

OK, BlueKeep: what can we do to prevent the BlueKeep vulnerability from being exploited? It's not in this article, but I did post this a few times this week, so I'm going to just go to my social media so I can share with you exactly; I could tell you off the top of my head, but. The first thing is, if you don't need Remote Desktop Protocol, don't use it. Turn it off. Turn it off. OK, so on your Windows machine disable it; that's really the best thing you could do: disable Remote Desktop Protocol if it's not being used. If it is being used (still looking for the post I shared), if it is being used then you're going to want to secure it. So how do we secure it? Number one, only give it to people that should have access, so not everybody should have it, only the people that absolutely need it should have it. If you're going to use Remote Desktop Protocol then do it over VPN. Use Duo or some other type of multi factor authentication. Make sure you're up to date on patching; that's something I talk about every week. Again, if you're still using Windows 7 or 2008 it's time to update. Block port 3389 on your firewall, so I didn't mention that: block port 3389 on your firewall. Turn RDP off if it's not necessary. So 3389 should
not be open to the public you should not have it open on the firewall out to the public and if your machine doesn’t use RDP then it should be turned off and if it does you should be using VPN and then enable network level authentication this will give you another method of authentication being required before you can get it so you might be able to RDP into a machine but you still won’t have access to the whole network so that’s blue keep and  that that’s the vulnerability that since it’s already impacting honeypots I would imagine it’s also impacting other unpatched machines and they will eventually figure it out and then you can bet it’s going to be a big problem for some people Since the NSA and other government agencies warned about it many months before it was actually being actively exploited I don’t think it’ll be at the levels of WannaCry.  You may remember wannacry a couple of years ago and how many machines were impacted and mostly in Europe and Russia where a lot of businesses were impacted significantly a lot of lost productivity in a security researcher found a way to stop it and that was a whole not a big story so maybe I’ll do that as an episode that wanna cry story not enough time today to go over that but if you recall how big of a deal that was then I don’t think it will reach those levels but it is going to be impactful to some some businesses I’m sure they have not moved away from Windows 7 or Server 2008 or even in some cases XP though I think there’s like i still let out just under 2% usage of Windows XP And I have a Windows XP virtual machine but I don’t use it for anything except testing so Patch an and make sure you’re using every security method that there that’s available to you to make sure that you are not going to fall victim to blue keep alright that’s going to do it for episode 3 I thought we were going to be a little longer today but i got through it every i got through everything pretty quickly episode 4 actually until then have a 
great week stay secure stay educated and I will talk to you again next week if I don’t go live somewhere
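The RDP hardening checks from the BlueKeep segment (is RDP enabled, is Network Level Authentication required, is 3389 listening, which firewall rules and users allow it), as an added audit script that is not part of the podcast or its transcript. It assumes a Windows 10 or Server 2012+ host and an elevated PowerShell session; the registry paths are the standard Terminal Server values.

```powershell
# Added example (not from the podcast): read-only audit of the RDP settings
# discussed in the BlueKeep segment. Run as Administrator on the host being checked.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this machine.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

# UserAuthentication = 1 means Network Level Authentication is required
# before a full session is created (the NLA setting the transcript recommends).
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
    -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# A listener on TCP 3389 shows whether the service is actually reachable on this host.
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

# Enabled inbound rules in the built-in "Remote Desktop" firewall group permit RDP in.
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

# Local "Remote Desktop Users" membership: least privilege says this list stays short.
$rdpUsers = Get-LocalGroupMember -Name 'Remote Desktop Users' -ErrorAction SilentlyContinue

[pscustomobject]@{
    RemoteDesktopDisabled = $rdpDisabled
    NLARequired           = $nlaRequired
    ListeningOn3389       = [bool]$listening
    InboundFirewallRules  = ($fwRules | Measure-Object).Count
    RemoteDesktopUsers    = ($rdpUsers | ForEach-Object { $_.Name }) -join ', '
}

# Remediation matching the transcript's advice, left commented out so the audit stays read-only.
# If nobody needs RDP on this host, turn it off and close the firewall rules:
#   Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
#   Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
# If it must stay on, require NLA so credentials are checked before a session is built:
#   Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
```

Whether 3389 is reachable from the public Internet is a perimeter firewall question this host-side audit cannot answer; check the edge firewall's forwarding rules separately, as the transcript advises.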

Author Scott Gombar