CyberSheath CEO, Eric Noonan, provides commentary for Catherine Herridge of CBS Evening News on the latest ransomware attack.
CyberSheath CEO, Eric Noonan, provides commentary for CBS’s Jeff Pegues on an episode of America Changed Forever, taking a deep dive into the Colonial Pipeline hack and the lack of regulations that leave our critical infrastructure vulnerable.
To understand just how consequential President Biden's executive order on cybersecurity is for federal contractors, look no further than the Wall Street Journal article that bluntly explained how the new order will impact federal contractors:
“Contractors that fail to comply with the baseline standards would essentially be prohibited from selling their products to the federal government, a black mark that could be crippling to a company’s commercial viability as well.”
Mandatory Baseline Standards for all Federal Contractors
Aggressive timeframe for implementation.
The executive order calls for mandatory baseline standards for all federal contractors to replace the patchwork of inconsistent and unenforced agency-specific policy that exists today. However, unlike many executive orders, this isn't just a call to action: the clock has already started ticking, and common baseline standards are due within 120 days. Current federal contractors doubting that the federal government can do anything within 120 days should remember that the Cybersecurity Maturity Model Certification (CMMC) was published and made federal acquisition law within nine months.
Affects the largest supply chain in the world.
The executive order mandates that within less than six months, the largest supply chain in the world, which includes many hundreds of thousands of large and small privately held companies and trillions of dollars of committed federal contracting dollars, will be required to meet baseline cybersecurity standards to do business with the federal government. This is one of the most common-sense and consequential actions to improve cybersecurity ever proposed, and it is largely in this administration's control: the administration has tremendous influence over federal acquisition regulations. Many Americans might be surprised that we didn't already have mandatory cybersecurity minimums for government contractors. I expect special interest groups to immediately ask who is going to pay for this. Still, in many instances, such as defense contractors doing business with the Department of Defense (DoD), these mandatory minimums have been in place for nearly a decade; they just haven't been enforced. For defense contractors, in some cases, the cost of cybersecurity should have been paid as far back as 2015.
To meet this level of protection, the cost to organizations is unavoidable.
The executive order does not leave very much room for federal contractors to find a way out of implementing mandatory cybersecurity minimums on their corporate networks. In many ways, the arguments around cost are nonsensical. Americans are paying for this one way or the other, be it the OPM hack, the Equifax hack, Colonial Pipeline, SolarWinds, etc.; the list goes on and on. Yet nobody asks who paid for the fire alarms in their house, who pays for the regulation that implements fire safety codes in retail outlets, or even who pays for the antilock brakes and airbags mandated in our vehicles. We accept that the cost of all these things is built into the products and services we consume. We expect these protections and don't even ask questions about their existence. We know they have to be baked into the product or service we are buying before it comes to market.
This level of expectation around minimum protections just became the new standard by which all federal contractors will be measured before the end of 2021. The federal government isn't going to buy contractors' products and services if they don't come with assurances that the mandatory minimums for cybersecurity have been met. Certainly, you can argue with the fire inspector about why you have no fire alarms in your house, or with the acquisition official for your federal contract about who will pay for your corporate cybersecurity, but it's an argument you are going to lose.
On the heels of Solarigate and Hafnium, companies are once again evaluating their overall IT and security posture. While ransomware has grabbed much of the attention over the past three years, it's increasingly obvious that nation-state-related attacks infiltrating organizations and exfiltrating their data have not faded away. In fact, these efforts have just become more sophisticated and targeted.
Companies that are part of the Defense Industrial Base are being pushed due to requirements around NIST and CMMC, but the details to become compliant often do not give a clear path to being secure. As such, these companies should re-evaluate these two critical things:
- Cloud Strategy
- Security Toolset
For many smaller companies, it should be clear that the speed at which technology changes, combined with the continued exploitation of zero-day vulnerabilities, puts IT teams running on-premise architecture at a considerable disadvantage. Even with known vulnerabilities, the discipline and effort needed to consistently apply a patch management strategy has been challenging to sustain across a sprawling patchwork of different vendor operating systems and tools. And, ironically, the Solarigate attack targeted the same software that was meant to assist with on-premise monitoring and management.
Increasingly, there are fewer reasons for companies to manage on-premise infrastructure and services themselves. Especially in the post-COVID world, where companies have now had a crash course in managing and granting access to a remote workforce, a cloud-first strategy becomes increasingly realistic. Leveraging services that are continually monitored and patched by the vendors, especially with Government Community Clouds now available, should be the primary go-forward strategy for small and medium-sized businesses.
The security vendor landscape is still a jumbled mass of products offered by multiple vendors, many of which overlap. Purchasing strategies have swung back and forth like a pendulum between 'best of breed' and single-vendor approaches. Wherever your organization sits at this point, you must be implementing these essential technologies:
Endpoint Detection and Response
Traditional endpoint anti-virus is no longer sufficient for security teams to rely on in their environment. Endpoints are now distributed throughout many geographic locations, and the 'hard and crunchy outside' provided by legacy IT infrastructure designs no longer exists as employees work from home en masse. Security analysts must have the capability not only to see alerts from signatures but also to investigate anomalous activity, while potentially needing to isolate the host to prevent the threat actor from doing additional damage or exfiltrating data.
Security Information and Event Management (SIEM)
Data is critical to determining what is happening in your environment. The purpose of the SIEM is to collect, correlate, and assist with analyzing the massive amounts of data generated by endpoints, network devices, and security tools. As threats emerge, the SIEM becomes one of the primary tools for determining whether those threat indicators exist in your environment. However, the effort that goes into tuning and normalizing the data so that it is useful, not to mention analyzing the data even after correlation, is a large lift for many organizations. Not having a SIEM capability can make it very difficult to understand the full scope of the attacks you are facing.
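The three SIEM functions named above (collect, normalize/correlate, check for threat indicators) in miniature, as an added example that is not part of the original post or of any CyberSheath product. The log lines, the two log formats, the indicator list and the 3-failures-in-5-minutes threshold are all constructed for the example; a real SIEM would do the same work over vendor-specific formats and far larger volumes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in two different source formats (an auth log and a
# proxy log), standing in for the endpoint and network data a SIEM ingests.
SAMPLE_LOGS = [
    "2021-05-13T09:00:01Z auth host=ws-17 user=jdoe src=10.0.5.23 result=FAIL",
    "2021-05-13T09:00:07Z auth host=ws-17 user=jdoe src=10.0.5.23 result=FAIL",
    "2021-05-13T09:00:15Z auth host=ws-17 user=jdoe src=10.0.5.23 result=FAIL",
    "2021-05-13T09:00:40Z auth host=ws-17 user=jdoe src=10.0.5.23 result=OK",
    "2021-05-13T09:02:10Z proxy 10.0.5.23 -> bad-updates.example.net:443 bytes=48213",
    "2021-05-13T09:05:00Z auth host=ws-22 user=asmith src=10.0.7.4 result=FAIL",
    "2021-05-13T09:30:00Z auth host=ws-22 user=asmith src=10.0.7.4 result=OK",
    "2021-05-13T09:31:00Z proxy 10.0.7.4 -> intranet.example.com:443 bytes=1200",
]

# Constructed threat-indicator list (the kind of feed a SIEM matches against).
INDICATORS = {"bad-updates.example.net", "203.0.113.77"}

AUTH_RE = re.compile(r"^(\S+) auth host=(\S+) user=(\S+) src=(\S+) result=(\S+)$")
PROXY_RE = re.compile(r"^(\S+) proxy (\S+) -> ([^:]+):(\d+) bytes=(\d+)$")


def normalize(line):
    """Parse one raw line into a common event schema; unknown formats are dropped."""
    m = AUTH_RE.match(line)
    if m:
        ts, host, user, src, result = m.groups()
        return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "type": "auth",
                "host": host, "user": user, "src_ip": src, "success": result == "OK"}
    m = PROXY_RE.match(line)
    if m:
        ts, src, dst, port, nbytes = m.groups()
        return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "type": "net",
                "src_ip": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}
    return None


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: N or more failed logons for (user, src_ip) followed by a
    success inside the window. Events must be in time order."""
    alerts = []
    failures = {}  # (user, src_ip) -> timestamps of recent failures
    for ev in events:
        if ev["type"] != "auth":
            continue
        key = (ev["user"], ev["src_ip"])
        recent = [t for t in failures.get(key, []) if ev["ts"] - t <= window]
        if ev["success"]:
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_success", "user": ev["user"],
                               "src_ip": ev["src_ip"], "failures": len(recent),
                               "ts": ev["ts"]})
            failures[key] = []          # a success resets the counter
        else:
            recent.append(ev["ts"])
            failures[key] = recent
    return alerts


def detect_ioc(events, indicators, compromised_ips=()):
    """Indicator rule: outbound connection to a known-bad destination. Severity is
    raised when the source host already triggered another rule."""
    return [{"rule": "ioc_match", "src_ip": ev["src_ip"], "indicator": ev["dst"],
             "ts": ev["ts"],
             "severity": "high" if ev["src_ip"] in compromised_ips else "medium"}
            for ev in events if ev["type"] == "net" and ev["dst"] in indicators]


def analyze(lines, indicators):
    """Collect -> normalize -> correlate: returns the alert list for a batch of lines."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    bruteforce = detect_bruteforce(events)
    ioc = detect_ioc(events, indicators, {a["src_ip"] for a in bruteforce})
    return bruteforce + ioc


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS, INDICATORS):
        print(alert)
```

The second user (asmith) produces no alert: one failure followed by a success 25 minutes later does not meet the rule, which is the kind of tuning decision the paragraph refers to. The value of correlation shows in the last step, where a single proxy hit is escalated because the same source address already matched the logon rule.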
CMMC: Understand How It Fits into the Overall IT and Security Strategy
To conclude, companies subject to CMMC should take this time to understand how it fits into their overall IT and security strategy, rather than focusing myopically on achieving compliance. Recent coordinated hacks are having a significant impact on the operations of many companies. Organizations must leverage new ways of approaching traditional IT challenges that also reduce their overall security exposure.
CyberSheath has long recognized that a large part of IT delivery, things like patching and asset management, are foundational to NIST 800-171 and CMMC compliance, which is why we are offering a force-multiplying solution for Managed IT services. This offering is only available to defense contractors and can be paired with our Security solution to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.
The SolarWinds hack and the subsequent Senate hearings attended by principal players in that event have made supply chain cybersecurity a national discussion. Some of the questions being asked suggest that America is considering for the first time how to protect our supply chains, form effective public/private partnerships, share cyber threat intelligence, and enforce mandatory breach disclosure among a relevant group of stakeholders. However, it is not the first time; many parts of the federal government have been working hard to answer these questions for a long time, with considerable progress. Specifically, I can speak from my nearly thirteen years of experience and the progress I have witnessed firsthand between the Department of Defense (DoD) and the Defense Industrial Base (DIB).
A Public/Private Partnership
The public/private partnership between the Department of Defense, the largest procurement authority in the world, and its supply chain has substantially answered nearly every salient question being asked in the wake of the SolarWinds breach. The partnership has spanned four presidential administrations and gained a decade of bipartisan support. The parties have operationalized threat information sharing, breach disclosure, and mandatory minimums for supply chain cybersecurity. Some of the very people I worked with more than a decade ago when the DoD, Intelligence Community and Industry came together for the first time are now leading the way for the current presidential administration. Anne Neuberger, for example, has been appointed to lead the government’s response to the SolarWinds hack for President Biden. Anne has been on the front lines of these issues since at least 2009 when I worked with her as a part of the Defense Industrial Base Cybersecurity initiative (DIBCSI), and she understands the issues inside and out. Anne knows the legal limitations of our intelligence agencies domestically, has heard all of the industry’s concerns and has long been a part of the teams working through these issues.
DIBCSI, initially led many years ago by Victoria Morgan, an unsung heroine who dragged reluctant defense industry prime contractors (asking "who is going to pay for this?") into a partnership with DoD, has evolved into the Cybersecurity Maturity Model Certification (CMMC). Led by another DoD heroine, Katie Arrington, CMMC has answered the cost question, made the program law, and dramatically increased awareness of the responsibilities that come with being a defense contractor. Defense contractors have had a seat at the table for more than a decade in this partnership and have helped DoD and the federal government answer many of the questions being posed in the wake of the SolarWinds breach.
Let’s look at the critical questions being asked and the answers that the DoD and their supply chain have collectively crafted throughout the decade-plus partnership.
Threat Information Sharing and Breach Disclosure
The DoD and industry partnership produced DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, which mandates rapid reporting of cyber incidents to DoD. Specifically, the clause requires:
(c) Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—
(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD.
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements.
(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents.
(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.
(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.
CMMC: A Framework that has Considered and Solved Legal, Logistical, and Operational Issues
Looking at this list of reporting requirements, we have a framework that has considered and solved many legal, logistical, and operational issues around threat information sharing and breach disclosure. Many elements of the law have been in place for almost six years now, and some were implemented voluntarily for more than a decade before that. It changes the behavior of the largest supply chain in the world and was created to answer many of the questions currently being asked before important government bodies.
The U.S. has to up-level its cybersecurity. That’s the gist of what we’ve been hearing from multiple sources, including congressional commissions and the Department of Defense (DoD). The alarm bells — and the calls for more stringent security practices — will only grow louder.
The Cyberspace Solarium Commission used the U.S. COVID-19 response as an opportunity to assess the nation’s preparedness for a major, debilitating cyberattack. It highlighted the need to implement more than 30 recommendations from a previous report, as well as five more based on its findings around the pandemic.
Eric Noonan, CyberSheath’s CEO, will be speaking about those kinds of preparations for a national cyberattack against the U.S. on a panel at Cybersecurity Forum 2020. He will be joined by Paul Anderson of Port Tampa Bay, and Michael Wee of Northrop Grumman to talk about lessons learned from the pandemic, the state of cybersecurity planning and organization, and where to focus efforts to better prepare for a major attack. Register for the event here and tune in on Wednesday, September 16 at 2:15 pm ET, if you’d like to learn more.
Another ongoing effort to shore up security is the Cybersecurity Maturity Model Certification (CMMC). This is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper level of security to better protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
As founder and CEO of CyberSheath, the Title Sponsor of Cybersecurity Forum 2020, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards.
It’s one of the most comprehensive and impactful moves by the DoD to better secure sensitive data that resides on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they’re responsible for, and how to implement those changes.
CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we’re able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.
We wanted to be the Title Sponsor of Cybersecurity Forum 2020 because it’s advancing important conversations around the state of security and where we can go from here. In particular, we are looking forward to keynote speakers Senator Marco Rubio, who will give an overview of the risks of national cyber breaches; and Katie Arrington, CISO for the Office of the Secretary of Defense for Acquisition and Sustainment, who will speak on what’s needed for CMMC compliance.
While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from other disaster responses and a new bar for effective cybersecurity. We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.
The US Department of Defense (DoD) has one of the largest supply chains in the world, scaling to hundreds of thousands of different vendors and partners. While valuable, these vital partners in our nation’s defense infrastructure pose a huge cyber risk. Today that risk is largely unchecked and unregulated as contractors can “self-attest” to their ability to protect Controlled Unclassified Information (CUI).
Commercial companies are the lifeblood of any economy and the circulatory system of modern-day societies. They provide needed innovation, new discoveries, and critical high-value support, as well as materials and quick solutions to a myriad of problems. From the most arcane to the most mundane, the US Defense Department has needs in nearly every aspect of procuring commercial services, but this lifeblood paradoxically may imperil the entire system when it relies on companies with little respect for cybersecurity controls. In fact, in this connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it is astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches (according to Stars & Stripes).
And experts feel this is just the tip of the iceberg: the vast majority of security incidents are never uncovered. The Pentagon needs to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity. Essentially, that is the goal behind the Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain. The CMMC effort is not without its critics, but who can argue that real change wasn't urgently needed? Learn More about CMMC
Let us review some major breaches of national security that hopefully can be prevented in a post-CMMC world, so that you might be the judge:
Example One – Jan-Feb 2018: Compromise of US Navy "Operation SEA DRAGON" – Chinese hackers stole sensitive U.S. Navy submarine plans from a Rhode Island DoD contractor
Citing unnamed U.S. officials, the Washington Post reported in June 2018 on a very disturbing cyberattack against a US DoD contractor. Evidently, Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.
The breaches took place in January and February, the officials told the Post, speaking on condition of anonymity about an ongoing investigation led by the Navy and assisted by the Federal Bureau of Investigation.
The U.S. Navy and an unnamed defense contractor were working on a new missile which the Navy says will give its submarines a new, "disruptive offensive capability" to take on enemy ships. The previously unknown weapon, known as Sea Dragon, supposedly combines an existing U.S. Navy platform with an existing capability, and is likely a new version of a versatile air-defense missile capable of pinch-hitting as an anti-ship missile.
Example Two – March 2019: US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers
An internal U.S. Navy review concluded that the service and its various industry partners are “under cyber siege” from Chinese hackers who are building Beijing’s military capabilities while eroding the U.S.’s advantage, The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus — if we don’t do anything, we could die.”
Three particularly worrisome recent incidents (2018-2020) were the theft by China of highly sensitive information on naval projects left on an unclassified network (2019), last year's breach of private information on 30,000 Pentagon employees (2018), and the exposure of 60,000 files on a publicly accessible server involving a subcontractor to Booz Allen Hamilton (2018), the firm that employed Edward Snowden. And perhaps most embarrassing was the 2016 theft of sensitive plans for the F-35 fighter — a plane that will cost taxpayers $1.5 trillion over its lifespan. A small Australian subcontractor on the project had reportedly never changed its Windows passwords from the defaults "admin" and "guest."
Example Three – Sept-Dec 2019: Compromise of Emails and LinkedIn Accounts of military defense companies
A report released in June 2020 by the Slovakia-headquartered cybersecurity company ESET said the cyberattacks, mainly against European aerospace and military defense firms, were launched between September and December 2019. A collaborative investigation with two of the affected European companies allowed ESET to gain insight into the operation and uncover previously undocumented malware.
To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation, and impersonating legitimate software and companies.
According to their investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.
As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. In our investigation, we've seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.
With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)
Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question.
Example Four – 2017-2020: The Chinese APT Threat to Cleared Defense Contractors
In a report published in June of 2020, cyber-security firm Lookout said it found evidence connecting Android malware (APT 15) that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an.
Lookout’s 52-page report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western China, but also the Tibetan community, to a lesser degree.
The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China’s border regions but also living abroad in at least 14 other countries.
“Activity of these surveillance campaigns has been observed as far back as 2013,” Lookout researchers said. The company attributed this secret surveillance to a hacking group they believe operates on behalf of the Chinese government.
The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups were linked to contractors hired by Chinese intelligence agencies operating in various regional offices:
- APT3 – linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong
- APT10 – linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin
- NEW! APT15 – Xi'an Tianhe Defense Technology, a large defense contractor in the city of Xi'an, in central China
- APT17 – linked to several companies operating on behalf of Chinese state security officials in the province of Jinan
- APT40 – linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan
Based on previous threat intelligence reports published by the cybersecurity firms Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly to, and take orders from, intelligence officials.
An FBI warning from 2018 (https://publicintelligence.net/fbi-defense-contractors-apt/) specifically cites examples against "Cleared Defense Contractors"; here is an excerpt of the alert:
“APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.
FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.
Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities may likely be targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.”
Example Five – Feb-June 2020: DCSA Bulletin – US Defense Focused
Politico recently reported that it obtained a Defense Counterintelligence and Security Agency (DCSA) bulletin marked "unclassified/for official use only" which warns that DCSA's cyber division detected nearly 600 "inbound and outbound connections" from "highly likely Electric Panda cyber threat actors" targeting 38 cleared contractor facilities, including those specializing in health care technology. Moreover, the bulletin goes on to say, "Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1", according to the bulletin disseminated to contractors by DCSA.
The so-called Electric Panda group is not new and appears to have been operating since at least 2016, according to one of the indicators listed by DCSA. The bulletin goes on to say that this group has been targeting contractors that specialize in cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems.
Conclusions: How to Solve the Problem?
Given this, how safe is the US DoD supply chain from cyberattacks? From casual, publicly available information alone, there is strong evidence that the supply chain base of the US DoD system is under dedicated and constant attack, and that it most probably needs dramatic investment in order to stay safe from cyberattacks and to keep the US military safe.
The key to understanding the solution is to understand that the threat is immeasurably more serious here, because we must concern ourselves with the real possibility of loss-of-life scenarios.
Let us hope that the new CMMC regulation is an important step in accelerating awareness of the real possibility of these dangers, and then in assembling a well-orchestrated cybersecurity risk and mitigation strategy for each part of the DoD supply chain that may be placed in harm's way.
If you have any questions or would like support as you ready your organization for CMMC, contact us. We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS. Register Now
In this webinar you will learn:
- Mapping NIST 800-171 to CMMC
- Levels 1-5: Challenges and complexities to consider at each compliance level
- Step by step path to attaining CMMC
In today’s security landscape, threats to your IT infrastructure are constantly evolving. As you work to secure your IT systems and processes, penetration testing (pen testing) is an important component of your plan. Pen testing can help your organization gain a fresh perspective with a third party looking at your security from the viewpoint of an attacker.
What is a penetration test?
A pen test is performed by attempting to exploit your organization's identified vulnerabilities or configuration flaws to determine whether the protective controls of a given system can be bypassed. Penetration tests can have multiple goal-based scenarios, including PII hunting, database breaches, domain control, and more.
Following the initial compromise of a host or credential set, analysts performing the pen test continue the attack lifecycle by pivoting to other hosts in the network, and then work to show how a compromised host can impact your business.
Why should you run penetration tests?
Pen testing examines the subsystems, components, and security mechanisms comprising your organization’s infrastructure and identifies weaknesses. Penetration tests can help you:
- Validate the effectiveness of your environment
- Meet contractual requirements
- Satisfy compliance objectives (PCI)
- Test your system from multiple adversary roles including potential employees, external adversaries, and more
- Adopt an agile methodology and regularly examine your systems
How do you conduct pen testing?
- Use commercial tools, public domain utilities, and proprietary tools to examine the security posture of a system or application and apply numerous industry frameworks like OWASP.
- Conduct tests from both the vantage point of an unauthorized and authorized user. Working from both of these perspectives drives a more complete understanding of the threats to your organization’s security.
- Go beyond automated tools and use manual testing methodology. Manual testing involves verifying vulnerabilities identified by the automated scanners so that any false positives can be eliminated. It also shows the business impact of a reported vulnerability. Automated scanners lack the ability to detect business logic flaws in the application. A combination of automated and manual testing provides a more thorough analysis.
- Leverage the expertise of licensed, third-party analysts holding the appropriate certifications to provide an outside view of how someone looking to infiltrate your systems would approach them. These professionals have no personal ties to the company, which removes any question of bias.
- Know when to run pen tests. This can be at defined frequencies like annually for small businesses, semi-annually for mid-size organizations or quarterly for large enterprises. Note that PCI requires pen testing annually. It is also good practice to pen test during the development of new systems, such as applications, services, or platforms, when system components or modules are in a static pre-production state. This can address vulnerabilities before exposing a system. In addition, make sure to pen test after changes to system components that are expected to have an impact on the security of a system, including the launch of new technologies, major infrastructure or application changes, modification to authentication mechanisms, or logging capability adjustments.
- Document findings and know how to proceed. The results of the pen test should be incorporated into a report reviewing the results to ensure all findings and vulnerabilities are categorized and documented. This report should provide detailed results of the test including a summary of the findings and the technical details for significant findings per project task, in-depth conclusions identifying affected hosts or application identifiers (e.g. IP addresses), recommendations for remediation for each significant finding, and other details such as testing limitations, tools used during the test, and any follow-on environment clean-up requirements.
Other pen testing tips
- Ensure that the scope of your pen test is appropriate for what you are protecting such as internet exposed applications and services, internet exposed APIs, access gateways and mechanisms, supporting infrastructure (authentication services and management interfaces), and sensitive data sets existing on applications, databases, and unstructured storage repositories.
- Know and define your attacker’s perspective. An external internet-based attacker targets applications and network services exposed to the internet, whereas a malicious insider targets sensitive internal network applications or known network locations housing important datasets. Both types of attackers may or may not have credentials to your network and both may proceed with either a wide-scope discovery or a pinpoint approach. Attackers can also test roles to see the impact of escalating privileges and pivot to other roles within an application.
Penetration testing is an important part of your security plan. Make sure you get it right. If you would like help from experienced security professionals on running penetration tests for your organization, contact us.
In today’s digital world, no matter what type of sensitive data you handle, attackers are hard at work developing ways to access it. The rash of high-profile security breaches making headlines every day is clear evidence of the struggle businesses face in trying to stay ahead of these sophisticated cyber attacks.
In response to these threats, local and federal governments around the world have begun to impose increasingly stringent regulations to force companies to re-examine their internal cybersecurity standards.
DFARS clause 252.204-7012, HIPAA, PCI DSS, and GDPR are just some of the many compliance mandates that companies are currently juggling. And considering the disastrous fallout of even the smallest breach, not to mention the heavy penalties associated with non-compliance, there’s no time to waste in getting up to date.
The Risks of Non-compliance
As early as 2005, former U.S. President Barack Obama voiced his concern about cyberattacks, calling them a “national emergency.” In the years following this call to action, Federal agencies continually increased the regulatory mandates for private contractors, and over half of the state governments in the U.S. passed laws to put in place punitive measures for companies that fail to sufficiently protect sensitive data.
These include hefty fines and in some cases, jail time. Of course, these punishments are minuscule when compared to the consequences of actually being hacked. The costs of penalties, legal fees, and possible compensation for damages pile up quickly and can completely change the financial outlook of your company. Most damaging, however, is the subsequent destruction of your company’s reputation and the irreparable loss of confidence from your customer base.
Entities with the proper vision and intelligence work exceptionally hard to avoid these outcomes at all cost by prioritizing day-to-day operational security. Not only does this protect the company as a whole, but it ensures that the satisfaction of government or contractual requirements is a natural outcome of day-to-day security practices.
An Industry Leader in Cyber Protection
The unfortunate truth is that, even though compliance is absolutely essential, it’s not easy. Combing through the myriad of regulatory requirements to assess which apply to your business, coupled with the complex processes of then actually meeting these standards, leaves many companies lost.
With the right support, businesses can dramatically simplify this process. An industry leader in cybersecurity, CyberSheath has developed the one-of-a-kind systematic Measure Once, Comply Many ® approach to cybersecurity, enabling companies to reach compliance by implementing a specifically tailored security strategy.
CyberSheath starts by expertly identifying the vulnerabilities in your network and then uses this information to plan and build a strategic security organization that optimizes your personnel, security processes, and technology. We then monitor your systems in real-time, providing you early threat recognition and proactive prevention that helps eliminate the risk of attacks.
By using this proven and patented method, CyberSheath paves the way towards both reaching regulatory milestones and achieving optimal operational cybersecurity.
Measure Once, Comply Many ® utilizes the following services to provide a full-service comprehensive security platform, keep your data safe and secure, and assure across-the-board compliance:
• Centralized 24/7/365 Security Operations Center (SOC) capabilities.
• SIEM, network IDS, host IDS, file integrity monitoring, vulnerability reporting and management, and more.
• Real-time security intelligence, including correlation directives, IDS signatures, NIDS signatures, and asset fingerprints.
• Full suite of compliance reporting, including DFARS clause 252.204-7012, NIST 800-171, HIPAA, PCI DSS, GDPR, and state data breach laws.
• Instant detection and notification of ransomware and other malware variants.
• Managed Privilege Account Management Services to stop security breaches involving privileged accounts.
With these advantages in place, you’ll never be caught off-guard, regardless of the current regulatory measures. Your business will not only take the necessary steps towards compliance, but you’ll also be able to continually read and react to the latest state-of-the-art threats. It’s all part of our patented system designed to achieve compliance as a result of committing to optimal operational security.
Assure Your Cybersecurity Now
Staying on top of your cybersecurity requirements can be overwhelming, but being hacked is undoubtedly even worse. Partnering with CyberSheath can help you gain peace of mind by putting a proactive plan in place to ensure your business is not just compliant, but also efficient and thorough in every aspect of cybersecurity. Contact us today to learn more about Measure Once, Comply Many ®.
On December 31, 2017, the deadline for compliance with NIST 800-171, a mandate for contractors serving local and federal governments, came and went.
This Special Publication provided guidance on the processes and procedures needed to adequately safeguard controlled unclassified information (CUI), defined as any information created by the government or entities on behalf of the government that is unclassified, but still must be appropriately safeguarded.
While some companies were quick to adapt to these new regulatory measures, many companies fell behind because of a lack of resources, confusion over the head-spinning compliance process, or just downright procrastination.
With the deadline long gone and the Department of Defense (DoD) making it crystal-clear that NIST 800-171 is here to stay, becoming compliant is an absolute must for those looking to remain competitive in the industry.
A Common Problem
Unlike previous security mandates, this is the first that impacts sub-contractors working further down the federal supply chain. This means that for many companies, it’s the first time they’re having to figure out compliance.
If this describes your company, you’re by no means alone. Because these standards must be met by anyone who stores, processes, or transmits CUI for the DoD, General Services Administration (GSA), NASA, or other federal or state agencies, many contractors are struggling to wrap their heads around the complex process ahead.
As it’s critical to a supplier’s ability to win new business and keep current defense contracts, both prime and sub-contractors will want to confirm that they are, at the very least, on the path to compliance with NIST 800-171.
Of course, becoming compliant is easier said than done. The fact that there is no certification process for NIST 800-171 means contractors work on the honor system, attesting that they have reviewed and heeded the applicable requirements specified in the regulation.
This also means that becoming compliant is not a one-time achievement. Rather, it’s an ongoing process of continuous evaluation. Here are the three key actions you can take to get started…
Assess Your Compliance Level
First, you’ll need to do due diligence in identifying CUI as it applies to you. Check with your contracting officers or look through your contract to see if CUI has been clearly defined. In many cases, it may not be, and you’ll have to review the CUI registry to find similar examples of CUI.
Once you’ve clearly defined what you need to protect, you can begin to figure out if it’s actually being protected sufficiently. You’ll have to carefully review your critical systems, including servers, laptops, storage devices, network devices, end-user workstations. You’ll also need to assess the physical security of those devices that contain CUI to make sure they are properly safeguarded.
Design a Plan of Action
Chances are there will be a gap between where you are now and where you need to be. This is common so don’t worry!
Fortunately, clause 3.12.4 allows for the submission of a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to buy yourself some time as you work towards your compliance goal. Since many contractors are not yet compliant, these documents are required to show procurement officials you are heading in the right direction.
An SSP will provide an overview of the security requirements needed for every system you use, describe the current controls you have in place, and outline the expected behaviors of all who access them. Your POA&M will show a clearly defined corrective strategy for exactly when and how you plan to resolve any security weaknesses.
All this planning and assessing means nothing if you don’t step up and deliver! Once you’ve put milestones in place, you’ll need to train your staff and ensure they adhere rigorously to these deadlines. You’ll also need to document critical advancements in your quest for compliance, properly maintaining your records as you go.
Still Nowhere Near Compliance? Don’t Panic!
If you missed the December 2017 deadline and you’re starting to feel the pressure, don’t panic. CyberSheath’s Managed Security Services can help you to define your CUI obligations, create a plan of action, and move step-by-step towards full compliance. Contact us today for a free consultation.
More than two years ago, the Department of Defense (DoD) sounded the alarm for increased cybersecurity with a new set of controls designed to raise the level of safeguarding standards across the industry.
The requirements specified in Defense Federal Acquisition Regulation Supplement (DFARS) provision 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, were gleaned from Special Publication (SP) 800-171, authored by the National Institute of Standards and Technology (NIST).
A non-regulatory government agency designed to promote U.S. innovation and industrial competitiveness, NIST identified a set of 110 security control requirements, appropriate for non-government organizations, to be implemented by December 31st of 2017. But even with the deadline long since passed, many contractors are still struggling to meet these standards. Here are the three main reasons why…
Lack of Resources
NIST’s daunting to-do list has left many small to medium companies wondering how they’ll close the gap between what is required and what they can afford to implement.
Put at a disadvantage by budget and workforce limitations, companies find themselves falling behind due to a lack of cost-effective solutions and an inability to dedicate the manpower to keep their cybersecurity standards up-to-date.
Companies must report any shortcomings or gaps in their compliance to the DoD’s Chief Information Officer (CIO) within 30 days of any contract award. That means that the time and resource constraints are only exacerbated if the people in charge don’t have an intimate understanding of the NIST SP 800-171 security controls.
These companies need help but don’t know where to turn. As a result, they’ve found themselves exposed to increasingly advanced cybersecurity threats and will continue to accrue non-compliance penalties until they can find the assistance they need.
In an attempt to provide flexibility, make the controls technology-neutral, and allow for contractors to implement whatever solutions best fit their company, NIST has inadvertently made it difficult to know whether your company has actually achieved compliance or not.
The first challenge contractors face is assessing whether or not an information system is processing covered defense information (CDI). CDI is defined by the registry maintained by the National Archives and Records Administration and includes Controlled Technical Information (CTI) and Controlled Unclassified Information (CUI).
If these information systems are precisely specified in the awarded contract, the process is simplified. But DFARS has also included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
This opens the door for large chunks of information that have been created or are received by contractors, but not marked, to also be considered CDI, making the process of identifying which systems process this information much more difficult.
On top of this, the DoD does not currently have any system in place to certify compliance and has not authorized any third-party certification process, leaving it up to you to accurately assess where you stand at any given moment.
As with any complex set of rules, the risk for human error also enters the mix. In the midst of wrapping their heads around a barrage of complicated regulations, many people simply drop the ball.
In companies that are already struggling to dedicate the necessary human resources to compliance, the strain of adjusting to a whole new world of security requirements can lead to small errors that pave the way for much bigger problems.
In cases like these, it’s essential to have an extra set of eyes on the details to make sure problems don’t snowball and create an avalanche down the line.
Rising to the Challenge
If you’re a defense contractor struggling to keep up with NIST 800-171 requirements, performing a compliance assessment should be your top priority. CyberSheath’s Managed Security Services can help you identify the roadblocks on your path to NIST compliance and find cost-effective solutions to overcome them. Contact us today for a free consultation to find out more.
Every day, hackers and thieves are becoming more sophisticated, daring, and aggressive in their attempts to turn stolen data into substantial paydays. And with criminal entities regularly on the prowl for cyber weaknesses to exploit, it’s no wonder that the number of data breaches is growing at a record pace. Partially in response to this rise in cyber attacks, Ohio Attorney General Mike DeWine’s CyberOhio Initiative has introduced The Data Protection Act, signed into law by Governor John Kasich on August 3, 2018.
Whereas most of the preceding cybersecurity legislation has sought to motivate businesses with punitive and disciplinary action, the DPA takes a new approach by giving companies a positive and confident push forward towards a more secure future.
The first law of its kind in the nation to provide an affirmative legal defense, the DPA is an absolute boon to any company involved in the handling of sensitive data. Beneficial for all involved, it’s designed to inspire a proactive approach to cybersecurity to make the exchange of sensitive information safer and more comfortable for everyone.
The law incentivizes businesses to further protect themselves against cybersecurity risks by providing legal protection to those who deal with personal information in case of a breach, provided that they comply with a designated cybersecurity framework.
A Safe Harbor
Fairly or not, people affected by data breaches often look for a scapegoat. In many cases, they end up trying to hold the breached company liable for losses or damages they’ve incurred.
With even the smallest attack leaving a business vulnerable to serious legal consequences, this bill represents a valuable tool for those looking to limit their liability. Although it doesn’t provide immunity to your company if you comply, it does afford you a ‘safe harbor’ against tort claims that failed cybersecurity measures resulted in the data breach.
Both businesses and consumers should be set to benefit from this development as companies become more motivated to up their game and meet industry standards for cybersecurity.
How to Comply
As of November 2nd, 2018, your business can trigger the ‘safe harbor’ provided that you adopt a cybersecurity program designed to:
- Protect the security and confidentiality of personal information;
- Protect against any anticipated threats or hazards to the security or integrity of the personal information; and
- Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.
Since no two companies are alike, the law does acknowledge that the above guidelines are not meant to be a one-size-fits-all approach to cybersecurity. An effective program will have to be scaled to match:
- The size, complexity, and nature of your business and its activities;
- The level of sensitivity of the personal information your business possesses;
- The cost and availability of tools to improve your security and reduce vulnerabilities; and
- The resources your business has at its disposal to expand on cybersecurity.
Further guidance also advises businesses to ‘reasonably conform’ to one of the following industry-recognized frameworks:
- The National Institute of Standards and Technology’s (NIST) Cybersecurity Frameworks;
- NIST Special Publication 800-171, or Publications 800-53 and 800-53a;
- The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
- The International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards;
- Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
- The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) for healthcare industry businesses subject to HIPAA oversight;
- The Federal Information Security Modernization Act of 2014 (P.L. 113-283); and
- The Safeguards Rule of the Gramm-Leach-Bliley Act, for certain financial institutions.
If you accept card payments, you’ll also have to comply with the Payment Card Industry’s Data Security Standards (PCI-DSS).
Although guidelines have been provided, demonstrating full compliance may prove challenging since many of the specified frameworks lack standard certification processes.
Also, since some data security laws have more flexible requirements than others, questions remain over how to demonstrate complete conformity, or which aspects to comply with to ensure the best legal defense. For this reason, when attempting to implement frameworks, it’s a wise move to consult with cybersecurity experts like CyberSheath.
Our Managed Services enable compliance with the Ohio DPA through comprehensive, framework-based compliance. We’ll guide you through the process from assessment through remediation, integrating your existing people, processes, and technologies with your chosen frameworks.
A Win-win for Your Business and Your Customers
Not only will CyberSheath’s managed services help you to achieve full compliance and reduce your legal liability, but you’ll also see a demonstrable improvement to your day-to-day operational security — a true win-win for your business and your customers.
You’ve made the three decisions necessary to start building your privileged account management (PAM) plan. The next step is to build consensus and create stakeholder buy-in by having four pivotal conversations with key members of your executive, business process, and IT teams.
Who You Should Talk to – And What You Should Say
Executive Team – Lead with, “It’s time to make privileged account management a priority.”
Getting Ready & Intel
- Secure buy-in from the top – The initial deployment will require senior leadership to understand the risks of unsecured privileged accounts, and just as importantly they will need to specify deadlines by which all privileged accounts need to be compliant. The prioritization of a successful PAM project will be driven from the top down. In addition to establishing accord with the CIO/CTO/CISO, it’s important that you have engagement with the compliance and financial executives.
- Garner support to obtain budget and resources – Executive leadership can rally employees to make your PAM initiative an organizational priority, impart a sense of urgency and ownership across the organization, and prevent it from being derailed by minor issues.
- Analysis of high-profile breaches – Describe how privileged access controls factored into particular breaches and relate it to your company’s own risk profile.
- Penetration testing results – Assess how long it would take for a skilled adversary to compromise your organization’s privileged accounts. Show what assets an attacker can get to.
- Benchmarking – Reference industry practices for securing privileged access.
- Compliance requirements – Outline the privileged access regulations applicable to your organization.
- Proof-of-concept results – Do a proof-of-concept in which you implement increased privileged account monitoring and report on the results.
Business and IT Process Owners – Lead with, “Let’s optimize how privileged credentials are used.”
Getting Ready & Intel
- Emphasize teamwork and the desire to increase task efficiency with the initiative – Privileged accounts will be involved at some level in almost every critical business and IT process. For the most part, improving the security around privileged accounts will not deeply affect existing processes. Work closely with the owners of these processes to understand the underlying credential usage, bring that knowledge into the design of controls, and look for opportunities to improve security, streamline tasks, and reduce errors.
- Make business users allies – By helping leaders in business and IT to improve the security and efficiency of their processes, your security team can gain important allies. If prominent leaders in business and IT are champions of the initiative to improve privileged access controls, it can influence the privileged users within their groups.
- Who needs elevated privileges and when – Review how privileges are used as an opportunity to reinforce the principle of least privilege.
- Feasibility of restricting an account’s use of certain commands – Talk about automated privileged access technology and how granular restrictions can be enforced.
- Risks and process change necessities – Balance the level of protection with the need to meet other business goals such as efficiency.
- Principle of separation of duties for this process – Look for ways to redesign processes so that technology automatically enforces separation of duties.
- Preventable error patterns – Talk about configuring controls to ensure certain steps require approval.
- Applications in use – Uninstall applications with embedded credentials if the application is no longer used.
- Session script requirements – Consider redesigning a script so that it requires shorter privileged sessions.
IT Admins and Other Privileged Users – Lead with, “We’re going to change privileged access procedures for the better.”
Getting Ready & Intel
- Show empathy and challenge perceptions – Buy-in from IT Admins is essential for the success of your PAM initiative. The “default” view of IT administrators is that they could do their job better with unfettered access and freedom to choose their own tools. They may see any additional steps or restrictions as making their job harder and slowing them down.
- Select security team spokesperson wisely – The team member that you put in charge of this type of conversation needs to be able to articulate the threat and to have technical knowledge of the platforms and applications involved. If your security team doesn’t deal with objections at a detailed technical level, it’s possible that the process will be derailed.
- Know that other privileged users are typically more accepting – Staff in non-IT roles who have privileged access – such as those who need to work with financial reports and bank accounts – tend to be more accepting of new controls.
- Changes to workflow – Demonstrate that the PAM effort will streamline some tasks and make how they operate with credentials much more efficient.
- Strong executive mandate – Discuss the importance of the initiative and persuade administrators to accept changes.
Developers – Lead with, “How can we better secure the use of privileged credentials in these apps?”
Getting Ready & Intel
- Acknowledge that refactoring applications can be a challenge – Many applications, scripts, and configuration files include hardcoded privileged credentials. There are inherent difficulties in updating older code, and some platforms make it hard to operate with less than the highest possible permissions.
- The right level of privilege for each application – Work together to determine the privilege rights for all your organization’s applications.
- Understanding least and excessive privileges – Discuss the principle of least privilege. Help developers understand the consequences of excessive privileges.
Be prepared to manage objections that may emerge during deployment.
- “You can’t take away those rights – I need them!” – Often you will need to convince people that the privileges they are losing are not necessary. Point out that the change protects them by reducing the risk that their accounts will be compromised.
- “I tried it and it doesn’t work.” – As changes to controls are implemented, users may report problems. Proactively set up a process ahead of time for responding to concerns. Be responsive as people adopt new processes and technologies. Maximize usability of the control design.
- “I don’t have time for this.” – When you encounter pushback, strong executive sponsorship of the initiative is extremely important. Focus on the value you bring to users and help them to see the benefits.
- “This feels like Big Brother.” – Administrators can be sensitive about increased monitoring. Reassure them and address governance issues such as what reports are run when and by whom.
Technical expertise and soft skills are needed to pull off these conversations. The third and final blog will expand on the skillsets you need to be successful and will explore some of the elements of an effective PAM deployment.
And if you’d like assistance from our team on how to have these conversations with your stakeholders, contact us. We’re here to help.
With cyberattack headlines in the news each week, it’s more important than ever to do everything possible to safeguard your systems and data. One way to accomplish this is to prevent the theft of highly privileged credentials. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.
How do you improve your privileged account management?
This blog is the first in a series of three articles where we walk you through decisions you need to make to power your strategy, conversations you should have to create stakeholder buy-in, and resources you require to launch your privileged access initiative. Let’s start by discussing the core decisions your organization needs to make at the outset of the process.
- What should you do and when? You need to prioritize what accounts require better protection and be aware of when to make changes. A focus on privileged accounts must be done within the context of your overall security strategy and weighed against other goals. Be aware that if privileged credentials are not properly secured, other controls meant to protect the infrastructure could be rendered ineffective.
- Conduct an initial “baseline” discovery of privileged accounts. Before beginning privileged account management (PAM) deployment, perform an initial discovery of the privileged accounts in your environment. Using a tool such as “DNA” from CyberArk can give you valuable insight into the types of accounts that exist at your organization. Having a good baseline report will help you create a phased approach to securing the privileged accounts.
- Evaluate risks and prioritize implementation. Determining order of priority requires identifying which accounts represent the biggest risks. Focus on accounts that provide elevated access to the organization’s most critical systems and build your PAM plans from there. Engage the compliance department early, to understand the requirements behind reporting and various security controls.
- Plan the timing and rollout of your PAM project. Once you’ve conducted a discovery, you may be in for a surprise as to just how many privileged accounts you have. Given the scope and reach of the project, it will make sense to adopt a phased approach. Deploy at least a limited proof-of-concept demo to help you identify any immediate limitation in the vendor’s platform that may require custom development for your organization. We’ll be discussing how to plan your rollout in further detail in the third blog in this series – so stay tuned for that valuable information.
- What’s the best mix of controls? There are many options for how to proceed. The right approach for your organization requires intelligently deploying the most effective controls for each privileged account access use case.
- Take a layered approach. Reducing the risks around privileged accounts requires layering preventive and detective controls. Preventive controls help stop unauthorized activity. Detective controls help discover it when it occurs, whether maliciously or by mistake, before any significant damage is done, and provide an audit trail and accountability.
- Use detective controls to avoid over-limiting access. The use of detective controls can often help in achieving the balance between enabling and restricting access. Rather than putting in place preventive controls that may be overly restrictive, in some cases, a better approach would be less restrictive access that is carefully monitored for any violations. Detective controls are especially important in cases where increasing restrictions is simply not feasible.
- Secure credentials used by applications and scripts. Credentials used by applications and scripts often need better security controls. If possible, applications should meet the following requirements:
  - The credentials for the account should be stored securely.
  - The account password or SSH key should be changed regularly.
  - The application should be designed using the principle of least privilege.
- Use compensating controls for embedded credentials. For applications that cannot be refactored right away, compensating controls such as the following might be appropriate:
  - Configure the account to be non-interactive and unusable for logging on.
  - Increase monitoring on the accounts.
  - Use analytics to detect possible misuse of an application’s account.
- How much is enough? Controls should provide better security without encumbering business processes.
- Make sure you select a PAM solution that will scale with your business. Pick a vendor that can scale with your organization. A PAM solution may become the cornerstone of your company’s security posture, eventually requiring all IT personnel to engage with it. A great PAM solution will have SDKs (Software Development Kits) and APIs (Application Programming Interfaces) so that you can extend your investment in the platform to meet the complex requirements of tomorrow.
- Seek a win-win situation. Security and usability need not always be in conflict. Unlike many other types of security controls, better processes and technologies for privileged access management can offer the business improved productivity and user satisfaction.
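The two controls for application and script credentials listed above (regular rotation, and accounts configured as non-interactive with monitoring for misuse) can be checked mechanically. The following is an added example written for this post, not code from CyberSheath or from any PAM vendor; the account inventory, the rotation policy of 90 days, the account names and the log line format are all constructed for illustration.

```python
"""Audit application-account hygiene against two of the controls above:
 1. credentials older than the rotation policy (preventive control gap)
 2. interactive logons by accounts that are configured non-interactive
    (detective control over embedded credentials)
All inputs below are constructed sample data; nothing is read from a live system.
"""
import re
from datetime import date

# Constructed inventory of application accounts (hypothetical names). Each entry
# records when the credential was last rotated and whether interactive logon
# is permitted for that account.
ACCOUNT_INVENTORY = {
    "svc_backup":  {"last_rotated": date(2017, 1, 10), "interactive_allowed": False},
    "svc_payroll": {"last_rotated": date(2017, 5, 1),  "interactive_allowed": False},
    "app_reports": {"last_rotated": date(2016, 11, 3), "interactive_allowed": False},
}

# Constructed authentication log lines in a simplified key=value format.
# Logon "type" models the distinction between service/network logons and
# an interactive (console or RDP-style) session.
SAMPLE_LOG = """\
2017-05-15T08:01:12Z user=svc_backup  type=service     src=backup01
2017-05-15T08:05:44Z user=app_reports type=interactive src=wks-042
2017-05-15T09:12:03Z user=jdoe        type=interactive src=wks-017
2017-05-15T09:30:51Z user=svc_payroll type=network     src=pay-app01
"""

# Assessment date used for the age calculation (constructed).
AS_OF = date(2017, 5, 15)

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+type=(?P<type>\S+)\s+src=(?P<src>\S+)$"
)


def stale_credentials(inventory, today, max_age_days=90):
    """Return, sorted by name, the accounts whose credential is older than the
    rotation policy. 90 days is an assumed policy value, not a standard."""
    return sorted(
        name
        for name, info in inventory.items()
        if (today - info["last_rotated"]).days > max_age_days
    )


def interactive_misuse(inventory, log_text):
    """Return (user, source host, timestamp) for every interactive logon by an
    inventoried account that is configured non-interactive. Users that are not
    in the inventory (human accounts such as jdoe) are ignored here, and lines
    that do not match the expected format are skipped rather than trusted."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = inventory.get(m["user"])
        if info and not info["interactive_allowed"] and m["type"] == "interactive":
            findings.append((m["user"], m["src"], m["ts"]))
    return findings


if __name__ == "__main__":
    for name in stale_credentials(ACCOUNT_INVENTORY, AS_OF):
        print(f"ROTATE: {name} credential exceeds rotation policy")
    for user, src, ts in interactive_misuse(ACCOUNT_INVENTORY, SAMPLE_LOG):
        print(f"ALERT: non-interactive account {user} logged on interactively from {src} at {ts}")
```

In a real deployment the inventory would come from the PAM platform's discovery output and the log lines from the SIEM; the point of the example is that "non-interactive" is only a meaningful compensating control if something actually watches for interactive use of the account.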
In our next blog, we’ll cover the four pivotal conversations you need to have with your stakeholders to help your project succeed.
If you’d like assistance launching a PAM project to help secure your enterprise, contact us. We’ve got the experience and expertise to help build you a solution to meet your privileged account access needs. Contact CyberSheath today!
Major data breaches and an always evolving cybersecurity threat and fraud landscape mean that the financial sector is under constant pressure to keep customer and corporate data safe from hackers.
Last year saw the biggest data breach in UK history with over 20,000 Tesco Bank customers losing money from their accounts. Also in 2016, hackers used hijacked privileged credentials to steal $81 million from vulnerable customer accounts at The Bangladesh Central Bank.
It’s a tough cybersecurity landscape out there – and financial institutions need to stay ahead of hackers. Cybersecurity leaders recently gathered at the SWIFT Business Forum in London to discuss the challenges faced by banks including:
- Changes in targets and tactics – JF Legault, cybersecurity global head at JP Morgan, spoke about the changing nature of cybersecurity threats stating, “We saw the advent of malware targeting wholesale banking platforms. Criminals stopped going after simple, low-value monetary amounts and shifted to high-value payment platforms. The reason they did that was a lot more yield on the crime(s) they committed. We also saw a shift toward business email compromise… [and] a high number of breaches affecting the financial sector that led to fraudulent messages.”
- False positives – Banks are wasting valuable time flagging activities in the anti-money laundering monitoring systems that are not actually fraudulent. These “false positives” take time away from strategic activities. Anthony Fenwick, global head of treasury and trade solutions and AML compliance at Citi Group, pointed out, “Our biggest problem in this industry is false positives…the use of electronics and AI have to go hand-in-hand with the best humans. The idea that we remove all human activity from this process misses the point of what we are trying to do.”
- Insider threats – Regional vice-president for UK, Ireland, and Northern Europe at CyberArk, Matt Middleton-Leal, underlined that banks most fear attacks that hide behind insider privileges. “They allow cybercriminals to appear as legitimate users, giving them unprecedented freedom to work their way up to their most valuable financial assets.” Gottfried Leibbrandt, CEO at the financial messaging vendor SWIFT, chimed in that bank customers “will always be the weakest link, but at the same time the response should not be ‘let’s fix the weakest link’ but you have to take an end-to-end view.”
- Consumer-friendly usability – According to Royce Curtin, managing director of global intelligence at Barclays, a big breach is a huge concern, but that must be balanced with providing customers with solutions they want to use. “We work very hard and take very seriously the responsibility of building systems and trust for services that people feel comfortable using.”
How Banks Can Overcome These Issues
- Improved communication – Better communication and intelligence sharing at financial institutions is a good first step toward building a more robust cybersecurity program.
- Multiple-layered security – Concentrating on multiple-layered security also helps safeguard valuable bank information.
- Actionable insights – Many banks are looking for intelligence that can be quickly turned into an effective response, especially when it comes to landscapes where breaches are more likely to occur. Create actionable intelligence inside the banks and publish it out. Take a strategic view and identify suspicious behaviors (i.e. here is a set of accounts and a volume of transactions that we should be mindful of) so that proper security alerts and timely, effective responses can be undertaken.
How CyberSheath Can Help
CyberSheath can help companies in the financial sector address many of these issues with security consulting services and expert guidance. We provide Privileged Account Management, which provides strong protection inside the perimeter; security assessments; and best-practice recommendations based on experience solving security-related problems for major financial clients. Contact us for your FREE security assessment.
Achieving compliance with NIST 800-171 before the mandatory December 2017 deadline can look like a daunting task. With only 6 months left in the year, time is running out to understand, evaluate, and implement the more than 100 DFARS controls. Where do you start – and how do you efficiently deploy resources to ensure success?
Here are 4 Simple Steps to Assess, Implement, Measure, and Maintain Compliance
- Conduct a gap assessment of your current security program. Using a trusted third party or internal resources, perform a binary, pass/fail assessment and make sure results are supported by artifacts and technical validation. Taking a pass or fail approach to each required control ensures an honest assessment and efficient process. Countless vendors have “proprietary” assessment methodologies that are ultimately subjective marketing documents. The NIST 800-171 controls are either implemented or they aren’t. This approach saves you time and endless debate that doesn’t move the needle on compliance.
- Turn your gap analysis into a remediation plan. Review your assessment results and start the process of remediating non-compliant controls. The project plan should identify the people, processes, and products required for control implementation. Your plan should be a “project management 101” kind of document that gives you a realistic view of cost, schedule, and performance. If you have budget constraints, look for opportunities to implement manual processes until you can automate with tools. Be sure to account for the documentation of your policies and processes as part of the plan.
- Execute your plan. Run your implementation of NIST 800-171 like a project with dedicated internal or third party resources if the workload requires them. Track project progress weekly and keep management informed. Be sure that after a control is fully implemented you have a way to continuously measure compliance. Like any other regulatory mandate, DFARS compliance is an ongoing requirement and not a one-time effort. This monitoring can be done manually or with a GRC (Governance, Risk, and Compliance) tool like RSA Archer or TraceCSO. If you are budget-constrained, use Excel or SharePoint to get the job done.
- Maintain compliance across your enterprise. Implement dashboard views of near real-time compliance and a process for on-boarding new contracts with CUI/CDI (Controlled Unclassified Information/Covered Defense Information). Budget for and perform an annual assessment to validate your compliance.
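The binary pass/fail approach in the four steps above can be kept honest with a very small amount of tooling: a control only counts as implemented when the assessor marked it a pass and attached an artifact, and everything else lands on the remediation plan. The block below is an added example written for this post, not a CyberSheath tool. The control numbers and family names are from NIST SP 800-171 (3.1.19 and 3.12.4 are discussed elsewhere on this page; the one-line descriptions are paraphrased); the statuses, artifacts, owners and the priority order are constructed sample data.

```python
"""Pass/fail gap tracker for a NIST SP 800-171 assessment.
A control is 'implemented' only if status == "pass" AND at least one
supporting artifact is recorded; a pass without evidence is treated as a gap,
which is the 'technical validation' requirement of step 1 above.
"""
from collections import defaultdict

# 800-171 control family names, keyed by the family number prefix.
FAMILIES = {
    "3.1": "Access Control",
    "3.3": "Audit and Accountability",
    "3.5": "Identification and Authentication",
    "3.12": "Security Assessment",
    "3.13": "System and Communications Protection",
}

# Constructed assessment results (descriptions paraphrased from SP 800-171).
ASSESSMENT = [
    {"id": "3.1.1", "desc": "Limit system access to authorized users",
     "status": "pass", "artifacts": ["AD group export 2017-06-01"], "owner": "IT Ops"},
    {"id": "3.1.19", "desc": "Encrypt CUI on mobile devices and platforms",
     "status": "pass", "artifacts": [], "owner": "IT Ops"},          # claimed, no evidence
    {"id": "3.3.1", "desc": "Create and retain system audit logs",
     "status": "fail", "artifacts": [], "owner": "Security"},
    {"id": "3.5.3", "desc": "Multifactor authentication for privileged and network access",
     "status": "fail", "artifacts": [], "owner": "Security"},
    {"id": "3.12.4", "desc": "Develop and periodically update a system security plan",
     "status": "fail", "artifacts": [], "owner": "CISO"},
    {"id": "3.13.11", "desc": "FIPS-validated cryptography to protect CUI",
     "status": "pass", "artifacts": ["TLS configuration review 2017-05-20"], "owner": "IT Ops"},
]


def control_key(control_id):
    """Numeric sort key so that 3.1.19 sorts before 3.12.4."""
    return tuple(int(part) for part in control_id.split("."))


def is_implemented(result):
    return result["status"] == "pass" and len(result["artifacts"]) > 0


def gaps(assessment):
    """Control ids that are not demonstrably implemented, in numeric order."""
    return sorted((r["id"] for r in assessment if not is_implemented(r)), key=control_key)


def compliance_percent(assessment):
    done = sum(1 for r in assessment if is_implemented(r))
    return round(100.0 * done / len(assessment), 1)


def family_rollup(assessment):
    """Per-family (implemented, total) counts for a dashboard view (step 4)."""
    totals = defaultdict(lambda: [0, 0])
    for r in assessment:
        fam = r["id"].rsplit(".", 1)[0]
        totals[fam][1] += 1
        if is_implemented(r):
            totals[fam][0] += 1
    return {FAMILIES.get(fam, fam): (done, total) for fam, (done, total) in totals.items()}


def remediation_plan(assessment, priority):
    """Gaps ordered by a caller-supplied risk priority list (highest first);
    gaps not in the list follow in control-number order. Each entry records
    why it is a gap so that 'passed without evidence' is visible to management."""
    rank = {cid: i for i, cid in enumerate(priority)}
    plan = []
    for r in assessment:
        if is_implemented(r):
            continue
        reason = "no supporting artifact" if r["status"] == "pass" else "not implemented"
        plan.append({"id": r["id"], "owner": r["owner"], "reason": reason})
    plan.sort(key=lambda p: (rank.get(p["id"], len(rank)), control_key(p["id"])))
    return plan


if __name__ == "__main__":
    print(f"Compliance: {compliance_percent(ASSESSMENT)}%")
    for family, (done, total) in family_rollup(ASSESSMENT).items():
        print(f"  {family}: {done}/{total}")
    for item in remediation_plan(ASSESSMENT, priority=["3.5.3", "3.3.1"]):
        print(f"  TODO {item['id']} ({item['owner']}): {item['reason']}")
```

The same data model maps directly onto a spreadsheet or SharePoint list for budget-constrained teams, as step 3 suggests; the only rule worth enforcing in whatever tool you use is that a pass without an artifact is still a gap.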
The Bottom Line
NIST 800-171 is an effective cybersecurity hygiene guide for DoD contractors. Controls like multi-factor authentication and encryption are heavy lifts initially but relatively easy to maintain after implementation. The interpretation of the controls may seem intimidating, but the pragmatic approach laid out above will go a long way in helping you meet the December 2017 deadline.
Get started! It’s likely your team is already overburdened with other work and adding this to their plate with only 6 months of the year remaining won’t be easy. That’s why CyberSheath exists. We’ve helped dozens of global companies achieve compliance – and we can help your organization too. Contact CyberSheath today for a FREE consultation.
Chances are if you are involved in maintaining your organization’s cybersecurity, you’ve had more than a few sleepless nights after hearing the disastrous consequences of another entity’s breach. This story is no different.
DNS Hijack and Extremely Well-executed Spoofed Sites Fool Bank Customers
Earlier this month, the security firm Kaspersky detailed the wholesale takeover of an as-yet-unnamed bank in Brazil. The attack itself was a quintessential DNS hijack in which the attackers took over several of the bank’s domains. For a period of five hours, customers were directed by NIC.br (the company that manages the bank’s DNS service and, incidentally, the domain registrar for the Brazilian top-level domain, .br) to spoofed versions of the bank’s legitimate sites. The spoofed sites were reportedly near perfect, down to having their own valid SSL certificates issued in the name of the bank.
Hackers Obtained SSL Certificate for Rogue Sites
After they could exercise control over the domain, the attackers applied for an SSL certificate from the non-profit certificate authority Let’s Encrypt. In an interview with Wired.com, Josh Aas, founder of Let’s Encrypt, states that entities are issued certificates when they can properly demonstrate control of a domain – which in this case the attackers were able to do.
Per the Let’s Encrypt website (letsencrypt.org), the company only offers domain validation (DV) certificates which are sufficient for HTTPS. Kaspersky’s ThreatPost write-up of this incident revealed that the certificates were issued the day before the spoofed sites went live, suggesting that the attackers could exercise a level of control over the bank’s domains in the days leading up to the attack.
Countless Bank Customers Duped into Providing Account Details
These days, consumers are much savvier regarding how, when, and where they share their confidential information. With the HTTPS designation and the seemingly identical spoofed sites, a large number of bank customers were tricked into providing their account details on the spoofed sites.
How to Make it More Difficult for Attackers to Infiltrate Your Organization
There are several lessons to learn from this hack. First of all, it is important for organizations to work to stay ahead of hacker tactics. Perhaps if the bank in Brazil had followed the tips listed below, the bank and its customers would have been protected from a breach.
- Include external accounts in your privileged access management strategy. When identifying privileged accounts in your organization, include internal accounts as well as external accounts that could pose a risk to your organization. Locking down internal root and administrator accounts is not sufficient. Privileged access management must include all accounts that provide elevated access or could impact your organization’s systems or reputation, including those for your social media presence or, in the bank’s case, the organization’s DNS service provider. If the affected bank had included their NIC.br account in their privileged access management solution, they may have been able to prevent this attack.
- Rotate passwords frequently both in your organization and with your personal accounts. Also, two-factor authentication should be used when possible. Had this bank rotated the password more frequently, there is the possibility they may have been able to protect themselves from this attack. If the password for their account at NIC.br changed frequently, the attackers would have needed to compromise it each time.
- Get organization validation (OV) or extended validation (EV) certificates when appropriate for your organization. Certificates are not created equal. In this case, Let’s Encrypt offers Domain Validation (DV) certificates, not OV or EV certificates. To the general public the nuanced difference between these is likely lost, especially when their browser simply displays a site as “secure”, but the reality is that these certificates have significant differences. OV and EV certificates involve more validation and so provide more trust.
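Two of the lessons above translate into routine defender-side checks: compare what the public DNS is serving for your domains against the records you expect, and review newly issued certificates for your names against the certificate authorities you actually use (the attackers’ certificates here were issued a day before the spoofed sites went live, which is exactly the window such a review exists to catch). The block below is an added example written for this post, not CyberSheath code. The domain names, IP addresses, issuer names and the simplified shape of the certificate records are all constructed; a real implementation would feed it resolver answers and Certificate Transparency log search results.

```python
"""Two monitoring checks that follow from the DNS-hijack lessons above.
 1. DNS drift: expected vs observed answers for the organization's names.
 2. Certificate issuance review: flag certificates for our names from CAs we
    do not buy from, and classify them as DV or OV/EV from the Subject.
All data below is constructed; no network calls are made.
"""

# 1) The records the registrar / DNS provider is expected to serve (constructed).
EXPECTED_DNS = {
    "www.examplebank.test": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.examplebank.test", "ns2.examplebank.test"},
    },
    "online.examplebank.test": {"A": {"203.0.113.11"}},
}

# Constructed "observed" answers, as a resolver check might return them;
# the www A record now points somewhere the organization does not control.
OBSERVED_DNS = {
    "www.examplebank.test": {
        "A": {"198.51.100.77"},
        "NS": {"ns1.examplebank.test", "ns2.examplebank.test"},
    },
    "online.examplebank.test": {"A": {"203.0.113.11"}},
}


def dns_drift(expected, observed):
    """Return [(name, record type, expected set, observed set)] for every
    record set that differs. A missing name or type counts as an empty set,
    so a deleted record is reported rather than silently passed."""
    findings = []
    for name, records in expected.items():
        for rtype, want in records.items():
            got = observed.get(name, {}).get(rtype, set())
            if got != want:
                findings.append((name, rtype, want, got))
    return findings


# 2) Certificate records in a simplified, constructed shape (not a real CT API
# format): common name, issuing CA, Subject fields and validity start.
ALLOWED_ISSUERS = {"Example Commercial CA"}   # the CAs the organization actually uses

CT_RECORDS = [
    {"common_name": "www.examplebank.test", "issuer": "Example Commercial CA",
     "subject": {"CN": "www.examplebank.test", "O": "Example Bank S.A.", "C": "BR"},
     "not_before": "2017-01-15"},
    {"common_name": "www.examplebank.test", "issuer": "Example DV Authority",
     "subject": {"CN": "www.examplebank.test"},
     "not_before": "2017-10-21"},
]


def validation_level(subject):
    """DV certificates carry only the domain in the Subject; OV and EV
    certificates also carry the verified organization (O). EV is signalled by
    a policy OID rather than the Subject, so OV and EV are not separable here."""
    return "OV/EV" if subject.get("O") else "DV"


def unexpected_issuances(records, allowed_issuers):
    """Certificates for our names issued by a CA outside the allow-list,
    with the validation level so reviewers see a DV cert appearing next to
    the organization's OV/EV one."""
    return [
        (r["common_name"], r["issuer"], r["not_before"], validation_level(r["subject"]))
        for r in records
        if r["issuer"] not in allowed_issuers
    ]


if __name__ == "__main__":
    for name, rtype, want, got in dns_drift(EXPECTED_DNS, OBSERVED_DNS):
        print(f"DNS DRIFT: {name} {rtype} expected {sorted(want)} observed {sorted(got)}")
    for cn, issuer, since, level in unexpected_issuances(CT_RECORDS, ALLOWED_ISSUERS):
        print(f"CERT REVIEW: {cn} issued by {issuer} ({level}) valid from {since}")
```

Neither check stops a registrar-account takeover; that is what putting the registrar account under privileged access management and two-factor authentication is for. What they do is shrink the five-hour window in the incident above to however often the checks run.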
Don’t let a hack happen to you. Contact CyberSheath to learn more about our recommendations for safeguarding your organization. Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!
There’s a lot at stake right now with your company’s DFARS / NIST 800-171 compliance. What you do – or don’t do – in the next six months could impact your ability to secure and execute DoD contracts.
Is your company compliant with all 110 security controls in NIST 800-171?
As a supplier, chances are you’ve received a letter from one of your Primes asking if you are compliant with the DFARS mandate and reminding you of the compliance deadline of December 31, 2017. If your Prime uses Exostar as their sourcing and collaboration tool, as the major Defense Contractors do, you will have to fill out a DFARS questionnaire before a PO can be issued for your part of the contract.
There are three ways to handle the situation:
- Misrepresent the truth about your organization’s infrastructure security and answer the questionnaire in a knowingly untruthful way and claim compliance in the hopes that the truth is never discovered and that your firm is never flagged for a security audit.
- Determine where you are non-compliant and develop a plan to become compliant by year’s end.
- Write a letter to the DoD explaining where you are not compliant, and why.
Of these options, I think we can agree that the first is ill-advised, and the third is not a way to build trust and foster confidence in your firm. That leaves the second option – becoming compliant. How do you proceed?
What exactly is the DFARS mandate and why is it important?
NIST Special Publication 800-171 Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of Covered Defense Information (CDI). This document outlines each of the controls your firm needs to meet in order to be able to continue providing services and products to your Prime and ultimately to the DoD.
The fact is, the controls outlined in DFARS are security measures that your firm should already be implementing as part of maintaining good security hygiene. Each item on the checklist helps your firm safeguard important information and, ultimately, helps your firm protect the confidentiality of CDI.
What should you do to keep your current contracts?
Right now your firm is probably compliant with about half of the 110 controls within NIST 800-171. Chances are the areas your company is deficient in include:
- SIEM (security information and event management)
- Multi-factor authentication
- Applied encryption, both at rest and in-transit
- Policies and written authentication for your security procedures and protocol
While addressing these deficiencies may seem onerous, it’s important to remember that becoming compliant is good for your company – and good for your bottom line. Perhaps you think you don’t have the resources, budget, or buy-in needed to move forward. Keep in mind that the path to compliance is the only viable option you have. Here is a plan on how to address and achieve DFARS compliance:
- Get a security assessment to help you interpret what is required and if your company is in compliance with each of the 110 controls.
- Create a plan to achieve compliance on all the items identified as deficient in your security assessment. Your remediation plan should solve for operational issues as well as protect covered defense information in a manner that demonstrably shows compliance. Note that remediation typically takes about 6 months – so you need to get started now.
- Partner with a trusted, experienced company that:
  - Has truly walked a mile in your shoes and has experience implementing the controls required for DFARS compliance.
  - Tailors the control implementations to fit your reality and achieve compliance.
  - Understands the practical realities of implementing controls like multi-factor authentication in an operational environment on a limited budget.
CyberSheath uniquely understands the DFARS security requirements and can assist you with assessing compliance with these DoD mandated security requirements and creating a road map of how you can become compliant by December 31, 2017.
The clock is ticking. Get started on your DFARS compliance today.
Don’t scramble to do research to address your security shortcomings. Get your current security state assessed now and formulate a plan to become compliant – before your Primes come to hold you accountable to this new mandate.
Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!
In December of 2016 the National Institute of Standards and Technology (NIST) finalized the first revision to its Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Systems and Organizations. The updated document, NIST SP 800-171 Revision 1, is the new standard with which government contractors who store, transmit, or process CUI are required to comply by the December 2017 compliance deadline.
While many of the updates are verbiage changes to clarify the defined scope of the current controls, there are two major changes that need to be noted by those who are required to adhere to the regulation.
In the original 800-171 release, Control 3.1.19 specified the requirement to encrypt CUI on mobile devices. In the updated revision, the control is amended with the additional stipulation to include mobile computing platforms. Further, mobile devices and mobile platforms are more clearly defined to include smartphones, tablets, E-readers, and notebook computers. This additional specification is intended to remove any doubt as to the scope of the control. Encryption of mobile devices and mobile computing platforms is an instrumental step to help limit a data breach as these devices are often lost or stolen. If you are interested in additional information I have covered the importance and scope of the encryption of data at rest requirements required by the 800-171 in a previous blog post.
At the time of the original release, in June of 2015, NIST SP 800-171 was published with 14 Control Families which contained 109 security controls in total. The newly released revision publication has added just one control bringing the total number to 110. This added requirement is contained in the Security Assessment Control Family (3.12) and is defined as follows:
3.12.4 – Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Additionally, SP 800-171 Rev 1 notes there is no prescribed format or a specified level of detail for ‘system security plans’. However, organizations must ensure the required information in Control 3.12.4 is appropriately conveyed in the plans that are developed.
Aside from the requirement being imposed to have a formally documented security plan, having such a plan is a good indicator of the maturity of your organization’s overall security program. No matter how large or small your company is, it is important to have a plan to define the security of your information assets. The plan development process will help make you think more holistically about your organization’s security and will bring the many elements of your security model to one place. This will help provide the framework for keeping your company at the desired security level required by the 800-171.
It is important to understand the new control requires the following components in a security plan:
- Documentation of its systems and environments of operation, including boundaries
- Description of how security measures are implemented to satisfy the controls of the regulation
- Definition of relationships with, and/or connections to other integrated systems
While these elements meet the minimum requirements for the new control, it is imperative to recognize this is only a baseline. A security program plan is never ‘done’ per se and should be a living document. The new control further reinforces that thought by requiring organizations to ‘periodically update’ the plan. This concept is also true for the 800-171 regulation itself, shown with the release of the current revision we are discussing. The ever-changing nature of the document ensures your organization is continuously adapting to the dynamic IT environment and the associated threats that we are faced with every day.
Does your organization need assistance becoming compliant with NIST SP 800-171 before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with the specialized guidance you need and deliver industry-leading solutions. We have a specialized team of Cybersecurity Professionals with proven experience to guide and assist your business in achieving compliance.
Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!
On Friday of last week, Europol reported that a worldwide attack using a piece of ransomware known as “WannaCry” hit more than 150 countries and infected at least 200,000 victims. Europol Director Rob Wainwright said that “the global reach [of the attack] is unprecedented.” The attack appears to be targeting businesses and large corporations in the healthcare, financial and infrastructure sectors; these sectors hold highly sensitive information that is ripe for being held hostage.
Ransomware is malicious software, a virus, that has two purposes. The first is to encrypt the contents of a machine’s hard drive, preventing the user from accessing the information without entering a unique key or password. The second purpose is to act as a worm and spread to as many machines as possible. With a large footprint of infected machines, the attacker can then hold the data for ransom, promising to provide the password or key to decrypt the data once the ransom is paid in bitcoin (untraceable digital currency).
The WannaCry ransomware appears to exploit a vulnerability in the Microsoft XP operating system that was discovered as a result of the recent NSA tool dump. It’s unclear at this time whether the ransomware was developed by the NSA or is just the result of the NSA’s day-one exploit stockpiling. Microsoft president and chief legal officer Brad Smith responded to the attack stating that it “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”. Smith continued his comment stating that “this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”
While IT and Security teams have no doubt been working around the clock over the weekend to prevent the spread and manage the fallout, some key actions organizations should take in the immediate fallout are as follows:
- Immediately backup important and sensitive data in case you are infected soon.
- Update to the latest Microsoft security patches.
- Update all anti-virus software and conduct immediate scans.
- Scan all inbound and outbound emails for malicious attachments.
- Send out a companywide awareness email warning employees about the attack and to be cautious of scams and malicious emails.
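The fourth action above, scanning mail for malicious attachments, is one that a small mail-gateway hook or mailbox sweep can apply immediately while vendor signatures catch up. The block below is an added example written for this post, not CyberSheath code or a product feature; it builds a constructed sample message with Python’s standard email library, parses it back as a gateway would, and flags attachments whose extension is executable or which hide an executable behind a document-looking double extension. The blocked-extension list is an assumed starting point, not a complete policy.

```python
"""Attachment screening for inbound/outbound mail, as a first response to a
ransomware outbreak. Uses only the Python standard library; the sample
message is constructed inline so the code runs offline.
"""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from pathlib import PurePosixPath

# Assumed starting policy: attachment types that should never arrive by mail.
# Extend or tighten this to match your own environment.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".docm", ".xlsm", ".pptm",
}


def build_sample_message():
    """Construct a sample message (not a real capture) with one benign and
    two suspicious attachments, serialized as RFC 5322 text."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "staff@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"// constructed sample", maintype="application",
                       subtype="octet-stream", filename="update.js")
    return msg.as_string()


def screen_attachments(raw_message):
    """Parse a raw message and return [(filename, reason)] for every attachment
    that violates the policy. Filenames are lower-cased before the extension
    check so 'Invoice.PDF.EXE' is treated the same as 'invoice.pdf.exe'."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if not suffixes:
            continue
        final = suffixes[-1]
        if final in BLOCKED_EXTENSIONS:
            if len(suffixes) > 1:
                reason = f"double extension disguising {final}"
            else:
                reason = f"executable attachment type {final}"
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for name, reason in screen_attachments(build_sample_message()):
        print(f"QUARANTINE {name}: {reason}")
```

Extension checks are deliberately cheap and easy to tune during an incident; they complement, rather than replace, the anti-virus scans and vendor patches in the list above, which address the actual propagation path.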
Moving forward, organizations should consider a more proactive approach to dealing with ransomware as opposed to reactive. In August of last year, CyberSheath Security Engineers wrote about the rise of ransomware and how using sandboxing techniques in daily operations can be 100% effective against malware attacks when used in combination with least-privilege. Adding to defense in depth, implementing a privileged account management solution can be used to prevent ransomware from spreading to critical servers by securing privileged accounts, and in combination with isolating critical servers with a secure jump host such as CyberArk’s PSM, can be a highly effective combination in combating malicious threats.
Let the security professionals at CyberSheath help you become proactive, not reactive. You can learn more about our approach by viewing our Privileged Access Management service area or clicking the button below to download our detailed Privileged Access Management datasheet.
Last week’s global ransomware attack on unpatched computer systems, labeled a “cyber pandemic” by the Wall Street Journal, once again pointed out that basic cybersecurity defense is still being ignored. While not all breaches are preventable, most of the ones that make news headlines are. Below we’ll discuss what Boards of Directors should be doing differently.
The current landscape of cyber defense is dominated by OEMs pushing tools onto under-resourced security teams who don’t have a battle plan for success. It’s like going to Home Depot, buying all the tools and materials to build a house, and architecting the build as you go. It’s expensive and inefficient, and the ad-hoc nature of this approach is guaranteed to disappoint.
What is the Best Cybersecurity Defense Approach?
Cybersecurity defense should be approached like every other business problem where you develop a strategy that you can execute against and measure your success. Human Resources has a plan and supporting processes to manage and measure employee hiring, onboarding, retention, and engagement. Finance has a plan and supporting processes to manage and measure revenue, profits, cash, orders and a host of business-relevant metrics. Cybersecurity should steal a page from these mature business supporting functions and develop the same. Pick a framework or control set (NIST 800-53, NIST Cybersecurity Framework, there are many to choose from, just pick one!) and identify, assess and manage your cybersecurity risk.
Why take this approach instead of following the marketing noise? For starters, organizations like the National Institute of Standards and Technology (NIST) have no profit interest in your implementation of their work. Their publications are the result of years-long collaboration between the government and private sector and are continuously being reviewed and updated. NIST accurately summarizes the benefits of the Cybersecurity Framework in saying:
“Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”
Surely any company utilizing this framework would have identified unpatched systems as critical to service delivery and a priority in the operational execution of cybersecurity. As last week’s “cyber pandemic” proved, this isn’t the case.
Cybersecurity Added Benefits
An added benefit of managing your cybersecurity program against a defined framework or set of controls is the ability to explain to your Board or Executives your priorities and resource requirements. This demystifies cybersecurity and enables them to make informed business decisions rather than a decision to fund a specific tool. In-time decision making is transformed from tactical to strategic and allows the organization to take a proactive, rather than reactive, approach to cybersecurity.
Compliance requirements like SOC Type 1 and 2 reporting, DFARS, Sarbanes Oxley, HIPAA, and others can be integrated into your chosen framework to align and simplify management of cybersecurity compliance and operations. As practitioners well know, the scope of these compliance audits is often so narrow by design that it becomes an exercise to just ‘get through’ rather than a data point for holistic risk management.
If you are on a Board don’t accept a compliance audit, penetration test or vulnerability scan as evidence of cybersecurity effectiveness. Push for the implementation of a framework and give the accountable teams the resources to succeed.
Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!
Type “EHR” and “information security” into Google and you will find tons of websites, news articles, and even YouTube videos touting the various plusses and minuses of electronic health records, or EHR. In the last few years, the EHR has become the physician’s best friend, as it helps provide better care, better population health and lower health care costs. While EHRs might be changing the way hospitals and practice offices operate, there are still issues with using EHRs securely. According to the HHS Office of Inspector General, nearly “60 percent of hospitals participating in the federal meaningful use incentive program reported an unplanned disruption in their record systems in 2014 and 2015.” [Note that the meaningful use program is a federally backed program designed to encourage adoption of EHRs by doctors and hospitals.] It is also important to note that most of the reported unplanned disruptions were caused by hardware failure, not by cyber attacks. While hardware failures are a concern, cyberattacks should also be at the top of the list. Hospitals are facing an increasing number of directed cyberattacks aimed at disrupting and disabling the IT and health record infrastructure.
Having a contingency plan in place to deal with unforeseen events, such as disruptions from hardware failure or loss of patient data because of a cyber attack will ensure that your organization can plan and be ready when the inevitable strikes. According to the HHS report from July 2016, many of the medical practice organizations investigated, including hospitals and practice offices, followed HIPAA requirements for its contingency plans, including backing up data, having a disaster recovery plan, having an emergency-mode operation plan and testing and revising the contingency plan. The recent cyberattacks on hospitals have had a profound effect on the security of EHRs. Earlier this year, a hospital in California fell victim to a ransomware attack that disabled its network and EHR system for a week, which led to delayed patent care and required patients to be moved to other facilities. In March, MedStar Health reported a suspected ransomware attack that required the healthcare network to take its all of its computer systems offline.
During cyber attacks and hardware failures, healthcare organizations rely on backup data in order to return to operations quickly. Without a contingency plan in place, cyberattacks and outages will cause major headaches for the healthcare provider. The HIPAA Security Rule requires that covered entities protect and secure the confidentiality, integrity, and availability of electronic protected health information (ePHI), of which EHR is one of many applications that store such data. Securing this type of data is important as its loss can be a significant financial burden on the healthcare organization.
While the report emphasizes the need for contingency plans, it does not address other areas of security requirements under HIPAA. HIPAA is required for federal entities, and the HHS Office of Inspector General (OIG) has previously recommended that OCR “fully implement a permanent audit program to assess compliance with HIPAA requirements.”
Whatever your organization’s requirements are, let CyberSheath help you prepare for the unplanned disruption.
On July 26, the Obama administration released a framework for incident handling around cyber-attacks. The framework is part of the Presidential Policy Directive on United States Cyber Incident Coordination and action plan that was released in February of this year. It provides a clear standard of when and how government agencies will handle cyber security incidents. Included in the directive is a new color-coded scale that assigns specific colors and response levels to the danger of a cyber-attack.
The intent of the color-coded scale and directive is to ensure that the agencies responsible for handling cybersecurity respond to incidents and threats with the “same level of urgency and investment.” The scale is broken out into different levels, each representing a severity. Level 0 (White) is considered unsubstantiated, while level 5 (Black) is considered an emergency: the attack poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of US persons. An incident that ranks at level 3 or above is considered significant and triggers the coordination of the Departments of Justice and Homeland Security, as well as the Office of the Director of National Intelligence. The organizations involved in the incident also contribute to the response.
How will your organization be able to respond to a cyber-attack? Let CyberSheath assess your capabilities so you can move your security program from a reactive to a proactive, well-defined security operation.
Business owners rely on internet connectivity for everything from business operations, productivity and collaboration services to maintaining customer relationships. Unfortunately, that reliance on internet connectivity and cloud services also increases exposure to the threat of cybercrime. In addition to stealing money through fraud and deception with tools like ransomware, cybercriminals can damage your business’s reputation and, depending on the impact and headline worthiness of an incident, put you out of business completely. For a small business, a cyber incident or breach can have a much greater impact on your ability to do business than it would on a large enterprise that is able to absorb the costs of incident response.
A business can never be completely safe from the threat of cybercrime, but most cyberattacks can be mitigated with some basic security practices. Online security should be taken as seriously as locking the doors of your business and storing cash and valuables in a safe location. Clients have the expectation and the right to the security of their data, and it is essential that steps are taken to prevent it from being exposed on the internet due to poor security practices. The following tips will enhance your defenses against cyberattacks:
1) Use strong passwords, credentials, and manage your access.
Strong authentication mechanisms are an essential layer of protection. All staff should understand the need to have suitable passwords and the risks of writing them down or sharing them. A long password with a mix of letters, numbers and other characters is well known as a best practice. Common words, names, and consecutive numbers are particularly vulnerable to hackers. Depending on the nature of the business and the information and data used or derived, consider applying multi-factor authentication as an additional measure of password protection. Additionally, ensure that you understand the extent of the authentication services your business uses. You may use Gmail or Active Directory as your core authenticator and manage password requirements there, but also consider cloud or internet-based services whose authentication is not connected to your core authentication service. Ensure all authentication services are managed and audited, meaning that user access provisioning and deprovisioning should follow a formal process as the employment status of your staff changes.
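The last point above, that every authentication service (not just the core directory) needs to be audited against staff changes, is the one most often skipped, so here is an added example of what that audit looks like in practice. This is example code written for this page, not a CyberSheath or vendor tool. It reconciles a constructed HR roster against constructed account exports from a core directory and two independent SaaS logins, and flags three classes of problem: accounts still enabled for terminated staff, accounts that do not correspond to anyone in HR (unknown or shared accounts), and SaaS logins that exist for people who have no core directory account at all, meaning the core password policy never applied to them.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data for the example; usernames, services and dates are invented.
HR_ROSTER = {
    # username: (employment status, termination date or None)
    "alice": ("active", None),
    "bob":   ("terminated", date(2016, 5, 31)),
    "carol": ("active", None),
    "dave":  ("terminated", date(2016, 6, 15)),
    "frank": ("active", None),
}

# Accounts as exported from each authentication service. The core directory is the
# system of record; the SaaS tools each have their own independent logins.
ACCOUNTS = {
    "core-directory": {"alice", "bob", "carol"},
    "payroll-saas":   {"alice", "bob", "dave", "eve"},
    "chat-saas":      {"alice", "carol", "dave", "frank"},
}


@dataclass(frozen=True)
class Finding:
    service: str
    user: str
    issue: str


def reconcile(roster, accounts, core="core-directory"):
    """Compare every service's account list with HR and the core directory.

    Returns a list of Finding records; an empty list means every account on every
    service belongs to an active employee who also exists in the core directory.
    """
    findings = []
    for service, users in accounts.items():
        for user in sorted(users):
            record = roster.get(user)
            if record is None:
                # Nobody in HR owns this login: orphaned, shared, or created out of process.
                findings.append(Finding(service, user, "not in HR roster (unknown or shared account)"))
            elif record[0] == "terminated":
                # Deprovisioning missed this service when the person left.
                findings.append(Finding(service, user, f"still enabled after termination on {record[1]}"))
            elif service != core and user not in accounts[core]:
                # Active employee, but the login was never tied to the core authenticator.
                findings.append(Finding(service, user, f"has SaaS login but no {core} account"))
    return findings


def summary(findings):
    """Count findings per service so the noisiest system is obvious."""
    counts = {}
    for finding in findings:
        counts[finding.service] = counts.get(finding.service, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, ACCOUNTS)
    for finding in results:
        print(f"[{finding.service}] {finding.user}: {finding.issue}")
    print(summary(results))
```

Run against real exports, the per-service counts tell you which tool is outside your offboarding process; in the constructed data the payroll service carries the most findings because it has both a missed termination and an account HR has never heard of.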
2) Use cybersecurity tools.
A firewall and antivirus software can mitigate many cyberattack risks and are better than no security tools at all. Don’t cut corners with your protection mechanisms, as you put your business at risk if you connect to the internet without them. Antivirus software and any signature-based security tools must be updated on a regular basis to ensure that the latest forms of malware are identified and removed. Also consider tools that provide additional capabilities such as host intrusion prevention, file integrity monitoring, and web browsing protection. From a network standpoint, many firewalls also have packaged capabilities like network intrusion prevention and malware detection.
3) Restrict personal use of company IT assets and company work on personal IT assets.
Accessing non-work email accounts and social media on company computing assets can increase the likelihood of compromise. Staff should be given clear acceptable use instructions covering their cybersecurity responsibilities and the dangers of accessing websites not related to company business. Malware can be hidden in online games, apps, and email attachments. Staff members using personal assets for work tasks present a different set of risks: unmanaged IT assets may process sensitive work-related information that an attacker can compromise through unknown vulnerabilities, and an employee acting as an insider threat may leave the company with your sensitive business information.
4) Understand and protect your web presence.
Your website and the internet services you use are valuable resources that must be protected. Hackers may attempt to corrupt information on a website or use your computing resources for their own needs (e.g. attack pivoting, distributed denial of service campaigns, or bitcoin mining). Privileged access should be tightly controlled, as this is one of the routes cybercriminals leverage in attacks. Hackers are constantly scanning websites and web services for vulnerabilities and sensitive information. Software on your website should be updated regularly so that it is running the latest versions, vulnerabilities should be assessed, and your security tools and configuration should be appropriately applied. For other web services, such as cloud collaboration tools like Slack or development platforms like GitHub, understand how these services are being used and the potential for data exposure, then ensure the tools are used in a secure way.
5) Be cautious and proactively apply security.
Cyberattacks are becoming increasingly sophisticated, with attack methods constantly evolving and evasion techniques designed to circumvent security tools. Your protection mechanisms may not protect against every strategy attackers use, so you must be prepared for the inevitability of security incidents by proactively planning to manage them. For example, cybercriminals might copy the identity of legitimate businesses and use it to deceive you. Common sense and caution are as valuable as antivirus software when it comes to cybersecurity. Keep your staff aware of cybersecurity risk with regular training, move away from treating security as an afterthought, and consider security in all aspects of your business.
6) Plan for security failures.
Security standards and regulations advise that planning and preparing for an attack are critical. Does your business have the subject matter expertise and resources to manage a cybersecurity incident? If not, do you have a relationship established, or even contacts, with a firm that can assist when such a situation arises? Having a response plan and capability can make the difference between a few days of downtime and significant long-term impact on your ability to do business. Ensure that all incidents and incident response tests include lessons learned and corrective actions so that you are adequately prepared for the next incident.
The threat landscape is constantly changing as business becomes ever more entwined with the internet and technology. Smaller businesses are well known to cybercriminals as being less protected, and steps should be taken to reduce the likelihood of becoming a successful target. Know your threat profile, know your exposures, know your risks, know what you’re protecting, know your regulatory and contractual security obligations, and let CyberSheath help you apply a cybersecurity strategy accordingly.
In addition to these two zero-day exploits, over 100 organizations in North America last month fell victim to a tailored spear-phishing campaign aimed at the retail, restaurant, and hospitality industry. The campaign sent emails that contained variations of Microsoft Word documents with embedded macros. If enabled, the macros would download and execute a malicious downloader called PUNCHBUGGY. PUNCHBUGGY is a DLL that can interact with compromised systems and move laterally across the environment. In addition, PUNCHBUGGY could take advantage of a previously unknown elevation of privilege (EoP) exploit and a point-of-sale memory scraping tool dubbed PUNCHTRACK by FireEye. According to FireEye, in some victim environments, “the threat actor exploited a previously unknown elevation of privilege (EoP) vulnerability in Microsoft Windows to selectively gain SYSTEM privileges on a limited number of compromised machines.”
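The delivery mechanism described above, a Word document carrying a macro that only runs if the user enables it, is something a mail gateway can screen for before the document ever reaches a user. The following is an added example written for this page (not FireEye's or CyberSheath's code) of how that check works on the file format itself: a modern Office file is a zip container, and a VBA project lives in a well-defined part (`word/vbaProject.bin` for Word), while `[Content_Types].xml` declares the macro-enabled content type. The example also flags the mismatch case where a macro part hides inside a file named `.docx`, and treats the legacy binary `.doc` format, which this zip-based check cannot inspect, as needing separate sandbox analysis. The sample documents are constructed in memory so the code runs offline; the placeholder `vbaProject.bin` bytes are not a real VBA project.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy binary .doc/.xls/.ppt containers
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_FREE_EXTENSIONS = ("docx", "xlsx", "pptx")  # by definition these should carry no VBA project


def classify_attachment(filename, data):
    """Classify an attachment as one of:
    'ooxml-macro'  : zip-based Office file that contains a VBA project
    'mismatch'     : VBA project inside a file whose extension promises no macros
    'ooxml-clean'  : zip-based Office file with no VBA project
    'legacy-ole'   : binary Office format; cannot be inspected here, send to sandbox
    'not-office'   : not an Office container at all
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    has_macro = any(part in names for part in MACRO_PARTS) or "macroEnabled" in content_types
    extension = filename.lower().rsplit(".", 1)[-1]
    if has_macro and extension in MACRO_FREE_EXTENSIONS:
        return "mismatch"
    return "ooxml-macro" if has_macro else "ooxml-clean"


def make_docx(with_macro):
    """Build a minimal constructed OOXML container in memory for the demonstration."""
    main_type = ("vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" '
                    f'ContentType="application/{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real VBA project is an OLE stream.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not a real VBA project")
    return buf.getvalue()


# Constructed inbound attachments: filename and raw bytes.
SAMPLE_ATTACHMENTS = [
    ("invoice.docm", make_docx(with_macro=True)),
    ("memo.docx", make_docx(with_macro=False)),
    ("report.docx", make_docx(with_macro=True)),   # macro part under a .docx name
    ("old.doc", OLE2_MAGIC + b"\x00" * 16),
    ("notes.txt", b"hello"),
]


def triage(attachments):
    """Return (filename, verdict) for every attachment that should be held for review."""
    held = []
    for name, data in attachments:
        verdict = classify_attachment(name, data)
        if verdict in ("ooxml-macro", "mismatch", "legacy-ole"):
            held.append((name, verdict))
    return held


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"hold {name}: {verdict}")
```

Checking the container rather than trusting the extension matters because the user-visible name is entirely under the sender's control; the content type and the presence of the VBA part are not.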
Microsoft and Adobe have both released patches for all vulnerabilities: CVE-2016-0168, CVE-2016-0167, and CVE-2016-4117. If you haven’t downloaded and installed the recent fixes, please do so as soon as possible.
CyberSheath can help protect your assets. Contact us to learn more about our thorough information security assessments and other security-related program development.
According to the latest Kaspersky Labs report, financial institutions have had approximately $1 billion (£648 million) stolen in a series of cyberattacks that started in 2013 and is still ongoing. The report identifies a cybercriminal group named “Carbanak” with members from Russia, Ukraine, and China. Carbanak is also suspected of being the group behind the major retail breaches at Bebe Stores, Sheplers, and Staples. Carbanak leveraged well-known vulnerabilities in Microsoft Office in nearly all of its attacks against financial institutions. The average attack was carried out over a period of 2 to 4 months, compromised 100+ internal systems, and resulted in up to $10 million in stolen financial assets.
“Advanced control and fraud detection systems have been used for years by the financial services industry (…) However, these focus on fraudulent transactions within customer accounts. The Carbanak attackers bypassed these protections by, for example, using the industry-wide funds transfer (the SWIFT network), updating balances of account holders and using disbursement mechanisms (the ATM network). In neither of these cases did the attackers exploit a vulnerability within the service. Instead, they studied the victim’s internal procedures and pinpointed who they should impersonate locally in order to process fraudulent transactions through the aforementioned services. It is clear that the attackers were very familiar with financial services software and networks (…)”
The Kaspersky Labs Report
The big takeaway from this report is that spear phishing attacks and old exploits (for which patches have already been released) remain effective against medium to large sized companies. Most businesses are simply not set up to defeat skilled attackers, as most of their cybersecurity is built around compliance or, to put it more simply, to combat auditors and regulators. To sufficiently protect competitive customer advantages and shareholder value, businesses must adapt their approach to cybersecurity to keep pace. In our experience at CyberSheath, businesses that take a sustained approach to cybersecurity also take better advantage of the latest innovative technologies in mobile, social media, and cloud, which help a business maintain its competitive edge and drive growth.
This post will be broken into multiple parts…taking readers through my experience from the customer side of the equation and how to derive real value out of security assessments.
Before I get too far into this posting let me provide a disclaimer similar to a financial pundit who has to disclose the stocks he/she owns as they pontificate on the merits of said stocks. DISCLAIMER: One of the services my company sells is assessment services and I think they are invaluable, not because I sell them but because in past lives I’ve used them to literally transform the organizations I was leading. Assessments tell you where you are and provide the map that will get you where you want to go.
Security professionals share a common trait: they all have more work than resources, and that is not likely to change anytime soon. So every day is spent fighting fires and you end up “living” on the hamster wheel of security. Fun, right? Because there is always so much to do, it’s difficult to know what to do first, then second, then third… so that eventually you have strung together a series of investments that measurably improve your security posture. More likely than not you will make a series of investments in response to a series of crises and probably not have the time or system of management in place to measure the effectiveness of those investments. Assessments can change that paradigm, permanently and for the betterment of your entire company, if you do them correctly.
The assessment is not an audit so don’t describe it that way; socialize it appropriately with your management and your team. How? Every culture and set of circumstances is different but something along the lines of, “We’ve got a good understanding of what we need to do in security to better align with the business and we are using this assessment to validate that thinking and create a multi-year investment strategy that will drive measurable improvement as opposed to the one off point solution improvements.” If this assessment is going to be transformative you need to build support before it starts and ultimately you will have a burning platform off of which you can launch your strategy. The assessment is a tactic that will enable the execution of your strategy.
Don’t do the assessment yourself; you won’t have the time to do it justice, and somehow having a third party conduct the assessment is always more effective. When you select a third party, make sure they invest the time to know what you want to get out of this assessment. Lots of mediocre companies can produce assessments that follow a boilerplate template and answer all of your obvious questions, leaving you no better off than where you started and a little poorer. Take time up front to write a statement of work that forces your provider to deliver real value and not just a 100 page report. What’s real value?
In my next post I’ll take you through my experience as a customer and how I derived transformational value from security assessments, multiple times…
Security assessments can be of transformational value for your organization or they can be shelfware; the determining factor in what you end up with is a matter of leadership and strategy. Here is just one example of how an assessment can be transformational.
Several years ago I came into an organization with 5 separate security silos, all reporting independently of one another with almost no unifying set of objectives or control framework. One thing all 5 groups had in common was their belief that “the business just doesn’t get it”, it being security. When the 5 “families” got together the debate was fierce, discussions academic and action towards improvement nonexistent. If only we had more money, more tools, more people, more, more, more… then and only then could we be effective. I’m simplifying the story a bit to fit into a blog posting, but not by much.
Having the advantage of being new to the organization I recognized that part of the problem with the state of security was security. If you listened to the groups the sky was falling but they had no data to support their assertions. They had no way to demonstrate, with facts and figures, that the company was taking on more risk than was reasonable.
We needed a quantifiable way to give the business actionable data and let them come to the right conclusions around investments in the security arena. So with my enormous team of 1 which eventually grew to 3 (including me), we set out to educate the business as to the risks they were taking and make the company more secure. It’s not an exaggeration to say that the effort to transform security at a global Fortune 500 company began with 3 people and an assessment.
We knew that we needed a way to measure security, and to do that we had to select a control framework that could withstand scrutiny and provide an actionable baseline against which we would measure improvement year over year. The two candidates were NIST and ISO, and there were passionate arguments for and against each. In my opinion, this is an area that can be “overthought”, meaning you can always change your mind later, but the most important thing is taking action now. In fact, we did exactly that by selecting ISO and then reverting to NIST.
Contrary to what many people might think the next step was not to start the assessment. For the assessment to be effective the business would have to understand how and why it was important to their business and making them ISO or NIST experts was not in the cards. We had to select the parts of ISO and NIST that were relevant to the business from a regulatory compliance perspective. The business understands compliance, be it with HR (Employment law), workplace safety (OSHA), finance (SOX) and or any other functions that support the business. Security, however, had never taken the time to map the work they were doing back to regulatory requirements in a language the business could understand.
So we set out to do that mapping, long before we started engaging vendors to do an assessment. In my next post, I’ll share some of the challenges with doing the mapping and how we ended up selecting a vendor.