
Single Sign-On (SSO): Pros & Cons


Introduction to Single Sign-on:


MyFitnessPal had 151 million usernames and passwords stolen. For a third-party Facebook app, it was 540 million.

And First American Financial Corp., the largest real estate title insurance company in the U.S., exposed transaction records of 885 million individuals.

These were just a few of the largest data breaches from last year alone!

What if your organization could avoid such headaches altogether? What if your business managed all of its user logins through a leading SSO system or a customized solution?

Who is going to take the time to hack your website when none of your user details are accessible once they get inside?

Welcome to Single Sign-On (SSO). If you’re using it, you know its power and benefits. If you have only heard of SSO but haven’t enabled it, the following information is for you.

Authentication Without SSO

Without SSO, each website or application maintains its own database of usernames and passwords. When a person logs in, the following things happen:

The service runs a check to determine if you have already been verified. If so, access to the site is granted.

If no authentication is discovered, the visitor is prompted to log in; the service then checks those credentials vs. what is on file in its own repository.

Once the user has logged in, the service ensures the identity verification info travels with the user as he or she navigates the system, meaning that this same user is effectively re-verified each time a new page within the application is visited.

Such authentication info travels with the user either in the form of cookies with session data or as tokens, which do not track that specific visit and are therefore faster to process.

The SSO Comparison

By contrast to the scenario outlined above, SSO authentication relies on a trust relationship between different web services. Ever been asked to quickly register for a new website with the Google or Facebook account credentials you’re already logged in with? Bingo.

In that instance, the service allowing you to sign in with another solution’s credentials is simply verifying your identity through the use of a single sign-on. Facebook says you are who you say you are? Good enough for us – come on in!

If the new domain can’t determine you have been authenticated by another website – again, thanks to SSO – you will be sent to the login page for the appropriate SSO service, where you enter the credentials that will provide you access.

Just like in the example above, SSO allows authentication data to move with you throughout the new domain, continually verifying your identity with each new page you visit.

Best of all, SSO authentication data runs as tokens, not cookies, which is good for speed and performance.

Moving forward, SSO continues to authenticate with a solution such as Active Directory, allowing you to visit new domains tied to that single sign-on provider. Because the next website also verifies your credentials with SSO, you pass through the next website without having to log in yet again. Good stuff.

SSO Under the Hood

Let’s now dig even deeper into how SSO functions. As we have already learned, when a visitor logs into a new domain, that website or application provider will validate the user on its own. That process goes like this:

  1. As a visitor, you land on a page within, let’s say, xyz123.com which tries to authenticate your login status. If yes, off you go to the desired destination—your Yahoo email inbox, for example.

  2. If you’re not already logged in, it’s time to plug in your user/password combo on the login page.

  3. Once you fill in your credentials, xyz123.com runs those credentials against the data in its own tables. Depending on what it finds, the service either lifts the velvet rope or the bouncer says you can’t come in.

  4. If you can log in, xyz123.com will establish its method of tracking your visit. This could originate on the server or it might attach to you as a token.

Again, however you decide to navigate that site or service, that domain keeps checking to ensure that your credentials are valid.

That same process when powered by SSO, however, would go like this:

  1. As a visitor, you land on a page within, let’s say, xyz123.com which tries to authenticate your login status. If yes, off you go to the desired destination—your Yahoo email inbox, for example.

  2. Not logged in yet? No problem! That new site, xyz123.com, then gives you choices for authentication through another app (Google, Amazon, Facebook, etc.). Click your favorite service and log into the new web app with those pre-existing credentials (let’s say Facebook in this case).

  3. Facebook handles the authentication for that new website. Once Facebook says you are who you claim to be – and checks to ensure that xyz123.com is legitimate – both sites agree you’re ready to roll. Facebook’s authentication service issues a token that becomes your passport to and through xyz123.com.

  4. By accepting that token from Facebook, xyz123.com verifies the user’s identity with more ease and confidence. Further, it can now associate the visitor with all other data it holds about that person: preferences, history, shopping cart, etc.
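The token hand-off in steps 3 and 4, as an added example that is not code from the original post: the identity provider issues a signed token naming the user and the site it is for, and xyz123.com accepts it only if the signature, issuer, audience and expiry all check out. The provider name, secret and user are constructed placeholders, and an HMAC shared secret stands in for the public-key signature a real provider would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from any real provider). A real identity provider signs
# tokens with a private key and the relying party verifies with the provider's public
# key; an HMAC shared secret keeps this example self-contained.
IDP_NAME = "social-idp.example"           # stands in for "Facebook" in the walkthrough
RELYING_PARTY = "xyz123.com"              # the site from the walkthrough
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, body: str) -> str:
    return _b64url(hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(secret: bytes, issuer: str, subject: str, audience: str,
                now: int, ttl: int = 300) -> str:
    """The identity provider's side: after it has authenticated `subject`, it issues a
    signed token that names itself (iss), the user (sub), the site the token is for (aud)
    and a short validity window (iat/exp)."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return f"{body}.{_sign(secret, body)}"


def verify_token(token: str, secret: bytes, expected_issuer: str,
                 expected_audience: str, now: int):
    """The relying party's side (xyz123.com). Returns (accepted, reason, claims).
    Each check covers a failure mode the article alludes to: a forged or tampered token
    fails the signature check, a token minted for another site fails the audience check,
    and a stale token fails the expiry check."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed token", None
    body, sig = parts
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(sig, _sign(secret, body)):
        return False, "bad signature", None
    try:
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "unreadable claims", None
    if claims.get("iss") != expected_issuer:
        return False, "unexpected issuer", None
    if claims.get("aud") != expected_audience:
        return False, "token was issued for another site", None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "token expired", None
    return True, "ok", claims


def tamper_subject(token: str, new_subject: str) -> str:
    """Demo helper: rewrite the user inside an existing token without re-signing it,
    to show that the relying party's signature check rejects the result."""
    body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["sub"] = new_subject
    new_body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return f"{new_body}.{sig}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token(IDP_SECRET, IDP_NAME, "alice", RELYING_PARTY, now)
    print(verify_token(token, IDP_SECRET, IDP_NAME, RELYING_PARTY, now + 60))
    print(verify_token(token, IDP_SECRET, IDP_NAME, "other-site.example", now + 60))
    print(verify_token(tamper_subject(token, "bob"), IDP_SECRET, IDP_NAME, RELYING_PARTY, now + 60))
    print(verify_token(token, IDP_SECRET, IDP_NAME, RELYING_PARTY, now + 3600))
```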

Now let’s discuss the Single Sign-on Pros and Cons

Single Sign-On(SSO) Pros

For organizations of all kinds, Single Sign-on has many advantages. Among them:

  • It cuts down on password fatigue

    Remembering just one password makes the lives of users or employees so much simpler. In truth, when challenged to use different passwords for different services, most people do not; the vast majority actually use the same password across multiple sites, creating an even bigger risk.

    And as a side benefit, the use of SSO usually results in unusually strong passwords, since users only have to remember one.

  • Streamline the management of employee credentials

    When employees turn over, the use of SSO reduces both IT effort and the chances of mistakes. In one shot, departing users lose their login privileges across the entire organization.

  • Single Sign-on enhances identity protection

    With SSO, organizations strengthen identity security within their teams through the use of multifactor authentication (MFA).

  • It boosts speed where it counts the most

    In highly regulated industries like healthcare, defense and finance, or large organizations in which many people and departments demand rapid and unfettered access to the same applications, SSO can be extremely helpful.

    It is in environments precisely like these where malware brought on by compromised credentials can literally mean the difference between life and death.

  • SSO relieves stress on helpdesks

    With far fewer employees calling in with password issues, IT teams can focus on critical work that saves the most time and money while also elevating security overall.

  • It reduces 3rd-party security risks.

    Connections between vendors, partners and customers present another threat surface, one which SSO can greatly diminish.

SSO Cons

Despite all the benefits listed above, companies do need to keep in mind possible drawbacks when considering an SSO implementation:

  • Very strong passwords must be demanded and adhered to. If one set of SSO credentials is exposed, it potentially leads to a cascade of breaches under that user’s umbrella.

  • If SSO goes down, access to all connected services halts. Here is one important reason to exercise great care in choosing an SSO solution. It must be extremely reliable, and plans should be crafted for immediately dealing with any cracks which might present themselves.

  • If your identity provider goes down, so does Single Sign-on. Because your ID vendor’s vulnerability becomes your vulnerability, too, choosing the right set of vendors is of the utmost importance.

  • If your identity provider gets breached, all linked systems could be open to attack. Here is where advance planning is so important. A possible single point of failure like this needs to be considered, avoided if possible, and a response plan should be created in advance.

    If the right identity provider with top-flight security practices is chosen in the first place, such planning should never have to be tested. Still, it is best to think through all possible vulnerabilities ahead of time.

  • An investment of time is required for proper SSO architecture and setup. Because each environment is different, wrinkles in even the most well-thought-out plans can develop. Pause, document, compare against best practices, and structure the new system accordingly.

  • SSO is not the ideal solution for multi-user computers. If your team makes a habit of hot-desking, it can be both frustrating and unsafe for users to be constantly toggling on and off with one another.

  • Reduced sign-on (RSO) may be needed in some environments, leading to a greater cost. If a company needs to accommodate users with different levels of access, additional authentication servers may be required.

  • SSO based on social media credentials may not fit. If an employer blocks social media sites, or government connections are involved where censorship applies, the problem becomes clear.

  • Some SSO-linked sites actually share data with third-party entities. Understanding who’s who in this regard requires thorough homework – or the rock-solid advice of a trusted IT professional.

Providers aplenty

The playing field of leading providers is large and potentially overwhelming, including some names you may already be familiar with:

  • Okta
  • Citrix Workspace
  • Duo Security
  • OneLogin
  • LastPass
  • Keeper Password Manager
  • JumpCloud
  • Auth0

…to name just a few.

Cynexlink Can Help

There is no reason for any organization to create its own system or to develop deep SSO expertise. Cynexlink’s team understands available offerings and can help identify the best choices for your company. Contact us to learn more!


Stay Safe with a Network Penetration Test


Are you thinking about exploring what vulnerabilities exist within your network or applications?

You need what is known as a pen test. For a complete background, in this article, we provide a fundamental network penetration testing checklist for organizations to keep in mind.


We are going to look at a 5-step network penetration testing checklist which can be used to ensure your efforts deliver results.

Before we get into the details, here are 3 reasons why organizations should perform a network penetration test in the first place:

  • Network penetration testing will enable you to identify the security vulnerabilities and flaws that are currently present in your system.
  • After a thorough penetration test, you should be able to understand the level of security risk that your organization or business entity is running.
  • The reports from the network penetration tester will help you formulate a proper plan to fix and remedy the flaws that are discovered. At Cynexlink, we employ certified ethical hackers who act as though they are malicious actors, uncovering the vulnerabilities before the bad guys do!

Also, some companies face regulatory requirements for conducting penetration tests (CMMC, SOC2, HIPAA, etc.).

Along with this network penetration testing checklist, we will also mention several network pen testing tools that help ethical hackers perform each task.

Now for the network penetration testing steps:

Step 1: Information Gathering

The goal of the first step in this network penetration testing checklist is to gather as much information about your target network as possible.

It should be information that can potentially be used to exploit vulnerabilities.

With primarily IP addresses or URLs to work with initially, this is the point where technicians will use a tool like Nmap to enumerate the DNS records for those IPs.

Nmap is an information-gathering tool that will get you DNS records of an IP address like A, MX, NS, SRV, PTR, SOA, CNAME records.

With these tools, we can detect all the hosts on the network, what services they are providing and the server software & versions they are running.

Because certain server software versions have known vulnerabilities, we’ll need this information in step 2 of this network penetration testing checklist.

Another very important piece of information needed before formulating an attack model is which ports are open.

Again using Nmap, we can discover and list all open ports across the entire network.

Open ports are the most commonly used openings for malicious hackers to gain unauthorized or backdoor access into a network and to install malicious scripts.

Step 2: Threat modeling

After collecting all the information we can about the target network, it’s time to use this information for something more active.

Step 2 of this network penetration testing checklist involves using this information to run tests on the target system, scouting for obvious vulnerabilities.

At this point, we are simply trying to list all the vulnerabilities present on the network, without necessarily moving forward to attack them and see if they are exploitable.

Note also that while you can use automated tests to scan for network system vulnerabilities, a more thorough process runs manual tests with live technicians, as well.

It is at this point that a network penetration test tool like the Metasploit framework gains critical information about security vulnerabilities on a target system. It generally finds all the loopholes and security flaws on a target with a very low percentage of false positives.

Another vulnerability scanner tool like Nessus is also great for finding software bugs and possible ways to violate software security.

With the information on operating systems and versions, you can use Nmap to then find known vulnerabilities for potential exploits on the target.

With information on all the possible vulnerabilities, let’s move to step 3 of this network pen testing methodology.

Step 3: Vulnerability Analysis

First, keep in mind that not all vulnerabilities are worth trying to exploit.

The vulnerability assessment tools used in step 2 of this network penetration test checklist exported some reports; it’s now time to look into these reports and categorize the security flaws with their level of severity.

It is by using such reporting that we’re able to formulate an attack plan to exploit the real-world attack vectors.

The vulnerability analysis step aims to identify suitable targets for an exploit so we don’t waste time performing unnecessary tasks.

It is at this point that we can also draw a network diagram to help you understand the logical network connection path. We also prepare proxies to use in step 4 to keep ourselves anonymous: testing the recognition and response to an attack is part of the pen testing process. Does the IT team of the targeted organization know if a hacker has gained access to their network? We’ll find out.

Having noted the attractive targets for exploitation at this point, it is time to determine the most appropriate attack vectors for the vulnerabilities identified.

Step 4: Exploitation

Exploitation means probing the network’s vulnerabilities to ascertain whether they are exploitable. This is the most important step because it allows us to show clients which flaws they need to fix most immediately.

The tools we often use at this point for exploitation include Metasploit, Burp Suite, and Wireshark.

Depending on the project scope, we will also use password cracking tools like Aircrack or Cain & Abel, to explore the strength of network passphrases.

This network penetration test stage might also involve other heavy manual testing tasks that are often very time-intensive. Such vulnerability exploitation may involve SQL injection, password cracking, buffer overflow, and OS commands, among others.

Even social engineering might be employed at this stage, again depending on the project scope.

Here’s the bottom line about step 4: because this phase depends on savvy probing by a live pen tester, hiring the most experienced technicians is vital.

Step 5: Reporting

The delivery and reporting phase of network penetration testing is very important.

A good network penetration test report should not only give an overview of the entire penetration testing process, but it must also include the most critical network vulnerabilities that need to be addressed – in order of urgency.

Good reports will also include a summary of the vulnerability statistics together with screenshots of exploit attempts, and a well-written pen testing report will outline a clear plan for fixing all vulnerabilities which were discovered.

Which is, of course, the point of network penetration testing in the first place.

Conclusion

It is always important to follow a proper network penetration testing methodology.

With this checklist, organizations should now understand how a properly trained technician will formulate a large-scale attack on a network without missing any gaps.

While there is no one-size-fits-all checklist for performing network penetration testing, the steps above should provide a good foundation for almost any organization that has been looking for a network penetration testing tutorial.


CMMC Certification : Everything Defense Contractors Need to Know About CMMC


The Cybersecurity Maturity Model Certification, or CMMC Certification, is the next step in the Department of Defense’s (DoD) efforts to properly secure the Defense Industrial Base (DIB).

The loss of controlled unclassified information (CUI) from the Defense Industrial Base, or DIB (America’s defense contractors), increases the risk to national security. To reduce this risk, the Department of Defense (DoD) has finally created both rules and an auditing mechanism that will ensure the DIB practices good cybersecurity hygiene.

In the past, defense contractors could merely attest to their cybersecurity practices, such as those outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, but that is all about to change.

Starting later this year, aerospace and defense manufacturers will have to prove their cybersecurity practices are strong to bid on future DoD contracts.

What is CMMC and why is it Being Created?

CMMC stands for Cybersecurity Maturity Model Certification. The CMMC will encompass five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract awards.

DoD is planning to migrate to the new CMMC framework to assess and enhance the cybersecurity posture of the DIB. The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as to protect CUI that resides on the Department’s industry partners’ networks.

More about CUI

We refer frequently to controlled unclassified information but what is it, exactly?

CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding.

CUI is information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at https://www.archives.gov/cui and includes organizational index groupings ranging from defense to taxes to natural resources. Contractors who are interested in learning more can find online training to better understand CUI at the following page on the National Archives’ website: https://www.archives.gov/cui/training.html.

When Does CMMC Take Effect?

Members of the DIB who are still asking this question are frankly behind the curve.

The DoD released CMMC Model version 1.0 to the public on January 31, 2020, and has already issued a revision dated March 18th to correct administrative errors identified in the initial release. The itemized list of corrected errata, as well as a more accessible version of the model (i.e. tabular format in Excel), are provided with the release of CMMC Model v1.02.

The Department has made no substantive nor critical changes to the model relative to v1.0. Subsequent updates can be found on this defense department website: https://www.acq.osd.mil/cmmc/updates.html

Now, this does not mean that defense contractors today must already be CMMC certified but it does mean they should start preparing because CMMC certification will start appearing as a requirement in some DoD contracts later this year.

Currently, a new non-profit called the CMMC AB is training auditors, finalizing exams and creating processes for how contractors will become certified. Because CMMC levels 1-3 are composed of requirements under NIST 800-171, however, there is great clarity regarding what DIB members should prepare for.

Comparing CMMC and NIST

What is the relationship between NIST SP 800-171 rev.1 and CMMC?

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev.1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense” and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

Unlike NIST SP 800-171, however, the CMMC model possesses five levels. Each level consists of practices and processes as well as those specified in lower levels, with levels 4 and 5 being reserved for the small percentage of DIB member companies that deal with the most sensitive systems, information and assets.

In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.

Questions Regarding the Certification Process

So how does an organization become certified?

As mentioned above, The CMMC Accreditation Body (AB), a non-profit, independent organization, is starting to train and accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.

The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.

What will certification cost – and what if it is too expensive for my company?

The CMMC assessment costs will depend upon several factors, including the CMMC level, the complexity of the DIB company’s network, and other market forces. That said, the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. And keep in mind that for contracts that require CMMC, you will be disqualified from participating if your organization is not certified. Consult with your tax advisor regarding cost reimbursement.

Can my company self-assess?

No – that is the point of this new regime. No longer will defense contractors merely be able to claim their cybersecurity practices were sound – and from what we have seen, they generally were not. Going forward, CMMC certification will be granted only by auditors who have been trained and certified by the CMMC AB.

Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.

However, contractors are strongly encouraged to complete a self-assessment before scheduling their CMMC assessment – that’s the audit preparation process we here at Cynexlink can help with.

Who sees the results of CMMC audits and how often do we need to be re-assessed?

The results of a CMMC assessment will not be made public. The only information that will be publicly available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.

In general, a CMMC certificate will be valid for 3 years.

CMMC Levels and Bidding

How will companies know what CMMC level is required for a contract?

The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). A CMMC-certified contractor may bid on contracts that require their certification level or below.

For instance, a company certified to CMMC level 3 can bid on contracts that require certifications at levels 1, 2 or 3 but cannot bid on an RFP requiring level 4.

As a general guideline for preparing now, NIST 800-171 is substantially equivalent to CMMC level 3. Companies that already practice cybersecurity hygiene up to NIST 800-171 can, therefore, feel confident in being able to reach CMMC level 3 certification.

CMMC Exemptions

Does an organization that does not handle CUI have to be certified, anyway?

If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.

Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

It should be noted that all of these rules apply both to contractors AND subcontractors.

So long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowing down from your prime contractor.

The Certification Process

Okay, I understand my company needs to become CMMC certified. What does that process look like?

The reason defense contractors should begin preparing now is that becoming CMMC certified can take 3 or 4 months, depending on which level they need to meet and the current state of their cybersecurity practices. In general, however, contractors can think of the process in three phases:

Phase 1 – Assessment and Gap Analysis

First, a company must determine which of the 5 CMMC levels it intends to meet, then conduct a gap analysis – where does our cybersecurity hygiene stand today versus where it needs to get to? From there, a roadmap can be created. Contact us if your company needs help in conducting this gap assessment and roadmap.

Phase 2 – Remediation

Once all gaps are identified, fix them before setting a date with an auditor. For all of those issues that are IT-related, Cynexlink can help. Perhaps your company needs to establish multi-factor authentication (MFA) for the first time or has to begin 24/7 security event monitoring. Whatever the network or cybersecurity-related need, Cynexlink has the solution.

Phase 3 – Certification

Now the appointment with the certified auditor can be scheduled. If you have worked with Cynexlink on phases 1 and 2, you can enter this final step in the process with the highest degree of confidence possible.

Summary

In the end, CMMC represents a long-overdue evolution in better protecting America’s vital interests as they pertain to national defense. Becoming certified may seem like a daunting task but with proper guidance, this necessary step can be a manageable and cost-effective one for defense contractors of all sizes.


Useful Tactics to Protect Against COVID-19 Cyber Scams


HOW TO PROTECT AGAINST COVID-19 CYBERSECURITY SCAMS?

Coronavirus (COVID-19) isn’t just a growing threat to public health – it’s also a growing threat to your company’s cybersecurity.

From using scary subject lines to adopting faux official letterhead, bad actors are scrambling to use the climate of fear and disruption caused by COVID-19 to their advantage.

Disasters, emergencies, and global pandemics provide a target-rich environment for cybercriminals to launch phishing attacks and employ other dirty tricks to gain access to your data.

It only takes one staffer opening a bogus email, clicking on a dangerous link, or downloading a malware-laden attachment for them to succeed.

Here are three ways that you can act immediately to prevent a potentially disastrous Coronavirus-related data breach.

1. Plan, Preserve and Protect

Use expert guidance from agencies like CISA to prepare your organization for risks posed by COVID-19.

Is your cybersecurity plan adequate for the unique challenges presented by increased virtualization if your staff is quarantined or working remotely for safety?

Two-factor authentication and other tools like VPN help keep your organization’s data and systems safe, even when workers aren’t in the office.

2. Trust but Verify 

Get updates about COVID-19, scams and frauds related to the Coronavirus pandemic, and its impact on cybersecurity from trusted, official sources.

  • Encourage your staff to only use vetted information for planning and communications.
  • Be wary of any email with a COVID-19-related subject line, attachment, or hyperlink.
  • Avoid sharing or clicking on social media posts, text messages, or IMs offering Coronavirus information, vaccination, treatment or cures.

3. Make Prevention a Priority 

  • Refresh every staffer’s training on how to spot phishing scams and online fraud.
  • Remind your staff that government agencies will never ask for sensitive personal, financial or business information via email.
  • Reinforce that clicking on links or opening attachments from unfamiliar sources is a quick way for scammers to infect your systems with malware.
  • Employee Security Awareness Training and Phishing Simulations can help make sure that your staff is ready to spot and defend against attack.

Constant vigilance against cyberattacks is a smart strategy for any business.

In these uncertain times, we’re happy to be your trusted source for the tools and strategies that you need to keep cybercriminals out of your business.

References:

  • https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf
  • https://www.consumer.ftc.gov/blog/2020/02/coronavirus-scammers-follow-headlines
  • https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams
  • https://www.consumer.ftc.gov/features/coronavirus-scams-what-ftc-doing
  • https://www.cisa.gov/coronavirus
  • https://www.consumer.ftc.gov/blog/2020/03/ftc-fda-warnings-sent-sellers-scam-coronavirus-treatments


DoD Warns Contractors: Watch Out for CMMC Fraudsters


DoD Warns Against CMMC Fraudsters:

Memo to all companies within the Defense Industrial Base (DIB): you cannot reach CMMC certification – yet!

Today, DoD contractors of all sizes should identify the CMMC compliance level they need to reach, plan for performing a gap analysis and then remediating those gaps, and lay out the roadmap they will follow to fill those gaps, but that’s all they can do for now.

Why? Because as of yet there are no auditors.

What’s happening right now in the world of CMMC compliance is this: the Department of Defense is still in the process of finalizing the CMMC accreditation body.


It is that accreditation body which will then train the many CMMC auditors, who will be known as third-party assessment organizations (C3PAOs).

Only once those C3PAOs have been trained, which won’t happen until this summer at the earliest, will defense contractors be able to be audited and certified.

This is why DoD Under Secretary Ellen Lord warned this week about companies that are claiming to be able to provide CMMC certification to contractors. Not true!

In her words:

“Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD. The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.” (source)

That accreditation body should be formalized soon. At that point, auditors who can provide certification will start being trained.

Status Of CMMC Certification:

Although it will be available sometime around mid-year, reaching CMMC certification is not possible today.

So again: can and should DoD contractors be preparing for CMMC compliance right now? Yes, and they can take every step up to the point of being audited for certification.

But any company that claims it can get your organization to CMMC certification today is telling a whopper.

Now you know. 🙂


Beyond IT: Fed Bailout May Cover Your Payroll for 4 Months


We’re IT guys, of course, but we wanted to pass along information from a different domain in case you didn’t see it.

Early this morning on CNBC, a host reported on an element of the Senate bailout package which companies with fewer than 500 employees will want to be aware of. That host said Larry Lindsey, former director of the National Economic Council, called this measure the “big bazooka” of the bailout package.

Here are the key elements:

  • Section 1105 of the bailout bill will provide small business loans to cover payroll
  • Covers employees earning up to $100,000/year
  • Loans are forgiven if a company maintains its payroll for 4 months

In short: for small businesses which can avoid making cuts to personnel, it looks like the Feds will pay those qualifying employees for you.

There’s a bit more info in this article from Politico: https://www.politico.com/news/2020/03/19/who-wins-in-coronavirus-bailout-138419 (scroll down to the section titled “Small Businesses: $300 Billion”).

While there are more details to learn about, the points above hit the highlights. And this legislation, which is the 3rd in a series of bills (two have been signed) in response to COVID-19, still needs to be married to the equivalent House bill that’s taking shape.

Still, it just seemed to be a possible fit for so many of our clients that we wanted to share this information with a wider audience.

Again, we’re in IT so this doesn’t constitute tax/payroll advice, consult your financial professional, yada yada… all the necessary disclaimers. But hopefully this is of some help or interest.

Last thing, while we’re at it: keep in mind that because of the lag in discovering new COVID-19 cases, the numbers will undoubtedly get much worse over the next couple of weeks. This widely-read article describes that lag well: https://medium.com/@tomaspueyo/coronavirus-act-today-or-people-will-die-f4d3d9cd99ca. While the numbers in that article are now out of date, the reasoning isn’t, and it’s fascinating.

However, that lag also means that the strict measures we’re all taking, like social distancing, are having an impact. They’re undoubtedly having a big impact right now – we just won’t see it in the data for two or three weeks.

The economic damage is real. You have hard calls to make regarding your employees and your business. But have confidence that better days are coming in terms of virus/new case statistics – and they may be coming sooner than we can imagine in this moment.

Hang in there and have a safe weekend,


With Employees Working Remotely, You Have New Security Risks


While emerging companies increasingly leverage remote workers, the COVID-19 outbreak has caused many companies to adopt the same practice en masse.

Hackers are well aware.

Not only did those bad actors immediately try to capitalize with an array of Coronavirus-related phishing emails; now their cute little stunt is sharing infection maps that are laden with malware: https://www.techradar.com/news/hackers-are-spreading-malware-through-coronavirus-maps.

As an aside, here is a safe version of such a map from the WHO: https://experience.arcgis.com/experience/685d0ace521648f8a5beeeee1b9125cd

Now, back to that new attack vector…

With so many employees working remotely, are you certain their devices are safe from attack? We ask because while many companies do a good job of protecting their network infrastructure (servers, domain controllers, etc.), security on the laptop or mobile device is often lacking.

If a company is unsure of the efficacy of its hosted endpoint security protection, NOW is the time to do a review. If you need some help, we’re here and are actively conducting such reviews on behalf of new clients; we have the expertise and know the vendors and their various feature sets, so we can help find the right fit for organizations of all sizes.

In the meantime, let us also share some useful information below relating to COVID-19, links we provided to our clients recently. Feel free to copy and paste this information for sharing with your workforce… and stay safe out there!

– The Cynexlink Cybersecurity Team

Now, for those resources:

The U.S. Department of Homeland Security has issued a warning with regard to the Coronavirus (COVID-19) outbreak and its impact on technology within personal, business and professional settings.

It is advised that individuals be on alert for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.

The hyperlinks below are to federal government websites and have been verified by us as valid/safe.

The Cybersecurity & Infrastructure Security Agency (CISA) encourages individuals to remain vigilant and take the following precautions.

  • Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
  • Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
  • Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.

Who’s the Phish? Shark Tank’s Barbara Corcoran, it Turns Out


How does phishing affect businesses?

Imagine you’re on the finance team for a mid-sized business, with regular duties that include accounts payable. Your boss sends an email instructing you to pay Client XYZ today and includes full wiring instructions, details with what the payment is for, etc. What do you do?

You might send that wire with no questions asked.

Problem is, the situation described above is becoming increasingly common, as Shark Tank’s Barbara Corcoran discovered recently:

“This morning I wired $388,000 into a false bank account in Asia,” the real estate mogul tweeted a couple of weeks ago. Here’s what happened:

Corcoran’s bookkeeper Christina received what appeared to be a routine invoice from Corcoran’s assistant Emily to approve a $388,700.11 payment to a German company called FFH Concept.

The bookkeeper replied asking, “What is this? Need to know what account to pay out of,” and the cybercriminal posing as Emily was able to give a credible, detailed response that FFH was designing German apartment units that Corcoran had invested in. Corcoran does invest in real estate, and FFH is a real company in Germany. (full article)

Poof! Money gone.

Now, in this case, there’s a happy ending, as you may have read a few days later: Corcoran Gets Her $400k Back

That said, such positive outcomes are rare – usually, the funds are not recoverable. Indeed, are you confident you can put the kind of pressure on a bank that Barbara Corcoran can?

And don’t just shrug your shoulders and decide it won’t happen to you. Hackers target smaller businesses precisely because their security is less sophisticated. Plus, scams like these are pretty slick, as she explains:

“I lost the $388,700 as a result of a fake email chain sent to my company,” Corcoran told the outlet. “It was an invoice supposedly sent by my assistant to my bookkeeper approving the payment for a real estate renovation. There was no reason to be suspicious as I invest in a lot of real estate.”

How can you avoid such pitfalls?

First, better practices: have a process in place for confirming such requests with your team, usually by a live phone call. It’s time well spent.

Further, train your team to be better at spotting such phishing scams – in this case, there was a missing ‘O’ in the sender’s email address which should have provided the clue.
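The missing-letter sender domain described above is something a mail pipeline can catch before a human has to. The following is an added example, not code from this post or from Cynexlink: it flags any sender whose domain is within a couple of edits of the company's real domain, so payment requests from lookalikes get routed to the phone-call check. The domains, addresses and subjects are constructed for illustration.

```python
"""Flag payment e-mails whose sender domain is a near-miss of a trusted domain.

Constructed example: a bookkeeper's inbox is checked against the company's
real domain (made up here as examplecorp.com). A sender whose domain is one
or two edits away (a dropped letter, a swapped pair, a substituted character)
is a lookalike and must be verified by a live phone call before money moves.
"""

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()

def classify_sender(address: str, trusted_domains, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender address.

    An exact match on a trusted domain is trusted; a domain within max_edits
    of a trusted domain (e.g. examplecrp.com, missing its 'o') is a lookalike;
    anything else is an ordinary external sender.
    """
    domain = sender_domain(address)
    for trusted in (t.lower() for t in trusted_domains):
        if domain == trusted:
            return "trusted"
        if levenshtein(domain, trusted) <= max_edits:
            return "lookalike"
    return "external"

def triage_payment_requests(messages, trusted_domains):
    """Return (subject, classification) for every message not from a trusted domain.

    Everything returned should go through the out-of-band confirmation step
    (a live call to the named colleague) before any wire is sent.
    """
    return [(m["subject"], classify_sender(m["from"], trusted_domains))
            for m in messages
            if classify_sender(m["from"], trusted_domains) != "trusted"]

# Constructed sample: one genuine internal note and one lookalike invoice.
TRUSTED = ["examplecorp.com"]
SAMPLE_MESSAGES = [
    {"from": "emily@examplecorp.com", "subject": "Q2 board deck"},
    {"from": "emily@examplecrp.com",  "subject": "Invoice - approve $388,700.11"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", classify_sender(m["from"], TRUSTED))
    print("Verify by phone:", triage_payment_requests(SAMPLE_MESSAGES, TRUSTED))
```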

The best news is this: anti-phishing employee training from Cynexlink is very affordable and provides incredible bang for the buck.

Click here to learn more about the valuable service and don’t get caught off guard – it can happen to anyone!


Everything You Want to Know About a Botnet Attack


It is no secret that botnet attacks have become a significant security threat, but what are they, exactly?

What is a Botnet Attack?

A botnet attack is performed by hackers using a collection of malware-infected devices, often termed “zombies,” which are controlled by the attackers. We often think of servers and computers being used in such an attack, but increasingly IoT devices like cameras, thermostats and more can help form botnet clusters.

Threat actors gain access to a device by using particular viruses to weaken the computer’s security before executing “command and control software” that lets them conduct their malicious activities on a large scale.

These activities can be automated to carry out countless simultaneous attacks, paralyzing infected devices for ransom or damage while also disguising their identity via the vast botnet network.

A botnet is used in many cybercrimes, such as exploitation for financial gain, malware propagation, or just general disruption of the Internet.

Botnet attacks are launched in many ways, including:

  • Spam Emails

The spamming process can be conducted by posing some bots as content servers and others as SMTP servers. A spam campaign includes message templates, a sender list, and a recipient list.

  • Launching a DDoS Attack

A Distributed Denial of Service (DDoS) attack is another type of botnet attack, launched on a website, company or government. It is conducted by sending so many requests for content that the targeted server or website is overwhelmed and shut down.

  • Ad Fraud

Cybercriminals can utilize the combined processing power of botnets to run fraudulent advertising schemes to attract clicks to get a percentage of ad fees.

  • Distributing Spyware, Malware, and Ransomware

Botnet attacks are also conducted to distribute spyware, ransomware, and malware.

  • Selling and Renting

Believe it or not, botnets can be found for sale on the dark web to other cybercriminals to exploit!

How to Prevent Botnet Attacks

1. Emphasize Cybersecurity Education

For companies of all sizes, training their people is key. Employees should be trained to report unauthorized emails to the IT team, to spot phishing emails, not to use public WiFi without a VPN, and more.

2. Keep All Software Up-to-Date

Software patches should always be applied promptly – beyond your browser and operating system, don’t forget to update antivirus protection, too!

3. Spam Filtering

Email filtering solutions should be enabled to prevent most malicious messages from getting into the email inboxes. The more messages that are blocked, the less risk there is of your staff interacting with a phishing email.

4. Avoid Downloads from File Sharing Networks and P2P

Botnets regularly capitalize on P2P networks and file-sharing services to exploit company networks. Make sure all files are downloaded only from trusted sources and that they’re scanned before and after downloading.

5. Control Access

Use multi-factor, risk-based authentication and other safe practices for access controls to prevent a successful botnet invasion on one machine from affecting the entire network.


Vulnerability Scanning: Pros, Cons and Best Practices


Vulnerability scanning has become an important practice in cybersecurity.

New threats are discovered on a daily basis, and they can damage your valuable data and systems. Therefore, it is important to scan your network ecosystem for the associated risks.

But it is equally true that vulnerability scanning has its own limitations. Scanners can only deal with the vulnerabilities already known to them, and using outdated or inferior vulnerability scanning tools can give a false sense of security.

To equip you with the right outlook towards vulnerability scanning, here we have come up with some key pros and cons of vulnerability scanning. 

Advantages of Vulnerability Scanning:

  • Quick Results:

The key benefit of vulnerability scan tools is that they generate quick results. 

  • Repeatable:

An automated vulnerability scan can be repeated as you can decide when and how long to perform the scan. 

  • Easy to Use:

Most vulnerability scanning tools come with a user-friendly interface. However, a security specialist is still required to read the results obtained through these tools. 

  • Constant Monitoring:

Vulnerability scanning software can be used effectively for constant monitoring. 

Disadvantages of Vulnerability Scanning:

  • Not Locating All Vulnerabilities:

A vulnerability scanning tool can miss some threats, so you have no idea which vulnerability a threat actor could exploit. For example, it might not detect a threat that is unknown to its database. Sometimes the vulnerability is too complex to be detected by an automated tool.

  • Giving a False Sense of Security

If you have a large IT infrastructure with plenty of servers and data systems, it can be challenging to understand the impact of the vulnerabilities detected by the scanner, and you can end up with false positives. If you are not a cybersecurity pro, sorting such things out is time-consuming and overwhelming.

  • Unclear Vulnerabilities

If a vulnerability is spotted, it is sometimes challenging to examine its impact on your business operations. An automated tool won’t educate you on this, while a system admin will likely be more concerned with the technical side of the vulnerability.

We hope these pros and cons help you develop the right outlook towards vulnerability scanning tools. The point here is that you shouldn’t blindly believe the results, as no tool is perfect. Therefore, keep your tools updated and run scans frequently, whether once a week or once a month.

Do You Need a Vulnerability Scan?

For organizations in need of quantifying their exposure to surface level risks, vulnerability scanning can be a cost-effective method of discovering available attack vectors, albeit with some shortcomings that are important to understand.

First, a vulnerability scan is not equivalent to a network penetration test. In a pen test, vulnerabilities are not only discovered, but they are also exploited and re-exploited, if possible, in the name of discovering all potential damage a harmful actor could do if able to gain access to an organization’s network.

Such testing is carried out by a live specialist – in our case here at Cynexlink, by our Certified Ethical Hacker (CEH) – who thinks and acts like an intruder.

How does it work?

Vulnerability scans, on the other hand, are typically run via automated programs. While these scans can be effective at performing network discovery, identifying open ports, missing patches, misconfigurations and more, it should also be remembered that such scans only uncover surface vulnerabilities – those weaknesses that exist in isolation, independent from other weak spots.

Unfortunately, vulnerabilities rarely exist in isolation. Indeed, a string of seemingly low-level individual risks could leave a gaping security hole while leaving the scanned organization falsely confident in its risk profile.

Out-of-date signature repositories, and the fact that network-based scanning solutions can only assess systems that are active at scan time, are further drawbacks, which means poorly established vulnerability scans can be either inaccurate or more labour-intensive than imagined.

If run by an experienced provider who knows how to avoid the potholes mentioned above, however, vulnerability scanning can indeed provide great cybersecurity bang-for-the-buck.

Here are five rules for ensuring a positive outcome with vulnerability scanning: 

  • Scan All Network Assets

Make sure to scan every device and access point within your network ecosystem. Assessing all assets within the system helps expose loopholes within the infrastructure and lets you create solutions accordingly. Moreover, create an inventory including all network assets regardless of their function, and determine from that inventory which targets are to be scanned.

  • Scan Frequently

The gap between scans can be critical, as that interval leaves your systems exposed to new threats. Scanning can be done weekly, monthly, or quarterly. If done frequently, not every network device needs to be scanned each time, minimizing time and effort while still providing layered network coverage. Your network architecture and the impact of each device are factors that help determine scanning intervals.

  • Set Accountability

Create asset owners or asset supervisors to create accountability. For example, roles can be designed to protect specific devices and take actions in the event of a data incident. However, asset owners shouldn’t be confined to tech teams; business owners can also oversee some systems.

  • Run Patching Process

Patching internet-facing equipment for all discovered vulnerabilities is more crucial than patching similar devices that are already shielded by firewalls or settings. This is a time-management practice that may be necessary due to resource limitations, and it is essential to focus on the assets that pose the highest risk to the enterprise.

  • Document All Scans and Their Results:

Make sure to document all scans and their outcomes. Every vulnerability scan should be scheduled utilizing a management-approved timetable, with an audit process set to provide detailed reporting. By documenting the scan run according to a timetable, companies can monitor vulnerability trends and issues, identifying susceptible systems and creating accountability.
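The five rules above are easy to state and easy to let slip. The following is an added example, not code from this post or from Cynexlink, that checks a scanning programme against them: it reports inventory assets that have never been scanned (rule 1), assets whose latest scan is older than the agreed interval (rule 2), the owner to notify for each finding (rule 3), and a patch order that puts internet-facing assets first (rule 4), all driven from the documented scan history (rule 5). Hostnames, owners, dates and findings are constructed for illustration.

```python
"""Check a vulnerability-scanning programme against the five rules above.

Constructed example: the inventory and scan history below are made up.
Severity scores are on a 0-10 scale, as most scanners report them.
"""
from datetime import date

# Rule 1 / rule 3: every asset is inventoried, regardless of function, with an owner.
INVENTORY = {
    "web-01":  {"owner": "ops",        "internet_facing": True},
    "db-01":   {"owner": "dba",        "internet_facing": False},
    "cam-07":  {"owner": "facilities", "internet_facing": True},
    "hr-lap3": {"owner": "hr",         "internet_facing": False},
}

# Rule 5: every scan run is recorded with its date and its findings (title, severity).
SCAN_LOG = [
    {"asset": "web-01", "date": date(2020, 3, 2),
     "findings": [("missing OS patch", 7.5), ("weak TLS configuration", 5.0)]},
    {"asset": "db-01",  "date": date(2020, 1, 10),
     "findings": [("database port open to LAN", 6.0)]},
    {"asset": "cam-07", "date": date(2020, 3, 2),
     "findings": [("default credentials", 9.8)]},
]

def never_scanned(inventory, scan_log):
    """Rule 1: inventory assets with no scan record at all."""
    scanned = {s["asset"] for s in scan_log}
    return sorted(a for a in inventory if a not in scanned)

def overdue(inventory, scan_log, today, interval_days):
    """Rule 2: scanned assets whose most recent scan is older than the interval."""
    last = {}
    for s in scan_log:
        if s["asset"] not in last or s["date"] > last[s["asset"]]:
            last[s["asset"]] = s["date"]
    return sorted(a for a, d in last.items() if (today - d).days > interval_days)

def patch_order(inventory, scan_log):
    """Rule 4: (asset, finding, owner) with internet-facing assets first, then by severity."""
    rows = []
    for s in scan_log:
        meta = inventory[s["asset"]]
        for title, score in s["findings"]:
            rows.append((s["asset"], title, meta["owner"], meta["internet_facing"], score))
    rows.sort(key=lambda r: (not r[3], -r[4]))
    return [(asset, title, owner) for asset, title, owner, _, _ in rows]

if __name__ == "__main__":
    today = date(2020, 3, 20)
    print("never scanned:", never_scanned(INVENTORY, SCAN_LOG))
    print("overdue (30d):", overdue(INVENTORY, SCAN_LOG, today, 30))
    for asset, title, owner in patch_order(INVENTORY, SCAN_LOG):
        print(f"patch {asset}: {title} (notify {owner})")
```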

Interested in learning more about how Cynexlink provides pen testing and vulnerability scanning solutions for companies of all sizes? Contact us to learn more!
