Mayra Cortes


Endpoint Security Best Practices

The proliferation of end-user devices and cloud systems in recent years has given rise to an increased volume and sophistication of cyber threats. Attackers with malicious intent have developed new ways of infiltrating the data systems of all types of businesses and organizations.

In the 21st century, data is the most valuable asset of all companies and must be protected at all times. For this reason, many organizations are adopting endpoint cybersecurity services. Endpoint protection practices secure critical systems, intellectual property, customer data, employees, and guests of businesses. The following are the best practices for endpoint security.

Best Practices for Endpoint Security

  • Ensure Absolute Visibility of the Entire Network
  • Regular System Updates
  • Educate Employees
  • Enforce Least Privilege Access
  • Deploy SIEM solutions

Infographic: Endpoint Security Best Practices

Now let’s discuss them one by one:

Ensure Absolute Visibility of the Entire Network: It is vital to establish complete visibility of the entire network, especially the traffic to and from endpoints. Businesses should not only know what is traversing through their systems but also what it is doing. Fortunately, with real-time and historical data, they’ll have a clearer picture of their devices’ behaviours.

Regular System Updates: With more devices and applications on today’s networks and an ever-growing list of threats, patch management has become even more critical. You must establish a regular period to push updates to user workstations to protect against the vulnerabilities within your systems and thwart attacks.

Educate Employees: Employees are regularly targeted by cybercriminals who try to trick them into performing harmful actions or divulging critical organizational information. The only way to stop this is by teaching every employee who has access to computers and the internet basic security practices, such as changing passwords regularly and locking their computers when they leave their desks. It is also crucial to teach them how to recognize the signs of email and phone phishing scams.

Enforce Least Privilege Access: The least privilege approach involves restricting the access of every user and endpoint to only the minimum information and resources required to carry out its designated function. If a user tries to access something that the organization’s policy does not allow, the system immediately alerts the appropriate staff. If elevated rights are genuinely required, the user must pass Multi-Factor Authentication to obtain them. Ensure that every such event is logged correctly and reviewed promptly and periodically, so that the rules governing administrative rights can be monitored, improved, and kept accurate and applicable.

Deploy SIEM solutions: It is often challenging for companies to keep track of and manage hundreds or even thousands of endpoint devices while also anticipating the risks that might occur, so a centralized system is needed. With a SIEM solution, companies can centralize logs and documentation for monitoring and compliance purposes and anticipate security events by identifying vulnerabilities, calculating risk based on the likelihood of an event, and automating security responses.

Endpoint Security Risks

Phishing Attacks: Phishing attacks aim at gaining access to a company’s records and stealing vital customer data and information that can be used for blackmail purposes or published through the media to damage their reputation. The public image of the company can also be damaged and the customer base may decline as consumers tend to avoid products or services that seem incapable of protecting their sensitive information.

Malvertising: Malvertising affects a company’s website by introducing malware and malicious software that disrupts users’ visits to the website or redirects them to other sites where other attacks await. This endpoint threat can also reduce the productivity of employees, who have to deal with intrusive advertisements or redirections as they work. If not detected and solved, malvertising can cause the company substantial financial losses.

Unpatched Vulnerabilities: One leading cause of breaches is system vulnerabilities that are left unattended and unpatched for long periods. Through this window of neglect, attackers can access sensitive company data and sell it on the dark web, or carry out other malicious activity that might cost the company its reputation and, in some cases, lead to its closure.

Data Loss and Theft: Between 2015 and 2019, the number of U.S. companies that experienced a data breach doubled, and the numbers will likely keep rising in the coming years. Ransomware demands, increased regulatory fees, investigation costs, and reputational damage are some of the devastating effects data loss and theft can have on a company.


In conclusion, considering the numerous negative impacts of cyber attacks on organizations, both small and large scale businesses need to embrace endpoint security and implement the practices outlined above. Also, remember that endpoint security requires consistent improvements to fight the risks mentioned above. Threats will keep evolving using advancements in technology, and your company must be up to speed with the most recent innovations and security systems to adequately combat the latest attacks with the best patches and solutions.


The VoIP (Voice over Internet Protocol) Benefits

What is VoIP (Voice over Internet Protocol)?

VoIP – Voice over Internet Protocol – allows users to make and receive calls over Local Area Networks (LANs) or the internet. Although VoIP has been around since the 1970s, it has soared in popularity in recent years due to the many advantages it offers over the traditional phone system.

Here are some of the top VoIP benefits everyone should know.

  • Lower Cost
  • Simplified Conferencing
  • Worldwide Access
  • Clear Voice Quality
  • Security
  • Scalability
  • Extensive Additional Features

Now let’s discuss these advantages in detail:

Lower costs:

A significant benefit of VoIP service for businesses is that it can save your business money. The initial setup and ongoing costs of operating a VoIP system are far lower than those of operating a landline phone system (POTS). On average, a traditional phone system costs around $50 per line each month, and this figure usually covers only local and domestic calls.

In contrast, a VoIP system is available for around $20, significantly cutting costs on domestic and international calls. It also helps eliminate other expenses such as up-front hardware purchases, repairs, and maintenance.

Simplified conferencing:

Another area in which VoIP beats traditional phone systems is conferencing. A traditional phone system can, of course, support conference calls, but hidden fees may apply. VoIP eliminates such fees by including conference calls in the service you have already paid for.

What’s more, it also improves video conferencing as you can transfer files while you participate in online presentations or meetings.

Worldwide access:

As the world continues to adjust to working from home, VoIP can help your employees work remotely from anywhere in the world. With merely an average-speed data connection, your team can make and receive phone calls and stay productive regardless of location.

And if an employee is temporarily unable to take calls for any reason, calls can be forwarded to a mobile phone or to another person, or voicemail can be delivered by email. Less frequently mentioned VoIP benefits connected to this advantage are lower utility costs and smaller office space requirements.

Clearer voice quality:

One of the concerns of many business owners is the quality of calls using VoIP service. These concerns are not unfounded as poor call quality was one of the major disadvantages of VoIP as calls either ended abruptly for no reason or there was some level of distortion.

However, these issues no longer exist now that fast and stable internet connections are the norm. Additionally, VoIP telephone systems offer HD voice, which makes it nearly impossible for the person you are calling to tell whether you’re using VoIP or a traditional landline.

Extensive additional features:

VoIP offers a range of beneficial features suitable for both small and big businesses. For small businesses, tools like auto-attendant and call transferring make it possible to project the image of a larger company.

In a similar vein, it can also help large businesses appear approachable since phone numbers with different area codes can be allotted to a company so that their customers can perceive them as local. Other notable features include call forwarding, call waiting, voicemail, caller ID, and many more you might expect.


Security:

One of the key benefits of VoIP is that it is very secure thanks to standardized encryption protocols, which make it impossible for a third party to intercept calls (provided the service is actually configured to use them) – a feature that is non-existent on the traditional phone system.


Scalability:

When it comes to any kind of technology, most businesses are concerned about the possibility of scaling up or down. With VoIP, you can scale your phone system in accordance with the needs of your business while remaining productive and keeping costs down.

The reason is obvious: you don’t need to make a budget for any hardware as you only pay for what you need. You can either add a new line or eliminate some lines instantly without worrying that the decision will take its toll on your business.


Conclusion: The advantages of VoIP in the modern business world are enormous and this is why many small and large businesses are now migrating from a conventional telephone system. If you are ready to explore VoIP benefits for your business, then your best option is to contact Cynexlink. Cynexlink provides all the features expected of a modern-day phone system for your business.



Best Practices To Choose Managed IT Service Provider

Need For Managed IT Services?

Businesses need advanced technologies to meet the expectation of their customers as well as manage their operations.

But the problem is that they lack the extensive budget or IT staff needed to keep pace with ever-changing applications.

Luckily, as technology expects more from small businesses, there are also great solutions available to meet their needs. 

And an MSP or managed services provider is one of them. Their key role is to manage and assume responsibility for providing a defined set of services to such businesses. This way, they play the role of an IT department or IT staff for them. 

However, it is not easy to choose the right one for your business.

The MSP landscape is dotted with many providers, making it challenging to choose an efficient one. Some might have limited services while some might charge you even for the services you don’t use. The last thing to worry about is their customer support. 

That’s why it is important to ponder over these practices when choosing a managed IT service provider.

Here are some managed IT services best practices for choosing an efficient MSP:

1. Do their Services Fit Your Requirements?

First of all, assess the equipment and systems you have in place, and then ask: where do we need improvement? Where do we have inefficiencies? Where are we exposed to risk?

There are many solutions to choose from, and it is challenging to figure out the right fit when you have no idea where to start.

Many MSPs provide an auditing service to help you know your existing situation and identify potential threats. 

The point here is to assess your assets, your requirements, and what the MSP has to offer you. This is an important step, and one you should also discuss with your consultants.

2. What about Their Track Records and Past Performances?

This is also a critical factor to consider when choosing an MSP.

Examining their past and existing clients in similar businesses as yours gives you an idea of their quality. 

What do you find in their testimonials and reviews? Do they have a list of past projects and clients? Do they provide a list of references who you can contact? 

This homework will let you determine if they are right for you. After all, not all managed IT service providers are the same. Some might be more focused on accounting and not healthcare. Others may be affordable but have a small or inexperienced team. 

3. Do They Hold Expertise in Your Systems? 

Most managed IT service providers promise to offer a complete range of services. However, it is important to check their level of expertise with the applications you have. Are they an Amazon Web Services certified partner, for example, and what other certifications and qualifications do they hold?

Also, take note of the personnel working at the MSP. After analyzing the expertise of each employee, review the strengths and weaknesses of the provider.

Don’t hesitate to ask questions if you want to know more about it. After all, a managed service provider company is as efficient as its staff. 

4. How efficient is their Customer Support?

A good managed IT support provider responds quickly to problems. Make sure that they don’t simply forward queries to a call centre.

Instead, they should respond on time. Check their guaranteed response time. Also, check how they handle after-hours support. Can they handle emergency issues 24/7/365?

5. Are They Serious about Security? 

Security has become one of the top business priorities, thanks to ever-increasing cyber incidents. Work with an MSP that can also offer effective security plans. With consolidated IT security, you can make sure that all your data is safe and secure. An efficient MSP ensures this by protecting all your endpoints.

6. Can They Grow With You?

Business growth is one of the key factors when choosing an MSP. Your business demands today may differ from what you will need in the coming months. Therefore, choose a service provider that understands your dynamic business needs.

An efficient managed service provider delivers scalable services, meaning that you can increase or decrease your MSP services according to your growth.

7. How Long is Their Experience?

Experience also matters in this industry. Experienced service providers understand who needs what and how to deliver it. This is important because not all businesses are the same; every company has its own way of conducting its operations. Working with such a managed service provider ensures that they can meet your unique IT systems requirements.


Managed IT Services Best Practices

Bottom Line:

So these are some key factors to consider while choosing a managed IT service provider. You need to go the extra mile to choose the right one. After all, IT operations are the lifeline of your business.

You need an efficient outsourcing partner if you don’t have a big team and sophisticated resources as well. But not all MSPs are the same, and you should look for the one that can understand your business. What do you think? Let us know by commenting below! 


Single Sign-On (SSO): Pros & Cons

Introduction to Single Sign-on:


MyFitnessPal had 151 million usernames and passwords stolen. For a third-party Facebook app, it was 540 million.

And First American Financial Corp., the largest real estate title insurance company in the U.S., exposed transaction records of 885 million individuals.

These were just a few of the largest data breaches from last year alone!

What if your organization could avoid such headaches altogether? What if your business managed all of its user logins through a leading SSO system or a customized solution?

Who is going to take the time to hack your website when none of your user details is accessible once they get inside?

Welcome to Single Sign-On (SSO). If you’re using it, you know its power and benefits. If you have only heard of SSO but haven’t enabled it, the following information is for you.

Authentication Without SSO

Without SSO, each website or application maintains its own database of usernames and passwords. When a person logs in, the following things happen:

The service checks whether you have already been authenticated. If so, access to the site is granted.

If no authentication is discovered, the visitor is prompted to log in; the service then checks those credentials vs. what is on file in its own repository.

Once the user has logged in, the service ensures the identity verification info travels with the user as he or she navigates the system, meaning that the same user is effectively re-verified each time a new page within the application is visited.

Such authentication info travels with the user either in the form of cookies with session data or as tokens, which do not track that specific visit and are therefore faster to process.

The SSO Comparison

By contrast to the scenario outlined above, SSO authentication relies on a trust relationship between different web services. Ever been asked to quickly register for a new website with the Google or Facebook account credentials you’re already logged in with? Bingo.

In that instance, the service allowing you to sign in with another solution’s credentials is simply verifying your identity through the use of single sign-on. Facebook says you are who you say you are? Good enough for us – come on in!

If the new domain can’t determine you have been authenticated by another website – again, thanks to SSO – you will be sent to the login page for the appropriate SSO service, where you enter the credentials that will provide you access.

Just like in the example above, SSO allows authentication data to move with you throughout the new domain, continually verifying your identity with each new page you visit.

Best of all, SSO authentication data runs as tokens, not cookies, which is good for speed and performance.

Moving forward, SSO continues to authenticate with a solution such as Active Directory, allowing you to visit new domains tied to that single sign-on provider. Because the next website also verifies your credentials with SSO, you pass through the next website without having to login yet again. Good stuff.

SSO Under the Hood

Let’s now dig even deeper into how SSO functions. As we have already learned, when a visitor logs into a new domain, that website or application provider will validate the user on its own. That process goes like this:

  1. As a visitor, you land on a page within, let’s say, which tries to authenticate your login status. If yes, off you go to the desired destination—your Yahoo email inbox, for example.
  2. If you’re not already logged in, it’s time to plug in your user/password combo on the login page.
  3. You fill in your credentials, runs those credentials against the data in its own tables. Depending on what it finds, the service either lifts the velvet rope or the bouncer says you can’t come in.
  4. If you can log in, will its method of tracking your visit. This could originate on the server or it might attach to you as a token.

Again, however you decide to navigate that site or service, that domain keeps checking to ensure that your credentials are valid.

That same process when powered by SSO, however, would go like this:

  1. As a visitor, you land on a page within, let’s say, which tries to authenticate your login status. If yes, off you go to the desired destination—your Yahoo email inbox, for example.
  2. Not logged in yet? No problem! That new site,, then gives you choices for authentication through another app (Google, Amazon, Facebook, etc.). Click your favorite service and log into the new web app with those pre-existing credentials (let’s say Facebook in this case).
  3. As far as authentication, Facebook does the authentication for that new website. Once Facebook says you are who you claim to be – and checks to ensure that is legitimate – both sites agree you’re ready to roll. The Facebook password database issues a token that becomes your passport to and through
  4. By accepting that token from Facebook, verifies the user’s identity with more ease and confidence. Further, it can now associate the visitor with all other data that’s known about that person, things like preferences, history, shopping cart, etc.
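To make the two flows concrete, here is a small added example (not code from the original post or from Cynexlink) of the SSO variant: one identity provider holds the passwords and issues a signed token, and the relying sites keep no password table and only check the token's signature, audience and expiry. The user, service names and the shared HMAC key are constructed for the demo; a real provider would sign with a private key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret between the identity provider and the services that
# trust it. A real provider would sign with a private key so relying services
# hold only the public key; a shared HMAC key keeps this example short.
IDP_SECRET = b"constructed-demo-idp-secret"
TOKEN_TTL = 300  # seconds a token stays valid


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place that holds passwords (the 'Facebook' of the walkthrough)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._users = {}  # username -> (salt, PBKDF2 hash); no plaintext stored

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def authenticate(self, username: str, password: str, audience: str, now=None):
        """Check the password once; on success issue a signed token scoped to
        one relying service (the audience). Returns None on failure."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        now = time.time() if now is None else now
        claims = {"sub": username, "aud": audience, "iat": now, "exp": now + TOKEN_TTL}
        body = b64url(json.dumps(claims, sort_keys=True).encode())
        sig = b64url(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class RelyingService:
    """A web app with no password table of its own; it trusts the provider."""

    def __init__(self, name: str, idp_secret: bytes):
        self.name = name
        self._secret = idp_secret

    def admit(self, token: str, now=None):
        """Return the username the token vouches for, or None if the token is
        malformed, forged, issued for another site, or expired."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(unb64url(sig), expected):
                return None  # signature does not match: forged or tampered
            claims = json.loads(unb64url(body))
        except ValueError:
            return None  # bad encoding or JSON
        now = time.time() if now is None else now
        if claims.get("aud") != self.name:
            return None  # passport was issued for a different site
        if claims.get("exp", 0) <= now:
            return None  # stale token: the user must authenticate again
        return claims.get("sub")


if __name__ == "__main__":
    idp = IdentityProvider(IDP_SECRET)
    idp.register("alice", "correct horse battery staple")  # constructed user
    mail = RelyingService("mail.example", IDP_SECRET)
    token = idp.authenticate("alice", "correct horse battery staple", "mail.example")
    print("mail.example admits:", mail.admit(token))
```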

Now let’s discuss the Single Sign-on Pros and Cons

Single Sign-On (SSO) Pros

For organizations of all kinds, Single Sign-on has many advantages. Among them:

  • It cuts down on password fatigue

    Remembering just one password makes the lives of users or employees so much simpler. In truth, when challenged to use different passwords for different services, most people do not; the vast majority actually use the same password across multiple sites, creating an even bigger risk.

    And as a side benefit, the use of SSO usually results in unusually strong passwords, since users only have to remember one.

  • It streamlines the management of employee credentials

    When employees turn over, the use of SSO reduces both IT effort and the chances of mistakes. In one shot, departing users lose their login privileges across the entire organization.

  • Single Sign-on enhances identity protection

    With SSO, organizations strengthen identity security within their teams through the use of multifactor authentication (MFA).

  • It boosts speed where it counts the most

    In highly regulated industries like healthcare, defence and finance, or large organizations in which many people and departments demand rapid and unfettered access to the same applications, SSO can be extremely helpful.

    It is in environments precisely like these where malware brought on by compromised credentials can literally mean the difference between life and death.

  • SSO relieves stress on helpdesks

    With far fewer employees calling in with password issues, IT teams can focus on critical work that saves the most time and money while also elevating security overall.

  • It reduces 3rd-party security risks.

    Connections between vendors, partners and customers present another threat surface, one which SSO can greatly diminish.

SSO Cons

Despite all the benefits listed above, companies do need to keep in mind possible drawbacks when considering an SSO implementation:

  • Very strong passwords must be demanded and adhered to. If one set of SSO credentials is exposed, it can lead to a cascade of breaches under that user’s umbrella.
  • If SSO goes down, access to all connected services halts. Here is one important reason to exercise great care in choosing an SSO solution. It must be extremely reliable, and plans should be crafted for immediately dealing with any cracks which might present themselves.
  • If your identity provider goes down, so does Single Sign-on. Because your ID vendor’s vulnerability becomes your vulnerability, too, choosing the right set of vendors is of the utmost importance.
  • If your identity provider gets breached, all linked systems could be open to attack. This is where advance planning is so important. A possible single point of failure like this needs to be considered, avoided if possible, and a response plan should be created in advance. If the right identity provider with top-flight security practices is chosen in the first place, such planning should never have to be tested. Still, it is best to think through all possible vulnerabilities ahead of time.
  • An investment of time is required for proper SSO architecture and setup. Because each environment is different, wrinkles can develop in even the most well-thought-out plans. Pause, document, compare against best practices, and structure the new system accordingly.
  • SSO is not the ideal solution for multi-user computers. If your team makes a habit of hot-desking, it can be both frustrating and unsafe for users to be constantly toggling on and off with one another.
  • Reduced sign-on (RSO) may be needed in some environments, leading to a greater cost. If a company needs to accommodate users with different levels of access, additional authentication servers may be required.
  • SSO based on social media credentials may not fit. If an employer blocks social media sites, or a government censors them, the problem here becomes clear.
  • Some SSO-linked sites actually share data with third-party entities. Understanding who’s who in this regard requires thorough homework – or the rock-solid advice of a trusted IT professional.

Providers aplenty

The field of leading providers is large and potentially overwhelming, and includes some names you may already know:

  • Okta
  • Citrix Workspace
  • Duo Security
  • OneLogin
  • LastPass
  • Keeper Password Manager
  • JumpCloud
  • Auth0

…to name just a few.

Cynexlink Can Help

There is no reason for any organization to create its own system or to develop deep SSO expertise. Cynexlink’s team understands available offerings and can help identify the best choices for your company. Contact us to learn more!


Stay Safe with a Network Penetration Testing Checklist

Are you thinking about exploring what vulnerabilities exist within your network or applications?

You need what is known as a pen test. For a complete background, in this article, we provide a fundamental network penetration testing checklist for organizations to keep in mind.

We are going to look at a 5-step network penetration testing checklist that can be used to ensure your efforts deliver results.

Before we get into the details, here are 3 reasons why organizations should perform a network penetration test in the first place:

  • Network penetration testing will enable you to identify the security vulnerabilities and flaws that are currently present in your system.
  • After a thorough penetration test, you should be able to understand the level of security risk that your organization or business entity is running.
  • The reports from the network penetration tester will help you formulate a proper plan to fix and remedy the flaws that are discovered. At Cynexlink, we employ certified ethical hackers who act as though they are malicious actors, uncovering the vulnerabilities before the bad guys do!

Also, some companies face regulatory requirements for conducting penetration tests (CMMC, SOC2, HIPAA, etc.).

Along with this network penetration testing checklist, we will also mention several network pen testing tools that help ethical hackers perform each task.

Now for the network penetration testing steps (checklist):

Step 1: Information Gathering

The goal of the first step in this network penetration testing checklist is to gather as much information about your target network as possible.

It should be information that can potentially be used to exploit vulnerabilities.

With initially only IP addresses or URLs to work with, this is the point where technicians use a tool like Nmap to enumerate the DNS records for those addresses.

Nmap is an information-gathering tool that will get you the DNS records of an IP address, such as A, MX, NS, SRV, PTR, SOA, and CNAME records.

With these tools, we can detect all the hosts on the network, what services they are providing, and the server software and versions they are running.

Because certain server software versions have known vulnerabilities, we’ll need this information in step 2 of this network penetration testing checklist.

Another very important piece of information needed before formulating an attack model is which ports are open.

Again using Nmap, we can discover and list all open ports across the entire network.

Open ports are the most commonly used openings for malicious hackers to gain unauthorized or backdoor access into a network and to install malicious scripts.

Step 2: Threat modeling

After collecting all the information we can about the target network, it’s time to use this information for something more active.

Step 2 of this network penetration testing checklist involves using this information to run tests on the target system, scouting for obvious vulnerabilities.

At this point, we are simply trying to list all the vulnerabilities present on the network, without necessarily moving on to attack them to see whether they are exploitable.

Note also that while you can use automated tests to scan for network system vulnerabilities, a more thorough process runs manual tests with live technicians, as well.

At this point, a network penetration test tool like the Metasploit framework is used to gain critical information about security vulnerabilities on a target system. It generally finds the loopholes and security flaws on a target with a very low percentage of false positives.

A vulnerability scanner like Nessus is also great for finding software bugs and possible ways to violate software security.

With the information on operating systems and versions, you can use Nmap to then find known vulnerabilities for potential exploits on the target.

With information on all the possible vulnerabilities, let’s move to step 3 of this network pen testing methodology.

Step 3: Vulnerability Analysis

First, keep in mind that not all vulnerabilities are worth trying to exploit.

The vulnerability assessment tools used in step 2 of this network penetration test checklist exported some reports; it’s now time to look into these reports and categorize the security flaws with their level of severity.

It is by using such reporting that we’re able to formulate an attack plan to exploit the real-world attack vectors.

The vulnerability analysis step aims to identify suitable targets for an exploit so we don’t waste time performing unnecessary tasks.

It is at this point that we can also draw a network diagram to help you understand the logical network connection path. We also prepare proxies to use in step 4 to keep ourselves anonymous: testing the recognition and response to an attack is part of the pen testing process. Does the IT team of the targeted organization know if a hacker has gained access to their network? We’ll find out.

Having noted the attractive targets for exploitation at this point, it is time to determine the most appropriate attack vectors for the vulnerabilities identified.

Step 4: Exploitation

Exploitation means probing the network’s vulnerabilities to ascertain whether they are exploitable. This is the most important step because it allows us to show clients which flaws they need to fix most urgently.

The tools we often use at this point for exploitation include Metasploit, Burp Suite, and Wireshark.

Depending on the project scope, we will also use password cracking tools like Aircrack or Cain & Abel to explore the strength of network passphrases.

This network penetration test stage might also involve other heavy manual testing tasks that are often very time-intensive. Such vulnerability exploitation may involve SQL injection, password cracking, buffer overflows, and OS command injection, among others.

Even social engineering might be employed at this stage, again depending on the project scope.

Here’s the bottom line about step 4: because this phase depends on savvy probing by a live pen tester, hiring the most experienced technicians is vital.

Step 5: Reporting

The delivery and reporting phase of network penetration testing is very important.

A good network penetration test report should not only give an overview of the entire penetration testing process, but it must also include the most critical network vulnerabilities that need to be addressed – in order of urgency.

Good reports will also include a summary of the vulnerability statistics together with screenshots of exploit attempts, and a well-written pen testing report will outline a clear plan for fixing all vulnerabilities that were discovered.

Which is, of course, the point of network penetration testing in the first place.


It is always important to follow a proper network penetration testing methodology.

With this checklist, organizations should now understand how a properly trained technician will formulate a large-scale attack on a network without missing any gaps.

While there is no one-size-fits-all checklist for performing network penetration testing, the steps above should provide a good foundation for almost any organization that has been looking for a network penetration testing tutorial.


How to Get CMMC Certification: Everything You Need to Know About CMMC

The Cybersecurity Maturity Model Certification, or CMMC Certification, is the next step in the Department of Defense’s (DoD) efforts to properly secure the Defense Industrial Base (DIB).

The loss of controlled unclassified information (CUI) from the Defense Industrial Base, or DIB (America’s defense contractors), increases the risk to national security. To reduce this risk, the Department of Defense (DoD) has finally created both rules and an auditing mechanism that will ensure the DIB practices good cybersecurity hygiene.

In the past, defense contractors could merely attest to their cybersecurity practices, such as those outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, but that is all about to change.

Starting later this year, aerospace and defense manufacturers will have to prove their cybersecurity practices are strong to bid on future DoD contracts.

What is CMMC and why is it Being Created?

CMMC stands for Cybersecurity Maturity Model Certification. The CMMC will encompass five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract awards.

DoD is planning to migrate to the new CMMC framework to assess and enhance the cybersecurity posture of the DIB. The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as to protect CUI that resides on the Department’s industry partners’ networks.

More about CUI

We refer frequently to controlled unclassified information but what is it, exactly?

CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding.

CUI is information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at and includes organizational index groupings ranging from defense to taxes to natural resources. Contractors who are interested in learning more can find online training to better understand CUI at the following page on the National Archives’ website:

When Does CMMC Take Effect?

Members of the DIB who are still asking this question are frankly behind the curve.

The DoD released CMMC Model version 1.0 to the public on January 31, 2020, and has already issued a revision dated March 18th to correct administrative errors identified in the initial release. The itemized list of corrected errata, as well as a more accessible version of the model (i.e. tabular format in Excel), are provided with the release of CMMC Model v1.02.

The Department has made no substantive or critical changes to the model relative to v1.0. Subsequent updates can be found on this defense department website:

Now, this does not mean that defense contractors today must already be CMMC certified, but it does mean they should start preparing, because CMMC certification will start appearing as a requirement in some DoD contracts later this year.

Currently, a new non-profit called the CMMC AB is training auditors, finalizing exams and creating processes for how contractors will become certified. Because CMMC levels 1-3 are composed of requirements under NIST 800-171, however, there is great clarity regarding what DIB members should prepare for.

Comparing CMMC and NIST

What is the relationship between NIST SP 800-171 rev.1 and CMMC?

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense” and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

Unlike NIST SP 800-171, however, the CMMC model possesses five levels. Each level consists of practices and processes as well as those specified in lower levels, with levels 4 and 5 being reserved for the small percentage of DIB member companies that deal with the most sensitive systems, information and assets.

In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.

Questions Regarding the Certification Process

So how does an organization become certified?

As mentioned above, the CMMC Accreditation Body (AB), a non-profit, independent organization, is starting to train and accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.

The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.

What will certification cost – and what if it is too expensive for my company?

The CMMC assessment costs will depend upon several factors, including the CMMC level, the complexity of the DIB company’s network, and other market forces. That said, the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. And keep in mind that for contracts that require CMMC, you will be disqualified from participating if your organization is not certified. Consult with your tax advisor regarding cost reimbursement.

Can my company self-assess?

No – that is the point of this new regime. No longer will defense contractors merely be able to claim their cybersecurity practices were sound – and from what we have seen, they generally were not. Going forward, CMMC certification will be granted only by auditors who have been trained and certified by the CMMC AB.

Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.

However, contractors are strongly encouraged to complete a self-assessment before scheduling their CMMC assessment – that’s the audit preparation process we here at Cynexlink can help with.

Who sees the results of CMMC audits and how often do we need to be re-assessed?

The results of a CMMC assessment will not be made public. The only information that will be publicly available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.

In general, a CMMC certificate will be valid for 3 years.

CMMC Levels and Bidding

How will companies know what CMMC level is required for a contract?

The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). A CMMC-certified contractor may bid on contracts that require their certification level or below.

For instance, a company certified to CMMC level 3 can bid on contracts that require certifications at levels 1, 2 or 3 but cannot bid on an RFP requiring level 4.

As a general guideline for preparing now, NIST 800-171 is substantially equivalent to CMMC level 3. Companies that already practice cybersecurity hygiene up to NIST 800-171 can, therefore, feel confident in being able to reach CMMC level 3 certification.

CMMC Exemptions

Does an organization that does not handle CUI have to be certified, anyway?

If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.

Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

It should be noted that all of these rules apply both to contractors AND subcontractors.

So long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowing down from your prime contractor.

How to get certified?

Okay, I understand my company needs to become CMMC certified. What does that process look like?

The reason defense contractors should begin preparing now is that becoming CMMC certified can take 3 or 4 months, depending on which level they need to meet and the current state of their cybersecurity practices. In general, however, contractors can think of the process in three phases:

Phase 1 – Assessment and Gap Analysis

First, a company must determine which of the 5 CMMC levels it intends to meet, then conduct a gap analysis – where does our cybersecurity hygiene stand today versus where it needs to get to? From there, a roadmap can be created. Contact us if your company needs help in conducting this gap assessment and roadmap.

Phase 2 – Remediation

Once all gaps are identified, fix them before setting a date with an auditor. For all of those issues that are IT-related, Cynexlink can help. Perhaps your company needs to establish multi-factor authentication (MFA) for the first time or has to begin 24/7 security event monitoring. Whatever the network or cybersecurity-related need, Cynexlink has the solution.

Phase 3 – Certification

Now the appointment with the certified auditor can be scheduled. If you have worked with Cynexlink on phases 1 and 2, you can enter this final step in the process with the highest degree of confidence possible.


In the end, CMMC represents a long-overdue evolution in better protecting America’s vital interests as they pertain to national defense. Becoming certified may seem like a daunting task but with proper guidance, this necessary step can be a manageable and cost-effective one for defense contractors of all sizes.


DoD Warns Contractors: Watch Out for CMMC Fraudsters

DoD Warns Against CMMC Fraudsters

Memo to all companies within the Defense Industrial Base (DIB): you cannot reach CMMC certification – yet!

Today, DoD contractors of all sizes should identify the CMMC compliance level they need to reach, plan for performing a gap analysis, and draw up the roadmap they will follow to remediate those gaps, but that’s all they can do for now.

Why? Because as of yet there are no auditors.

What’s happening right now in the world of CMMC compliance is this: the Department of Defense is still in the process of finalizing the CMMC accreditation body.


It is that accreditation body which will then train the many CMMC auditors, which will be known as third-party assessment organizations (C3PAO).

Only once those C3PAOs have been trained, which won’t happen until this summer at the earliest, will defense contractors be able to be audited and certified.

This is why DoD Under Secretary Ellen Lord warned this week about companies that are claiming to be able to provide CMMC certification to contractors. Not true!

In her words:

“Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD. The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.” (source)

That accreditation body should be formalized soon. At that point, auditors who can provide certification will start being trained.

Status Of CMMC Certification:

Although it will be available sometime around mid-year, reaching CMMC certification is not possible today.

So again: can and should DoD contractors be preparing for CMMC compliance right now? Yes, and they can take every step up to the point of being audited for certification.

But any company that claims it can get your organization to CMMC certification today is telling a whopper.

Now you know. 🙂


With Employees Working Remotely, You Have New Security Risks

While emerging companies increasingly leverage remote workers, the COVID-19 outbreak has caused many companies to adopt the same practice en masse.

Hackers are well aware.

Not only did those bad actors immediately try to capitalize with an array of Coronavirus-related phishing emails, now their cute little stunt is sharing infection maps that are laden with malware:

As an aside, here is a safe version of such a map from the WHO:

Now, back to that new attack vector…

With so many employees working remotely, are you certain their devices are safe from attack? We ask because while many companies do a good job of protecting their network infrastructure (servers, domain controllers, etc.), security on the laptop or mobile device is often lacking.

If a company is unsure of the efficacy of its hosted endpoint security protection, NOW is the time to do a review. If you need some help, we’re here and are actively conducting such reviews on behalf of new clients: we have the expertise and know the vendors and their various feature sets, so we can help find the right fit for organizations of all sizes.

In the meantime, let us also share some useful information below relating to COVID-19, links we provided to our clients recently. Feel free to copy and paste this information for sharing with your workforce… and stay safe out there!

– The Cynexlink Cybersecurity Team

Now, for those resources:

The U.S. Department of Homeland Security has issued a warning with regard to the Coronavirus (COVID-19) outbreak and its impact on technology within personal, business and professional settings.

It is advised that individuals be on alert for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.

The hyperlinks below are to federal government websites and have been verified by us as valid and safe.

The Cybersecurity & Infrastructure Security Agency (CISA) encourages individuals to remain vigilant and take the following precautions.

  • Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
  • Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
  • Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.

Who’s the Phish? Shark Tank’s Barbara Corcoran, it Turns Out

How does phishing affect businesses?

Imagine you’re on the finance team for a mid-sized business, with regular duties that include accounts payable. Your boss sends an email instructing you to pay Client XYZ today and includes full wiring instructions, details with what the payment is for, etc. What do you do?

You might send that wire with no questions asked.

Problem is, the situation described above is becoming increasingly common, as Shark Tank’s Barbara Corcoran discovered recently:

“This morning I wired $388,000 into a false bank account in Asia,” the real estate mogul tweeted a couple of weeks ago. Here’s what happened:

Corcoran’s bookkeeper Christina received what appeared to be a routine invoice from Corcoran’s assistant Emily to approve a $388,700.11 payment to a German company called FFH Concept.

The bookkeeper replied asking, “What is this? Need to know what account to pay out of,” and the cybercriminal posing as Emily was able to give a credible, detailed response that FFH was designing German apartment units that Corcoran had invested in. Corcoran does invest in real estate, and FFH is a real company in Germany. (full article)

Poof! Money gone.

Now, in this case, there’s a happy ending, as you may have read a few days later: Corcoran Gets Her $400k Back

That said, such positive outcomes are rare – usually, the funds are not recoverable. Indeed, are you confident you can put the kind of pressure on a bank that Barbara Corcoran can?

And don’t just shrug your shoulders and decide it won’t happen to you. Hackers target smaller businesses precisely because their security is less sophisticated. Plus, scams like these are pretty slick, as she explains:

“I lost the $388,700 as a result of a fake email chain sent to my company,” Corcoran told the outlet. “It was an invoice supposedly sent by my assistant to my bookkeeper approving the payment for a real estate renovation. There was no reason to be suspicious as I invest in a lot of real estate.”

How can you avoid such pitfalls?

First, better practices: have a process in place for confirming such requests with your team, usually by a live phone call. It’s time well spent.

Further, train your team to be better at spotting such phishing scams – in this case, there was a missing ‘O’ in the sender’s email address which should have provided the clue.
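One way to turn the "missing O" clue into an automated check, as an added example that is not Cynexlink's code: the script below measures how far a sender's domain is from an allowlist of trusted domains (one dropped, swapped or substituted character scores 1) and applies the phone-confirmation rule from the paragraph above. The allowlist, domain names and sample messages are constructed for illustration.

```python
"""Lookalike-sender check for payment requests (added example, not Cynexlink's code).

A business-email-compromise lure often comes from a domain that differs from
a trusted one by a single character. This script scores a From: header against
an allowlist of trusted domains and decides what the finance team should do.
The allowlist and sample messages are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allowlist: domains that may legitimately send payment
# instructions (assumption: in practice IT maintains this list).
TRUSTED_DOMAINS = {"corcoranexample.com", "ffh-example.de"}
PAYMENT_WORDS = ("wire", "invoice", "payment", "bank account")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one dropped, added, substituted
    or swapped character costs 1, so typosquatted domains score low."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> dict:
    """Compare the sender's domain with the allowlist.

    trusted   -> exact match
    lookalike -> within max_dist edits of a trusted domain (likely spoof)
    unknown   -> unrelated to the allowlist
    """
    _name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].strip().lower()
    if not domain:
        return {"domain": "", "verdict": "unknown", "closest": None, "distance": None}
    if domain in trusted:
        return {"domain": domain, "verdict": "trusted", "closest": domain, "distance": 0}
    closest = min(trusted, key=lambda t: edit_distance(domain, t))
    dist = edit_distance(domain, closest)
    verdict = "lookalike" if dist <= max_dist else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": dist}


def triage(from_header: str, subject: str, body: str) -> dict:
    """Apply the post's advice: a lookalike sender is reported to IT, and any
    payment instruction, even from a trusted domain, is confirmed by phone."""
    result = classify_sender(from_header)
    text = f"{subject}\n{body}".lower()
    result["payment_request"] = any(w in text for w in PAYMENT_WORDS)
    if result["verdict"] == "lookalike":
        result["action"] = "report_to_it"
    elif result["payment_request"]:
        result["action"] = "verify_by_phone"
    else:
        result["action"] = "normal_handling"
    return result


if __name__ == "__main__":
    # Constructed messages modelled on the scenario in the post.
    samples = [
        ("Emily <emily@corcranexample.com>", "Invoice approval",
         "Please wire 388,700.11 to FFH Concept today, details attached."),
        ("Emily <emily@corcoranexample.com>", "Invoice approval",
         "Please process the attached invoice for FFH Concept."),
        ("Newsletter <news@totallyunrelated.org>", "Weekly digest", "Hello!"),
    ]
    for frm, subj, body in samples:
        print(frm, "->", triage(frm, subj, body))
```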

The best news is this: anti-phishing employee training from Cynexlink is very affordable and provides incredible bang for the buck.

Click here to learn more about the valuable service and don’t get caught off guard – it can happen to anyone!


Everything You Want to Know About a Botnet Attack

It is no secret that botnet attacks have become significant security threats, but what are they, exactly?

What is a Botnet Attack?

A botnet attack is performed by hackers using a collection of malware-infected devices, often termed “zombies,” which are controlled by the attackers. We often think of servers and computers being used in such an attack, but increasingly, IoT devices like cameras, thermostats and more can help form botnet clusters.

Threat actors gain access to a device by using particular viruses to weaken the computer’s security system before executing “command and control software” to let them conduct their malicious activities on a large scale.

These activities can be automated to carry out countless simultaneous attacks, paralyzing infected devices for ransom or damage while also disguising their identity via the vast botnet network.

Botnets are used in many cybercrimes, such as exploitation for financial gain, malware propagation, or simply general disruption of the Internet.

Botnet attacks are launched in many ways, including:

  • Spam Emails

Spamming can be conducted by having some bots pose as content servers while others act as SMTP servers. A spam campaign includes message templates, a senders list, and a recipient list.

  • Launching a DDoS Attack

A Distributed Denial of Service (DDoS) attack is another type of botnet attack, launched against a website, company or government. It is conducted by sending so many requests for content that the targeted server or website is overwhelmed and shut down.

  • Ad Fraud

Cybercriminals can utilize the combined processing power of botnets to run fraudulent advertising schemes to attract clicks to get a percentage of ad fees.

  • Distributing Spyware, Malware, and Ransomware

Botnet attacks are also conducted to distribute spyware, ransomware, and malware.

  • Selling and Renting

Believe it or not, botnets can be found for sale on the dark web to other cybercriminals to exploit!

How to detect a botnet attack:

Botnet attacks are very difficult to identify because they run with a central server controlling every bot in a command-and-control model. That structure is what makes a botnet hard to detect.

For such attacks, the first critical step is to recognize the attack immediately and track down that central command-and-control server. Static analysis methods can be useful for spotting infections on devices. These run when the device isn’t executing any programs and include searching for malware signatures, for suspicious connections to command-and-control servers that poll for instructions, and for suspicious executable files.

The best antivirus programs can also help detect botnet attacks to some extent, yet most cannot spot infected devices. Another interesting strategy is using honeypots, which are decoy systems that lure a botnet attack through a deliberate, fake opening in order to identify the threat in the first place. For bigger botnet attacks, like the Mirai botnet attack, ISPs in some cases cooperate to identify the flow of traffic and find a way to stop the attack.
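The check-in behaviour described above, a bot repeatedly contacting its command-and-control server for instructions, can be surfaced from ordinary connection logs. The following is an added example, not Cynexlink's tooling: it groups outbound connections by source and destination and flags pairs whose timing is suspiciously regular, which is what distinguishes a polling bot from bursty human browsing. The log format, addresses and thresholds are assumptions chosen for illustration.

```python
"""Beacon detection over outbound connection logs (added example, not Cynexlink's code).

A bot polling its command-and-control server tends to reconnect to the same
destination at a near-constant interval, whereas human browsing is bursty.
The log format and every address below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style log: "<ISO time> <src> -> <dst:port> <bytes>".
# 10.0.0.5 checks in roughly every minute; 10.0.0.7 is a person browsing;
# 10.0.0.9 has too few connections to judge.
SAMPLE_LOG = """\
2020-04-01T10:00:00 10.0.0.5 -> 203.0.113.9:443 512
2020-04-01T10:00:07 10.0.0.7 -> 198.51.100.20:443 40960
2020-04-01T10:00:09 10.0.0.7 -> 198.51.100.20:443 1200
2020-04-01T10:01:02 10.0.0.5 -> 203.0.113.9:443 518
2020-04-01T10:01:44 10.0.0.7 -> 198.51.100.20:443 80000
2020-04-01T10:01:52 10.0.0.7 -> 198.51.100.20:443 2300
2020-04-01T10:02:01 10.0.0.5 -> 203.0.113.9:443 509
2020-04-01T10:03:03 10.0.0.5 -> 203.0.113.9:443 512
2020-04-01T10:04:00 10.0.0.5 -> 203.0.113.9:443 520
2020-04-01T10:04:30 10.0.0.9 -> 192.0.2.33:8080 900
2020-04-01T10:05:02 10.0.0.5 -> 203.0.113.9:443 511
2020-04-01T10:06:01 10.0.0.5 -> 203.0.113.9:443 514
2020-04-01T10:07:03 10.0.0.5 -> 203.0.113.9:443 510
2020-04-01T10:08:40 10.0.0.7 -> 198.51.100.20:443 15000
2020-04-01T10:08:53 10.0.0.7 -> 198.51.100.20:443 700
2020-04-01T10:23:20 10.0.0.7 -> 198.51.100.20:443 120000
2020-04-01T10:31:15 10.0.0.9 -> 192.0.2.33:8080 880
"""


def parse_log(text: str) -> dict:
    """Group (timestamp, bytes) records by (src, dst)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, size = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return events


def interval_stats(timestamps, min_events: int = 5):
    """Mean gap between connections and its coefficient of variation (CV),
    or None when there are too few events to judge regularity."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return (mu, pstdev(gaps) / mu) if mu > 0 else None


def find_beacons(events: dict, max_cv: float = 0.2, min_events: int = 5) -> list:
    """Flag pairs whose connection gaps vary little (low CV). Payload-size CV
    is reported as supporting evidence, not a hard threshold, because some
    command channels pad or vary their traffic."""
    findings = []
    for (src, dst), recs in events.items():
        stats = interval_stats([t for t, _ in recs], min_events)
        if stats is None:
            continue
        interval, cv = stats
        sizes = [s for _, s in recs]
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(recs),
                             "interval_s": round(interval, 1),
                             "interval_cv": round(cv, 3),
                             "size_cv": round(size_cv, 3)})
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

A regular interval alone is not proof (software updaters and monitoring agents beacon too), so a hit is a lead for the analyst to check the destination against known-good services before escalating.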

For most companies, it is critical to work with a cybersecurity firm with the expertise to recognize ongoing threats and compromised devices within the organization.

How to Prevent Botnet Attacks?

  1. Emphasize Cybersecurity Education

For companies of all sizes, training their people is key. Employees should be trained to report unsolicited emails to the IT team, to spot phishing emails, to avoid public Wi-Fi without a VPN, and more.

  2. Keep All Software Up-to-Date

Software patches should always be applied promptly – beyond your browser and operating system, don’t forget to update antivirus protection, too!

  3. Spam Filtering

Email filtering solutions should be enabled to prevent most malicious messages from getting into email inboxes. The more messages that are blocked, the less risk there is of your staff interacting with a phishing email.

  4. Avoid Downloads from File Sharing Networks and P2P

Botnets regularly capitalize on P2P networks and file-sharing services to exploit company networks. Make sure all files are downloaded only from trusted sources and that they’re scanned before and after downloading.

  5. Control Access

Use multi-factor, risk-based authentication and other safe practices for access controls to prevent a successful botnet invasion on one machine from affecting the entire network.
