January 19, 2021
Good morning, everyone, and Happy New Year!
This week’s critical vulnerabilities:
Patch all the things!!
So you've probably heard something about SolarWinds
The big cyber security news the past few weeks has been the SolarWinds hack that exposed thousands of government and private industry networks. The bad guys managed to break into a server that pushes software updates out to clients, and embedded malware in the software updates. How on earth did this happen? All that you really need to know is in this one sentence:
Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”
Folks, this is why we can't have nice things! Even reputable companies providing security services for large enterprises and our own government ... aren't following basic cyber hygiene. Two take-aways:
Especially #2! Even with that bad password, if 2FA had been in place, the attack would most likely have failed.
SMS phishing is getting out of control
Phishing is moving from the inbox to message apps and now it’s called smishing. “According to security firm Proofpoint, text message phishing went up 328 percent in the third quarter of the year, compared to the previous one.”
What’s your best defense? As always … Think before you click! If you get a text from your bank asking you to verify a charge, don’t just click on that phone number. Look up the bank in your contacts. Get your ATM card out and call the number on the back. Go to the bookmarked website to log into your account. Use the app on your phone. Remember, trust only original sources of information.
Three tips on how to approach ransomware
It’s not going away. It’s only getting worse. This article discusses three tips on how to handle ransomware. Number one, as always, is education! “You need to have a comprehensive cybersecurity training program in place to educate your team about online threats (phishing schemes, etc.) and cybercrimes. The best way to avoid a ransomware attack is to inform employees and increase awareness.” (Hint: I can help! I love teaching security awareness.)
CISA releases new Cybersecurity and Physical Security Convergence Action Guide
CISA recently released a new action guide addressing the convergence of physical and cyber security. It focuses on the “benefits of a holistic security strategy that aligns cybersecurity and physical security functions with organizational priorities and business objectives. The guide describes the risks associated with siloed security functions, a description of convergence in the context of organizational security functions, benefits of convergence, a flexible framework for aligning security functions, and several case studies.”
GSA extends the CMMC into civilian contracting
Earlier this month, the GSA put out a draft request for proposals on “Polaris”, a new contract vehicle for providing IT services to federal agencies.
“While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on Polaris monitor, prepare for and participate in acquiring CMMC certification...”
What is the CMMC, you may be asking yourself? The Cybersecurity Maturity Model Certification (CMMC) is a recently released program for third-party certification of the security of information systems in all DoD contractors and subcontractors. It is widely believed that the CMMC will be extended to all federal government contractors in the coming years. Polaris is the second time the GSA has referenced CMMC in contracting documents, encouraging all federal contractors to adopt the CMMC security model.
Curious? Concerned? Want to learn more? Join my next work(fromhome)shop on January 26, Understanding the CMMC, where I’ll be covering the basics of the CMMC: what it is, why we have it, applicability, terminology, timeline, the assessment process, methodology, etc.
Tuesday, January 26 @ 10:00 AM - 11:00 AM (CT)
This newly updated online class is an introduction to my "deep dive" series on the specifics of achieving Maturity Levels 1-3 coming up in Spring 2021. Participants in this class will have the first chance at signing up for the spring series.
As always, I could talk a lot more about this stuff! Come back next week for the next installment. :)
Talk to you again soon!
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺