Security Awareness Training—The Importance of Phishing Your Users

Whether your company has ten employees or one thousand, the risk of social engineering attacks is always relevant in today’s world. Users receive hundreds of spam emails per day, and although most of these emails are filtered out by current advanced filtering, some emails still slip through the cracks and pose a large threat to your users. Some users click on every link or attachment found within emails. Others never click a link unless the sender has confirmed it is legitimate. Phishing your users with custom phishing emails created by someone within your organization will make users more aware of what they are clicking on. Most users who click on a phishing link will never do it again. It’s better for that one click to be on a harmless email your company created than on an email that could cost your company thousands of dollars.

The risk associated with phishing emails has only increased due to the COVID-19 pandemic. IBM reported that between March and April of this year, they saw a 6,000% increase in spam attacks, and many of these attacks leveraged the current situation around the world involving the pandemic. Now it is more important than ever to make sure that your users will not fall for these types of scams. Creating your own tests that your users can learn from is one of the best ways to do so. Source: USA Today

Does your company have the right cybersecurity plan in place? Contact us for more information on how our customizable services may help protect your business.

Posted by Connor Karek

Security Awareness Training—Training Your Users In Social Engineering

As a business, it’s your responsibility to provide training to your users that will aid them in completing their everyday tasks. In almost every industry, users will experience social engineering attacks while performing their duties. It is imperative that your users are trained to recognize these attacks so that they do not fall victim to them and cause damage to your company. Here are some ways that you can train your users to recognize these types of attacks:

Conduct In-House Phishing Attacks

There are many free or paid tools on the web that allow you to run phishing tests against your users. These tools provide valuable hands-on examples that your staff will have to interact with. They are a great way to see what your users may be susceptible to clicking on, and to show you which users within your organization may require additional training to make sure they understand these attacks and how to avoid them.

Conduct User Training (Webinar, policy reading, interactive training, etc.)

There is a large variety of information and training material available online for free that you can use to train your users. This training could be in a webinar format, an interactive training module that users must complete, or a simple reading assignment that goes through the dangers of social engineering attacks and what to look out for. Making sure your users are prepared is imperative when it comes to social engineering.

Posted by Connor Karek

Cybersecurity for Manufacturers—What is CMMC and What Should I Be Aware Of?

Manufacturers are under mounting scrutiny from both cybercriminals and regulators. Due to limited resources and budgets, manufacturers (especially small to medium sized ones) need cybersecurity guidance, solutions and training that are practical and cost-effective. Should a hacker manage to infiltrate a manufacturer’s systems and data, the cybercriminal has the potential to shut down operations and render the manufacturer unable to fulfill client requests and contracted orders. This in turn leads to lost clients, lost revenue, and an inability to pay employees. Not good.

The Department of Defense (DoD) recently announced that contractors who provide services and products in the Defense Industrial Base (DIB) will have to comply with the CMMC (Cybersecurity Maturity Model Certification). Lots of abbreviations – stay with us. There are 5 levels of the CMMC, each with specific requirements and controls, mostly taken and modeled from the NIST SP 800-171 framework. The level that each manufacturer will have to comply with will depend on the types and size of the contracts they are bidding on.

Key dates to be aware of for CMMC:

As the CMMC is still in its infancy in terms of rollout, a lot of the key dates and audit information is TBD (hence the large 5 year gap in rollout). The required controls have been released, though, and it is only a matter of time until the DoD begins clamping down on the requirements in Requests for Proposals (RFPs).

Next steps to take?

We suggest that if you are a defense contractor and believe you will have CMMC requirements to comply with, you get ahead of the game. A good first step is to perform a self-assessment against the controls of the CMMC level you are required to comply with. The next step after completing a self-assessment is to contact an RPO and perform a readiness assessment. This will get you in good shape security-wise and let you know where the gaps currently are in terms of CMMC compliance. After meeting the criteria that the RPO states you need to fulfill to comply, you can contact a C3PAO for the audit and gain the certification. Unfortunately, the C3PAO cannot provide both a readiness assessment and an audit (and vice-versa for the RPO). Please contact DataSure24 if you have any CMMC related questions.

Posted by Max Winterburn

Cybersecurity—Where to Start and How

Every business, no matter the type or size, needs cybersecurity right now. When it comes to cybersecurity, businesses should take a proactive approach rather than a reactive one. You do not want to be questioning your business’s cybersecurity capabilities during a cyber incident. By having a strong cybersecurity program in place, you will not only be able to respond quickly and effectively to a cyber incident if one were to occur, but you will also mitigate many cyber risks and attacks before you become the target of a cyber-attack. Here is what you and your business should know in order to create a quality cybersecurity program without needing to spend a large amount of money.

The first objective when building a cybersecurity program is to identify your sensitive data and where it resides. Whether it is your customers’ private information or your organization’s own information, it is your responsibility to protect it. You should also determine your mission critical assets. These are assets that are critical to your business’s operations; if such a system were compromised, it would cause irreparable loss to your business.

Once you have identified your organization’s sensitive data and core assets, you then want to focus on properly securing them through the use of policies and technical controls. But now you might be wondering what steps to take to secure your sensitive data and core assets. Below are easy but effective steps you can take to protect your sensitive data and core assets right now:

Additionally, there are many cybersecurity frameworks that your organization can adopt to provide guidance for protecting your sensitive data and core assets. The framework that we recommend you check out is the National Institute of Standards and Technology (NIST) Special Publication 800-171 r2. This publication offers best practices for organizations in both the public and private sector. The publication also provides guidance on how to implement these best practices, so you can protect your information and organization.

Posted by Brendan Kenney

Department of Defense DFARS Interim Rule

On September 29th, 2020, the Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARS) interim rule titled “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)”. The new rule was highly anticipated, as it was to address the new Cybersecurity Maturity Model Certification (CMMC) released earlier this year and discuss the DoD’s implementation of the CMMC in the Defense Industrial Base (DIB). The interim rule added the following contract clauses:

Many people were shocked to learn that the new DFARS interim rule also added two new cybersecurity contract clauses on top of the CMMC clause, which will affect new contracts starting November 30th, 2020. There has been a lot of talk about the new interim rule and its requirements, as well as misinformation about the new rule. We want to assure you that the new interim rule is not as scary as it sounds or as some people are making it out to be. With that being said, let’s take a closer look at the new interim rule. We will only be looking at the contract clauses 252.204-7019/7020 in this post. We will discuss the CMMC clause (252.204-7021) in a future post. If you want to learn more about the CMMC now, please check out this video where we introduce and explain the CMMC in detail: https://www.youtube.com/watch?v=1CKjn5ztXCs

New DFARS Requirements

The interim rule also added the following contract clauses: 252.204-7019 “Notice of NIST SP 800-171 DoD Assessment Requirements” and 252.204-7020 “NIST SP 800-171 DoD Assessment Requirements”. These two contract clauses went into effect on November 30th, 2020, and unfortunately, there has been a lot of misinformation spread about them. Please read below for an in-depth overview of everything that you should be aware of regarding the two new DFARS clauses 252.204-7019 and 252.204-7020.

DFARS 252.204-7019 & DFARS 252.204-7020 Requirements:

Who This Applies to:

What is the Objective?

The reason for all of the above requirements is to eventually become CMMC certified at CMMC level 3 (the CMMC maturity level that handles CUI). The CMMC will be rolled out over the next few years until September 30th, 2025. All contracts are expected to include the CMMC after that date.

Our Suggestion

Example Scenarios:

Our hope is to help answer all of your questions regarding the new DFARS interim rule and the three clauses that have been added. We strongly recommend that you read the interim rule for yourself, which can be found here.

Posted by Brendan Kenney

Why You Need to Train Your Employees—What Is the Worst That Could Happen?

With email and other forms of telecommunication more prominent than ever in the workplace, these forms of communication can leave holes in a company’s cyber security platform. Email addresses and public profiles can be hotspots of information that an attentive attacker can mine to gather information and develop strategies for targeting the end user with phishing, vishing, and other forms of social engineering. This leaves the everyday employee at the highest risk for these types of attacks. As a defense, proactive and continuous measures can help end users identify emails that could be suspicious or malicious, and help cybersecurity professionals identify these types of attacks and work to mitigate the damage caused.

Malicious attackers will target the end user with tactics such as social engineering, pretending to be someone they are not and trying to trick users into either transferring funds to them or divulging confidential information such as usernames and passwords, handing the attacker the victims’ credentials. With this they can look to further exploit a business or system, gathering business documents and company data including names and private contact information. This can include customer data such as credit card or payment information, personal identification information and private contact information.

These types of attacks, if successful, can also lead to ransomware encrypting information on the business’s network and “holding it for ransom”. These attacks can be extremely dangerous and costly if they propagate across a network. The data is encrypted in a way that is often extremely hard to decrypt or work around without paying for the key. Dealing with ransomware groups and providing payment never guarantees that the group will return the data or hand over the key, even after the payment is made.

Now you may be asking what can be done to defend against social engineering, phishing and more complex attacks. The simplest and easiest answer is to educate your employees. Continuous and ever-evolving training can teach end users to look out for the key giveaways of these types of attacks. It is important to have end users who can identify scam or phishing communications as they arrive. Having users understand how to react when receiving one of these emails can save a company in the long run. An educated end user base can act as a strong preventative defense against social engineering-type attacks and give the team who handles such attacks a heads up that these attacks are being launched. This simple idea of continuous and consistent security awareness training can be far cheaper than reacting after an end user has been phished.

Posted by Kyle Rauschelbach

Where To Begin If You Have No Security Training Program

In today’s day and age, many companies are realizing that security training is necessary for all employees. After all, the employees within an organization are the weakest link and are the easiest to exploit when an attacker is looking for confidential information or looking to do damage to a target company. Many companies do not know where to start when discussing security training for their employees. Most end up hiring outside help to assist in this process. But for those companies that cannot afford outside assistance, or that would like to keep this training in house, here are a few tips to get your Security Training Program started.

Provide Basic Security Awareness Training Sessions for Users

Most employees in the workplace are not aware of the threats that we face online every day. Most people will go through their work life clicking on all the links they receive in their inbox or submitting personal information in online forms on multiple occasions. This type of behavior is something we want to stop or limit in the workplace, and the first step to eliminating it is educating your users on what to look out for. There is a plethora of online resources available, such as whitepapers, free online lessons, and various articles across the internet, where you can gain valuable information to pass on to your users. Some organizations may already have an Information Technology or Information Security staff member who has this knowledge and can pass it on to others. Take the time to schedule in-person or virtual meetings where your more knowledgeable staff members or leadership can teach your other staff members valuable tips and tricks and things to look out for online and in their inbox.

Test Your Users with Phishing Simulations

After educating your users, you are going to want to test their knowledge and what they have learned in a real-world scenario. One of the best ways to do this is to create a phishing simulation for all your users. These simulations send emails that mimic the emails they may receive in the workplace from potential attackers and test how they react. Will they open the email and click on a link, potentially giving an attacker access to their systems? Will they see the email, reflect on what they learned and ignore or delete it? These simulations are the best way to see what your employees will do in those tough situations. There are many online providers that offer these tests for free if you sign up on their website. An example is KnowBe4, which provides a free phishing test if you sign up on their website.

Ensure User Training Occurs Consistently

New threats emerge each and every day, and the types of threats that emerge are evolving at a rapid rate. Because of this, it is important that your users receive training on at least an annual basis. This training can be done using your own staff as described in this post, or if after a year you believe you cannot consistently provide this training for your users, you may want to ask outside agencies for assistance. DataSure24 offers Security Awareness Training for all business sizes and provides full management of the service itself via one of our Security Analysts. Learn more about our Security Awareness Training here.

Posted by Connor Karek

Four Proactive Measures to Prepare for a Cybersecurity Incident

Benjamin Franklin once said, “If you fail to plan, then you are planning to fail”. The same is true when it comes to an organization’s data security program. An organization that is well prepared for a security incident, with a robust data security program, will not only reduce the likelihood of suffering a security incident but also significantly reduce the cost of one. Below are four proactive measures your organization can take to prepare for a security incident and reduce your organization’s overall risk.

1. Develop an Incident Response Plan

An Incident Response Plan (“IRP”) will establish the method and procedure for identifying, responding to, and reporting a security incident. An IRP will set forth, in writing, each key stakeholder’s role in responding to an incident and ensure that every stakeholder is on the same page. An IRP should include the following:

2. Test the IRP with Tabletop Exercises

Once an organization’s IRP is established, the organization should test it regularly. This testing can be done through tabletop exercises that simulate a security incident and test the strength of the IRP. Following the tabletop exercise, an organization can adjust its IRP to make it better equipped to respond to a security incident effectively and efficiently. The Ponemon Institute conducts one of the largest research studies on data security breaches every year and produces a yearly report on the cost of a data breach. Last year the Ponemon Institute reviewed over 500 breached organizations and found that the highest cost saver for a business suffering a data breach was incident response preparedness. Specifically, organizations with an Incident Response Team that also regularly tested its IRP saved, on average, $295,267 in incident response costs when suffering a data breach [i]. This cost savings underscores the importance of developing an IRP and regularly testing the plan with tabletop exercises.

3. Employee Training

An organization’s security system is only as strong as its weakest link. That weakest link can be an organization’s employees if they are not trained in security best practices. Employees should be trained in identifying and preventing a security incident through strong passwords and password management, as well as identifying and reporting phishing emails and malicious links. An organization should also train its employees on how to recognize a security incident and report it to the proper stakeholders within the organization. This will help an organization address a security incident efficiently. Employee training should be completed during the onboarding process as well as yearly, so that employees continue to be diligent in their day‑to‑day practices to keep the organization’s systems secure.

4. Vulnerability Scanning and Pen Testing

One of the best ways to reduce the likelihood of a security incident is to regularly test an organization’s systems. This can be done with regular vulnerability scanning and penetration testing. Vulnerability scanning will scan an organization’s systems for security weaknesses and determine the vulnerabilities within those systems. Penetration testing, also known as pen testing, takes a deeper dive into an organization’s systems. Pen testing is where an ethical hacker attempts to gain access to an organization’s systems by exploiting its vulnerabilities. A good analogy: if an organization were a home, vulnerability scanning would check whether the doors were locked, and pen testing would open the door and see whether the doors to the rooms inside the home were locked. It is recommended that an organization conduct vulnerability scanning at least twice a year and pen testing at least once a year. These preventative measures reduce the likelihood of a security incident because an organization can use the results from vulnerability scanning and pen testing to patch weaknesses and make system modifications to further secure its systems. In addition, the Ponemon Institute “Cost of a Data Breach” study found that organizations that conduct vulnerability scans reduce the cost of a data breach by $172,817 [ii]. Therefore, in addition to preventing a security incident, vulnerability scans and pen testing will reduce the costs of a security incident, if and when one should occur.

In sum, take proactive measures to reduce the risk of a cyber security incident, as well as reduce the costs of an incident when it occurs. An Incident Response Plan, employee training, vulnerability scanning, and pen testing are a few proactive measures an organization can take to secure its systems and best prepare for a security incident. If you have questions on how this specifically relates to your organization, Greg Gaglione of Rupp Baase Pfalzgraf Cunningham can help. As is often the case in life, those that are proactive and prepare will perform the best. The same is true for an organization and its data security program.

DISCLAIMER: This article is for general information purposes only. The information in this article does not, and is not intended to, constitute legal advice. Contact a qualified attorney to obtain advice with respect to any specific issue or legal question. Attorney Advertising.

[i] Ponemon Inst., 2020 Cost of a Data Breach Study 42 (2020)
[ii] See id.

Posted by Greg Gaglione

Password Complexity – What Matters the Most?

The number of daily internet users is consistently increasing, which means the number of vulnerable passwords is increasing as well. As a result of users’ increased presence online, malicious attackers are looking to exploit the lack of complexity in user passwords. When creating a new account on a website, streaming service, etc., you often see specific password requirements for length and character complexity (certain length, special characters, capitalization, etc.). While this can sometimes seem overbearing and annoying, it is important to understand that a complex password is often a more secure one.

To best explain how attackers look to exploit passwords, we have created a dice scenario that we will walk through. Through this example, we will look at how the complexity and length of a “secret sequence” can make it harder for a hacker to break into an account. The setup begins by selecting a sequence that we must keep secret; this secret sequence will be our password. For our example, our secret sequence will be “2145”.

Using the dice shown (Image 1), it is impossible for someone rolling each one to come up with our secret sequence. No matter how many times the dice are rolled, there are simply not enough dice to match our sequence (there are 4 numbers in our secret sequence, therefore an attacker would need 4 dice to guess it). If our numbers were more limited, even by one die, an attacker would be able to guess our secret sequence with ease.

In scenario 2 (Image 2), we have added 2 new dice. Using the same secret sequence, “2145”, the number of dice now meets the length requirement to guess our secret sequence, but the highest number on the dice is only 4. So again, no matter how many times a person rolls this set of dice, they will never be able to guess our secret sequence.

In scenario 3 (Image 3), we have increased the total number of dice to five and the number of sides on each die to six. This combination finally gives a person the chance to guess our secret sequence. With five six-sided dice, someone rolling the dice at random would eventually be able to guess our secret sequence of “2145”. If you wanted to add more security to your number sequence, you would increase the length of the overall sequence and use more numbers than just 1-6. By making these easy and simple changes, you would increase the difficulty of guessing the secret sequence immensely.

Now let’s take this example and apply it to passwords. Hackers regularly perform an attack known as a “brute force”, where they attempt to guess account passwords. Hackers can use computer programs to automate this attack so they can try thousands of passwords in just seconds. These brute force attacks can be carried out by having the program guess random characters and numbers in a sequence until it obtains access to the account. Hackers frequently use a brute force method known as a “dictionary attack”. This type of attack uses common words that one would find in a dictionary to guess an account’s password. Hackers will include numbers and special characters with these words, so the chances of them guessing your password are increased.

So, how exactly does one protect themselves from a hacker guessing their password or obtaining the password from a brute force attack? Just like in our example, we can increase the complexity of our passwords. By making simple changes to increase the complexity of your account passwords, such as using longer passwords with more complexity in the characters (i.e. special characters, numbers, and a mixture of lower case and capitalized letters), you can reduce the risk of your account’s password being guessed by a hacker. This will protect your personal, business, or sensitive information from being stolen by hackers.

Posted by Kyle Rauschelbach with additional contributors Mike Harber, Brendan Kenney & Max Winterburn
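The dice walkthrough above is really an argument about the size of the space an attacker has to search. The script below is an added example written for this page, not code from the post or from DataSure24: it encodes the three dice scenarios as a reachability check, computes the search space, entropy and expected guessing time for a sequence, and then carries the same arithmetic over to passwords. It goes one step beyond the post by quantifying the dictionary attack it mentions: a "common word plus a digit and a symbol" password satisfies a typical complexity rule yet lives in a far smaller space than a random password of the same length. The dice counts for scenarios 1 and 2 (the post's images are not reproduced), the guess rate of 1,000 per second, the 100,000-word dictionary and the sample passwords are all constructed assumptions.

```python
"""
Added example, not part of the original post: the dice scenarios turned into the
search-space arithmetic behind them, then applied to password policies.
Dice counts for scenarios 1 and 2 are assumed; the guess rate, dictionary size
and sample passwords are constructed illustrative values.
"""
import math

SECRET = "2145"  # the post's secret sequence


def can_roll_sequence(secret: str, n_dice: int, sides: int) -> bool:
    """True if n_dice dice, each showing faces 1..sides, can ever produce `secret`.

    Scenario 1 fails the length check (too few dice); scenario 2 fails the face
    check (a '5' cannot appear on a four-sided die); scenario 3 passes both.
    """
    if n_dice < len(secret):
        return False
    return all(ch.isdigit() and 1 <= int(ch) <= sides for ch in secret)


def search_space(length: int, symbols: int) -> int:
    """Number of distinct sequences of `length` positions over `symbols` values."""
    return symbols ** length


def entropy_bits(length: int, symbols: int) -> float:
    """log2 of the search space: every extra position or symbol adds bits."""
    return length * math.log2(symbols)


def expected_guesses(length: int, symbols: int) -> float:
    """A guesser trying values at random needs about half the space on average."""
    return search_space(length, symbols) / 2


def expected_seconds(length: int, symbols: int, guesses_per_second: float) -> float:
    return expected_guesses(length, symbols) / guesses_per_second


def dictionary_pattern_space(words: int, digit_suffix_len: int, symbols: int) -> int:
    """Size of the space a dictionary attack actually searches when a password is a
    common word followed by a few digits and one special character. The word's
    length is irrelevant: the attacker enumerates words, not characters."""
    return words * (10 ** digit_suffix_len) * symbols


def meets_policy(password: str, min_length: int = 8) -> bool:
    """Typical signup-form rule: minimum length plus lower, upper, digit and symbol."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_length and all(classes)


def report(guesses_per_second: float = 1_000.0) -> dict:
    """Collect the numbers the post argues from: the three dice scenarios and two
    password shapes that both satisfy `meets_policy` but differ hugely in strength."""
    return {
        "scenario1_reachable": can_roll_sequence(SECRET, 2, 6),  # assumed: 2 six-sided dice
        "scenario2_reachable": can_roll_sequence(SECRET, 4, 4),  # assumed: 4 four-sided dice
        "scenario3_reachable": can_roll_sequence(SECRET, 5, 6),  # post: 5 six-sided dice
        "dice_space": search_space(len(SECRET), 6),
        "dice_seconds": expected_seconds(len(SECRET), 6, guesses_per_second),
        # "Password1!" passes the policy but is word + digit + symbol, so it sits in
        # the dictionary-attack space (100k words, 1 digit, 32 symbols: constructed).
        "policy_ok_word_based": meets_policy("Password1!"),
        "word_based_bits": math.log2(dictionary_pattern_space(100_000, 1, 32)),
        # A random 10-character password over the 94 printable ASCII symbols.
        "policy_ok_random": meets_policy("k7#Qz!2pLm"),  # constructed sample
        "random_bits": entropy_bits(10, 94),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:22s} {value}")
```

Running it shows the first two scenarios as unreachable, the third as reachable with a space of 1296 sequences (about 0.65 seconds at the assumed rate), and roughly 25 bits for the word-based password against roughly 66 bits for the random one, even though both pass the same complexity rule. That gap is the practical reason length and unpredictability matter more than ticking the character-class boxes.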

Who Let the Hacker in the Front Door?

These days, it’s not enough to just have a well-secured system and network protecting your business. Equally as important, you need to ensure that your employees are not letting the bad guys in through your front door. It has been well documented by law enforcement agencies and many security professionals that over 90% of all ransomware attacks can be attributed to actions taken by an employee. This is not to say they are willing accomplices or that their acts were intentional. Simply clicking on a malicious email link, falling prey to a doctored-up email, or visiting an unfamiliar website can cause significant disruption and potentially jeopardize your business.

Some recent trends you may not be aware of: (KnowBe4)

Over the years, DataSure24 has worked on several incident response events where an attack was initiated almost immediately after an employee “clicked” on something they should not have. In each event, there was no Cybersecurity Incident Response plan in place, and the time to recovery was significantly impacted. Other attacks vary: the bad guys embed themselves in your network and lie undetected for many months, learning how to inflict the most pain on your organization and to ensure their ransom will be paid, or your data will be removed. Some best practices that would improve your cybersecurity posture are: implementing a 24/7 Managed Detection and Response service, an ongoing Vulnerability Management program, and performing regular security assessments. One of the top seven things you can do in building a solid defense in depth strategy to protect yourself from a cyber-attack is developing a Security Awareness Training (SAT) program.

Keys to a Successful Security Awareness Training Program:

To ensure your Security Awareness Training program’s success, it is recommended that you have early buy-in from senior management, including active participation. Additionally, having someone with either a Security or Training background (both would be a plus) within your organization to manage the program, or contracting with an outside firm, will help to ensure success. Not only do I believe strongly in the benefits of a good Security Awareness Program, but several prominent compliance organizations believe this as well. Many organizations have to comply with various compliance acts to increase protection and avoid violations and fees, as listed below:

Implementing a Security Awareness Training Program for your employees is extremely important in order to reduce your exposure to potential threats. The DataSure24 team can assess your employees’ current cybersecurity awareness and develop a training solution that fits your organization and its culture. For more information, visit our Security Awareness Training page.

Posted by Peter Ronca