When the COVID-19 lockdowns began many months ago, experts in the cybersecurity industry knew what was coming next. As we have established in past articles, hackers are opportunistic: eager for any chaos to exploit in pursuit of their goals.
After its release in January 2020 and after many delays, the new Cybersecurity Maturity Model Certification (CMMC) has not yet been enforced in contracts from the Department of Defense or any other agency.
In 2017, an unnamed casino found that its data servers had been compromised and called on the aid of a security firm to help them find the culprit. Shortly afterwards, the surprising results of this investigation were reported far and wide: like the plot of an ill-conceived James Bond story, hackers had entered the casino’s network through an Internet-connected thermostat in a decorative aquarium.
At the beginning of 2020, we predicted that strengthening America’s critical infrastructure would become a renewed focus of cybersecurity for federal agencies and contractors. In spite of everything else that has happened since then, this prediction is coming true more rapidly than we would have guessed.
The RMS Titanic was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. Since then, many have wondered why the ship was not carrying enough lifeboats to save all the souls on board.
There’s a simple answer: the designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required. Since then, the story of Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security.
In 2017, an unnamed casino found that its data servers had been compromised and called on the aid of a security firm to help them find the culprit. Shortly afterwards, the surprising results of this investigation were reported far and wide.
The convergence of IT and OT has come so far that – in a recent blog post – the SANS Institute recommended dropping the “IT/OT” nomenclature entirely. Judging by the state of OT today, it’s a reasonable suggestion: over 65% of industrial control systems (ICS) are linked to enterprise or third-party networks, shrinking the “air gap” which has historically defended them.
It’s fair to say regulations from the National Institute of Standards and Technology (NIST) are a cornerstone to the security of our federal government: NIST documents set the standard for business operations in both the public and private sector, ranging from information security controls (SP 800-53) to cybersecurity practices (CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.
Why Crowd-sourced Pentesting Isn’t All it’s Cracked Up to Be
Crowds have always been a powerful thing, but before the Internet came along, it was difficult to harness them. Now things have changed: almost anything can be powered by crowds these days, from funding initiatives to news coverage, research and more. But is crowd-sourcing the right approach to penetration tests? Some people think so.
Organizations beware: last week, Xerox released a security advisory for several models of the WorkCentre Multifunction and Color Multifunction printers. Thanks to a Lightweight Directory Access Protocol (LDAP) vulnerability, hackers can launch a pass-back attack against printers with weak or default credentials. This exposes the login information of Active Directory users – including those with administrative privileges – and can be used to gain further control over an organization’s network.
When the Cybersecurity Model Maturity Certification (CMMC) goes into effect this year, the defense department will be holding its contractors to a higher standard than ever before. But whether or not they’re ready for the change remains to be seen: in the past, DoD partners were required to comply with regulations like NIST 800-171. In reality, many fell behind due to the leeway they had in implementation.
The arrival of 2020 signals many exciting developments in cybersecurity across the public and private sectors. With the beginning of a New Year comes the start of a new budget for public spending, and now that Congress has reconvened after the Holiday season, there are lots of items that will have to be discussed as 2020’s agenda for National Security starts taking shape.
2019 is coming to an end, and with it so is the decade when America started taking cybersecurity seriously. In the past decade, we have seen the rise of cloud-based infrastructure, government legislation like FedRAMP, and – most importantly – a dramatic increase in the number of cyber threats facing both commercial and governmental organizations.
How to Survive a Data Breach: 14 Disaster Response Tips
Twenty years ago, data breaches were uncommon, and when they happened, they tended to be small. But thanks to digital infrastructure, a worldwide community of skilled attackers with powerful tools and a black market for personally identifiable information (PII), login credentials and financial accounts, large-scale data breaches are now a significant threat to organizations large and small.
The IoT Security Gap, and Six Ways to Overcome It
By next year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion. That’s up 14.1 billion from 2016 – a shocking amount of growth in a short period of time and quintuple the number of usable IP addresses that existed under IPv4.
The Difference Between IT and OT, and How They Are Converging
Every system is susceptible to failure or manipulation, and that is why all technology in the enterprise must be carefully secured. Depending on the type of technology, however, different approaches to security are required: guarding a computer with guns will not prevent it from being hacked. Likewise, anti-virus software will not protect a car.
At least, that’s how things used to be. More recently, the kinds of technology that support industry, business and personal productivity have started to converge on the level of software and networking, and security requirements are changing in response.
NIST 800-53 Rev. 5: What it Is, and Why You Should Care
Later this year, the National Institute for Standards and Technology (NIST) will release revision #5 to Special Publication SP 800-53 Security and Privacy Controls for Information Systems and Organizations, a key framework documenting recommended security controls for federal information systems. Soon, government agencies, contractors and FedRAMP certified vendors will be rushing to update their systems before the guidelines go into effect.
NIST 800-171: What it Is, and Why You Should Care
Since 2017, any federal contractor working in association with the Department of Defense (DoD) is required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 – Protecting Unclassified Information in Nonfederal Information Systems and Organizations. In this article, we’ll give you the rundown on this important regulation, and why compliance is essential for any federal partner.
How Regular Risk Assessment Prevents and Stabilizes Threats
Data breaches, foreign hackers and corporate espionage: today, it seems that phrases like these are on the tips of every tongue, and not without good reason.
What is ICS?
Through our years of experience within cyber security, Industrial Control Systems (ICS) are unique. There is a blend of old and new technologies. Critical infrastructure security comes in many sizes but only one principle is constant, high availability. Many clients within critical infrastructure and security is becoming more of a concern.
Always Expect the Worst: Anticipating Threats with Cyber Hunt
Once upon a time, security was about mitigating risks to an organization by following best practices and responding effectively to incidents when they arose. This compliance and risk-based mindset is no longer enough: the past several years have seen escalating breaches and organized cyber-crime, showing that safety is now the exception and not the rule. A threat-based mindset is the only solution.
A New Security Risk for ICS Controllers: Triton Malware Explained
Over the past few years, we’ve started to see malware specifically developed to target industrial control systems (ICS). Among the most notable of recent culprits are BlackEnergy, Industroyer and Triton. FireEye was the first security firm responding to the Triton incident, and recently published more information about the Triton Threat Actor TTP profile which we will review in this article.
Ransomeware ‘LockerGoga’ Disrupting Industrial Operations
It has recently been reported that a new breed of ransomeware is infecting industrial networks and forcing ICS organizations to switch from digital to manual operations. The malware ‘LockerGoga has, within the past few weeks, infiltrated Norweigan aluminum Manufacturer, Norsk Hydro. Because of this incident, the organization was forced to execute their business continuity and cyber security incident response plans.
Answering Risk Requests from Third-Party Partners with Standardized Documentation and Response
As CISOs become increasingly aware of the risks surrounding third-party relationships – and with a shift in focus towards supply chain risk management – there is mounting pressure from partners and clients to maintain a security posture centered on a mature information security program.
2018 will likely go down in history for the sheer scale of consumer data that was hacked, leaked, stolen and otherwise compromised by cyberattacks throughout the year. Estimates show that during the first six months alone, 4.5 billion records were exposed over 945 data breaches leading to mass identify theft and financial fraud.
One year away from the third decade of the 21st century and technology has finally caught up with science fiction. In 2019, we’re going to hear more news about driverless cars, revolutions in artificial intelligence and commercial applications for drones. One thing is for sure: it’s an exciting time to be alive.
A recent poll found that an overwhelming majority of Americans (92%) agree on one thing: the power grid needs better protection. This point of view is understandable. The day before New Year’s 2017, researchers discovered that foreign hackers had infiltrated an internal computer at Vermont utility Burlington Electric.
Securicon supports USCYBERCOM in planning, coordinating, integrating, synchronizing, and conducting the operations and defense of Department of Defense Information Networks (DODIN).