The Cybersecurity Maturity Model Certification (CMMC) is a unified standard intended for implementing cybersecurity across DoD contractors.

The CMMC has been in development for a number of years, but the first details on the framework were released in January 2020. The framework makes use of a “maturity” model, in which audits will be conducted by third-party assessors. Firms will be assigned a “level” that represents the cybersecurity protections, or maturity level they have demonstrated.

Breach Report and predicted loss by 2024

A recent study predicted that business losses due to cybercrime will exceed $4.5 trillion by 2024. The threat to the Defense Industrial Base (DIB)--the network of more than 300,000 businesses, organizations, and universities that research, engineer, develop, acquire, design, produce, deliver, sustain, and operate military weapons systems--is especially alarming due to current cyber warfare activities by cybercriminals and state-sponsored actors.

Security is a foundational component of acquisition

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S) recognizes that security is a foundational component of acquisition and that some contractors are trading security to benefit cost, schedule, and performance. It's estimated that the DoD supply chain consists of more than 300,000 businesses and organizations, all of which are targets. Most of these organizations are small to mid-size businesses, which are the most vulnerable to cyber-attacks. Based on over 100 Data Breach Investigation's CyberSecOp recognized that organizations between 100 -300 employees are prime victims for cyber criminals because of lack of security controls.

CMMC Model Structure

The goal of CMMC is to provide a framework for the improvement of cybersecurity in DIB sector organizations. CMMC currently defines 17 domains of technical capability, each with five levels of certification (L1 through L5) and specific practices. The DoD will require an organization to have CMMC Level 3 certification before it can receive Controlled Unclassified Information (CUI) in any domain.

CMMC Domains

CMMC Leveled Practices

The majority of the practices (110 of 171) originate from the safeguarding requirements and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012. The practices fall into five levels:

• Level 1 represents basic cyber hygiene, and focuses on the protection of federal contract information (FCI). It consists of practices that correspond only to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").

• Level 2 is a transitional step in cybersecurity maturity progression to protect CUI. Level 2 consists of a subset of the security requirements specified in NIST SP 800-171, as well as practices from other standards and references.

• Level 3 focuses on the protection of CUI. It encompasses all of the security requirements specified in NIST SP 800‑171, as well as additional practices from other standards and references.

• At Level 4, the model begins to focus more on the proactive activities an organization can take to protect, detect, and respond to threats. These practices enhance the organization's ability to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APT)s.

• Level 5 focuses on the protection of CUI from APTs. The practices increase the depth and sophistication of cybersecurity capabilities.

CMMC Cyber Compliance Services

DOD has made the effort to simplify CMMC, but it is surely still complicated. CMMC is based on several other standards, including DFARS, CERT RMM, 800-171, AU ACSC Essential Eight, UK NCSC Cyber Essentials, ISO 27001, CIS Critical Security Controls, and the NIST Cyber Security Framework. Utilizing all the above information security standards make it very challenging for most DOD contractors to copy with CMMC. Get compliant with CyberSecOp CMMC Assessment, Security Program & Advisory Services.

Author: Kaushik Reddy

A newer type of attack that is gaining momentum on the WFH revolution is Consent Phishing, which seeks the user’s permission as opposed to password.

With today’s widespread use of cloud applications like Webex, Zoom, and Box for increased productivity, the average person has no doubt ran across an application that asks for consent. Attackers have leveraged this familiarity to create malicious applications that request permission for access to sensitive data. Once the user has granted the application access it’s Game Over.

How it works

While each attack method varies, it usually comes down to the following steps:

1. Threat actor registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory, AWS, or Google Cloud

2. The app is configured in an inconspicuous way that makes it seem legitimate

3. The threat actor gets a link to pop up for the user which may be done through conventional email-based phishing, by compromising a non-malicious website

4. The victim clicks the link and is shown the familiar-looking consent prompt asking them to allow the application permission to sensitive data

5. Once the user clicks accept, they have granted the application permissions to access sensitive data

6. The malicious application receives an authorization code, which it then redeems for an access token, and potentially a refresh token

7. The access token is used to make API calls on behalf of the user

How to protect against this type of attack

• Advanced endpoint protection

• User awareness, if the application consent prompt contains misspelling or grammar errors, those are telltale signs that it may be malicious

• Configure your organization to only allow applications that are published and verified

• Configure policies to whitelist only certain apps for use

Author: Carlos Neto

‘Prepping’ for Work from Home

For the past few years employees and employers alike extolled the virtues of working from home (‘WFH’). We’ve heard the stories of how it leads to a happier and more productive employee, less overhead for the employer, and just more flexibility overall. Most people knew a shift would come eventually – kind of like the shift to IPV6- but it stalled and stalled. Then the pandemic happened and WFH had been thrust upon us with such force that businesses were, and still are, scrambling to get the pieces in place for an effective remote staff.

It is no longer a secret that WFH is here to stay. Many businesses including Fujitsu and Twitter have just gone ahead and implemented WFH ‘forever’. With this change come challenges. One of those is the security of routers in the millions upon millions of homes that now serve as working offices.  According to a study by Germany’s Fraunhofer Institute for Communication, vendors have failed to fix hundreds of vulnerabilities in their consumer-grade routers, leaving hundreds of thousands of users exposed to a wide range of attacks. "Nearly all were found to have security flaws, some of them very severe," the Fraunhofer Institute said in a press release. "The problems range from missing security updates to easily decrypted, hard-coded passwords, and known vulnerabilities that should have been patched long ago."

 Advice on next steps

So what should we do? The first step is to know the make and model of your router. Research it for any known vulnerabilities, as there may be some cases where the device is so insecure that even patching it still leaves it vulnerable. Once you’ve decided if it is worth keeping the device make sure that it automatically installed firmware updates. If not you may need to manually update it. A task that is well worth the effort. Another task is to make sure that the administrator password for the router has been changed from the default admin password. Many routers now have unique default passwords for their routers- but there are still plenty out there that don’t.

WFH Users should use complex passwords on their routers including:

·         Uppercase and Lowercase

·         Numbers and Symbols

·         At least 8 characters long

You should also use the strongest Wi-Fi encryption your router supports. WPA3 (Wi-Fi Protected Access Version 3) is best.

You may have children working, playing, and streaming while you are home. Ensure they use their own devices and do not surf on your work devices.

Router configuration and device hardening are just one of the many layers of security that businesses need to adapt and expand to their remote workforce. We here at CyberSecOp would not be surprised if, sooner rather than later, companies begin purchasing, installing, and administering home routers to ensure a secure endpoint to endpoint networking. Until then remain vigilant and patch patch patch!

Author: Carlos Neto

The COVID-19 pandemic has alerted many organizations to gaps in their information security infrastructure heretofore unrealized. Most of these deficiencies have been revealed as a direct outcome of the shift from a workforce-in-place physical environment centered around a fixed and determinable worksite location to a distributed, unstructured environment where most employees and individuals are working remotely.

At CyberSecOp, we can help your organization address these, as well as other concerns related not only to the current operating environment but also pertaining to any and all operating challenges you may face as part of your ongoing operations.

The lack of a centralized workspace raises a multiplicity of information security concerns, including but not limited to the following:

1.      Does the company have an established Work-From-Home (WFH) information security policy, and if not, how is remote worker security managed?

2.      Are employees adequately trained to work remotely, and do they have the appropriate tools at their disposal to ensure the preservation of the security environment?

3.      How does the organization manage mobile device and laptop security, including encryption?

4.      Control and testing of the commercial VPN?

5.      Does the organization maintain a comprehensive data loss protection policy?

6.      How, if at all does the organization address data loss protection?

7.      Does the organization have a breach response plan for mobile and remote WFH employees?

At CyberSecOp, we can help your organization address these, as well as other concerns related not only to the current operating environment but also pertaining to any and all operating challenges you may face as part of your ongoing operations. Our skilled team of information security professionals can provide a comprehensive assessment of your information security framework and suggest remediation and complementary additions to your existing framework, as the case may be.

There are several things to consider if and when the time comes for firms to return to the office. CyberSecOp recommends:

• Third-Party network risk assessment

•   Operational Responses to Security Incidents

• Work from Home Security

• Virtual Meeting Applications

• Updates and Patches

•   A full virus scan on workstations returning to the office

• Full Windows/Mac updates

• Review Wi-Fi connections on returning devices: Some people may come back and still connect to Optimum Wi-Fi (This can be very risky)

• Delete any accounts not for company use

• Provisioning devices employees may have bought in haste (Hardening AV adding to the domain)

• Mobile device management strategy for new mobiles, or devices that employees are using more

• Pandemic Policy, Cybersecurity Policy Wireless policy

It is important for organizations to foresee possible consequences transitioning from working remotely to returning to the office. CyberSecOp can help facilitate this transition.

AUTHOR: Michael Young

For any company, especially technology-oriented ones, being aware about the cyberthreat landscape is critical. There is often the mindset that most cyberattacks can be warded off by procuring and implementing the latest security technologies, and relying on consultants and internal resources to police implementation.

While this passive strategy may yield a certain level of effectiveness, it also takes a high level of active, participatory security awareness on part of both employees and management in order to 100% fortify the lines of defense around the business or corporation.

STEPS TO ACHIEVE AN EFFECTIVE SECURITY AWARENESS PROGRAM

1.     The Major Orienting Components – A comprehensive, participatory information security awareness program should have as its three foundational pillars the principles of confidentiality, integrity, and availability.  While the first two terms speak for themselves, the third is often misapprehended.  Here, it refers to the organization maintaining a comprehensive system of controls over information security such that employees can be assured of having access to all information necessary to perform their roles without risk of breach.

2.     The Protection of Corporate Resources - “Corporate resources” does not just refer to digital assets — it also refers to physical assets, such as paper documents. A security awareness checklist should include the proper usage of document-shredding machines and how the shredded documents should be disposed of.

3.     Protection of Corporate Facilities - Employees should be trained not only in how to look for suspicious behavior from the outside, but from the inside as well.  This will ensure against unauthorized personnel gaining access to the premises for purposes of mounting internal attacks against the information infrastructure.

4.     The Formal Security Awareness Training Program – The corporation should maintain a comprehensive security awareness training program and all employees, irrespective of position with the organization and/or function, should regularly participate.

5.     Determining Levels of Responsibility and Segregation of Duties – All employees involved in the day to day management of security over the corporation’s digital and physical information assets should have their roles clearly defined and responsibilities enumerated and documented in a comprehensive ‘R & R’ policy.

CyberSecOp Security Awareness Courses specializes in helping employees understand the mechanisms of spam, phishing, spear-phishing, malware, and social engineering and are able to apply this knowledge in their day-to-day job. Our Security Awareness training solutions effect meaningful, sustainable changes in any workforce. With CyberSecOp Security Awareness Training, employees are not just aware of the dangers presented by an ever-changing threat landscape: they’re empowered to protect your organization from them.

AUTHOR: RICH FIORE