Resolve to Mitigate Your Business' Digital Risk in 2018

As we look to the New Year many of us make resolutions – getting healthier, learning a new skill, saving money, or making more time for family and friends. With 2018 just around the corner, the challenge now is to stick to that resolution and this is where many of us fail. Often the goal is too broad, or we don’t have a plan for achieving it. As security professionals we’re always resolved to look for ways to mitigate digital risk to our business and 2018 is no different. The trick to achieving this goal is to determine how to get the biggest return for our efforts and develop an action plan. To do this, let’s start by considering what the threat landscape will look like over the next 12 months and focus on two areas that will continue to present opportunities for attackers.

Supply chain and third-party vulnerabilities. These types of attacks were common in 2017 and will continue to be a fruitful method for cybercriminals in the next year. Of note, intrusions resulting from the compromise of software suppliers have been the most frequently detected. Software supply chain attacks reported in 2017 alone included the June 2017 NotPetya attacks, the ShadowPad backdoor that was distributed through NetSarang software, the distribution of trojanized CCleaner software and modification of the Windows event log viewer called EVlog. Suppliers are attractive initial targets because they either have privileged access to customer networks or provide regular software updates to customers. This means compromised software versions (containing malware) will be whitelisted or overlooked by customer security teams and systems.

Wormable malware. Some of the biggest cyber incidents in 2017 revolved around self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. We've also seen the Bad Rabbit ransomware, which reportedly spreads via a combination of Windows Management Instrumentation (WMI) and the Server Message Block (SMB) protocol. A wormable variant of the Trickbot banking trojan was also reported in July 2017. We can expect malware modified with self-replicating capabilities to continue in 2018, particularly given the disruption caused by WannaCry and NotPetya, which is inspiring similar attacks.

With these two types of threats likely to continue into 2018, here are five concrete things you can do to focus your efforts and keep your resolution to mitigate digital risk.

1. Hold suppliers to certain standards. Suppliers and third parties are often seen as easier entry points for attackers, especially as many do not have adequate security maturity levels. Define a supplier management policy that classifies vendors and identifies appropriate controls based on access granted to sensitive data and critical systems. Regularly audit and enforce these security measures.

2. Apply privilege management measures. Suppliers are often given much broader access to company networks than internal users are offered. Instead, organizations should apply privilege management measures. For example, separation of duties ensures no single individual can perform all privileged actions for a system, and least privilege grants users only the minimum level of access needed to perform their jobs.

3. Address vulnerabilities. Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. For example, Microsoft has issued a patch that prevents the exploitation of the SMB network service for lateral movement within target networks. In addition, disabling unneeded legacy features will reduce the scope of work and further mitigate risk.

4. Restrict communications. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.
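As an added example (not from the original post), here is a PowerShell audit-and-remediate script covering items 3 and 4: it checks whether the legacy SMBv1 dialect is still enabled, whether a given patch is installed, and whether workstation-to-workstation SMB (TCP 445) is blocked by the host firewall. It assumes Windows 10 / Server 2016 or later with the SmbShare, DISM and NetSecurity modules, an elevated prompt, and that reading "legacy features" as SMBv1 is correct; the subnet and KB id are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): audit-and-harden script for the
# SMB lateral-movement path that WannaCry/NotPetya used (items 3 and 4 above).
# Assumptions: Windows 10 / Server 2016+ with the SmbShare, DISM and NetSecurity
# modules, run from an elevated PowerShell prompt; the subnet and KB id below
# are placeholders you replace with your own values.
param(
    [switch]$ReportOnly,                       # audit only, change nothing
    [string]$WorkstationSubnet = '10.0.0.0/8',  # placeholder: your client VLAN(s)
    [string]$SmbPatchKb = 'KBNNNNNNN'           # placeholder: Microsoft's SMB fix for your build
)

$findings = @()

# Item 3: is the legacy SMBv1 dialect still accepted by the SMB server service?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if (-not $ReportOnly) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Item 3: is the SMBv1 optional feature (client component) still installed?
# On Windows Server the feature is named differently, so a null result is skipped.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
    if (-not $ReportOnly) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Item 3: is the patch that closes the SMB lateral-movement path present?
if (-not (Get-HotFix -Id $SmbPatchKb -ErrorAction SilentlyContinue)) {
    $findings += "Patch $SmbPatchKb is not installed (apply it via Windows Update)"
}

# Item 4: block inbound SMB from other workstations so a worm cannot hop host to host.
# Apply this rule on workstations only; file servers still need to accept 445.
$ruleName = 'Block inbound SMB from workstation subnet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += 'No firewall rule blocks workstation-to-workstation SMB (TCP 445)'
    if (-not $ReportOnly) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $WorkstationSubnet -Action Block `
            -Profile Domain, Private | Out-Null
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SMB hardening gaps found.'
} else {
    $mode = if ($ReportOnly) { 'found' } else { 'found and remediated where possible' }
    Write-Output "Gaps ${mode}:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it first with `-ReportOnly` across a pilot group so the firewall rule does not cut off any legitimate peer-to-peer SMB use before you roll it out.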

5. Understand and back up data. Categorize data by organizational value, then create physical or logical network separation for different business functions. For critical data and systems, use cloud-based or physical backups and verify their integrity. Ensure that backups are kept remote from the main corporate network and from the machines they are backing up.

Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. Plan to proactively monitor the open, deep and dark web for mentions of your company or industry to know if you’re being targeted. Also monitor for suppliers’ names to uncover if threat actors have set their sights on key partners and if such activity may put your organization at risk.

Whatever happens in 2018 and beyond, cybercrime will continue to be a problem. We can improve our chances of sticking to our resolutions by focusing our efforts in a few manageable areas. Even just one of these activities can help you better manage your digital risk. And with continuous monitoring, when something bad does happen, you will know quickly and can deal with it more effectively.

Computer Security Tips

Scammers, hackers and identity thieves are looking to steal your personal information - and your money. But there are steps you can take to protect yourself, like keeping your computer software up-to-date and giving out your personal information only when you have good reason.

Update Your Software. Keep your software – including your operating system, the web browsers you use to connect to the Internet, and your apps – up to date to protect against the latest threats. Most software can update automatically, so make sure to set yours to do so.

Outdated software is easier for criminals to break into. If you think you have a virus or bad software on your computer, check out how to detect and get rid of malware.

Protect Your Personal Information. Don’t hand it out to just anyone. Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. So every time you are asked for your personal information – whether in a web form, an email, a text, or a phone message – think about why someone needs it and whether you can really trust the request.

In an effort to steal your information, scammers will do everything they can to appear trustworthy. Learn more about scammers who phish for your personal information.

Protect Your Passwords. Here are a few ideas for creating strong passwords and keeping them safe:

  • Use at least 10 characters; 12 is ideal for most home users.
  • Try to be unpredictable – don’t use names, dates, or common words. Mix numbers, symbols, and capital letters into the middle of your password, not at the beginning or end.
  • Don’t use the same password for many accounts. If it’s stolen from you – or from one of the companies where you do business – thieves can use it to take over all your accounts.
  • Don’t share passwords on the phone, in texts or by email. Legitimate companies will not ask you for your password.
  • If you write down a password, keep it locked up, out of plain sight.

Consider Turning On Two-Factor Authentication. For accounts that support it, two-factor authentication requires both your password and an additional piece of information to log in to your account. The second piece could be a code sent to your phone, or a random number generated by an app or a token. This protects your account even if your password is compromised.

Give Personal Information Over Encrypted Websites Only. If you’re shopping or banking online, stick to sites that use encryption to protect your information as it travels from your computer to their server. To determine if a website is encrypted, look for https at the beginning of the web address. That means the connection between your browser and the site is encrypted.

Back Up Your Files. No system is completely secure. Copy your files to an external hard drive or cloud storage. If your computer is attacked by malware, you’ll still have access to your files.

HDMI 2.1: Here’s Everything You Need to Know About the New Standard

When HDMI first arrived on the scene, everyone rejoiced at no longer having to use bulky SCART connectors, or the confusing component video cables, ever again.

Instead HDMI offered high definition video with a connector that was just a little bigger than a standard USB plug.

Over the years the HDMI standard has seen continuous improvement, with extra features being added as the needs of televisions have changed.

HDMI 2.1 is the next step in that process. The headline feature here is support for 8K content at 60fps, but there are also a number of minor features that add up to a much more capable standard such as support for Variable Refresh Rates, Dynamic HDR, and Quick Media Switching, which should make it faster than ever to change between the devices attached to your television.

Higher resolutions and refresh rates

The new HDMI 2.1 cables will allow faster refresh rates, including 8K resolution video at 60 frames per second and 4K at 120 frames per second – and it's that second feature that will be the real selling point for gamers and home cinema geeks, at least at first.

"We've increased resolutions and frame rates significantly," Jeff Park, Director of Marketing at HDMI Licensing, said at CES 2017, adding that the Tokyo 2020 Olympic Games are going to be a driver for 8K TV content.

"NHK [Japan's national public broadcaster] is going to push 8K120 as an actual broadcast stream, and many consumer electronics manufacturers want to hit that target, so we're laying the pipe to give the industry flexibility. It's practical stuff."

Although it's about keeping HDMI at the bleeding edge, HDMI 2.1 actually goes even further, supporting resolutions as high as 10K at 120Hz.

When will we see the first HDMI 2.1-ready TVs?

With the new standard having been confirmed as late as November 2017, it's unlikely that TV manufacturers will have time to implement the new technology in 2018's televisions (most of which are due to be announced at CES 2018 in January).

Does it matter if your next TV has HDMI 2.1 or not? For most of us, probably not; an 8K at 60Hz-capable television isn't going to be of much use for a while yet. But for gamers and movie-lovers, the prospect of a 4K 120Hz TV supporting scene-by-scene dynamic HDR will be tempting.

Exposed File From Ancestry's RootsWeb.com Contains Data on 300,000 Users

A file containing hundreds of thousands of RootsWeb users' email, login information, and passwords was found externally exposed, genealogy site says.

Ancestry's RootsWeb.com server, which hosts a free genealogical community site, exposed a file containing emails, login information, and passwords of 300,000 users, Ancestry stated in a blog post over the weekend.

An outside researcher informed the company of the exposed file on Dec. 20, according to Ancestry. And while the 300,000 accounts were affiliated with RootsWeb.com's surname list service that it retired earlier this year, 55,000 of the user names belonged to both the free RootsWeb.com site and also to Ancestry.com, which charges for some of its genealogical services.

The company noted that 7,000 of the emails and log-in credentials belonged to active Ancestry.com users.

RootsWeb does not host sensitive information like credit card and social security numbers, the company stated, further noting it has "no reason to believe that any Ancestry systems were compromised."

The company is currently in the process of notifying all affected customers and is working with law enforcement on the matter. Ancestry.com subscribers who had their information exposed will need a new password to unlock their account, according to the company. Additionally, RootsWeb.com has been taken temporarily offline to enhance its infrastructure, the company notes.

Although the company is seeking to retain all the data on RootsWeb.com, it notes it may not be able to preserve all the user-supplied information that is hosted on the free community site. However, RootsWeb's email lists will not be affected by the temporary shutdown of the site, according to a report in the Legal Genealogist.

Read more about Ancestry's security incident blog post here.

How to Stop Email Spam

Unwanted commercial email – also known as "spam" – can be annoying. Worse, it can include bogus offers that could cost you time and money. Take steps to limit the amount of spam you get, and treat spam offers the same way you would treat an uninvited telemarketing sales call. Don't believe promises from strangers.

How Can I Reduce the Amount of Spam I Get?

Use an Email Filter

Check your email account to see if it provides a tool to filter out potential spam or to channel spam into a bulk email folder. You might want to consider these options when you're choosing which Internet Service Provider (ISP) or email service to use.

Use the iPhone Unsubscribe Button in the Apple Mail App

Apple’s Mail app now has algorithms built into it capable of detecting whether an email is part of a mailing list. It may not pick up on every single email that is part of a mailing list, but most legitimate mailing lists should be recognized, such as a coupon mailing.

When you tap on the unsubscribe button, what you’re actually doing is allowing the Mail app to send an email on your behalf from your email address to the specified mailing list’s unsubscribe email. This lets the mailing list service know you want to be removed and you should stop receiving emails from the mailing list service once they receive your request.

Limit Your Exposure

You might decide to use two email addresses — one for personal messages and one for shopping, newsletters, chat rooms, coupons and other services. You also might consider using a disposable email address service that forwards messages to your permanent account. If one of the disposable addresses begins to receive spam, you can shut it off without affecting your permanent address.

Also, try not to display your email address in public. That includes on blog posts, in chat rooms, on social networking sites, or in online membership directories. Spammers use the web to harvest email addresses.

Check Privacy Policies and Uncheck Boxes

Check the privacy policy before you submit your email address to a website. See if it allows the company to sell your email to others. You might decide not to submit your email address to websites that won't protect it.

When submitting your email address to a website, look for pre-checked boxes that sign you up for email updates from the company and its partners. Some websites allow you to opt out of receiving these mass emails.

Choose a Unique Email Address

Your choice of email address may affect the amount of spam you receive. Spammers send out millions of messages to probable name combinations at large ISPs and email services, hoping to find a valid address. Thus, a common name such as jdoe may get more spam than an unusual one like j26d0e34. Of course, there is a downside - it's harder to remember an unusual email address.

How Can I Help Reduce Spam for Everyone?

Hackers and spammers troll the internet looking for computers that aren’t protected by up-to-date security software. When they find unprotected computers, they try to install hidden software – called malware – that allows them to control the computers remotely.

Many thousands of these computers linked together make up a “botnet,” a network used by spammers to send millions of emails at once. Millions of home computers are part of botnets. In fact, most spam is sent this way.

Don’t Let Spammers Use Your Computer

You can help reduce the chances that your computer will become part of a botnet:

  • Use good computer security practices and disconnect from the internet when you're away from your computer. Hackers can’t get to your computer when it’s not connected to the internet.
  • Be cautious about opening any attachments or downloading files from emails you receive. Don't open an email attachment — even if it looks like it's from a friend or coworker — unless you are expecting it or you know what it is. If you send an email with an attached file, include a message explaining what it is.
  • Download free software only from sites you know and trust. It can be appealing to download free software – like games, file-sharing programs, and customized toolbars. But remember that free software programs may contain malware.

Detect and Get Rid of Malware

It can be difficult to tell if a spammer has installed malware on your computer, but there are some warning signs:

  • Your friends may tell you about weird email messages they’ve received from you.
  • Your computer may operate more slowly or sluggishly.
  • You may find email messages in your sent folder that you didn't send.

If your computer has been hacked or infected by a virus, disconnect from the internet right away. Then take steps to remove malware.

Report Spam

Forward unwanted or deceptive messages to:

  • the Federal Trade Commission at spam@uce.gov. Be sure to include the complete spam email.
  • your email provider. At the top of the message, state that you're complaining about being spammed. Some email services have buttons that allow you to mark messages as junk mail or report them as spam.
  • the sender's email provider, if you can tell who it is. Most web mail providers and ISPs want to cut off spammers who abuse their system. Again, make sure to include the entire spam email and say that you're complaining about spam.

If you try to unsubscribe from an email list and your request is not honored, file a complaint with the FTC.