What is CMMC, and why should you care? CMMC stands for Cybersecurity Maturity Model Certification. It's a new initiative implemented by the Department of Defense (DoD) to better protect critical defense information (both classified and unclassified). Essentially, in order to do business with the government, you now have to prove you are taking cybersecurity seriously through this certification model. Even if CMMC does not apply to your business directly, there are five reasons you should care about what it signals for all businesses.

Last year, a few friends (not customers) privately reached out to me to discuss security breaches of different sorts. As I advised them through their particular scenarios, I inevitably learned that they could fairly easily have avoided the breaches altogether. Of course, just as a doctor can often diagnose a common illness at a glance, a security advisor can often do the same. I'm careful not to chide my friends in these instances, because I certainly don't want to add insult to injury. Nevertheless, it is incumbent upon all business owners to take cybersecurity more seriously and to engage resources to help them before they experience a breach, not after. How does CMMC do just that?

1. CMMC will inform regulated industries and critical infrastructure.

As CMMC is rolled out to defense contractors, other regulated industries will take note. Health and finance industry regulators, in particular, will be interested to see how CMMC implementation can drive initiatives toward better regulatory controls. How effective was the adoption of these new regulations? How were DoD contractors able to soften the financial blow of implementing security requirements? What lessons can other regulators learn from the rollout of new security regulations? Regulators will ask all of these questions as they look for ways to properly motivate businesses to hold themselves accountable for the personal data entrusted to them.

Here's a sobering security stat: according to CNBC, roughly 85% of America's critical infrastructure is privately owned. This means that the oil pipeline shutdown from May of 2021 could be just the beginning. As these regulations get applied to the private sector in regulated industries, they will likely reach every business through more practical avenues, such as the insurance industry.

2. CMMC will inform cyber-insurance policy coverage.

The increase in business security breaches is already pushing the insurance industry to raise rates and tighten controls. According to Chainalysis' Ransomware Update in May of 2021, ransomware payments grew 4x in 2020 (from $92.94M in 2019 to $406.34M in 2020). These increases are burdening the insurance industry with finding ways to better mitigate its risk. One way of mitigating the risk is paying for resources that work with law enforcement officials to recover and/or freeze ransom payments before the malicious actors can benefit from them.

Some insurance carriers have implemented security questionnaires that automatically deny coverage to entities falling short on basic cyber hygiene. The natural result is a higher cost of doing business for insurance companies, which translates to higher prices for coverage. These increased prices and required security screenings will force businesses to take security more seriously. The higher your operational maturity as it relates to security, the lower your insurance costs will be. It's that simple.

3. CMMC provides security best-practices for all businesses.

CMMC is built upon the NIST 800-171 guidelines. These guidelines serve as best practices for all organizations, no matter the size or industry. Some of these practices are simple ones that you hear regularly, like don't reuse passwords and use multi-factor authentication for your user accounts. Some are not so obvious, though. For instance, how many smart devices (TVs, thermostats, alarm systems, Alexa, etc.) does your organization have? Are any of those devices on your primary business network? Do you have a policy and process for how those devices get implemented in your business? Do you routinely check your network for such smart devices? The introduction of everything smart (IoT, the Internet of Things) is going to complicate business security. There's no way around that.

4. CMMC practices give businesses the best chance to protect against ransomware and other attacks.

For far too long, bad actors have thrived on ignorance of security best practices. These bad actors exploit and monetize the low-hanging fruit of security illiteracy. Implementing the CMMC best-practices approach to security not only makes it more difficult to successfully hack an organization, it also makes your business more resilient when an attack does succeed. Securing a business is not only about defending against attacks but also about being able to recover and continue operations in the face of one. Those who ignore these best practices unnecessarily put their businesses at risk. These risks, when compounded and exploited, pose existential threats to the affected businesses. Those who do survive lose revenue to downtime, critical resources to cutbacks, brand reputation, and more.

5. CMMC best practices mitigate the monetization of security breaches.

The more businesses and organizations that implement security best practices, as found in the CMMC framework, the less opportunity exists for bad actors to monetize security breaches. For instance, if you fall victim to a ransomware attack but have a way to recover from it without paying the ransom, you directly impact the attackers' ability to monetize an otherwise successful attack. By reducing the ability of hackers to monetize these breaches, we collectively disincentivize (at least monetarily) the ransomware industry in particular.

Conclusion

In our industry, it's especially difficult to explain to our clients why they need new security protections. We want to educate our clients on cybersecurity without using scare tactics. We don't want our clients to think we are manufacturing new ways for them to spend money while we inform them of new security measures they need to consider. Everyone readily admits that technology has changed drastically in the last five years. Nevertheless, it seems that few are interested in changing their five-year-old (or older) approach to security.

There tends to be a mindset of what’s the least we can spend and still be “secure.”  That’s a failed approach, though, because in truth cybersecurity is a moving target.  No final destination for security exists in our smart-everything world.  There is such a thing as cyber-maturity, though.  Cyber-maturity (an ever-maturing approach toward cybersecurity) is what will serve us best in this time.  CMMC can help us all have a more informed approach to security, and that’s ultimately why it should matter to every business owner.

Soft, Gooey, What?!

Still no Silver Bullet…

In this article we are going to distinguish between the various areas of a defense-in-depth strategy. If you have read our prior posts, you know security is not a single thing and there is no magic silver bullet; good security is a combination of layers of defense. So here is the problem with the traditional approach: much emphasis has been placed on the corporate network with its firewalls, intrusion detection, content filters, hard-wired Ethernet connections, and encrypted corporate Wi-Fi, but the paradigm shift toward mobility puts our endpoint devices and applications at a disadvantage.

Safety outside the castle

Access is needed outside the high castle (corporate) walls, where the commoners gather: places like Starbucks or the now ubiquitous home office. These external areas most often do not have the same security features as the traditional workplace network. So, what is "soft and gooey"? Well, the truth is, even the corporate network is not as secure as we would like to believe. Yes, it is more secure, but with the ever-increasing threats of email phishing, zero-day attacks, and others, the constant cat-and-mouse game of securing the network is often a losing battle. We still need to address these areas, but even more is needed. And because of the trend to cut the corporate tether and leverage the advantages of mobility, the current best defense strategy is to assume the corporate network is an unsafe zone and beef up efforts to build security around the endpoint (more and more often a laptop or smartphone/tablet these days) and likewise around the application itself.

Endpoint Protection

Not your average antivirus

Endpoint protection is generally reduced to signature-based antivirus. The flaw is that these products are ineffective against new threats that have not yet been cataloged by the software vendor and released as signature updates. Also, threats evolve into variants that are not detected by the antivirus engine and leave your device open to attack. Installing operating system updates helps but still does not offer protection against unknown vulnerabilities.

More needs to be done. New "next generation" antivirus products build on the traditional approach by using behavior monitoring and artificial intelligence. These security products not only block known/cataloged threats but are also able to detect unknown threats by looking for malicious behavior by the applications running on your device. Advanced heuristics establish a baseline of "normal" behavior and shut down activity when a process misbehaves.
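To make the "baseline of normal behavior" idea concrete, here is a toy behavior-baseline detector as an added example. It is not code from any antivirus product or from this blog; it learns which parent-to-child process launches are routine on an endpoint from a constructed learning window, then grades new launch events: a lineage never seen before (or a never-seen executable) is blocked, a lineage seen only rarely raises an alert, and everything else is allowed. The process names, the minimum-support threshold, and the events themselves are all assumptions made for the illustration.

```python
"""Toy behavior-baseline detector: learn which parent -> child process launches
are normal for an endpoint, then flag or block lineages that deviate.
Added illustration only; the events below are constructed, not real telemetry."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # image name of the process that did the launching
    child: str    # image name of the newly started process
    cmdline: str  # command line of the child (kept for the analyst, not scored)


# Constructed learning window: what this endpoint normally does during a week.
BASELINE_EVENTS = [
    ProcessEvent("explorer.exe", "winword.exe", "winword.exe report.docx"),
    ProcessEvent("explorer.exe", "outlook.exe", "outlook.exe"),
    ProcessEvent("explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe"),
    ProcessEvent("cmd.exe", "ipconfig.exe", "ipconfig.exe /all"),
] * 5 + [
    # An admin ran a backup script once during the window: legitimate but rare.
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
]


class BehaviorBaseline:
    """Counts parent->child pairs seen during a learning window and grades new events."""

    def __init__(self, min_support: int = 2):
        self.min_support = min_support        # pairs seen fewer times than this are "rare"
        self.pair_counts: Counter = Counter()
        self.known_images: set[str] = set()

    def learn(self, events) -> None:
        for e in events:
            self.pair_counts[(e.parent, e.child)] += 1
            self.known_images.update((e.parent, e.child))

    def reasons(self, event: ProcessEvent) -> list[str]:
        """Why this event deviates from the baseline (empty list means normal)."""
        out = []
        if event.child not in self.known_images:
            out.append(f"unknown image {event.child}")
        seen = self.pair_counts[(event.parent, event.child)]
        if seen == 0:
            out.append(f"{event.parent} never launched {event.child} in baseline")
        elif seen < self.min_support:
            out.append(f"{event.parent} -> {event.child} seen only {seen}x in baseline")
        return out

    def decide(self, event: ProcessEvent) -> tuple[str, list[str]]:
        """'block' stands in for a product's terminate-process response,
        'alert' for a notification to the analyst, 'allow' for silence."""
        why = self.reasons(event)
        if not why:
            return "allow", why
        if any(r.startswith("unknown image") or "never launched" in r for r in why):
            return "block", why
        return "alert", why


def run_demo() -> list[tuple[str, str]]:
    """Grade a few constructed live events; returns (child image, action) pairs."""
    model = BehaviorBaseline(min_support=2)
    model.learn(BASELINE_EVENTS)
    live = [
        ProcessEvent("explorer.exe", "chrome.exe", "chrome.exe"),                          # routine
        ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe -File report.ps1"),  # rare lineage
        ProcessEvent("winword.exe", "powershell.exe", "powershell.exe -File update.ps1"),   # novel lineage
        ProcessEvent("outlook.exe", "dropper.exe", "dropper.exe"),                         # never-seen image
    ]
    results = []
    for e in live:
        action, why = model.decide(e)
        print(f"{action:5s} {e.parent} -> {e.child}  {'; '.join(why) or 'matches baseline'}")
        results.append((e.child, action))
    return results


if __name__ == "__main__":
    run_demo()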

Even more is needed

An additional capability involves moving content filtering from the corporate firewall to the endpoint itself. This can be accomplished with very little additional overhead, as the filtering takes place on secure Internet DNS servers hosted by the security vendor. This is a valuable security measure when developing a mobility-first strategy.

Who has not seen a VPN commercial these days?! There seems to be an endless number of companies selling virtual private network technology. A VPN can be used to extend the corporate network for secure access to on-premises and/or cloud-hosted applications. A VPN can also be leveraged to encrypt general Internet traffic on an endpoint connected to unsafe/open wireless networks (like Starbucks).

Further, endpoint cloud backup is desirable when there is critical data on a laptop that is not saved frequently to servers. This scenario is becoming more common as we rely less on servers and move our data to cloud storage.

Application Protection

C squared = B + HS = I V

Reading a bit like a Phil Mickelson formula to defeat Tiger Woods, the alphabet soup of IT security can be equally intimidating; we get something like HTTPS+VPN+2FA-MITM = GTG. Much like securing endpoints in untrusted environments, applications can be protected from unauthorized access. Two-factor authentication along with forcing an encrypted connection is a common approach these days. You will notice most web sites you visit use https instead of http. The former is an encrypted connection, while the latter is open to what are called "man-in-the-middle" (MitM) attacks because the session is not encrypted. Essentially, a hacker can read user passwords and other data sent back and forth over an unencrypted connection, while it is much more difficult to do the same when the connection is secured using strong encryption. Cloud-hosted applications can also use software firewalls to enable many of the same security features traditionally found on corporate hardware firewalls.
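"Forcing an encrypted connection" is something you can check rather than assume. The following added example (not code from the blog or from any vendor) grades a site's transport configuration from a pair of responses: the plain-http entry point must redirect to an https URL, the https response should carry a Strict-Transport-Security header with a long max-age so the browser never retries plaintext, and session cookies should carry the Secure attribute so they cannot leak over an unencrypted request. The responses, the `.test` hostname, and the one-year max-age threshold are all constructed assumptions; the code runs offline.

```python
"""Grade whether a site actually forces the encrypted connection the text
describes. Added illustration with constructed responses; it does not touch
the network. Thresholds and sample values below are this example's choices."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; HSTS policy threshold chosen for this example


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; header names are lowercase."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    cookies: list = field(default_factory=list)  # raw Set-Cookie values


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives."""
    out = {"max_age": 0, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
    return out


def assess_transport(http_resp: Response, https_resp: Response) -> list[str]:
    """Findings for the plain-http entry point and the https endpoint (empty = ok)."""
    findings = []
    # 1. A plaintext request must not be answered with content; it must bounce to https.
    if 300 <= http_resp.status < 400:
        target = http_resp.headers.get("location", "")
        if urlsplit(target).scheme != "https":
            findings.append(f"http redirect points to non-https target {target!r}")
    else:
        findings.append(f"http request served status {http_resp.status} instead of redirecting")
    # 2. HSTS tells the browser never to try plaintext again for this host.
    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on https response")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {parsed['max_age']} is below one year")
    # 3. A cookie without Secure may be sent over plaintext by a downgraded client.
    for raw in https_resp.cookies:
        attrs = [a.strip().lower() for a in raw.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs[1:]:
            findings.append(f"cookie {name!r} set without the Secure attribute")
    return findings


# Constructed pair of responses for a weakly configured login page.
WEAK_HTTP = Response("http://example.test/login", 200, {"content-type": "text/html"})
WEAK_HTTPS = Response("https://example.test/login", 200,
                      {"content-type": "text/html"},
                      cookies=["session=abc123; Path=/; HttpOnly"])

# The same page after hardening: redirect, HSTS for two years, Secure cookie.
HARD_HTTP = Response("http://example.test/login", 301,
                     {"location": "https://example.test/login"})
HARD_HTTPS = Response("https://example.test/login", 200,
                      {"content-type": "text/html",
                       "strict-transport-security": "max-age=63072000; includeSubDomains"},
                      cookies=["session=abc123; Path=/; HttpOnly; Secure"])

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("hardened", (HARD_HTTP, HARD_HTTPS))):
        print(label, assess_transport(*pair) or ["ok"])
```

Feeding real responses in is a matter of filling `Response` from whatever HTTP client you already use; the grading logic stays the same.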

M365 to the rescue

Microsoft 365 is a good example of where application security can be enhanced. Companies using 365 email have the mail transport encrypted end to end between internal and external parties running on the same Microsoft-hosted platform. Further, anti-phishing and cloud-to-cloud backup can be used to protect the documents and emails stored in the M365 system. Additionally, Microsoft Teams communications through chat or voice/video calls are encrypted. There are huge benefits to living within this ecosystem as much as possible, as the number of security products needed to protect communication and collaboration can be reduced. Less complexity also means greater security, as fewer configurations are needed to make the security work. When combined with Microsoft Azure virtual server hosting, it is now possible to move niche line-of-business applications and critical company workflows to the secured Microsoft environment.

So What, Now What?

Will legislation force all of our hands?

Responsibility is being placed on the Managed Services Provider (MSP) to enforce these security measures. For example, Louisiana Act 117 – Senate Bill 273 requires MSPs that manage infrastructure or end-user systems for "public bodies" to register with the state. Additionally, MSPs are now required to disclose cyber incidents to the state.

Similar legislation is expected to make its way to other states, and there will be increased top-down accountability between regulated organizations and their technology vendors. This means MSPs will have to continue to up their security game or be left behind. Also, managed service providers will become more selective when choosing their clients to ensure there is a closer alignment of operational maturity levels (OML); otherwise there will be constant tension between the MSP's obligations and the organization's cooperation to improve security.

Follow the leader

The best approach is when a security-minded MSP articulates the reasons behind the need and the client trusts the advice of its technology partner and follows their lead. For those who refuse to take security seriously, MSPs may eventually be forced to document the client's opt-out by issuing a legal letter advising of the dangers of not implementing the needed defenses. This will strain relationships where there is a mismatch of OML or where trust is lacking. What this means for all of us is that the cost of doing business will continue to go up, as more products and time will be needed to implement these solutions. But the risk is too high to ignore the warnings, and being wrong about security can result in a higher cost to the business due to downtime, stolen data, or potentially fraudulent wire transfers. Be sure your organization has implemented the latest and greatest security tools and services by having a conversation with your trusted security advisor.

Back to the future

Eight years ago around this time, I was busy in my secret lab cooking up my latest and greatest geeky tech project. A little scripting here, some hardware and networking there... not unlike the countless other times I've done this since my Dad bought my first computer (a Commodore 64) when I was twelve. Except this time I was doing a proof of concept for a magazine article while working as the Senior Consultant for a Managed Service Provider. I guess that investment in my first computer paid off. Thanks, Dad!

Hakin9 Extra – Guide to Kali Linux: Kali Scanning for HIPAA

I was asked by Hakin9 Magazine to write an article for their (then) upcoming "Guide to Kali Linux". But before we get to that, some background first: Linux is a popular free and open source operating system developed by Linus Torvalds. He created the new platform because he did not want to pay the expensive licensing fees for Unix, which was the operating system used in his university computer science courses. Today, Linux is the operating system that runs most of the Internet services we use every day. While many in the community debate whether "free" means "as in beer" or "as in speech", Linux can be downloaded at no cost, which makes it perfect for tech-savvy IT professionals seeking to build low-cost systems for niche applications. Windows and Microsoft Office are the business standard, so Linux is not a recommended alternative for general business computing.

Kali Linux is what is called a Linux distribution, or "distro" for short. Basically, it is a version of Linux with preinstalled applications and tools. Distros run the gamut from general-purpose computing to niche applications. Kali, for example, is a security distribution and comes with computer forensic, penetration testing, and vulnerability scanning tools. It is the latter that was the focus of the magazine article: specifically, how a low-cost, distributed system running Kali Linux on Raspberry Pi hardware (a low-cost, non-Intel PC) could be used in the healthcare industry to support HIPAA compliance. I chose OpenVAS as the application for vulnerability scanning.

The results from the proof of concept demonstrated that the RPi + Kali Linux + OpenVAS combination was viable as an ad-hoc tool and could be further developed into an integrated, distributed reporting system. The gory technical details from the article can be found here: Hakin9 Extra – Guide to Kali Linux: Kali Scanning for HIPAA.

Back to the present

So what's changed in the last eight years? In some ways, not much. In other ways, everything. Tools like Kali Linux are still useful and part of the solution. What has changed is the ever-evolving threat landscape and the cost of doing business due to the added layers of security needed to maintain business as usual. We have written other articles on defense-in-depth, so I won't get into the weeds on that topic here, but it is no longer just the medical and financial industries (or other regulated businesses) but all businesses, large and small, that must invest in security to reduce risk and protect their business operations and data. The phrase often attributed to Vince Lombardi comes to mind: "Hope is not a strategy."

Call to action

Great, we've identified a business problem... so now what?! Here's the high-level recipe for building an effective security strategy:

  1. Discuss the need for addressing security with the top levels of the organization. This cannot be a bottom-up initiative. Too much is at stake.
  2. Work with a trusted technology/security partner to explore options.
  3. Invest in educating yourself and your team about the risks and how implementing security tools and best practices helps mitigate those risks.
  4. Measure the effectiveness of your security program to understand residual risk.
  5. Rinse and repeat.

With an intentional focus on security and a plan to monitor and assess its effectiveness over time, your business can reduce the risk of data loss and downtime. Much like how Linux is not for the faint of heart, information security can be tough to understand, so IT professionals are happy to work with you to formulate a winning game plan. Be like Lombardi and don't just hope the problem will go away on its own!