
With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks. 

CyberSheath can help. We offer services to build on all the great work you have already done to safeguard your information and your IT infrastructure. 


What these services are and why you need them

Anti-spam and phishing protection

Your organization needs to guard against threat actors delivering unwanted email and luring people into dangerous actions, such as downloading and installing malicious applications or typing their credentials into a look-alike login page. To limit the ability of these threat actors to reach your employees' inboxes, you need the right anti-spam and anti-phishing tooling with the right settings in place.

Solution: Microsoft Defender for Office 365 helps stop phishing attacks. It is the email and collaboration component of Microsoft 365 Defender, Microsoft's XDR suite, which correlates threat data across email, endpoints, identities and cloud apps to build a complete picture of each attack in a single portal. Defender for Office 365 comes in two plans. Plan 1 provides the protection policies (Safe Attachments, Safe Links, and anti-phishing with impersonation protection and spoof intelligence) plus real-time detections. Plan 2 layers on automated investigation and response (AIR), Threat Explorer for hunting, and Attack Simulation Training for user education.

Endpoint detection and response (EDR)

An important step in protecting your network is securing all your endpoints, including servers, individual workstations, and remote laptops. There are many ways these nodes can be compromised, paving the way for a threat actor to install ransomware on one of them, encrypt critical files, and use that foothold to spread to the rest of the network.

Solution: Microsoft Defender for Endpoint combines next-generation antivirus with EDR so your team can minimize the damage to your environment. The antivirus layer blocks known malware by signature and uses heuristics, behavior monitoring and cloud-delivered analysis to stop programs that act maliciously even when no signature exists yet. The EDR layer records process, file, network and registry activity from every onboarded device, giving you visibility into suspicious or anomalous behavior and the ability to hunt across the fleet. If malware does land on an endpoint, Defender for Endpoint can isolate that device from the network (while keeping its own connection to the Defender service) so the infection cannot spread or reach its command-and-control server.

Domain Name System (DNS) filtering

The next step in securing your infrastructure is to restrict access to domains serving potentially dangerous content. Problems arise when a user mistypes an address or follows a link and lands on a look-alike domain impersonating a legitimate site, when a compromised site silently redirects visitors to an exploit kit, or when an ad network used by a frequently visited site is compromised (malvertising).

Solution: Cisco Umbrella provides DNS-layer filtering against these threats. Every DNS lookup from a protected device or network is resolved by Umbrella, which checks the requested domain against continuously updated threat intelligence and returns the address of a block page instead of the real address for domains known to host malware, phishing or command-and-control infrastructure. The default resolvers supplied by an ISP or configured on a router do not perform this check.

Email, endpoint, and DNS controls reinforce one another: mail filtering stops most malicious messages before delivery, DNS filtering keeps links that do get through from resolving, and EDR catches and contains whatever is executed anyway, so employees don't download anything harmful and nothing compromising is reached. Even though the tools come from different solution providers, they coexist without conflict.

Our skilled team can install, configure, and monitor any of these tools. Contact us today to get started.

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.


What is DNS filtering and why do you need it?

Domain Name System (DNS) filtering is a control that blocks the resolution of domains known to serve malware, phishing pages or other harmful content, so the connection to the dangerous site is never made. It covers cases where a user follows a link or mistypes an address and lands on a look-alike domain, where a legitimate site has been compromised to redirect its visitors, or where ad servers used by a frequently visited site are serving malicious content.

Cisco Umbrella can help

Cisco Umbrella provides DNS-layer filtering against these threats. It resolves each DNS query against continuously updated threat intelligence and refuses to return the real address for domains known to be malicious; the default resolvers from an ISP or home router do not do this. With many team members working from home these days without the protection of the corporate firewall, DNS filtering is particularly important. The Umbrella roaming client installed on an endpoint, whether a laptop or other workstation, applies the same policy wherever the device connects, so when that user tries to reach something potentially harmful, the request is blocked before any connection is made.

If a phishing email with a dangerous link gets through, Cisco Umbrella can stop the recipient from reaching a site that redirects to, or directly serves, a malicious payload. Threat actors also rely on command and control (C2). Once a team member runs something that looked innocuous, the implant resolves a domain to find the attacker's C2 server and then checks in at regular intervals (beacons) for instructions. Because Umbrella sees every DNS query in real time, it can block the resolution of known C2 domains, cutting off those communications and leaving the implant unable to receive commands or exfiltrate data over that channel. Implants that use hard-coded IP addresses or tunnel their traffic inside DNS itself need additional controls, such as firewall egress filtering and DNS-tunneling detection.
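The two detections described above, a lookup of a known-bad domain and the regular check-in rhythm of a C2 beacon, applied retrospectively to resolver logs. This is an added example written for this page, not code from CyberSheath or Cisco: the log format, the client addresses, the domain names and the blocklist are all constructed stand-ins for a real resolver export and a threat-intelligence feed.

```powershell
# Constructed blocklist (stand-in for a threat-intelligence feed).
$Blocklist = @('login-microsoft-support.example', 'fastnet.example')

# Constructed log lines: <epoch seconds> <client IP> <queried name>.
$LogLines = @'
1700000000 10.0.0.12 www.contoso.com
1700000005 10.0.0.12 cdn.login-microsoft-support.example
1700000300 10.0.0.12 beacon.updates-cdn.example
1700000600 10.0.0.12 beacon.updates-cdn.example
1700000901 10.0.0.12 beacon.updates-cdn.example
1700001199 10.0.0.12 beacon.updates-cdn.example
1700001501 10.0.0.12 beacon.updates-cdn.example
1700000007 10.0.0.33 www.microsoft.com
1700000100 10.0.0.33 mail.google.com
1700000150 10.0.0.33 notfastnet.example
'@ -split "`n"

function Test-BlockedDomain {
    param([string]$Name, [string[]]$Blocklist)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    foreach ($bad in $Blocklist) {
        $b = $bad.TrimEnd('.').ToLowerInvariant()
        # Match the domain itself or any subdomain, on a label boundary, so that
        # "notfastnet.example" is not matched by a listing for "fastnet.example".
        if ($n -eq $b -or $n.EndsWith(".$b")) { return $true }
    }
    return $false
}

function ConvertFrom-DnsLogLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d+)\s+(\S+)\s+(\S+)\s*$') {
            [pscustomobject]@{ Time = [long]$Matches[1]; Client = $Matches[2]; Name = $Matches[3] }
        }
    }
}

function Find-Beacon {
    # Flags (client, name) pairs queried at least $MinQueries times with nearly
    # constant spacing. Jitter is the standard deviation of the gaps divided by
    # their mean, so 0.1 tolerates roughly 10% variation around the period.
    param([object[]]$Events, [int]$MinQueries = 5, [double]$MaxJitter = 0.1)
    foreach ($group in ($Events | Group-Object Client, Name)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        if ($times.Count -lt $MinQueries) { continue }
        $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) { $times[$i] - $times[$i - 1] })
        $mean = ($gaps | Measure-Object -Average).Average
        if ($mean -le 0) { continue }
        $variance = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $jitter = [math]::Sqrt($variance) / $mean
        if ($jitter -le $MaxJitter) {
            [pscustomobject]@{
                Client        = $group.Group[0].Client
                Name          = $group.Group[0].Name
                Queries       = $times.Count
                PeriodSeconds = [math]::Round($mean)
                Jitter        = [math]::Round($jitter, 3)
            }
        }
    }
}

$events = ConvertFrom-DnsLogLine $LogLines
'Blocklist hits:'
$events | Where-Object { Test-BlockedDomain $_.Name $Blocklist } | Format-Table -AutoSize
'Beacon candidates:'
Find-Beacon $events | Format-Table -AutoSize
```

On the constructed data the blocklist catches the single lookup of cdn.login-microsoft-support.example, and the beacon check flags 10.0.0.12 querying beacon.updates-cdn.example five times about 300 seconds apart with jitter near 0.005, a domain no blocklist would have caught. Real implants often add deliberate jitter to their sleep interval, so in production you would raise MaxJitter, require more samples, and treat the result as a lead for the SOC rather than a verdict.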


When these outside agents reach out to compromise your IT systems, be prepared. Partner with CyberSheath and enlist the assistance of our 24/7/365 security operations center, where we monitor this traffic and flag any suspicious activity. Our skilled team can also set up and configure Cisco Umbrella. Contact us today to get started.

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. It is not unusual for each member of your team to have hundreds of messages land in their inbox every day. How do you make sure that none of those communications are harmful, directing employees to share security information or download damaging files?

What spam and phishing are–and why they are dangerous

A threat actor can use email to deliver something that gets downloaded and installed on the recipient's computer, or to convince unwary employees to take an action that is detrimental to themselves or their company. Unsolicited bulk email is spam; a message crafted to trick the recipient into revealing credentials, running malware, or taking an action such as paying a fraudulent invoice is phishing. Phishing is the more dangerous of the two because it relies on the recipient's trust rather than on a technical flaw.

Often the nefarious entities sending this spam are looking for financial gain, but in the case of the defense industrial base (DIB), they could want to gain access to information in your possession that could benefit the entity that they may be working for.

There are different avenues they take, but it’s all about using email to get you to trust them and then take action. Here are a couple of examples.

  • An email from a Gmail account stating that it is from the CEO and that he has been locked out of his account (the display name matches, but the sending address is not a company one). The message then directs the reader to call a number or download software.
  • A communication that mimics a partner company or vendor, perhaps misrepresenting itself as Microsoft, and directs the recipient to download a "software update" to protect themselves from a threat.

Life these days is chaotic and we are reachable well beyond working hours. We might not be sitting in front of our computers but rushing off on an important errand when we glance at our phones and notice an email, purportedly from our boss. Any one of us could take the action requested by the spammer and not realize until much later the error in judgment.

Protecting your business from these threats

The solution is to limit the ability of these threat actors to send email to your employees by having the right spam tool with the right settings in place. In some cases, a company might have a good tool in place, but it might not be optimally deployed.

In a nutshell, configure everything with 'anti' in the name (anti-malware, anti-phishing, anti-spam) and turn on the features with 'safe' in the name (Safe Links, Safe Attachments). Safe Attachments detonates attachments in a sandbox before they are delivered to the mailbox; Safe Links rewrites URLs and re-checks them at the moment of the click, so a link that was clean at delivery but weaponized later is still blocked. Realistically, you want to keep supporting normal digital interactions while mitigating risk through the proper setup of these tools.
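The policy set the paragraph above describes, expressed with the Exchange Online PowerShell module. This is an added example for this page, not CyberSheath's deployment script or text from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Security Administrator role, and the tenant has a Defender for Office 365 Plan 1 or 2 license; the domain, policy names and protected executives are placeholders to replace.

```powershell
Connect-ExchangeOnline

$Domain = 'contoso.com'                          # assumption: your accepted domain
$Execs  = @('Jane Doe;jane.doe@contoso.com')     # assumption: "DisplayName;email" pairs to protect from impersonation

# 1. Baseline first. No Safe Links / Safe Attachments policy at all, or a Safe Links
#    policy with AllowClickThrough = True, are the weak settings this script replaces.
Get-SafeLinksPolicy      | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-AntiPhishPolicy      | Select-Object Name, PhishThresholdLevel, EnableMailboxIntelligenceProtection, EnableSpoofIntelligence

# 2. Safe Links: rewrite URLs, re-check them at click time, and do not let users click through a warning.
New-SafeLinksPolicy -Name 'Standard Safe Links' -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true -ScanUrls $true `
    -DeliverMessageAfterScan $true -EnableForInternalSenders $true -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name 'Standard Safe Links' -SafeLinksPolicy 'Standard Safe Links' -RecipientDomainIs $Domain

# 3. Safe Attachments: detonate attachments in a sandbox and block the whole message if
#    the file misbehaves (Block rather than Replace, so the body is not delivered either).
New-SafeAttachmentPolicy -Name 'Standard Safe Attachments' -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name 'Standard Safe Attachments' -SafeAttachmentPolicy 'Standard Safe Attachments' -RecipientDomainIs $Domain

# 4. Anti-phishing on the default policy: raise the machine-learning threshold, quarantine
#    impersonation of named executives and of your own domains, keep spoof intelligence on.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -PhishThresholdLevel 2 `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $Execs -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -EnableFirstContactSafetyTips $true

# 5. Anti-spam and anti-malware on the default policies: quarantine high-confidence spam and
#    all phish, keep zero-hour auto purge on, and enable the common-attachments file filter.
Set-HostedContentFilterPolicy -Identity Default -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine -BulkThreshold 6
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -ZapEnabled $true

Disconnect-ExchangeOnline -Confirm:$false
```

Run the baseline queries in step 1 on their own before the rest: if a Safe Links or Safe Attachments policy with the same name already exists, use the matching Set-* cmdlet instead of New-*, and compare each property against the output of step 1 afterwards so the change is verifiable rather than assumed.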

Microsoft Defender for Office 365 helps stop attacks

This solution is the email and collaboration component of Microsoft 365 Defender, Microsoft's XDR suite, which correlates threat data across email, endpoints, identities and cloud apps to build a complete picture of each attack in a single portal. Defender for Office 365 is sold as two plans.

  • Plan 1 – Provides the protection policies: Safe Attachments, Safe Links, and anti-phishing with impersonation protection and spoof intelligence. It also offers real-time detections for investigating delivered mail.
  • Plan 2 – Takes everything in Plan 1 and layers on automated investigation and response (AIR), Threat Explorer and Threat Trackers for hunting, and Attack Simulation Training for user education. Since the education piece is critical, our experts recommend Plan 2. With the evolving security landscape, this plan has the dynamic features to accommodate the threats of today and meet future challenges.

As a Microsoft partner, we are skilled in implementing and optimizing Microsoft 365 Defender to help you safeguard your organization. Reach out to us to get a quote. We can provision licenses, implement the tool, and push out solid security policies in your Office 365 environment. If you already have the licenses, we can also maximize the entitlements that these licenses have. Contact us to get started.


Scrutiny of defense industrial base (DIB) cybersecurity has never been higher. The costs and impacts of security lapses are on full display in the wake of the SolarWinds breach, as federal agencies continue to investigate the full scale of the intrusion, likely the work of Russia.

Even before recent events, Cybersecurity Maturity Model Certification (CMMC) loomed large among the DIB. We took a snapshot this fall of where DoD contractors stand, surveying more than 200 senior executives to find out what work still needs to be done, the risks and challenges they face, and how to ensure long-term security and compliance.

The results reveal new opportunities, including mitigation and investment strategies, and highlight some of the biggest remaining unknowns that the DIB must quickly address.

This report is designed to help the DIB, the US DoD, and the general security community better understand the level of compliance, the acceptance of new rules, the level of understanding of the cyberattack threat landscape, and current levels of preparedness and business impacts.

Once you learn what DoD suppliers are thinking, find out what they’ve been doing for the past five years. We’re opening the vault on data from the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks to help contractors better navigate the road to CMMC compliance. Join our free webinar on February 3, 2021 for all the findings.


Among the key findings of the Fall 2020 executive survey:


Finding 1: 21% of DIB companies surveyed have experienced a cybersecurity incident

A little over one-fifth of DIB companies indicated that they have been a victim of a cyberattack, highlighting the risk that CMMC aims to curb. But as the demand for security professionals outpaces supply, executives are increasingly looking to public cloud and key DIB partners to assist in managing security.

Public cloud infrastructure offers some of the best bets, and allows DIB companies to compete effectively in today’s digital world and stay secure. Moreover, as cyberattacks become more rampant, DIB C-Suite professionals are looking for active management and continuous monitoring of all infrastructures.


Finding 2: 82% of DIB contractors are handling CUI, a Critical Element in DFARS Compliance (CMMC / NIST 800-171)

Of DIB companies surveyed, 82% understand that they process Controlled Unclassified Information (CUI), a category created by Executive Order 13556 (2010) and defined in the 32 CFR Part 2002 rule issued during the Obama administration. As a result, they inherit the most onerous requirements of CMMC and NIST SP 800-171, which are critical to ensuring future DoD revenue.

Executives are concerned about the impact security threats can have on business performance, pointing to the potential loss of customers, brand reputation, and operational productivity. Many report adjusting budget priorities to better secure networks and prevent attacks.

The impacts of attacks on DIB corporate networks can vary depending on the industry in which companies compete. Manufacturers that have long embraced automation to boost production efficiencies now plan to integrate artificial intelligence in security measures with a corresponding shift in their IT budgets.

Events that most influence how executives view their companies’ security vulnerabilities include high-profile data breaches and nation-state attacks on peer companies, cyber-attacks on their organizations, and government regulations.


Finding 3: 93% of DIB companies are aware of CMMC

The DIB C-Suite research reveals that nearly all companies in the sector – 93% – are aware of the new CMMC rules and the important sector trends. DIB companies are attempting to educate themselves about the effects of recent rule changes on security requirements. Suppliers of all sorts need to consider documentation, adherence, and, in some cases, transformation of their security practices to protect and comply with the requirements of the new DoD rules.

Fortunately, only 13 of 201 respondents cited that they were unaware of the CMMC rules. Unfortunately, many in the DIB are ill prepared to actually implement them.


Finding 4: A third of DIB companies don’t know which CMMC level to focus on

The CMMC will encompass multiple maturity levels that range from “Basic Cyber Hygiene” (Level 1) to “Advanced/Progressive” (Level 5). The intent is to incorporate CMMC as a requirement for contract award.

While 56% of respondents said they’re focused on Levels 1-3, with 42% focused on Level 3 alone, a large portion of respondents still don’t know which level to focus on. Some 33% of respondents said the level they would focus on is “uncertain.” That will limit their speed in adopting and certifying their compliance with the level they eventually must meet.


Finding 5: More than half of DIB companies outsource IT and security functions

DIB C-suite executives face tough choices when deciding where to invest resources to propel their businesses forward. At least 4 in 10 respondents identify increasing infrastructure complexity, digital transformation plans, integrations of artificial intelligence, and migration to the cloud as putting pressure on security planning and budget allocation.

Executives understand that compliance to DFARS, NIST 800-171, and CMMC is paramount and to transform their businesses, they must embrace the integration of new technologies.

At the same time, they’re facing an internal skills gap. One-third of respondents report dependence on their internal IT talent, promoted from within, which can create a knowledge gap in security strategy.

The internal skills gap is not easily solved because the demand for security professionals outpaces supply. As a result, more executives report the need to look to outside security vendors for assistance.

In fact, more than 54% of executives report outsourcing both IT and IT security to gain traction on competent and quick compliance. They have decidedly moved toward public and private cloud environments, and the survey data also reveals a shift of network security budgets toward technologies that employ more automation, more technology integration, and the ability to operate from a sovereign US environment in FedRAMP-authorized cloud services.


Finding 6: China and Russia aren’t the only risks on DIB companies’ minds

DIB C-Suite executives face tough choices when deciding where to invest resources to propel their businesses forward. As the threat of network attacks becomes a question of when, not if, chief executive officers and chief security officers must carefully evaluate the risks associated with security vulnerabilities and the costs of implementing effective security solutions.

At least 4 in 10 respondents identify these factors as putting pressure on their organizations’ security planning and investment:

  • Increasing infrastructure complexity
  • Threat from China, Russia, and Iran
  • Compliance to new regulations
  • Migration to the cloud


Finding 7: 40% of DIB companies estimate the cost of an attack at more than $1 million

Data breaches are expensive. They rack up monetary costs that directly affect companies’ bottom lines, but more troubling is the damage inflicted to intangibles such as brand reputation and customer trust.

Almost 40% of respondents estimated the hard cost of every attack to be more than 1 million USD/EUR/GBP, with cost estimates surging to more than 25 million USD/EUR/GBP for 5% of respondents. While soft costs are difficult to quantify, it is likely their impact is much higher over the long run than hard costs.

[Figures: Hard and Soft Costs; Executive-Ranked Top 3]

About the Research

On behalf of CyberSheath, BAO surveyed 201 executives from July to September 2020. To participate in the 2020 DIB C-Suite Compliance Security Survey, respondents had to work for a company that contracts with the US DoD, and by design the survey required at least half of respondents to be C-level executives, though this year's research attracted far more C-level corporate leaders than that. About two-thirds of the companies in the survey have fewer than 500 employees.

Don’t forget: Sign up for our free webinar on February 3, 2021 to learn what high- and low-scoring organizations have in common, variables that negatively affect most businesses, and characteristics of companies attaining compliance. Don’t miss it!

How Secure is the DIB Supply Chain?

With the deadline for compliance with DFARS Clause 252.204-7012 having passed on December 31, 2017, many companies are still scrambling to catch up. But in their haste, many may be ignoring a vital aspect of the mandate.

Chiefly designed to ensure adequate security in safeguarding “covered defense information” (CDI), DFARS requires Department of Defense (DoD) contractors and subcontractors to implement controls to protect sensitive data “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

However, it also includes clearly specified mandates for cyber incident reporting, when a contractor or subcontractor discovers that CDI has been compromised or adversely affected within their networks. In addition to safeguarding CDI, it is imperative that companies follow these prescribed reporting requirements if they experience a cyber incident.

Report Rapidly

Collecting information on cyber incidents allows the government to investigate key details in order to monitor and hopefully contain future cyber threats. As such, DFARS cyber incident reporting mandates are designed to assure businesses turn over this information quickly.

According to DFARS, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If you have determined that a cyber incident has taken place, then in accordance with the “Rapid Reporting” requirement you must:

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil within 72 hours of discovery.

The DFARS provision defines a compromise as the “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”

Although there has been some debate about which events start the 72-hour clock, a clear cyber incident response plan that defines what counts as "discovery" and records when each determination was made creates a track record of internal consistency that would demonstrate diligence if a contractor's reporting were ever scrutinized.

A full list of what to report can be found on this page of the DoD’s DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.

Detect Malware

In the event that malicious software (malware) is found on a compromised system, the contractor must also collect information about the malware and submit it using a malware submission form to the DoD Cyber Crime Center (DC3) “in accordance with instructions provided by DC3 or the Contracting Officer.”

Preserve Your Media

The DoD may also choose to conduct a thorough post-incident investigation, also known as a damage assessment. To allow for this, they require companies that have been breached to “preserve and protect images of all known affected information systems” and “all relevant monitoring/packet capture data” for at least 90 days following the discovery of an intrusion.
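One practical way to meet the preservation requirement above is to hash and inventory the images and captures as soon as they are collected, so that any later alteration or loss can be proven. This is an added example written for this page, not CyberSheath's procedure or anything prescribed by DoD; the folder layout, the evidence paths and the discovery timestamp are assumptions, and the 72-hour and 90-day figures are the ones the clause states.

```powershell
function New-EvidenceManifest {
    # Hashes every file under $EvidenceRoot (disk images, memory dumps, pcaps), records
    # the reporting deadline and retention date derived from the discovery time, writes
    # a CSV manifest, and marks the evidence read-only so routine cleanup does not touch it.
    param(
        [Parameter(Mandatory)][string]$EvidenceRoot,
        [Parameter(Mandatory)][datetime]$DiscoveryDate,
        [string]$ManifestPath = (Join-Path $EvidenceRoot 'manifest.csv')
    )
    $reportBy    = $DiscoveryDate.AddHours(72)   # DFARS 252.204-7012 rapid-reporting window
    $retainUntil = $DiscoveryDate.AddDays(90)    # minimum preservation period for images and captures
    $hashedAt    = (Get-Date).ToUniversalTime().ToString('o')

    $rows = Get-ChildItem -LiteralPath $EvidenceRoot -File -Recurse |
        Where-Object { $_.FullName -ne $ManifestPath } |
        ForEach-Object {
            [pscustomobject]@{
                File           = $_.FullName
                SizeBytes      = $_.Length
                LastWriteUtc   = $_.LastWriteTimeUtc.ToString('o')
                Sha256         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                HashedAtUtc    = $hashedAt
                ReportDueUtc   = $reportBy.ToUniversalTime().ToString('o')
                RetainUntilUtc = $retainUntil.ToUniversalTime().ToString('o')
            }
        }
    $rows | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    Get-ChildItem -LiteralPath $EvidenceRoot -File -Recurse | ForEach-Object { $_.IsReadOnly = $true }
    return $rows
}

function Test-EvidenceManifest {
    # Re-hashes each listed file and returns only the rows that are missing or changed;
    # an empty result means the preserved evidence still matches the manifest.
    param([Parameter(Mandatory)][string]$ManifestPath)
    Import-Csv -LiteralPath $ManifestPath | Where-Object {
        (-not (Test-Path -LiteralPath $_.File)) -or
        ((Get-FileHash -LiteralPath $_.File -Algorithm SHA256).Hash -ne $_.Sha256)
    }
}

# Usage with assumed paths and discovery time:
# New-EvidenceManifest -EvidenceRoot 'D:\IR\case-0001' -DiscoveryDate '2021-01-15T14:00:00Z'
# Test-EvidenceManifest -ManifestPath 'D:\IR\case-0001\manifest.csv'
```

Store a copy of the manifest somewhere the evidence share cannot overwrite it (a ticket, a signed email to the incident lead) and re-run Test-EvidenceManifest before handing anything to DC3 or a DoD damage-assessment team; a read-only attribute is a guard against accidents, not against an attacker, so the off-system hash copy is what actually proves integrity.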

Advice on Reporting

Opening up the lines of communication with the DoD prior to any incident ensures that the process is less complicated and helps you to report in a timely fashion.

In addition, making sure your forensics tools and procedures meet the DoD collection requirements will also ensure that you’re able to quickly gather the required information and report all the pertinent details in full.

Preparation is key. Practice your forensic collection procedures so you can report and recover quickly without missing a beat. Note also that cyber incident reports are submitted through DIBNet, which requires a DoD-approved medium assurance certificate (typically issued by an External Certification Authority) to authenticate the submitter, so obtain one before you need it. Information on how to obtain this certificate can be found at iase.disa.mil.

Need Assistance?

If you’re looking for someone to stay on top of your reporting so you don’t drop the ball, or if you just need further assistance understanding the complex process of reporting a cyber incident, contact CyberSheath today for a free consultation.


Researchers at Kaspersky Lab and Symantec have identified a new malware platform so advanced and so carefully hidden that details are only now coming to light. ProjectSauron, as the malware has been named, has been active since at least 2011. What distinguishes ProjectSauron from other advanced persistent threat (APT) toolkits is that it operated virtually undetected for five years and is built from multiple modules that are installed according to the attackers' needs on each target. Security professionals are stopping short of naming its country of origin but suspect that the malware could “…probably have been developed only with the active support of a nation-state,” according to Ars Technica.

Researchers have also found that ProjectSauron is difficult to detect with traditional antivirus because much of the malware lives only in memory and is stored as binary large objects (BLOBs) rather than as ordinary files on disk. How ProjectSauron works is still being learned, but the artifacts it leaves behind are unique to each target. According to Ars Technica and Kaspersky, unlike “…many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.” Each instance of the malware is therefore tailored to its environment, which defeats the indicator sharing that usually lets one victim's discovery protect the next. Both Kaspersky and Symantec researchers believe this is just the beginning. More than 30 organizations are known to have been attacked so far, and that number is expected to rise. The targets have been government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions. No US-based organization has reported an infection yet, but the malware has appeared in Russia, Iran, Rwanda, China, Sweden, Belgium and possibly in Italian-speaking countries.

ProjectSauron is made up of many different modules that do different things depending on the target. According to an FAQ published by Kaspersky, in one discovered instance ProjectSauron “registers its persistence module on domain controllers as a Windows Local Security Authority password filter.” A password filter is a legitimate mechanism that system administrators use to enforce password policy: a DLL registered in the LSA's Notification Packages list is loaded into the LSASS process at startup, and LSASS hands it the new password whenever any user, including a domain administrator, sets or changes one, so the filter can validate complexity and length. ProjectSauron inserts itself into this process and harvests every new password in plain text, and because LSASS loads the DLL at boot, the module survives restarts. In instances where domain controllers lack direct Internet access, the attackers install additional modules on “other local servers which have both local network and Internet access…” and pass through a significant amount of network traffic. These nodes are then used for silent, inconspicuous exfiltration that blends into legitimate traffic, using its high volume as a disguise. ProjectSauron's modules are installed as “sleeper cells,” meaning they do not activate until commands arrive in incoming network traffic. Researchers believe this is why the malware survived so long in the wild without discovery.
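The persistence mechanism described above leaves a visible footprint: the DLL name must appear in the LSA's Notification Packages registry value on the domain controller. The audit below is an added example for this page, not code from Kaspersky's report or from CyberSheath. It assumes that only the stock Windows filter, scecli, is expected on your domain controllers; any legitimately deployed third-party password filter needs to be added to $KnownGood.

```powershell
function Get-LsaNotificationPackage {
    # Lists every password-filter DLL LSASS will load on this host and flags entries that are
    # missing, not signed by Microsoft, given as an absolute path, or not on the expected list.
    param([string[]]$KnownGood = @('scecli'))   # assumption: stock Windows filter only
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'
    foreach ($pkg in @($packages)) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
        # LSASS resolves a bare name from System32; an absolute path in this value is itself a red flag.
        $rooted = [IO.Path]::IsPathRooted($pkg)
        $path   = if ($rooted) { $pkg } else { Join-Path $env:SystemRoot "System32\$pkg.dll" }
        $exists = Test-Path -LiteralPath $path
        $sig    = $null
        if ($exists) { $sig = Get-AuthenticodeSignature -LiteralPath $path }
        $microsoftSigned = $exists -and ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        $status = 'Missing'
        if ($sig) { $status = [string]$sig.Status }
        $signer = ''
        if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Package    = $pkg
            Path       = $path
            Signature  = $status
            Signer     = $signer
            Suspicious = (-not $microsoftSigned) -or $rooted -or ($KnownGood -notcontains $pkg)
        }
    }
}

Get-LsaNotificationPackage | Format-Table -AutoSize -Wrap
```

Run it on every domain controller, since the value is per host. A Suspicious entry warrants pulling the DLL for analysis rather than deleting it, so the sleeper module's C2 configuration is not lost. For continuous coverage, pair the audit with Security event 4614 (a notification package has been loaded by the Security Account Manager), which fires at boot for each filter, and with image-load telemetry for lsass.exe from your EDR.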

ProjectSauron can also infect air-gapped networks. In situations where networks are isolated, Kaspersky identified a toolkit specially designed to move data from air-gapped networks to Internet-connected systems via infected removable USB drives. The attacker first compromises an Internet-connected system, waits for a user to attach a USB drive, and then installs a ProjectSauron module that reserves a hidden region of the drive and formats it as custom-encrypted partitions that a standard OS such as Windows does not recognize. Data stolen from the isolated network is staged in that hidden area and collected when the drive returns to an Internet-connected machine. It should be noted that this method can also bypass many DLP products that block “unknown USB devices based on DeviceID,” because in this case the drive was known and recognized as a genuine USB drive.

For more information on ProjectSauron, please read the Kaspersky report.

CyberSheath stands with you in your effort to defeat advanced persistent threats.   Let us help you shore up your security by conducting an assessment today.
