What GovCons Should Know About Software Bills of Material (SBOMs)

In May of 2021 – following the Log4Shell vulnerability and other software supply chain incidents – the White House directed government agencies to adopt software bills of material (SBOMs) in executive order (EO) 14028. Two years later, the federal security community is still debating how to implement them. 



 

What’s New in NIST’s Cybersecurity Framework (CSF) 2.0?

Since 2022, the National Institute of Standards and Technology (NIST) has been working on major updates to its Cybersecurity Framework (CSF), a set of guidelines and best practices for cybersecurity which enjoys wide adoption among federal organizations and private businesses of every size.



Why AI-Driven Tools Will Fail Cyber Defenders

Every few decades, the world goes through an “AI spring,” and we are in the middle of one right now. With accelerating progress in AI research and the arrival of emerging capabilities exemplified by tools like ChatGPT, hopes are surging that AI applications will soon help organizations to detect threats in their IT environment, prevent data breaches, and block incoming attacks with a much higher success rate.   



A False Sense of Security: Why VPNs Are Not a Silver Bullet

In a world of hybrid organizations and a rising number of remote employees, virtual private networks (VPNs) are rapidly growing as a solution for secure access between enterprise networks and external endpoints. In 2022, the global VPN market was valued at $44.6 billion, with experts projecting a $93.1 billion increase by 2030. 



The Hidden Dangers of AMI Infrastructure: Protect Your Utility Company Now

The rise of Advanced Metering Infrastructure (AMI) has revolutionized the way utilities collect and manage data. Implementing AMI improves the efficiency and accuracy of energy consumption monitoring and billing, and provides more real time information and control to consumers. But AMI also increases the exposure of both utilities and consumers to cyber threats.   



How Multi-Factor Authentication Can Make Your Business Safer

In today’s digitally transformed world, user access is the cornerstone of a strong security program. With people remotely logging into applications, networks, and systems, companies must implement robust identity and access management (IAM) policies, limiting access as precisely as possible.  



How to Protect Your Operational Technology (OT) in 2023

Oil and gas, manufacturing, energy distribution and critical infrastructure – what do all these industries have in common? Aside from their indispensability, they all rely on operational technology (OT) such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.  



Why Shadow IT is the Biggest Blind Spot in Your Cybersecurity Strategy

In the past few years, software-as-a-service (SaaS) apps have exploded in popularity, bringing powerful new functionality to organizations which they could only dream of in the past. Unfortunately, the ease and availability of cloud apps are a double-edged sword that can work against the security of your business without proper oversight. 



Seven Ways to Reduce The Impact of Zero-Day Exploits

At the end of 2021, the Log4Shell remote code execution (RCE) exploit was discovered in a popular Java logging package, Log4j. With millions of devices and software packages affected, it became the worst cybersecurity vulnerability since the SolarWinds attack, with attacks continuing into the early months of 2022.



Why Hackers Aren’t the Biggest Threat to Your Cloud Configuration

Private businesses and government contractors alike are increasingly relying on public cloud services to drive their core business functions – according to Gartner, global cloud spending will increase by over 20% to almost $500 billion. But the speed of cloud adoption often leaves cybersecurity by the wayside, leaving companies open to major risks.



Should I Pay the Ransom? Answering 10 Common Questions About Ransomware

Ransomware continues to make headlines, especially as cybercriminals aligned with nation-states continue to perpetrate attacks. According to a 2022 report, attackers fall into two categories. First, sophisticated attackers who continually improve their techniques, tactics, and procedures (TTPs), learning from their mistakes and establishing their own group of highly skilled cybercriminals. Second, Ransomware-as-a-Service (RaaS) models which lower the barrier to entry so that inexperienced or less technical cybercriminals can deploy attacks.



Microsoft is Changing How it Authenticates Email: Explaining CISA’s Announcement

Back at RSA 2020, in the days before the pandemic drove most companies to adopt remote work, Microsoft explained that about half of 1% of the enterprise accounts in their system were compromised per month. The reason? 99.9% didn’t use multi-factor authentication (MFA).



What the Federal Government is Doing to Fight Ransomware in 2022

Among the cybersecurity threats that are escalating in 2022, ransomware attacks remain one of the most damaging and impactful to federal agencies and contractors. According to Verizon’s yearly Data Breach Investigation Report (DBIR), this year has seen ransomware incidents increase by 13%, which is more growth than the past 5 years combined.  



When it Comes to Picking Targets, Hackers Don’t Care About Size

As a small business, it’s easy to think that malicious cyber actors only want to target the largest companies. After all, those are the ones who have the most data and sensitive assets. At the same time, those companies also have the highest security budget, making attacks against them time-consuming and resource intensive. Meanwhile, attacks against small businesses are not only easier – they can be just as profitable.  



How the Cybersecurity Talent Gap is Threatening Your Business

In 2022, the worldwide shortage of cybersecurity talent has exceeded 3 million. If current trends continue, that number will only grow in 2023 and beyond: this is a major problem for businesses across all industries and verticals who are facing an epidemic of ransomware and data breaches – not to mention the looming possibility of cyberwarfare. 



What the Russian Invasion of Ukraine Means for Your Cybersecurity

Throughout the Russian invasion of Ukraine, cybersecurity experts have warned about the possibility that Western businesses are about to end up in the crosshairs of cyberwarfare. Should you be worried? The answer is: yes. 



Cyber Warfare Now: Explaining the Global Threat Landscape in 2022

2021 was a very difficult year for the cybersecurity sector, with cybercrime spanning nation-state actors, lone wolves and advanced persistent threat (APT) groups. But who are the players, what are their tools, and how are their tactics changing?



Surviving Log4j: How to Maintain Mission Resilience in the Face of Threats

Months after it was discovered in December of 2021, the Log4j remote code execution exploit (Log4Shell) is still impacting businesses and government organizations throughout the world. To call it the worst cybersecurity vulnerability since SolarWinds would not be an exaggeration, and – with millions of devices and software packages affected – it’s a problem that won’t disappear any time soon.



Everything Defense Contractors Need to Know About CMMC 2.0

On November 4th, the Department of Defense (DoD) announced major revisions to the Cybersecurity Maturity Model Certification (CMMC). Since it first entered federal law in December of 2020, the CMMC has only undergone minor revisions, bringing it to version 1.02. Now the framework will jump ahead to version 2.0, with a streamlined system of security levels, introduction of a waiver process, and changes to the framework core.



How Zero Trust Push Will Transform the Government

2021 has been an eventful year for cybersecurity, especially in the federal space. Following a series of high-profile cyberattacks targeting government organizations and public infrastructure, the White House decided to take action this summer with a sweeping executive order that demands broad reforms to improve America’s cybersecurity posture.



What Defense Contractors Need to Know About New DFARS Rules and CMMC Compliance

In 2019, the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC), a new set of standards for cybersecurity compliance across the Defense Industrial Base (DIB). Last December, the CMMC finally went into effect under an “interim rule” which gives organizations in the defense sector time to fully comply while the DoD prepares for enforcement.



Cybercriminals and the Future of Insider Threats

Every year, Dan Lohrmann from the Government Technology blog chooses a pithy title for the previous year in cybersecurity. For 2020, he chose ‘The Year the COVID-19 Crisis Brought a Cyber Pandemic,’ and for a summary of the past 12 months, we can’t improve on that.



Right-of-Breach Mentality Leads to Cyberattacks on Critical Infrastructure

The dust is still settling from the latest in a series of highly publicized cyberattacks affecting critical infrastructure in the U.S. Two Fridays ago, Colonial Pipeline – the single largest provider of natural gas across the Eastern U.S. – experienced a ransomware attack and announced that it was shutting down all 5,500 miles of its main pipeline, running from Houston, TX to Linden, NJ.



In 2021, Remote Employment is Driving Cybersecurity Trends

Every year, Dan Lohrmann from the Government Technology blog chooses a pithy title for the previous year in cybersecurity. For 2020, he chose ‘The Year the COVID-19 Crisis Brought a Cyber Pandemic,’ and for a summary of the past 12 months, we can’t improve on that.



How Local Governments Can Help Their Remotely Employed Cybersecurity Teams

When the COVID-19 lockdowns began many months ago, experts in the cybersecurity industry knew what was coming next. As we have established in past articles, hackers are opportunistic: eager for any chaos to exploit in pursuit of their goals.



Everything Government Contractors Need to Know About CMMC and NIST 800-171

After its release in January 2020 and after many delays, the new Cybersecurity Maturity Model Certification (CMMC) has not yet been enforced in contracts from the Department of Defense or any other agency. 



The IoT Security Problem in 2020: Taking a Deeper Look

In 2017, an unnamed casino found that its data servers had been compromised and called on the aid of a security firm to help them find the culprit. Shortly afterwards, the surprising results of this investigation were reported far and wide: like the plot of an ill-conceived James Bond story, hackers had entered the casino’s network through an Internet-connected thermostat in a decorative aquarium.



Breaking Down CISA/NSA’s Warning to Industrial Control System (ICS) Operators

At the beginning of 2020, we predicted that strengthening America’s critical infrastructure would become a renewed focus of cybersecurity for federal agencies and contractors. In spite of everything else that has happened since then, this prediction is coming true more rapidly than we would have guessed.



Why A Compliance-Based Approach to Cybersecurity is Not Enough

The RMS Titanic was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. Since then, many have wondered why the ship was not carrying enough lifeboats to save all the souls on board.

There’s a simple answer: the designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required. Since then, the story of Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security.



Why Third-Party Vendors Are Responsible for the IoT Security Problem

In 2017, an unnamed casino found that its data servers had been compromised and called on the aid of a security firm to help them find the culprit. Shortly afterwards, the surprising results of this investigation were reported far and wide.



OT Security Risks Are Worse Than Ever: Here’s How You Fight Them

The convergence of IT and OT has come so far that – in a recent blog post – the SANS Institute recommended dropping the “IT/OT” nomenclature entirely. Judging by the state of OT today, it’s a reasonable suggestion: over 65% of industrial control systems (ICS) are linked to enterprise or third-party networks, shrinking the “air gap” which has historically defended them.



5 NIST Updates That Will Impact Security Professionals in 2020

It’s fair to say regulations from the National Institute of Standards and Technology (NIST) are a cornerstone of the security of our federal government: NIST documents set the standard for business operations in both the public and private sector, ranging from information security controls (SP 800-53) to cybersecurity practices (CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.




Why Crowd-sourced Pentesting Isn’t All it’s Cracked Up to Be

Crowds have always been a powerful thing, but before the Internet came along, it was difficult to harness them. Now things have changed: almost anything can be powered by crowds these days, from funding initiatives to news coverage, research and more. But is crowd-sourcing the right approach to penetration tests? Some people think so.


 


Hackers Can Gain Active Directory Privileges Through Vulnerability in Xerox Printers

Organizations beware: last week, Xerox released a security advisory for several models of the WorkCentre Multifunction and Color Multifunction printers. Thanks to a Lightweight Directory Access Protocol (LDAP) vulnerability, hackers can launch a pass-back attack against printers with weak or default credentials. This exposes the login information of Active Directory users – including those with administrative privileges – and can be used to gain further control over an organization’s network.



The Hacker’s Perspective: Risk as Opportunity

When the Cybersecurity Maturity Model Certification (CMMC) goes into effect this year, the Defense Department will be holding its contractors to a higher standard than ever before. But whether or not they’re ready for the change remains to be seen: in the past, DoD partners were required to comply with regulations like NIST 800-171. In reality, many fell behind due to the leeway they had in implementation.


 


2019 in Retrospect: Federal Security Changes and New Directions

The arrival of 2020 signals many exciting developments in cybersecurity across the public and private sectors. With the beginning of a New Year comes the start of a new budget for public spending, and now that Congress has reconvened after the Holiday season, there are lots of items that will have to be discussed as 2020’s agenda for National Security starts taking shape.



5 Big Risks for Industrial Control Systems (ICS) in 2020

2019 is coming to an end, and with it so is the decade when America started taking cybersecurity seriously. In the past decade, we have seen the rise of cloud-based infrastructure, government legislation like FedRAMP, and – most importantly – a dramatic increase in the number of cyber threats facing both commercial and governmental organizations.



How to Survive a Data Breach: 14 Disaster Response Tips

Twenty years ago, data breaches were uncommon, and when they happened, they tended to be small. But thanks to digital infrastructure, a worldwide community of skilled attackers with powerful tools and a black market for personally identifiable information (PII), login credentials and financial accounts, large-scale data breaches are now a significant threat to organizations large and small.



The IoT Security Gap, and Six Ways to Overcome It


By next year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion. That’s up 14.1 billion from 2016 – a shocking amount of growth in a short period of time and quintuple the number of usable IP addresses that existed under IPv4.


 


The Difference Between IT and OT, and How They Are Converging

Every system is susceptible to failure or manipulation, and that is why all technology in the enterprise must be carefully secured. Depending on the type of technology, however, different approaches to security are required: guarding a computer with guns will not prevent it from being hacked. Likewise, anti-virus software will not protect a car.

At least, that’s how things used to be. More recently, the kinds of technology that support industry, business and personal productivity have started to converge on the level of software and networking, and security requirements are changing in response.



NIST 800-53 Rev. 5: What it Is, and Why You Should Care

Later this year, the National Institute of Standards and Technology (NIST) will release revision #5 to Special Publication SP 800-53 Security and Privacy Controls for Information Systems and Organizations, a key framework documenting recommended security controls for federal information systems. Soon, government agencies, contractors and FedRAMP certified vendors will be rushing to update their systems before the guidelines go into effect.



NIST 800-171: What it Is, and Why You Should Care

Since 2017, any federal contractor working in association with the Department of Defense (DoD) is required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Protecting Unclassified Information in Nonfederal Information Systems and Organizations. In this article, we’ll give you the rundown on this important regulation, and why compliance is essential for any federal partner.



How Regular Risk Assessment Prevents and Stabilizes Threats


Data breaches, foreign hackers and corporate espionage: today, it seems that phrases like these are on the tips of every tongue, and not without good reason.



What is ICS?

In our years of experience in cyber security, we have found Industrial Control Systems (ICS) to be unique: they blend old and new technologies. Critical infrastructure security comes in many sizes, but only one principle is constant: high availability. Many clients within critical infrastructure and security is becoming more of a concern.



Always Expect the Worst: Anticipating Threats with Cyber Hunt

Once upon a time, security was about mitigating risks to an organization by following best practices and responding effectively to incidents when they arose. This compliance and risk-based mindset is no longer enough: the past several years have seen escalating breaches and organized cyber-crime, showing that safety is now the exception and not the rule. A threat-based mindset is the only solution. 



A New Security Risk for ICS Controllers: Triton Malware Explained

Over the past few years, we’ve started to see malware specifically developed to target industrial control systems (ICS). Among the most notable of recent culprits are BlackEnergy, Industroyer and Triton. FireEye was the first security firm responding to the Triton incident, and recently published more information about the Triton Threat Actor TTP profile which we will review in this article.



Ransomware ‘LockerGoga’ Disrupting Industrial Operations

It has recently been reported that a new breed of ransomware is infecting industrial networks and forcing ICS organizations to switch from digital to manual operations. The malware ‘LockerGoga’ has, within the past few weeks, infiltrated Norwegian aluminum manufacturer Norsk Hydro. Because of this incident, the organization was forced to execute its business continuity and cyber security incident response plans.



Answering Risk Requests from Third-Party Partners with Standardized Documentation and Response

As CISOs become increasingly aware of the risks surrounding third-party relationships – and with a shift in focus towards supply chain risk management – there is mounting pressure from partners and clients to maintain a security posture centered on a mature information security program.



Preparing For Data Breaches: 5 Lessons From 2018

2018 will likely go down in history for the sheer scale of consumer data that was hacked, leaked, stolen and otherwise compromised by cyberattacks throughout the year. Estimates show that during the first six months alone, 4.5 billion records were exposed over 945 data breaches leading to mass identity theft and financial fraud.



Looking Ahead: Why 2019 Will Be the Year of Cyberwarfare

One year away from the third decade of the 21st century and technology has finally caught up with science fiction. In 2019, we’re going to hear more news about driverless cars, revolutions in artificial intelligence and commercial applications for drones. One thing is for sure: it’s an exciting time to be alive.



Improving the Reliability of Power Delivery Systems

A recent poll found that an overwhelming majority of Americans (92%) agree on one thing: the power grid needs better protection. This point of view is understandable. The day before New Year’s 2017, researchers discovered that foreign hackers had infiltrated an internal computer at Vermont utility Burlington Electric.



United States Cyber Command (USCYBERCOM)

Securicon supports USCYBERCOM in planning, coordinating, integrating, synchronizing, and conducting the operations and defense of Department of Defense Information Networks (DODIN).
