Who’s Been Playing Solitaire on the Domain Controller?
It’s a classic scene. You’re sorting through the attic and you end up browsing through old memories: photos from a forgotten road trip, souvenirs, and trinkets from your world travels, old board games you bought in a flash of excitement and only played once. Things you once loved, but that now sit unused, gathering dust and taking up space.
In the workplace, computer systems often end up cluttered in the same way. We end up with stacks of unnecessary software sitting around in files and folders where we’ve long stopped looking. But unlike the charming, nostalgic relics lying around the attic, that unused software sitting on your computer might be leaving you open to danger in the form of vicious cyberattacks.
Cybercriminals are constantly looking for ways into your systems. Browsers (Firefox, Chrome, Edge), plug-ins (Java, Adobe Flash, Silverlight) and miscellaneous applications (games, messaging apps, and so on) are well-known targets for malware and exploit kits, particularly when they are out of date, and every installed program you are not patching is one more way in.
This raises the question: how many useless apps are lying around on your system right now, putting your business at unnecessary risk? Here’s how to find out, and what to do about it…
Inventory Your Software Assets
The first step is to dig through your systems and figure out what’s absolutely necessary — and what’s not. If you have a contract that requires compliance with DFARS 252.204-7012, a software inventory is required, but further, it’s just common sense: You have to know what you have before you can protect it.
Nowadays, there’s an app for everything. Chances are that you and your employees have loaded up on them in an attempt to find more efficient ways to manage time, stay connected, or even have more fun at work.
That schedule management software you downloaded may have seemed useful at the time, but if it’s no longer in use then it’s time to send it to the trash.
Any piece of software not essential to your business should be considered potentially harmful and promptly cleared from your system. Delete software installers, remove unnecessary browser add-ons and extensions, and of course, make sure to update any apps that will be sticking around.
Eliminate Redundant Apps
There are so many solutions available for every problem that you’ll often discover you have several applications doing the same job. Figuring out what pieces of software are currently being used to solve the same problem can help you see where you need to cut the fat.
Do you need three browsers, or would one be sufficient? If you’re using Google Hangouts for video conferencing, do you need to have Skype on your system as well?
It’s also a good idea to take a look at the software that was already installed on a device when you took it out of the box. Many new computers, tablets, and mobile devices come pre-packaged with third-party software, known as bloatware, that the vendor includes to increase its own revenue.
If you have bloatware on your systems, you might find that many of these extra apps have sat unused since day one. And some bloatware behaves like spyware, sending information about you and your system to outside agents without your knowledge. If they’re not currently in use, or they’re performing simple functions you can do through more essential applications, consider getting them off of your systems ASAP.
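As an added example (this is not code from the original post), the following PowerShell script builds the inventory described above from the Windows uninstall registry keys, saves it to CSV, and flags two things the post calls out: legacy plug-ins that should not be present at all, and categories where more than one product is installed. The product-name patterns and the output path are assumptions to adjust for your environment.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell session
# on the host being audited. The name patterns below are assumptions; adjust for your estate.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# One object per installed product; entries without a DisplayName are updates or components.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString |
    Sort-Object DisplayName -Unique

# Keep the raw inventory; it is the artifact an assessor will ask for.
$csv = Join-Path $env:TEMP "$env:COMPUTERNAME-software-inventory.csv"
$installed | Export-Csv -Path $csv -NoTypeInformation

# Legacy plug-ins the post names as frequent exploitation targets (regex, case-insensitive).
$legacyPlugins = 'Adobe Flash Player', 'Microsoft Silverlight', 'Java \d+ Update', 'Java\(TM\)'

# Categories where a second product is redundancy worth questioning (assumed product names).
$categories = @{
    Browser      = 'Google Chrome', 'Mozilla Firefox', 'Microsoft Edge', 'Opera'
    Conferencing = 'Skype', 'Zoom', 'Webex', 'Hangouts'
}

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($app in $installed) {
    foreach ($pattern in $legacyPlugins) {
        if ($app.DisplayName -match $pattern) {
            $findings.Add([pscustomobject]@{
                Finding = 'Legacy plug-in'
                Name    = $app.DisplayName
                Version = $app.DisplayVersion
            })
        }
    }
}

foreach ($category in $categories.Keys) {
    $regex = ($categories[$category] | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $hits  = @($installed | Where-Object { $_.DisplayName -match $regex })
    if ($hits.Count -gt 1) {
        foreach ($hit in $hits) {
            $findings.Add([pscustomobject]@{
                Finding = "Redundant $category ($($hits.Count) installed)"
                Name    = $hit.DisplayName
                Version = $hit.DisplayVersion
            })
        }
    }
}

"Inventory: $(@($installed).Count) products written to $csv"
$findings | Sort-Object Finding, Name | Format-Table -AutoSize
```

The uninstall keys only cover software that registered an uninstaller; portable executables, per-user installs under other profiles, and browser extensions do not appear there, so treat this list as the starting point for the inventory rather than the whole of it.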
Sometimes system clutter grows out of control simply because too many people have been given the green light to install whatever they please. For this reason, it’s best to take a tougher approach to access privileges.
Keeping your systems clean and organized is much easier when fewer people can install software. Remove local administrator rights from everyday user accounts so that installing anything requires an administrator, and consider application control (allow-listing) so that only approved software runs at all. Monitor who is adding new applications and require a business justification for each one. Finally, disable and then remove dormant accounts, since attackers routinely use them to get a foothold and install malware without anyone noticing a new login.
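As an added example (not code from the original post), this PowerShell script covers the two checks above: who is able to install software on a host, and which domain accounts have gone dormant. It assumes the ActiveDirectory module (RSAT) is available and that the session can read group membership; the 90-day threshold is a policy choice, not a figure from the post.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module (RSAT)
# is installed and the session can read group membership; the 90-day threshold is a
# policy choice, not a value from the post.

$dormantAfter = [TimeSpan]::FromDays(90)

# 1. Who can install software on this host: every member of the local Administrators group.
#    Everyday user accounts should not appear here; installation rights belong to admins only.
'--- Local Administrators on {0} ---' -f $env:COMPUTERNAME
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Enabled domain accounts with no logon inside the threshold: the dormant accounts the
#    post says attackers reuse. Review the list with HR and IT before acting on it.
$dormant = Search-ADAccount -AccountInactive -TimeSpan $dormantAfter -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

'--- Enabled accounts inactive for {0} days: {1} ---' -f $dormantAfter.Days, @($dormant).Count
$dormant | Format-Table -AutoSize

# 3. Disable rather than delete, so a mistake is reversible and the audit trail survives.
#    -WhatIf only reports what would change; remove it to enforce.
$dormant | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Two caveats when reading the output: LastLogonDate comes from the replicated lastLogonTimestamp attribute, which can lag a real logon by up to 14 days, so treat it as "not seen in at least this long" rather than an exact date; and service accounts that authenticate in unusual ways may look dormant, which is why the list is reviewed before anything is disabled.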
Get Superior Protection Today
If cleaning house feels like a major job, it’s time to call in reinforcements! CyberSheath’s comprehensive managed cybersecurity services can help you to conduct a professional software risk assessment, simplify your systems, and save you from putting your business at unnecessary risk. Contact Us now to find out how.
Companies are becoming increasingly enamored with the advantages offered by cloud computing. However, many mistakenly assume that once you upload your data, it’s up to the cloud service provider (CSP) to keep it all safe and sound. In reality, most CSPs use what’s known as a shared responsibility model for security, meaning that only certain aspects of your cybersecurity plan are their responsibility. Ultimately, YOU are responsible for the security of YOUR data.
With cybercriminals attacking from every direction, it’s your responsibility to prevent misunderstandings that might lead to damaging data breaches. For this reason, having a full picture of the risks associated with your chosen CSP, along with a clear agreement on roles and responsibilities, is paramount if you hope to keep your sensitive data protected.
Review Your Security Documentation
In the excitement of exploring the capabilities of the cloud, it’s easy to be less than thorough in your assessment of your CSP’s security practices.
However, you need to be sure that your CSP is employing industry-leading incident response tools, consistently auditing its security systems, rigorously testing for weaknesses, and protecting against emerging threats. You can do this by taking a look at your provider’s System Security Plan (SSP).
Reviewing an SSP is the most accurate way to assess the security controls your CSP is implementing. As the main document in a security package, an SSP gives you a detailed report on security protocols and highlights any gaps that may need to be addressed.
If you have a contract that requires compliance with DFARS 252.204-7012, then a CSP that stores, processes, or transmits covered defense information must meet security requirements equivalent to the FedRAMP Moderate baseline and support the government’s cyber incident reporting and response requirements.
Doing your due diligence and insisting on independent attestations and certifications, such as a SOC 2 Type II report or PCI DSS compliance, gives you evidence, rather than just assurances, that your CSP’s controls have been audited and are operating as described.
Treat the Cloud like It’s Your Home
Some businesses are under the illusion that, since the cloud is not an on-site system, it doesn’t need to be treated in the same way they’d treat their personal systems. If you’ve made that mistake, then it’s imperative that you start viewing the cloud like the extension of your business it truly is.
It’s critical to be proactive in this regard, as opposed to waiting for a problem to occur and then addressing your security gaps. In the same way that you don’t allow every employee unrestricted access to your in-house systems, it’s essential to manage and control access to the cloud within your company.
Create written guidelines that specify who can use which cloud services, what data can be stored there, and for which purposes the cloud is to be used. Train your staff on the risks of cloud use and make sure they are aware of the latest trends in cybercrime that affect cloud users.
Encrypting the data you move to and from the cloud is also an absolute must. Take particular care that data is encrypted in transit (TLS with current protocol versions and cipher suites), when it is most exposed. Also, verify that your CSP encrypts your data at rest and on backup media, and find out who holds the encryption keys: if the provider holds them, the provider (and anyone who compromises it) can read your data.
In short, make sure you’re treating the cloud like you would your own home. Lock the doors, turn on the alarms, and train yourself on how to respond to emergencies, so you can sleep easy knowing you’re adequately protected.
Stay Alert About Your Cloud Vendor
The world of cybersecurity moves quickly and, in the event that there’s a breach or a threat concerning your specific vendor, it’s best that you know as soon as possible. If your cloud provider has security alerts, make sure you have notifications enabled, and check resources such as the US-CERT for announcements about threats that have been reported.
Looking for Secure Cloud Solutions?
If you want to stay ahead of developing cyber threats and you’re wondering how to implement strong security measures for your cloud services, let the cloud experts help you. CyberSheath’s cloud solutions are second to none, so contact us now and let us give you a helping hand to keep your business secure.
The demand for cybersecurity talent far outstrips the supply at present, and that is likely to continue for the foreseeable future. This demand has created more opportunities than ever before for those interested in a career in cybersecurity.
That said, many aspiring cybersecurity professionals are left wondering how to make the transition. Where do I start? What should I read? Should I get certified? What qualifications do I need? These are just some of the questions I’m frequently asked by Uber drivers, waiters, and a host of other people looking to make the jump.
The good news is that, if you’re willing to put in the sweat equity and spend your free time working hard to learn what you need to know, there is a clear and rewarding path to your goal.
I’ve helped dozens of people get into cybersecurity over the years, largely by sharing my own personal experience of career transition. I’ve introduced people to potential mentors, pointed them towards self-paced educational tools and, many times, allowed them to use CyberSheath training resources at no cost.
In fact, one of the greatest joys of working at CyberSheath for me is being able to give smart, motivated people the opportunity and the tools to make career transitions, and then watching them go on to great success in their new field. We have dozens of these success stories, so read on if you’d like to be one of them…
First, you must have initiative and drive. If you need to be spoon-fed instructions, you make excuses, or you’re too busy with work, life, school, kids, etc., then you’re simply not going to be able to put in the blood, sweat and tears needed to make this transition. If, on the other hand, you can think for yourself and you’re willing to do whatever it takes to make it work, you’ll likely find yourself reaping the rewards in no time.
Read incessantly and voraciously. If you’re looking for the magical reading list that will transform you into a cybersecurity pro, well…there isn’t one. Just take the initiative, pick up a book, and then pick up another, and read everything you can about cybersecurity.
You’ll have a slew of acronyms to learn, along with vendor jargon and security concepts, so any reading material that helps you to become familiar with these basics will give you a good foundation on which to build your cybersecurity knowledge. Vendor marketing materials, product installation manuals, blogs, research reports, and security frameworks are a great place to start.
You can’t become a security practitioner without practice. Set up a lab with whatever resources you can cobble together and do something, anything — it doesn’t matter what at this stage. If you’re stuck for ideas, there are endless online resources to help you get started.
I personally started in cybersecurity by approaching a company owner and convincing him that if he trained me, I could be a great employee. He provided the training, including the lab equipment and training materials, and I provided the sweat equity.
That was almost 20 years ago and nothing has changed. CEOs and company executives are still willing to invest in motivated people who are taking the initiative to better themselves. In fact, just like me, many of them will be happy to help if asked.
If you’re willing to take the steps outlined above, then you have the ingredients required for a successful career transition. If you’d like help making that transition, contact us today to learn about CyberSheath’s cybersecurity training and education resources.
On December 31, 2017, the deadline passed for defense suppliers to comply with NIST 800-171, a requirement specified in Defense Federal Acquisition Regulation Supplement 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
This mandate attempted to ensure a higher standard of security controls surrounding the processes and procedures for protecting controlled unclassified information (CUI). As defined by the National Archives, CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
Confused? You’re not alone! Assessing what is and what isn’t CUI, as well as navigating the complex and potentially costly road to compliance, has left many contractors struggling to stay on schedule. Although the deadline has passed, a large number of companies are still standing around scratching their heads, wondering how to proceed.
Consequences of Non-compliance
Non-compliance is not going to be acceptable for much longer. NIST 800-171 requires a System Security Plan (SSP, requirement 3.12.4) and a Plan of Action and Milestones (POA&M, requirement 3.12.2), and submitting these lets a company document how it will bridge the gap while the work is still under way, but it is also reasonable to expect that the U.S. Government will soon begin to terminate contracts that fail to meet the requirements. Defense prime contractors will also begin to terminate non-compliant subcontractors and suppliers to avoid having to report themselves as non-compliant.
Because so many companies have fallen behind, those that have achieved this rare milestone will have positioned themselves to receive the lion’s share of future defense contracts. Simply put, if companies want to remain competitive, they must move as quickly as they can to get on track or risk falling behind their competition.
If your company has fallen behind, don’t get discouraged. The path to compliance is a confusing one, but it’s possible to find your way. Start by taking the following steps…
1. Define CUI
CUI is situation-specific and can be tricky to assess. In some cases, the information that needs to be protected is specified in the awarded contract. However, most of the time the definition is unclear.
The DFARS clause’s own definition covers CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” Information that contractors have created or received but that is not marked may also need to be appropriately safeguarded. Identifying what needs to be protected is the first step.
2. Identify where it lives
The next step is to figure out exactly where the CUI is being stored, processed, or transmitted from so that you know which systems need to be secured.
Creating a Data Flow Diagram (DFD) is a helpful way to begin figuring out how CUI is traveling through your network. It could also be useful to create a network diagram to identify what controls you already have in place that are effectively safeguarding your CUI. Together, these tools can help you identify the weak points you’ll need to address to close the gaps in your systems.
3. Document your progress
Having identified CUI and where it lives, you should now begin the process of referring back to NIST 800-171 to figure out the controls you will need to put into place.
As you forge ahead in making these updates, it’s critical to document what you’ve changed, how it will improve security, what controls are not applicable to your current situation, and why they won’t be needed.
This process will create a record demonstrating your ability to assess and safeguard sensitive information, moving you closer to your ultimate goal of declaring full compliance with the DFARS/NIST 800-171 mandate.
Your Competitors are Working on Compliance — Are You?
If you’re not currently working towards meeting the DFARS/NIST requirements, rest assured your competitors are! The window for implementing this essential security update is closing rapidly, so don’t lose your competitive edge — contact us now for a free consultation on achieving your compliance goals.
As cyber-attacks become more frequent and sophisticated, tighter security has become a priority for the federal government. Enforcement of Controlled Unclassified Information (CUI) protection continues to intensify, and private contractors and organizations are now required to upgrade their cybersecurity systems and overall procedures to keep up with these increasing threats.
On April 24, 2018, the Department of Defense (DoD) issued draft guidance for assessing contractors’ System Security Plans (SSPs) and their implementation of the security requirements in NIST Special Publication (SP) 800-171. If you’re a defense contractor, you’re required to comply with DFARS 252.204-7012 and provide “adequate security” for networks where covered defense information (CDI) is processed, stored, or transmitted.
DoD issued two draft guidance documents. The first, “Assessing the State of a Contractor’s Information System,” addresses four objectives: what must be in an RFP, how the source selection authority would evaluate the requirement, what resources are available for that evaluation, and the contract provisions that will be needed to implement the requirement during performance. The second, “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” was developed to assess the risk that an unimplemented security requirement poses to an information system, and which of the unmet requirements should be prioritized.
What Does “Adequate Security” Mean?
At a minimum, defense contractors must implement the requirements in NIST SP 800-171. Contractors need to provide an SSP documenting how each requirement is implemented, and a plan of action and milestones (POA&M) describing how, and by when, any unimplemented requirements will be met.
Unimplemented Controls Receive a Value Rating
NIST 800-171 comprises 110 security requirements covering policies, procedures, and technical controls. DoD has decided to assess the risk of unimplemented requirements by assigning each a “DoD Value” from 5 (highest impact on the security of the system) to 1 (lowest impact). These values are derived from the priority codes NIST assigns to the NIST SP 800-53 Revision 4 security controls, which are used for federal information systems and form the basis for NIST SP 800-171.
Non-Compliance is Not an Option
DoD’s 2018 draft guidance is already moving toward full enforcement of compliance. Compliance failures can lead to consequences more serious than a data breach. Failure to comply with DFARS can expose contractors to penalties from the United States Government (civil, criminal, contractual, and administrative actions) and to actions for damages from individuals and private organizations harmed by the non-compliance.
- Bid Protests: While SSPs and POA&Ms are important for determining “adequate security,” exactly what part they will play in bid protests is still unclear. After reviewing implementation status during the pre-award stage, DoD can make an acceptable or unacceptable determination and decide whether the contract should be awarded; another option is to evaluate implementation as a “separate technical evaluation factor.” During the pre-award process, contractors may protest a solicitation whose treatment of NIST SP 800-171 implementation is inconsistent with DoD’s guidance. After award, disappointed offerors may consider challenging the award where the assessment of the protester’s or awardee’s implementation of NIST SP 800-171 is inconsistent with the guidance documents. If DoD notices inconsistencies between your actual implementation of NIST SP 800-171 and your SSP and POA&M, it could award the contract to another contractor. During 2018, protests over contracts awarded to higher-priced bidders were decided in part on cybersecurity compliance and on employing more than the minimum security requirements in NIST SP 800-171.
- Termination Risk: The accuracy of your SSP and POA&M, along with proof that you are moving toward full compliance, is crucial. To support an accurate evaluation, the draft guidance states that solicitations and contracts must include contract data requirements lists (CDRLs) to “require delivery of System Security Plan and any Plans of action after contract award.” Once the SSP and POA&M are contractual deliverables, failing to complete the planned work, or delivering an SSP that does not accurately state the implementation status of the contractor’s cybersecurity, may provide a basis for termination.
- DCMA Audits: DoD has recently stated that, as part of its audit function, DCMA will confirm that every contractor has an SSP and POA&M. However, DCMA will not be analyzing whether the SSP fully complies with the NIST 800-171 security requirements, and it is unknown at this point whether DCMA will leverage any of DoD’s guidance in its review.
- False Claims Act: If a contractor is audited by DoD and found not to have implemented DFARS/NIST 800-171, the contractor can be on the receiving end of numerous penalties. For example, if your SSP misrepresents your actual cybersecurity status, DoD can bring an action based on fraud, which is a False Claims Act violation. DoD may also be able to prove that the original SSP was key to the Department’s award decision. If DoD’s argument is successful, your earnings under the original contract are at risk, along with the reputation of your organization.
Make Compliance a Priority Before it’s Too Late!
At CyberSheath, we know that implementing these new security controls can seem like a daunting undertaking. We’ve successfully assessed and implemented the required NIST 800-171 controls for leading organizations in the defense industrial base supply chain.
Do a search for video games and information security and you will find countless comparisons to how these two seemingly disparate fields go hand-in-hand. I really like this article from last summer, as it examined not just video games, but organized sports and their influence on information security experts. In today’s world, video gaming is a billion-dollar industry, there are professional video gamers, amateur video gamers who record their reviews, critiques, and tips and put them on YouTube, and then there are the professionals (like me) who unwind from their day by playing a few rounds of Turning Point in Star Wars Battlefront.
While video games may heavily influence the world we live in, there are two specific video games that I think will help make your security program stronger. I will now explore how these can relate to your organization.
First: The Games
There are two specific games that I am going to be referencing. If these aren’t your cup of tea, no problem; they follow the same basic elements of many of the first-person shooter multiplayer games. Substitute your favorite.
EA/DICE’s Star Wars Battlefront
This game, released in November 2015, was a major hit, with 13 million units sold worldwide by the end of 2015. Players fight as rebel soldiers or stormtroopers who square off against each other in a massive Star Wars environment.
EA/DICE’s Battlefield 4
This game, released in 2013, is one of the more popular military simulation first-person shooter games. Players assume the role of a soldier and face opponents kitted out with similar equipment. The in-game environment is set in a fictional conflict between China, Russia, and the US in the near future.
Second: How this Relates to Your Security Program
Both of these games, while simple in concept, require quite a bit of strategy and maneuvering of your in-game character to get a better position, a better vantage point, that puts you in control of the board. To do that, you need a roadmap and some general tips. Here are three tips and how they relate to your security program:
Playing the Objective/Security is Everyone’s Responsibility
In multiplayer games, especially Battlefront and Battlefield 4, there is a term that is commonly used: PTFO. PTFO, if you haven’t guessed it, is Play the [EXPLETIVE] Objective. What this means is work with your team to take over control points to gain a stronger position within the board.
As security professionals, we understand, live, and breathe security. Our teammates in IT, HR, and accounting might not have that same deep understanding. Our desire is for everyone to play the objective, ensuring customer data, corporate data, assets and the network are secure. This is how security programs should be built, with a common objective in mind that all players can strive to capture.
Playing the objective requires teamwork. It is near impossible to be successful in Battlefront and Battlefield without the support of your team. Security for your organization is not possible without cooperation and teamwork. Security is everyone’s responsibility. As such, it is important to have a robust awareness and training program to drive home the concept of security. With security awareness, your teammates in HR, IT and accounting will receive the same basic security knowledge, understand what the threats are to your organization and what to do about it when an attempted intrusion occurs.
Know Your Strengths and Weaknesses
In Battlefield 4, you are given the option to play as an assault class, engineer class, support class or recon class. Each class has its own strengths and weaknesses, but choosing your character should be done for the good of the team. The assault class has the ability to provide revives and medical kits, while the engineer is great at repairing and destroying vehicles. Support players have the ability to supply other teams with ammunition and recon provides the ability to play overwatch and spot enemy targets.
In security, it is essential to know your strengths and weaknesses. Every decision and choice around security has to keep two things in mind: How does it improve security and how does it impact the business? In Battlefield 4, your character class choice should both benefit the team and draw upon its strengths. Are you playing a map with lots of vehicles? Then the engineer is your best choice. Lots of assault class characters on your team? Then support class is the way to go so they don’t run out of ammo. In security, your ability to build a functional security program relies on knowing which tools are weak, who among your personnel are strong in security and how the general corporate populace feels about security initiatives. To help identify the strengths and weaknesses, it is best to utilize an information security assessment. This will identify where you stand against a security framework and give you something to work towards and shore up those weaknesses and begin playing the objective.
Avoid Camping and Tunnel Vision/Avoid Security Complacency
Battlefront and Battlefield 4 are extremely active games. Everyone is moving about. Stand in one place for too long and an enemy sniper will take you out. Stare down your scope with tunnel vision and you are likely to miss the enemy stormtrooper sneaking up on your right. Camping is the term used in these games for players who sit in one spot. It can detrimentally affect the game, especially if the camper is sitting near a spawn location. In security, organizations have to avoid camping out and becoming complacent. Complacency is dangerous. Organizations that only check the box and rely on tools, or that focus all their efforts on meeting regulatory requirements, are at risk of developing security complacency. For example, all of your attention is focused on meeting PCI requirements, while the two hundred other, non-PCI systems that are just as vulnerable are forgotten.
I see this quite frequently in a game mode in Star Wars Battlefront called Walker Assault. The premise of the game mode is simple; rebels have to activate uplink stations to call in a bombing run against the AT-AT Imperial Walkers, while the stormtroopers have to shut them down. Typically what happens in game, all the focus and attention is directed at one uplink station, leaving the other unguarded and vulnerable. While it may feel like you are playing the objective, in reality, it is only partially playing the objective. In real life, security should be applied across the board. While there might be critical systems that get addressed first, every system should initially be treated equally at a base level. In Walker Assault, players should really team up and defend or attack the uplink stations equally.
Knowing how and when to apply security across your organization is key to having a strong program. Planning goes a long way, identifying which systems are critical, which tools should be applied and how to implement security tools with minimal impact to business function are issues that security professionals tackle every day. This keeps your security organization moving and active. No camping and no complacency. The security team should be following a daily plan to ensure the success of the program.
Whether you are an active gamer or haven’t picked up a controller, the security principles described in this post apply broadly. Making security relatable and accessible will drive home the importance of it. As I have said, security is everyone’s responsibility. Your program has to give the teammates the tools to be successful. Whatever state your security program is in, CyberSheath can help you capture the objective and secure your assets.
How Can CyberSheath Help Your Organization?
CyberSheath will work with your organization, large or small, to help secure your valuable assets. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.