Recent Blog Posts

What Do Small Manufacturers Need To Know About CMMC 2.0?

What is the CMMC?

The CMMC, the Cybersecurity Maturity Model Certification, is a security assessment and verification framework for contractors working for the Department of Defense (DoD). The DoD, working with several partner organizations, created the CMMC for the businesses that make up the Defense Industrial Base (DIB), and first released it in January 2020. Its goal is to verify each DIB company's security posture so that the sensitive information those companies handle is not stolen by foreign adversaries or cybercriminals.

How Is CMMC 2.0 Different From CMMC 1.0?

The first version of the CMMC (1.0) had five levels of compliance: Basic (Level 1), Intermediate (Level 2), Good (Level 3), Proactive (Level 4), and Advanced (Level 5). Over time, meeting the higher levels proved very costly for most small organizations, which is how CMMC 2.0 came about. With the launch of CMMC 2.0 in November 2021, the standard was updated and consolidated into three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3). Under the old model an organization's ability to defend itself was rated on a scale of 1 to 5, with Level 5 the highest; under the new model Level 3 is the highest.

CMMC 2.0 Objectives

Like CMMC 1.0, the main objectives of the new version are to protect sensitive data and to assess your organization's security practices. Beyond that, CMMC 2.0 aims to: clarify the regulatory, policy, and contractual cybersecurity obligations and streamline the CMMC itself; increase DoD oversight of the professional and ethical standards of third-party assessors; and push organizations that support critical aerospace and defense programs toward third-party audits and the most effective cybersecurity safeguards.
CMMC 2.0 Levels

Level 1: Foundational. This basic certification level consists of practices that correspond directly to the basic safeguarding requirements in the Federal Acquisition Regulation (FAR). The 17 fundamental cybersecurity practices that make up Level 1 cover areas such as access control, identification, and authentication. Any company that handles Federal Contract Information (FCI) under a DoD contract must meet this level; its primary purpose is to protect FCI. Only suppliers of commercial off-the-shelf (COTS) products, who do not receive FCI, are exempt from Level 1.

Level 2: Advanced. Level 2 builds on Level 1: you need documented policies for each of the 17 Level 1 practices, plus evidence that each practice is actually being carried out. Beyond that, Level 2 aligns with NIST SP 800-171, the 110 security requirements that protect Controlled Unclassified Information (CUI) in the information systems of federal contractors and subcontractors. Note that CUI is not classified information; classified data falls under separate rules entirely. Level 2 applies to any organization that handles CUI, which needs stronger protection than FCI alone, and its objective is to establish a solid, verifiable security baseline around that data.

Level 3: Expert. The final level requires a company to establish and maintain a plan for implementing and managing the CMMC's requirements. Level 3 includes all of the practices from the prior levels, along with additional practices drawn from NIST SP 800-172, the enhanced requirements that supplement NIST SP 800-171 against advanced persistent threats. The main goal is to strengthen the security procedures set up in […]

Does Your Company Need a Work From Home Policy?

The use of remote access has skyrocketed as a result of the coronavirus pandemic. Many businesses are finding that it lets employees connect more easily, and they will want to keep it in the cases where it works best. Remote access has to be done right to produce good results. If it's done haphazardly, productivity and security will suffer, and employees will complain about inconsistent treatment. What's needed is a comprehensive, fair policy that lets employees know what their company offers and what is expected of them. A good remote access policy gives management and employees guidance in unusual situations.

Eligibility

Not every kind of job lends itself to remote work. Some tasks require an on-site presence, and some employees need to work at the business location to do their jobs well. Management may not want to trust inexperienced employees, or ones with poor records, to work remotely. A consistent set of criteria is necessary to avoid accusations of unfairness: if some people can't use remote access, they deserve to know why. Sometimes remote work doesn't work out, and it's necessary to withdraw authorization. Again, that has to be done according to clear rules, with a way to handle disputes. Family situations, Internet connectivity, and the requirements of the job can all be considerations in whether remote access is a viable option for an individual.

Equipment

The equipment for remote access needs to meet certain standards. If the connection is too slow, work will be frustrating. If a device is too old for proper support, it's a security risk. A company can let employees use their own computing equipment or lend its own machines to them. Issuing equipment to employees is more reliable but more expensive. Providing employees with equipment requires setting clear terms: the devices have to be returned in good condition when requested, and employees may have to cover them under their household insurance, in which case the company needs to compensate them.
Any restrictions on personal use need to be clear up front. If employees use their own equipment, the IT department should review it for suitability. If it's too old to run modern operating systems and applications, it will cause problems: not only will it fail to run required software, it could have security issues that can't be patched. Any equipment that connects to the company network should meet some reasonable standards, and those standards (a supported operating system version, current patches, disk encryption, endpoint protection) are best checked automatically when the device connects rather than taken on trust.

Software

For the same reasons, the software needs to be trustworthy. It has to be regularly patched, whether by local auto-updating or by updates pushed from the company's servers. There should be a requirement for anti-malware software on machines that access the network. In many cases, those machines will need to run software under the company's license. Issues of license management may come up, and there might have to be limits on personal use. Employees need to understand that the software is on their computers only at the company's discretion and could be removed when the situation changes.

Internet connection

Employees need a reliable Internet connection to do their jobs remotely. If employees are just working on files that they upload or download, connection quality isn't critical. If they're expected to participate in video conferences, the connection's reliability and bandwidth become important. Speed is less important than consistency; if an employee suffers from […]

Does Your Business Need a Data Classification Strategy?

Why classify data

All large organizations today, from corporations to universities, health care organizations, and nonprofit membership organizations, routinely practice data classification. Why? Data classification is the indispensable first step in determining the required levels of security: the classification of the data, as we will discuss, dictates the level of protection it gets. Most organizations have data security requirements imposed on them by governments, business groups, and associations. These requirements range from individual privacy and confidentiality to the highest levels of national security. Organizations rate the consequences of a breach of certain data from "compromising" to "seriously compromising" to "catastrophic". Think of the national news stories on the "catastrophic" breach of customer data security at Verizon.

All employees require access to data, and the easier the access the better. But not all employees require access to legally private, confidential, or proprietary data. Managing access to information is much simpler and cheaper if "public data", the lowest level of data classification, is segregated from data at higher security levels. It costs money to keep data systems secure, and that spending should not go to public data. The first step, then, is classification, and the first decision a business has to make is which classifications are relevant to it.

Let's look at a classification system that is "classic" but nevertheless does the job even for larger organizations. Each classification implies that the data in the class will require a different level of security. There are three data "sensitivity" levels, or categories:

Restricted data (the highest level of security). This means that unauthorized disclosure, alteration, or destruction of the information could put your business at significant risk.
For some organizations, this category includes, for example, data protected by state or federal privacy regulations, or data protected by industry, association, or other confidentiality agreements.

Private data (the middle level). This means that unauthorized disclosure, alteration, or destruction of the data could result in a moderate level of risk to the business. Into this category goes all data that is not restricted but also not "public", public data being the class that essentially requires no confidentiality protection.

Public data (the lowest level). This means that unauthorized disclosure, alteration, or destruction of the data would present little or no risk to the business. Examples of public data might be press releases, catalogs, public announcements, and the like. The only concern for a business's public data is that the stored data not be deleted or destroyed; what it needs is availability, not confidentiality.

In many organizations, an employee (or, in large organizations, a department) is assigned responsibility for classifying data and protecting it with the requisite levels of security. This role is sometimes called the "data steward", but whatever the title, the position is responsible for the "life cycle" of the information: from the time the business acquires the data, through its use in the business, to the end of its useful life, when it is discarded.

Making data classification work

The two challenges of data classification and data security are reviewing and classifying the large and constant influx of new information, and maintaining the security of classified information at the appropriate levels. Computer data security at various levels is a well-developed specialty. Here, we will focus on the specifics of data classification. Given the three broad classifications, and the need to associate all data with one of those […]

Does Your Company Need a Bring Your Own Device (BYOD) Policy?

Benefits of BYOD

First, let's dive into the pros of integrating employee devices into your workflow. BYOD is most appealing to startups and small to medium businesses that do not have warehouses of spare equipment or large budget margins. In most cases, your employees already own devices that are up to the job, and many even prefer to use their own familiar devices for both work and personal purposes.

Accelerated Mobility

For companies that are expanding, mobility is key. Working through mobile devices gives you the opportunity to work in and out of the office, hire remote employees and allow telecommuting, and stay location-flexible. By encouraging your employees to work with their own devices, your company gains this mobility much sooner than if you were budgeting for (and sometimes shipping) company devices.

Lowered Hardware Cost

Speaking of budgeting, a unified set of company devices is a considerable investment. Many companies sidestep this expense entirely by inviting employees to use their own devices. Because most professionals already have smartphones and other devices, there's no need to invest in a rack of company devices that would only leave employees carrying two phones.

Increased Productivity

Employees often use their phones for work on the side. By enacting BYOD policies and helping your employees configure and use their devices for work, you can increase the office's natural productivity. A good set of BYOD policies lets employees know they are welcome to use their devices, and makes them more efficient when device use is appropriate.

Employee Device Comfort

Finally, employees are generally more comfortable and more independently efficient with their own personal devices. They are familiar with the interfaces, the apps installed, and how to quickly take care of tasks on their own devices.

Considerations of BYOD Policies

If the benefits of a BYOD policy align with your business needs, then it's time to consider logistics and implementation.
BYOD, like any policy, has strengths and weaknesses to account for as you move forward.

Employee Device Ownership

The first consideration is that you can't guarantee that every employee will have a sufficient mobile device. While it's rare, not everyone owns a smartphone, a tablet, or a laptop. Most people have at least one, but you can't necessarily require employees to buy a device or hire based on device ownership. It's important to remember this when planning to implement BYOD policies.

Lack of Standardization

Next, consider that not all employee devices will be the same. You will inevitably have devices of several brands, operating systems, and software configurations. Any operation that requires devices to be identical, or similarly configured, is likely to fail. But if you don't need homogeneous devices, BYOD is quite effective.

Conflicting Operating Systems

In any BYOD office it is almost inevitable that there will be both Android and Apple phones, and perhaps a few smaller-brand alternatives. The trouble is that native apps are not portable between operating systems. Unless you standardize on web or cross-platform apps, you will need a version of every app and function for each platform, and a way to keep their behaviour consistent.

Unsynchronized Software

Another concern is control and synchronization of software. From phone firewalls to accessing your work databases through a custom app, BYOD is more challenging to coordinate at the software level than company devices are.

Reduced Security

Employee-owned devices are also more challenging to keep secure. Data security is quite porous with most personal […]

The Ultimate Social Engineering Survival Guide

The Anatomy Of Social Engineering Attacks

"Social engineering attacks" refers to tricking people into giving up sensitive information or access to systems. In many cases, social engineering attacks are far more successful than traditional hacking techniques because they exploit human weaknesses instead of technical vulnerabilities. While more organizations are aware of the many threats posed by hacking, they've mostly upgraded their systems, i.e., the technical side, and forgotten about the key and most vulnerable factor: humans, the most crucial cog in any enterprise or organization.

Unlike computer hardware and software, humans have emotions that greatly influence their actions. For instance, a policy may prohibit downloading or opening attachments on company computers. However, the urge to follow instructions from superiors may compel junior staff to download an attachment, even when they know the organizational policy. In most cases, there's the fear of being reprimanded for insubordination, or the assumption that superiors know better and that their instructions override standing policy. This is the gap that attackers know and exploit; the practical counter is a policy that states plainly that a request arriving by email or phone never overrides it, together with a quick, sanctioned way to verify the request through a second channel.

Attackers often use various forms of deception to gain their victim's trust. They may pose as a customer service representative, for example, or pretend to be someone from the victim's company. Once they've gained sufficient trust, they can start collecting sensitive information or gain access to an organization's systems. Whereas soft-handed tactics have been the norm, attackers are getting bolder: they may employ brutal tactics like blackmail to force or manipulate victims into providing information or granting access to an organization's systems.

All types of social engineering attacks share one common goal: trick or manipulate victims into knowingly or unknowingly revealing information or granting access that they would not normally give.
Types Of Social Engineering Attacks

They can broadly be categorized into four main types: phishing attacks, vishing attacks, smishing attacks, and impersonation attacks. Each type has its own characteristics, but all are designed to trick victims into providing compromising information or carrying out an action that would grant the attacker access to an organization's data or systems.

Phishing attacks are the most prevalent social engineering attacks. They typically involve attackers sending out mass emails that look like they come from a legitimate company or organization. Such emails usually contain links that direct victims to what looks like a genuine login page but is in fact a clone hosted on the attacker's server; the credentials the victim types in go straight to the attacker. The visible text of a link is no guide to where it leads: it can read as your bank's address while the underlying target is an attacker's domain, so check the real destination before clicking.

Vishing attacks are similar to phishing attacks, but instead of email, attackers use phone calls to try to trick victims. They might pose as a customer service representative from a bank, credit card company, or IT support firm associated with the victim's organization.

Smishing attacks are social engineering attacks that use text messages instead of email. The ploy is that the message is from a trusted organization like a bank or government agency, and it usually contains a link that leads to a fake website.

Impersonation attacks are more targeted than phishing or smishing attacks. In these attacks, attackers pose as a trusted individual, like a co-worker or friend, and try to manipulate the victim into divulging privileged information or carrying out an action, e.g., clicking on a malicious link. Similarly, attackers may disguise themselves as IT support staff or a maintenance crew to gain physical access to a company's systems. […]
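To show how the "genuine-looking link" described above can be checked mechanically rather than by eye, here is an added example (not code from the original post) that scans an HTML email body for the tell-tale signs of a phishing link: visible link text that names one domain while the href points to another, punycode hosts that can spoof a brand with look-alike characters, digit-for-letter substitutions inside a brand name, and links to raw IP addresses. The sample email, the trusted domain example.com, and the digit-substitution table are assumptions constructed for the example; the registrable-domain helper is a deliberate approximation that a production tool would replace with a Public Suffix List lookup.

```python
"""Flag phishing-style links in an HTML email body.

Added example, not code from the original post. The sample email and the
trusted-domain set are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organization legitimately links to in its email.
TRUSTED_DOMAINS = {"example.com"}

# Digits commonly swapped for look-alike letters in spoofed hostnames.
_CONFUSABLE = str.maketrans("0135", "oles")

# Anchor text that itself looks like a URL or a bare domain name.
_URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Real code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for one link (empty = looks fine)."""
    findings = []
    host = urlparse(href).hostname or ""
    reg = registrable_domain(host)

    # 1. Visible text names one domain while the href goes to another.
    m = _URL_LIKE.match(text)
    if m and registrable_domain(m.group(1)) != reg:
        findings.append(f"text shows {m.group(1)} but link goes to {host}")

    # 2. Internationalized (punycode) host: the classic homograph vector.
    if "xn--" in host:
        findings.append(f"punycode host {host} (possible homograph)")

    # 3. Trusted brand name inside an untrusted host, after undoing digit swaps
    #    (catches examp1e.com and example.com-verify.net alike).
    if reg not in trusted:
        folded = host.translate(_CONFUSABLE)
        for t in trusted:
            if t.split(".")[0] in folded:
                findings.append(f"{host} imitates {t}")
                break

    # 4. Raw IP address instead of a hostname.
    if _IPV4.fullmatch(host):
        findings.append(f"link points at raw IP {host}")

    return findings


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Scan an HTML body; return [(href, findings)] for every link with findings."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        findings = analyze_link(href, text, trusted)
        if findings:
            results.append((href, findings))
    return results


# Constructed sample: one legitimate link among four phishing-style ones.
SAMPLE_EMAIL = """<html><body>
<p>Your account has been locked. Verify now to avoid suspension.</p>
<a href="http://example.com-verify.net/login">https://example.com/account</a><br>
<a href="http://xn--exampl-3ya.com/">Sign in</a><br>
<a href="http://examp1e.com/reset">Reset password</a><br>
<a href="https://example.com/help">Help center</a><br>
<a href="http://192.0.2.10/update">Update now</a>
</body></html>"""

if __name__ == "__main__":
    for href, findings in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for f in findings:
            print("   -", f)
```

The four heuristics are deliberately independent, so a single link can trip more than one (the first sample link is flagged both for the text/href mismatch and for embedding the brand name in an untrusted domain). The crude two-label registrable-domain rule will misjudge hosts under suffixes like co.uk, which is why the comment points at the Public Suffix List.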