Latest Articles


SD-WAN Checklist : Choosing an SD-WAN solution


The traditional WAN often struggles with the current unprecedented explosion of WAN traffic due to widespread cloud adoption and, as a result, is no longer the most effective way to provide satisfactory user application experiences.

The Need for SD-WAN Solutions

This is why software-defined WAN solutions were introduced. SD-WAN solutions are invaluable to companies seeking to upgrade their network and optimize user experience significantly. Most importantly, they offer security features that protect the traffic they manage, as well as functions that protect the offerings themselves. In this article, we will be exploring a checklist of capabilities that an enterprise should look for when choosing SD-WAN solutions. This SD-WAN checklist will help you select the right SD-WAN solution for your company.

SD-WAN (Software-Defined WAN) Checklist:

  • Accessibility
  • Cost of Ownership
  • Easy and remote deployment
  • Simple Management
  • Effective Pricing

Accessibility

Cloud migration is, of course, fast-rising among enterprises and is the foremost reason for adopting SD-WAN solutions. In 2018, the cloud migration rate grew 15% more than the previous year and will keep rising. Businesses use hundreds of unique cloud services for apps, services, and platforms and expect SD-WAN to optimize their performance.

Service providers who are accessible to clients can provide hybrid cloud optimization, hybrid WAN, and granular policy-based network administration. The best service providers do not only offer cloud-based SD-WAN deployment but also create better WANs and networking strategies physically and in the cloud.

This will help clients to achieve long-term optimization of components such as network security and extensibility. Accessibility should also extend to the availability of account reps for face-to-face interactions, on-site support, and individualized guidance as customers’ satisfaction depends on it.

Cost of Ownership

SD-WAN solutions offer companies simpler administration jobs, better workload performance, avoided MPLS costs, enhanced agility, fewer bottlenecks and, as a result, instant return on investment and increased savings. However, not all vendors provide an equal ratio of value to cost. Businesses need to evaluate the TCO for SD-WAN solutions to determine which of the providers will most likely drive cost optimization and savings benefits.

They are searching for providers that will ensure cost savings on initial technology investments in hardware, software subscriptions, support, monthly subscription costs for managed services, and savings on security safeguards such as firewalls.

Easy and remote deployment

Companies researching SD-WAN are often struggling with complex technical migrations and require a solution that would perform these tasks effectively. The right service providers offer easy deployment and intelligently designed solutions.

An intelligently designed SD-WAN solution should be built on an in-depth investigation into the company’s network needs, such as sites managed, budget, number of users, workload patterns, anticipated WAN usage and technology goals. The provider should also supply a deployment plan that includes a comprehensive strategy for monitoring network data after migration for continuous improvement.

Furthermore, companies want to provide remote users with secure, high-performing access to applications and data, without burdening IT resources. To do this, they require an SD-WAN tool that is capable of performing configurations remotely and enabling any user to connect a branch location to the network just by plugging in power and data cables. These solutions should also include security offerings that incorporate built-in firewall, encryption and filtering capabilities. According to a study on Next-Generation Networking, 66% of SD-WAN users intend to replace all their existing branch firewalls with SD-WAN solutions.

Simple Management

Most SD-WAN technologies today provide a centralized and intuitive administration portal and allow configuration based on point-and-click workflows. However, these features don’t necessarily guarantee successful management or simpler optimization of network performance. Hence, the best SD-WAN approach is one that fits the company’s needs and the complexity of its requirements. In other words, solutions must be able to provide improved user experience, integrate seamlessly with your existing designs and systems, offer appropriate accommodations for traffic prioritization and ensure transparency across WAN, users and hybrid environments.

Pricing

Pricing is another significant factor companies evaluate when choosing SD-WAN solutions. They want solutions that fit into their budget but, most importantly, ones that offer clear-cut value for their cost. Companies must keep in mind that the cheapest service provider might not be the best in this regard, because its features and support might be significantly limited and insufficient to drive ROI.

Instead, organizations should seek to identify providers with better TCO. These providers might appear slightly more costly but offer advanced support systems, expert engineering, active monitoring, optimized network agility and flexibility that will save money in the long run.

Conclusion

Choosing the right SD-WAN can be confusing and complicated, but with this SD-WAN checklist you can. Companies can also unlock the full potential of SD-WAN by partnering with Cynexlink to find the best managed services vendor. During the evaluation process, we help companies review IT strategy, test-drive solutions, understand the ROI and develop an SD-WAN migration strategy that ensures success.

 

 


Endpoint Security Best Practices


The proliferation of end-user devices and cloud systems in recent years has given rise to an increased volume and sophistication of cyber threats. Cyber attackers with malicious intent have developed new ways of infiltrating the data systems of all types of businesses and organizations.

In the 21st century, data is the most valuable asset of all companies and must be protected at all times. For this reason, many organizations are adopting endpoint cybersecurity services. Endpoint protection practices secure critical systems, intellectual property, customer data, employees, and guests of businesses. The following are the best practices for endpoint security.

Best Practices for Endpoint Security

  • Ensure Absolute Visibility of the Entire Network
  • Regular System Updates
  • Educate Employees
  • Enforce Least Privilege Access
  • Deploy SIEM solutions


Now let’s discuss them one by one:

Ensure Absolute Visibility of the Entire Network: It is vital to establish complete visibility of the entire network, especially the traffic to and from endpoints. Businesses should not only know what is traversing through their systems but also what it is doing. Fortunately, with real-time and historical data, they’ll have a clearer picture of their devices’ behaviours.

Regular System Updates: With more devices and applications on today’s networks and an ever-growing list of threats, patch management has become even more critical. You must establish a regular period to push updates to user workstations to protect against the vulnerabilities within your systems and thwart attacks.

Educate Employees: Employees are regularly targeted by cybercriminals to perform detrimental actions and divulge critical organizational information. The only way to stop this is by teaching every employee who has access to computers and the internet basic security practices, like changing passwords regularly and ensuring their computers are locked when they leave their desks. It is also crucial to teach them how to detect the signs of email and phone phishing scams.

Enforce Least Privilege Access: The least privilege approach to cyber threats involves restricting the access of every user and endpoint to only the minimum information and resources required to carry out its designated function. If a user tries to access something against the organization’s policy, the system should immediately alert the appropriate authorities. If elevated rights are required, the user must go through Multi-Factor Authentication in the process. Ensure that every event is logged correctly and reviewed promptly and periodically, so that the systems governing administration rights can be monitored and improved and remain accurate and applicable.

Deploy SIEM solutions: It is often challenging for companies to keep track of and manage hundreds or even thousands of endpoint devices and also anticipate risks that might occur. As a result, there is a need for a centralized system. Thanks to SIEM solutions, companies can now centralize documentation for monitoring and compliance purposes and predict security events by identifying vulnerabilities, calculating risks based on the likelihood of an event, and automating security responses.

Endpoint Security Risks

Phishing Attacks: Phishing attacks aim at gaining access to a company’s records and stealing vital customer data and information that can be used for blackmail purposes or published through the media to damage their reputation. The public image of the company can also be damaged and the customer base may decline as consumers tend to avoid products or services that seem incapable of protecting their sensitive information.

Malvertising: Malvertising affects a company’s website by introducing malicious software that disrupts users’ visits to the website or redirects them to other sites where other attacks await. This endpoint threat can also reduce the productivity of employees, who have to deal with intrusive advertisements or redirections as they work. If not detected and resolved, malvertising can cause the company substantial financial losses.

Unpatched Vulnerabilities: One leading cause of cyber hacks is long unattended and unpatched system vulnerabilities. Through this window of neglect, hackers can access relevant company data and sell it on the dark web or carry out any other malicious activity that might cost the company its reputation and in some cases lead to its closure.

Data Loss and Theft: Between 2015 and 2019, the number of U.S. companies that experienced a data breach doubled, and the numbers will likely increase in the coming years. Ransomware demands, increased regulatory fees, investigation costs and damaged reputation are some of the devastating effects data loss and theft can have on a company.

Conclusion

In conclusion, considering the numerous negative impacts of cyber attacks on organizations, both small and large scale businesses need to embrace endpoint security and implement the practices outlined above. Also, remember that endpoint security requires consistent improvements to fight the risks mentioned above. Threats will keep evolving using advancements in technology, and your company must be up to speed with the most recent innovations and security systems to adequately combat the latest attacks with the best patches and solutions.


The VoIP (Voice over Internet Protocol) Benefits


What is VoIP (Voice over Internet Protocol)?

VoIP – Voice over Internet Protocol – allows users to make and receive calls over Local Area Networks (LANs) or the internet. Although VoIP has been around since the 1970s, it has soared in popularity in recent years due to the many advantages it offers over the traditional phone system.

Here are some of the top VoIP benefits everyone should know.

  • Lower Cost
  • Simplified Conferencing
  • Worldwide Access
  • Clear Voice Quality
  • Security 
  • Scalability 
  • Extensive Additional Features

Now let’s discuss these advantages in detail:

Lower costs:

A significant advantage of VoIP service for businesses is that it can help your business save money. The initial setup and ongoing costs of operating a VoIP system are far lower than those of operating a landline phone system (POTS). On average, a traditional phone system costs around $50 per line each month, and this figure is usually for local and domestic calls.

In contrast, a VoIP system is available for around $20, significantly cutting costs on domestic and international calls. It also helps eliminate other expenses such as up-front hardware purchases, repairs, and maintenance.

Simplified conferencing:

Another area in which VoIP trumps traditional phone systems is conferencing. For instance, a traditional phone system can, of course, support conference calls but hidden costs may occur. VoIP eliminates such fees by including conference calls as an added advantage to the service you already paid for.

What’s more, it also improves video conferencing as you can transfer files while you participate in online presentations or meetings.

Worldwide access:

As the world continues to come to terms with the new trend of working from home, VoIP can help your employees work remotely from anywhere in the world. With merely an average-speed data connection, your team can make and receive phone calls so you can stay productive regardless of the location.

And if an employee is temporarily unable to receive phone calls for any reason, calls can be forwarded to a mobile phone or another person, or the voicemail can be received by email. A lesser-mentioned VoIP benefit connected to this advantage is that your business will enjoy decreased utility costs as well as smaller office spaces.

Clearer voice quality:

One of the concerns of many business owners is the quality of calls using VoIP service. These concerns are not unfounded as poor call quality was one of the major disadvantages of VoIP as calls either ended abruptly for no reason or there was some level of distortion.

However, these issues no longer exist since we now have fast and stable internet connections. Additionally, the VoIP telephone system offers HD voice that makes it nearly impossible for the person you are calling to tell whether you’re using VoIP or a traditional landline.

Extensive additional features:

VoIP offers a range of features suitable for both small and big businesses. For small businesses, tools like auto-attendant and call transferring make it possible to project the image of a larger company.

In a similar vein, it can also help large businesses appear approachable since phone numbers with different area codes can be allotted to a company so that their customers can perceive them as local. Other notable features include call forwarding, call waiting, voicemail, caller ID, and many more you might expect.

Security:

One of the key advantages of VoIP is that it is very secure thanks to the standardized encryption protocols that make it impossible for a third party to intercept the calls – a feature that’s non-existent on the traditional phone system.

Scalability:

When it comes to any kind of technology, most businesses are concerned about the possibility of scaling up or down. With VoIP, you can scale your phone system in accordance with the needs of your business while remaining productive and keeping costs down.

The reason is obvious: you don’t need to make a budget for any hardware as you only pay for what you need. You can either add a new line or eliminate some lines instantly without worrying that the decision will take its toll on your business.


Conclusion: The advantages of VoIP in the modern business world are enormous and this is why many small and large businesses are now migrating from a conventional telephone system. If you are ready to explore VoIP benefits for your business, then your best option is to contact Cynexlink. Cynexlink provides all the features expected of a modern-day phone system for your business.

 


Best Practices To Choose Managed IT Service Provider


Need For Managed IT Services?

Businesses need advanced technologies to meet the expectations of their customers as well as manage their operations.

But the problem is that they lack the extensive budget or IT staff to keep pace with ever-changing applications.

Luckily, as technology expects more from small businesses, there are also great solutions available to meet their needs. 

And an MSP or managed services provider is one of them. Their key role is to manage and assume responsibility for providing a defined set of services to such businesses. This way, they play the role of an IT department or IT staff for them. 

However, it is not easy to choose the right one for your business.

The MSP landscape is dotted with many providers, making it challenging to choose an efficient one. Some might have limited services while some might charge you even for the services you don’t use. The last thing to worry about is their customer support. 

That’s why it is important to ponder over these practices when choosing a managed IT service provider.

Here are some managed IT services best practices for choosing an efficient MSP:

1. Do their Services Fit Your Requirements?

First of all, make sure to assess your equipment or systems in place, and then think: Where do I need improvement? Where do we have inefficiencies? Are we prone to risk?

There are many solutions to choose from, and it is challenging to figure out the right fit when you have no idea where to start.

Many MSPs provide an auditing service to help you know your existing situation and identify potential threats. 

The point here is to assess your assets, your requirements, and what the MSP has for you. This is an important part which also requires you to discuss with your consultants.

2. What about Their Track Records and Past Performances?

This is also a critical factor to consider when choosing an MSP.

Examining their past and existing clients in similar businesses as yours gives you an idea of their quality. 

What do you find in their testimonials and reviews? Do they have a list of past projects and clients? Do they provide a list of references who you can contact? 

This homework will let you determine if they are right for you. After all, not all managed IT service providers are the same. Some might be more focused on accounting and not healthcare. Others may be affordable but have a small or inexperienced team. 

3. Do They Hold Expertise in Your Systems? 

Most managed IT service providers promise to offer a complete range of services. However, it is important to check their level of expertise with the applications you have. Are they an Amazon Web Services certified partner, for example, and what other certifications and qualifications do they hold?

Also, take note of the personnel working at the MSP. After analyzing the expertise of each employee, review the strengths and weaknesses of the provider.

Don’t hesitate to ask questions if you want to know more about it. After all, a managed service provider company is as efficient as its staff. 

4. How efficient is their Customer Support?

A good managed IT support provider responds quickly to the problems. Make sure that they don’t forward queries to a call centre.

Instead, they should respond on time. Check their guaranteed response time. Also, check how they respond to after-hours support. Can they handle emergency issues 24/7/365? 

5. Are They Serious about Security? 

Security has become one of the topmost business priorities, thanks to the ever-increasing cyber incidents. Work with an MSP that can also offer effective security plans. With consolidated IT security, you can make sure that all your data is safe and secure. Efficient IT MSP assures this by protecting all your endpoints. 

6. Can They Grow With You?

Business growth is one of the key factors when choosing an MSP. Your business demands today might be just as important as those you will have in the upcoming months. Therefore, choose a service provider that can understand your dynamic business needs.

An efficient managed service provider delivers scalable services. It means that you can increase or decrease your MSP services according to your growth.

7. How Long is Their Experience?

Experience also matters in this industry. Experienced service providers can understand who needs what and how to deliver it. This is also important as not all businesses are the same. Moreover, every company has its unique way of conducting its operations. Working with such a managed service provider ensures that they can meet unique IT systems requirements.

Bottom Line:

So these are some key factors to consider while choosing a managed IT service provider. You need to go the extra mile to choose the right one. After all, IT operations are the lifeline of your business.

You need an efficient outsourcing partner if you don’t have a big team and sophisticated resources as well. But not all MSPs are the same, and you should look for the one that can understand your business. What do you think? Let us know by commenting below! 


Podcast: SD WAN for the Home Office


As a primer for our upcoming webinar on June 25th (Register), we conducted a short interview with VergX COO, Chris Chirico, about SD WAN and how it’s not just for the office anymore. VergX is the technology partner solution which powers Cynexlink Enterprise SD WAN and the new Cynexlink Home SD WAN.

Has a key employee lost his or her home internet connection at a critical moment due to heavy demand on the home wifi? Don’t let that problem plague your team any longer.

You can learn more by listening to our roughly 10-minute conversation right here:

Now, companies of all sizes can use this fast-growing solution to secure, manage and prioritize the flow of data — even in employees’ home environments! This is truly a simple, cost-effective game changer for savvy organizations to utilize.

And again, be sure to join us at 10am PDT on June 25th for a full, free webinar presentation regarding all SD WAN can do:

Enjoy the podcast above and we hope to see you on the 25th!


Single Sign-On (SSO): Pros & Cons


Introduction to Single Sign-on:

 

MyFitnessPal had 151 million usernames and passwords stolen. For a third-party Facebook app, it was 540 million.

And First American Financial Corp., the largest real estate title insurance company in the U.S., exposed transaction records of 885 million individuals.

These were just a few of the largest data breaches from last year alone!

What if your organization could avoid such headaches altogether? What if your business managed all of its user logins through a leading SSO system or customized solution?

Who is going to take the time to hack your website when none of your user details is accessible once they get inside?

Welcome to Single Sign-On (SSO). If you’re using it, you know its power and benefits. If you have only heard of SSO but haven’t enabled it, the following information is for you.

Authentication Without SSO

Without SSO, each website or application maintains its own database of usernames and passwords. When a person logs in, the following things happen:

The service runs a scan to determine if you have already been verified. If so, access to the site is then granted.

If no authentication is discovered, the visitor is prompted to log in; the service then checks those credentials vs. what is on file in its own repository.

Once the user has logged in, the service ensures the identity verification info travels with the user as he or she navigates the system, meaning that this same user is effectively verified each time a new page within the application is visited.

Such authentication info travels with the user either in the form of cookies with session data or as tokens, which do not track that specific visit and are therefore faster to process.

The SSO Comparison

By contrast to the scenario outlined above, SSO authentication relies on a trust relationship between different web services. Ever been asked to quickly register for a new website with the Google or Facebook account credentials you’re already logged in with? Bingo.

In that instance, the service allowing you to sign in with another solution’s credentials is simply verifying your identity through the use of a single sign-on. Facebook says you are who you say you are? Good enough for us – come on in!

If the new domain can’t determine you have been authenticated by another website – again, thanks to SSO – you will be sent to the login page for the appropriate SSO service, where you enter the credentials that will provide you access.

Just like in the example above, SSO allows authentication data to move with you throughout the new domain, continually verifying your identity with each new page you visit.

Best of all, SSO authentication data runs as tokens, not cookies, which is good for speed and performance.

Moving forward, SSO continues to authenticate with a solution such as Active Directory, allowing you to visit new domains tied to that single sign-on provider. Because the next website also verifies your credentials with SSO, you pass through the next website without having to log in yet again. Good stuff.

SSO Under the Hood

Let’s now dig even deeper into how SSO functions. As we have already learned, when a visitor logs into a new domain, that website or application provider will validate the user on its own. That process goes like this:

  1. As a visitor, you land on a page within, let’s say, xyz123.com, which checks whether you are already logged in. If so, off you go to the desired destination (your Yahoo email inbox, for example).

  2. If you’re not already logged in, it’s time to plug in your user/password combo on the login page.

  3. You fill in your credentials, and xyz123.com runs those credentials against the data in its own tables. Depending on what it finds, the service either lifts the velvet rope or the bouncer says you can’t come in.

  4. If you can log in, xyz123.com will apply its method of tracking your visit. This could originate on the server or it might attach to you as a token.

Again, however you decide to navigate that site or service, that domain keeps checking to ensure that your credentials are valid.

That same process when powered by SSO, however, would go like this:

  1. As a visitor, you land on a page within, let’s say, xyz123.com, which checks whether you are already logged in. If so, off you go to the desired destination (your Yahoo email inbox, for example).

  2.  Not logged in yet? No problem! That new site, xyz123.com, then gives you choices for authentication through another app (Google, Amazon, Facebook, etc.). Click your favorite service and log into the new web app with those pre-existing credentials (let’s say Facebook in this case).

  3.  Facebook handles the authentication for that new website. Once Facebook says you are who you claim to be, and checks to ensure that xyz123.com is legitimate, both sites agree you’re ready to roll. The Facebook password database issues a token that becomes your passport to and through xyz123.com.

  4.  By accepting that token from Facebook, xyz123.com verifies the user’s identity with more ease and confidence. Further, it can now associate the visitor with all other data that’s known about that person, things like preferences, history, shopping cart, etc.
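Steps 3 and 4 above hinge on xyz123.com checking the token before trusting it. The sketch below is an added example, not code from the original article or from any provider it names: it uses a shared HMAC key and a hypothetical issuer `https://idp.example` to stay dependency-free, whereas production SSO uses OpenID Connect or SAML with the identity provider's public-key signatures.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the article).
IDP_ISSUER = "https://idp.example"      # hypothetical identity provider
RP_AUDIENCE = "https://xyz123.com"      # the relying party in the walkthrough
SHARED_KEY = b"demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str, key: bytes) -> bytes:
    return hmac.new(key, payload.encode(), hashlib.sha256).digest()


def issue_token(subject, audience, key=SHARED_KEY, ttl=300, now=None):
    """Identity-provider side: sign claims once the user has authenticated."""
    now = int(time.time()) if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _b64(_sign(payload, key))


def verify_token(token, key=SHARED_KEY, audience=RP_AUDIENCE, now=None):
    """Relying-party side: return (claims, None) or (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:                      # wrong shape or bad base64
        return None, "malformed"
    # Constant-time comparison; check the signature before parsing claims.
    if not hmac.compare_digest(given, _sign(payload, key)):
        return None, "bad signature"
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != IDP_ISSUER:
        return None, "wrong issuer"
    # A token minted for another site must not be replayable here.
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    return claims, None


def demo(now=1_700_000_000):
    """Run the four cases a relying party has to tell apart."""
    good = issue_token("alice", RP_AUDIENCE, now=now)
    payload, sig = good.split(".")
    claims = json.loads(_unb64(payload))
    claims["sub"] = "admin"                 # edit claims, keep old signature
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    elsewhere = issue_token("alice", "https://other.example", now=now)
    return {
        "valid": verify_token(good, now=now + 10),
        "forged": verify_token(forged, now=now + 10),
        "other audience": verify_token(elsewhere, now=now + 10),
        "expired": verify_token(good, now=now + 301),
    }


if __name__ == "__main__":
    for name, (claims, reason) in demo().items():
        print(f"{name:15} -> {'accepted' if claims else 'rejected: ' + reason}")
```

The audience check is what ties a token to one site: without it, any service that receives a user's token could present it to another service that trusts the same provider.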

Now let’s discuss the Single Sign-On pros and cons.

Single Sign-On (SSO) Pros

For organizations of all kinds, Single Sign-on has many advantages. Among them:

  • It cuts down on password fatigue

    Remembering just one password makes the lives of users or employees so much simpler. In truth, when challenged to use different passwords for different services, most people do not; the vast majority actually use the same password across multiple sites, creating an even bigger risk.

    And as a side benefit, the use of SSO usually results in unusually strong passwords, since users only have to remember one.

  • It streamlines the management of employee credentials

    When employees turn over, the use of SSO reduces both IT effort and the chances of mistakes. In one shot, departing users lose their login privileges across the entire organization.

  • Single Sign-on enhances identity protection

    With SSO, organizations strengthen identity security within their teams through the use of multifactor authentication (MFA).

  • It boosts speed where it counts the most

    In highly regulated industries like healthcare, defence and finance, or large organizations in which many people and departments demand rapid and unfettered access to the same applications, SSO can be extremely helpful.

    It is in environments precisely like these where malware brought on by compromised credentials can literally mean the difference between life and death.

  • SSO relieves stress on helpdesks

    With far fewer employees calling in with password issues, IT teams can focus on critical work that saves the most time and money while also elevating security overall.

  • It reduces 3rd-party security risks.

    Connections between vendors, partners and customers present another threat surface, one which SSO can greatly diminish.

SSO Cons

Despite all the benefits listed above, companies do need to keep in mind possible drawbacks when considering an SSO implementation:

  • Very strong passwords must be demanded and adhered to. If one set of SSO credentials is unveiled, it potentially leads to a cascade of breaches under that user’s umbrella.

  • If SSO goes down, access to all connected services halts. Here is one important reason to exercise great care in choosing an SSO solution. It must be extremely reliable, and plans should be crafted for immediately dealing with any cracks which might present themselves.

  • If your identity provider goes down, so does Single Sign-on. Because your ID vendor’s vulnerability becomes your vulnerability, too, choosing the right set of vendors is of the utmost importance.

  • If your identity provider gets breached, all linked systems could be open to attack. Here is where advance planning is so important. A possible single point of failure like this needs to be considered and avoided if possible, and a response plan should be created in advance.

    If the right identity provider with top-flight security practices is chosen in the first place, such planning should never have to be tested. Still, it is best to think through all possible vulnerabilities ahead of time.

  • An investment of time is required for proper SSO architecture and setup. Because each environment is different, wrinkles in even the most well-thought-out plans can develop. Pause, document, compare against best practices and structure the new system accordingly.

  • SSO is not the ideal solution for multi-user computers. If your team makes a habit of hot-desking, it can be both frustrating and unsafe for users to be constantly toggling on and off with one another.

  • Reduced sign-on (RSO) may be needed in some environments, leading to a greater cost. If a company needs to accommodate users with different levels of access, additional authentication servers may be required.

  • SSO based on social media credentials may not fit. If an employer blocks social media sites and government connections where censorship is involved, the problem here becomes clear.

  • Some SSO-linked sites actually share data with third-party entities. Understanding who’s who in this regard requires thorough homework – or the rock-solid advice of a trusted IT professional.

Providers aplenty

The playing field of leading providers is large and potentially overwhelming, including some names you may be familiar with:

  • Okta
  • Citrix Workspace
  • Duo Security
  • OneLogin
  • LastPass
  • Keeper Password Manager
  • JumpCloud
  • Auth0

…to name just a few.

Cynexlink Can Help

There is no reason for any organization to create its own system or to develop deep SSO expertise. Cynexlink’s team understands available offerings and can help identify the best choices for your company. Contact us to learn more!


Stay Safe with a Network Penetration Testing Checklist


Are you thinking about exploring what vulnerabilities exist within your network or applications?

You need what is known as a pen test. For a complete background, in this article, we provide a fundamental network penetration testing checklist for organizations to keep in mind.

We are going to look at a 5-step network penetration testing checklist which can be used to ensure your efforts deliver results.

Before we get into the details, here are 3 reasons why organizations should perform a network penetration test in the first place:

  • Network penetration testing will enable you to identify the security vulnerabilities and flaws that are currently present in your system.
  • After a thorough penetration test, you should be able to understand the level of security risk that your organization or business entity is running.
  • The reports from the network penetration tester will help you formulate a proper plan to fix and remedy the flaws that are discovered. At Cynexlink, we employ certified ethical hackers who act as though they are malicious actors, uncovering the vulnerabilities before the bad guys do!

Also, some companies face regulatory requirements for conducting penetration tests (CMMC, SOC2, HIPAA, etc.).

Along with this network penetration testing checklist, we will also mention several network pen testing tools that help ethical hackers perform each task.

Now for the network penetration testing steps (checklist):

Step 1: Information Gathering

The goal of the first step in this network penetration testing checklist is to gather as much information about your target network as possible.

It should be information that can potentially be used to exploit vulnerabilities.

With only IP addresses or URLs to work with initially, this is the point where technicians will use a tool like Nmap to enumerate the DNS records for an IP address.

Nmap is an information-gathering tool that will get you the DNS records of an IP address, such as A, MX, NS, SRV, PTR, SOA, and CNAME records.

With these tools, we can detect all the hosts on the network, what services they are providing and the server software & versions they are running.

Because certain server software versions have known vulnerabilities, we’ll need this information in step 2 of this network penetration testing checklist.

Another very important piece of information needed before formulating an attack model is which ports are open.

Again using Nmap, we can discover and list all open ports in the entire network.

Open ports are the most commonly used openings for malicious hackers to gain unauthorized or backdoor access into a network and to install malicious scripts.

Step 2: Threat modeling

After collecting all the information we can about the target network, it’s time to use this information for something more active.

Step 2 of this network penetration testing checklist involves using this information to run tests on the target system, scouting for obvious vulnerabilities.

At this point, we are simply trying to list all the vulnerabilities present on the network, without necessarily moving forward to attack them and see if they are exploitable.

Note also that while you can use automated tests to scan for network system vulnerabilities, a more thorough process runs manual tests with live technicians, as well.

It is at this point that a network penetration testing tool like the Metasploit Framework gathers critical information about security vulnerabilities on a target system. It generally finds all the loopholes and security flaws on a target with a very low percentage of false positives.

A vulnerability scanner like Nessus is also great for finding software bugs and possible ways to violate software security.

With the information on operating systems and versions, you can use Nmap to then find known vulnerabilities for potential exploits on the target.

With information on all the possible vulnerabilities, let’s move to step 3 of this network pen testing methodology.

Step 3: Vulnerability Analysis

First, keep in mind that not all vulnerabilities are worth trying to exploit.

The vulnerability assessment tools used in step 2 of this network penetration test checklist exported some reports; it’s now time to look into these reports and categorize the security flaws with their level of severity.

It is by using such reporting that we’re able to formulate an attack plan to exploit the real-world attack vectors.

The vulnerability analysis step aims to identify suitable targets for an exploit so we don’t waste time performing unnecessary tasks.

It is at this point that we can also draw a network diagram to help you understand the logical network connection path. We also prepare proxies to use in step 4 to keep ourselves anonymous: testing the recognition and response to an attack is part of the pen testing process. Does the IT team of the targeted organization know if a hacker has gained access to their network? We’ll find out.

Having noted the attractive targets for exploitation at this point, it is time to determine the most appropriate attack vectors for the vulnerabilities identified.

Step 4: Exploitation

Exploitation means probing the networks’ vulnerabilities to ascertain whether they are exploitable. This is the most important step because it allows us to show clients which flaws they need to fix most immediately.

The tools we often use at this point for exploitation include Metasploit, Burp Suite, and Wireshark.

Depending on the project scope, we will also use password cracking tools like Aircrack or Cain & Abel, to explore the strength of network passphrases.

This network penetration test stage might also involve other heavy manual testing tasks that are often very time-intensive. Such vulnerability exploitation may involve SQL injection, password cracking, buffer overflow, and OS commands, among others.

Even social engineering might be employed at this stage, again depending on the project scope.

Here’s the bottom line about step 4: because this phase depends on savvy probing by a live pen tester, hiring the most experienced technicians is vital.

Step 5: Reporting

The delivery and reporting phase of network penetration testing is very important.

A good network penetration test report should not only give an overview of the entire penetration testing process, but it must also include the most critical network vulnerabilities that need to be addressed – in order of urgency.

Good reports will also include a summary of the vulnerability statistics together with screenshots of exploit attempts, and a well-written pen testing report will outline a clear plan for fixing all vulnerabilities that were discovered.

Which is, of course, the point of network penetration testing in the first place.

Conclusion

It is always important to follow a proper network penetration testing methodology.

With this checklist, organizations should now understand how a properly trained technician will formulate a large-scale attack on a network without missing any gaps.

While there is no one-size-fits-all checklist for performing network penetration testing, the steps above should provide a good foundation for almost any organization that has been looking for a network penetration testing tutorial.


How to Get CMMC Certification: Everything You Need to Know About CMMC


The Cybersecurity Maturity Model Certification, or CMMC Certification, is the next step in the Department of Defense’s (DoD) efforts to properly secure the Defense Industrial Base (DIB). 
 
The loss of controlled unclassified information (CUI) from the Defense Industrial Base, or DIB (America’s defense contractors), increases the risk to national security. To reduce this risk, the Department of Defense (DoD) has finally created both rules and an auditing mechanism that will ensure the DIB practices good cybersecurity hygiene.

In the past, defense contractors could merely attest to their cybersecurity practices such as those outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171 but that is all about to change.

Starting later this year, aerospace and defense manufacturers will have to prove their cybersecurity practices are strong to bid on future DoD contracts.

What is CMMC and why is it Being Created?

CMMC stands for Cybersecurity Maturity Model Certification. The CMMC will encompass five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract awards.

DoD is planning to migrate to the new CMMC framework to assess and enhance the cybersecurity posture of the DIB. The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as to protect CUI that resides on the Department’s industry partners’ networks.

More about CUI

We refer frequently to controlled unclassified information but what is it, exactly?

CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding.

CUI is information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at https://www.archives.gov/cui and includes organizational index groupings ranging from defense to taxes to natural resources. Contractors who are interested in learning more can find online training to better understand CUI at the following page on the National Archives’ website: https://www.archives.gov/cui/training.html.

When Does CMMC Take Effect?

Members of the DIB who are still asking this question are frankly behind the curve.

The DoD released CMMC Model version 1.0 to the public on January 31, 2020, and has already issued a revision dated March 18th to correct administrative errors identified in the initial release. The itemized list of corrected errata, as well as a more accessible version of the model (i.e. tabular format in Excel), are provided with the release of CMMC Model v1.02.

The Department has made no substantive nor critical changes to the model relative to v1.0. Subsequent updates can be found on this defense department website: https://www.acq.osd.mil/cmmc/updates.html

Now, this does not mean that defense contractors today must already be CMMC certified but it does mean they should start preparing because CMMC certification will start appearing as a requirement in some DoD contracts later this year.

Currently, a new non-profit called the CMMC AB is training auditors, finalizing exams and creating processes for how contractors will become certified. Because CMMC levels 1-3 are composed of requirements under NIST 800-171, however, there is great clarity regarding what DIB members should prepare for.

Comparing CMMC and NIST

What is the relationship between NIST SP 800-171 rev.1 and CMMC?

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense” and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

Unlike NIST SP 800-171, however, the CMMC model possesses five levels. Each level consists of practices and processes as well as those specified in lower levels, with levels 4 and 5 being reserved for the small percentage of DIB member companies that deal with the most sensitive systems, information and assets.

In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.

Questions Regarding the Certification Process

So how does an organization become certified?

As mentioned above, the CMMC Accreditation Body (AB), a non-profit, independent organization, is starting to train and accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.

The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.

What will certification cost – and what if it is too expensive for my company?

The CMMC assessment costs will depend upon several factors, including the CMMC level, the complexity of the DIB company’s network, and other market forces. That said, the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. And keep in mind that for contracts that require CMMC, you will be disqualified from participating if your organization is not certified. Consult with your tax advisor regarding cost reimbursement.

Can my company self-assess?

No – that is the point of this new regime. No longer will defense contractors merely be able to claim their cybersecurity practices were sound – and from what we have seen, they generally were not. Going forward, CMMC certification will be granted only by auditors who have been trained and certified by the CMMC AB.

Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.

However, contractors are strongly encouraged to complete a self-assessment before scheduling their CMMC assessment – that’s the audit preparation process we here at Cynexlink can help with.

Who sees the results of CMMC audits and how often do we need to be re-assessed?

The results of a CMMC assessment will not be made public. The only information that will be publicly available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.

In general, a CMMC certificate will be valid for 3 years.

CMMC Levels and Bidding

How will companies know what CMMC level is required for a contract?

The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). A CMMC-certified contractor may bid on contracts that require their certification level or below.

For instance, a company certified to CMMC level 3 can bid on contracts that require certifications at levels 1, 2 or 3 but cannot bid on an RFP requiring level 4.

As a general guideline for preparing now, NIST 800-171 is substantially equivalent to CMMC level 3. Companies that already practice cybersecurity hygiene up to NIST 800-171 can, therefore, feel confident in being able to reach CMMC level 3 certification.

CMMC Exemptions

Does an organization that does not handle CUI have to be certified, anyway?

If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.

Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

It should be noted that all of these rules apply both to contractors AND subcontractors.

So long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowing down from your prime contractor.

How to get certified?

Okay, I understand my company needs to become CMMC certified. What does that process look like?

The reason defense contractors should begin preparing now is that becoming CMMC certified can take 3 or 4 months, depending on which level they need to meet and the current state of their cybersecurity practices. In general, however, contractors can think of the process in three phases:

Phase 1 – Assessment and Gap Analysis

First, a company must determine which of the 5 CMMC levels it intends to meet, then conduct a gap analysis – where does our cybersecurity hygiene stand today versus where it needs to get to? From there, a roadmap can be created. Contact us if your company needs help in conducting this gap assessment and roadmap.

Phase 2 – Remediation

Once all gaps are identified, fix them before setting a date with an auditor. For all of those issues that are IT-related, Cynexlink can help. Perhaps your company needs to establish multi-factor authentication (MFA) for the first time or has to begin 24/7 security event monitoring. Whatever the network or cybersecurity-related need, Cynexlink has the solution.

Phase 3 – Certification

Now the appointment with the certified auditor can be scheduled. If you have worked with Cynexlink on phases 1 and 2, you can enter this final step in the process with the highest degree of confidence possible.

Summary

In the end, CMMC represents a long-overdue evolution in better protecting America’s vital interests as they pertain to national defense. Becoming certified may seem like a daunting task but with proper guidance, this necessary step can be a manageable and cost-effective one for defense contractors of all sizes.


Useful Tactics to Protect Against COVID-19 Cyber Scams


HOW TO PROTECT AGAINST COVID-19 CYBERSECURITY SCAMS?

Coronavirus (COVID-19) isn’t just a growing threat to public health – it’s also a growing threat to your company’s cybersecurity.

From using scary subject lines to adopting faux official letterhead, bad actors are scrambling to use the climate of fear and disruption caused by COVID-19 to their advantage.

Disasters, emergencies, and global pandemics provide a target-rich environment for cybercriminals to launch phishing attacks and employ other dirty tricks to gain access to your data.

It only takes one staffer opening a bogus email, clicking on a dangerous link, or downloading a malware-laden attachment for them to succeed.

Here are three ways that you can act immediately to prevent a potentially disastrous Coronavirus-related data breach.

1. Plan, Preserve and Protect

Use expert guidance from agencies like CISA to prepare your organization for risks posed by COVID-19.

Is your cybersecurity plan adequate for the unique challenges presented by increased virtualization if your staff is quarantined or working remotely for safety?

Two-factor authentication and other tools like VPN help keep your organization’s data and systems safe, even when workers aren’t in the office.

2. Trust but Verify 

Get updates about COVID-19, scams and frauds related to the Coronavirus pandemic, and its impact on cybersecurity from trusted, official sources.

  • Encourage your staff to only use vetted information for planning and communications.
  • Be wary of any email with a COVID-19-related subject line, attachment, or hyperlink.
  • Avoid sharing or clicking on social media posts, text messages, or IMs offering Coronavirus information, vaccination, treatment or cures.

3. Make Prevention a Priority 

  • Refresh every staffer’s training on how to spot phishing scams and online fraud.
  • Remind your staff that government agencies will never ask for sensitive personal, financial or business information via email.
  • Reinforce that clicking on links or opening attachments from unfamiliar sources is a quick way for scammers to infect your systems with malware.
  • Employee Security Awareness Training and Phishing Simulations can help make sure that your staff is ready to spot and defend against attack.

Constant vigilance against cyberattacks is a smart strategy for any business.

In these uncertain times, we’re happy to be your trusted source for the tools and strategies that you need to keep cybercriminals out of your business.

References: https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf

https://www.consumer.ftc.gov/blog/2020/02/coronavirus-scammers-follow-headlines

https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams

https://www.consumer.ftc.gov/features/coronavirus-scams-what-ftc-doing

https://www.cisa.gov/coronavirus

https://www.consumer.ftc.gov/blog/2020/03/ftc-fda-warnings-sent-sellers-scam-coronavirus-treatments


DoD Warns Contractors: Watch Out for CMMC Fraudsters


DoD Warns Against CMMC Fraudsters:

Memo to all companies within the Defense Industrial Base (DIB): you cannot reach CMMC certification – yet!

Today, DoD contractors of all sizes should identify the CMMC compliance level they need to reach and plan for performing a gap analysis and then remediating those gaps, including the roadmap they will follow to fill them, but that’s all they can do for now.

Why? Because as of yet there are no auditors.

What’s happening right now in the world of CMMC compliance is this: the Department of Defense is still in the process of finalizing the CMMC accreditation body.

It is that accreditation body which will then train the many CMMC auditors, who will be known as third-party assessment organizations (C3PAOs).

Only once those C3PAOs have been trained, which won’t happen until this summer at the earliest, will defense contractors be able to be audited and certified.

This is why DoD Under Secretary Ellen Lord warned this week about companies that are claiming to be able to provide CMMC certification to contractors. Not true!

In her words:

“Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD.  The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.” (source)

That accreditation body should be formalized soon. At that point, auditors who can provide certification will start being trained.

Status Of CMMC Certification:

Although it will be available sometime around mid-year, reaching CMMC certification is not possible today.

So again: can and should DoD contractors be preparing for CMMC compliance right now? Yes, and they can take every step up to the point of being audited for certification.

But any company that claims it can get your organization to CMMC certification today is telling a whopper.

Now you know. 🙂
