Posts

Is Your Company Ready for a Cyberattack?

Can you ever be ready for a cyberattack—yes, you can!

Asking if you are ready for a cyberattack is like asking if you are ready for an accident. When an accident occurs, you can have insurance and the coverage you need to take care of the problem—with a cyberattack, if you have a cybersecurity partner on your side, you can do the same.

If you are not already prepared for a cyberattack, it is imperative you understand the serious and imminent dangers of an attack.

With global cybercrime damages predicted to cost up to $10.5 trillion annually by 2025, having a quality cybersecurity service is no longer an option, it’s a requirement. Hackers are coming at your company from all angles, intent on stealing (or holding hostage) your most valuable assets, and you need to be ready.

It’s no longer a matter of, “you should probably do something about that,” it’s a, “you NEED to make the necessary adjustments as soon as possible,” and here’s why.

Cybercrime costs organizations $2.9 million every minute, and major businesses lose $25 per minute as a result of data breaches. It takes 280 days to find and contain the average cyberattack, while the average attack costs $3.86 million. Companies in the United States have the highest average total cost at $8.64 million per breach, and it is estimated that half of all data breaches globally will occur in the United States by 2023. If you haven’t already, take a minute and look at one of the many cyber threat maps to see how many attacks are detected every second—there are hundreds of thousands every day!

That’s why you need to understand what kinds of threats you are up against and how your defenses will fare.

A cybersecurity partner can help ensure the safety of your company’s most critical assets. The reason to rely on a cybersecurity partner is that teams like ours are staffed with cybersecurity experts who have the extensive education and experience needed to combat the many types of cyberattacks. If you have some kind of cybersecurity product installed on your network of devices, you will be able to prevent a good number of attacks, but without an expert who constantly reads reports and anticipates the different attacks, you are at risk. Experts don’t need to turn to an incident response manual every time there appears to be a threat. You need a team on constant lookout for things such as zero-day attacks and other unseen threats that may appear.

Attacks can come from your cloud, servers, firewalls, SDS systems, personal devices, and more.

With a threat detection solution—such as Security Information and Event Management (SIEM) continuously monitoring your environment—you’ll not only get preventative software, but real-time notifications on serious threats, not false positives. In addition, if an attack is detected, our team of experts will start working with you to find a solution within minutes of an attack.

Analysis finds that 80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations.

Although the reality of cybersecurity threats and malicious attacks is challenging, CIT is here to help you realize your cybersecurity capabilities and risks and provide recommendations for improving your overall defense in-depth for the best possible cybersecurity outcomes.

Let’s discuss!

Combatting Business Email Compromise Risks 

An old scam that keeps reinventing itself with new victims. Don’t become one! 

You’ve probably heard the classic business email compromise (BEC) scam about Nigerian princes who want to deposit money in people’s bank accounts—but first need their prey to send them money to make it all work to plan. It’s an oldie but goodie. Unfortunately, it’s also one that keeps reinventing itself along with another batch of unwitting victims. In fact, it happens so often, BEC scams currently outdo ransomware as the most damaging cyberattack in the world. 

In fact, according to the FBI’s Internet Crime Complaint Center (IC3), in 2020, losses from BEC exceeded $1.8 billion—that’s a fourfold increase since 2016! The number of BEC incidents also rose by 61% between 2016 and 2020. Using tactics that play off real-time world events, such as COVID-19 or the trust of established interpersonal relationships, criminal elements have managed to stay ahead of the good guys with increased sophistication and swiftness. 

  • Healthcare providers bilked by criminals posing as trusted vendors with access to much-needed personal protective equipment
  • A large social media firm handed over personal payroll information about employees to an individual they thought was their CEO 
  • A non-profit organization was fooled into transferring a large loan to a business partner right into the hands of the threat actor  

To protect yourself and your business from these types of attacks, employee education is essential. For example, if someone in your accounts payable department receives an email from a business partner requesting that you alter established wire transfer information, be sure your staff are trained to recognize the request as a red flag and to confirm the details of the change directly with their established point of contact. It seems second nature, but when people are busy and working against deadlines, it’s easy to miss a well-disguised ruse.

From a defense in-depth perspective, it’s also essential to ensure you have a layer of threat detection in place to help identify malicious behavior, alert of the threat, and inform the correct response and remediation measures. This would include: 

Monitoring for anomalous behavior, both on-premises and in the cloud  

BEC threats rely on looking like normal user activity. With an increase in remote work, companies are relying more on cloud services like Microsoft® Office 365® which puts data into a complex environment that’s often under-protected. Once threat actors can get access to Office 365, getting to the juicy data is just a few clicks away. Traditional perimeter security tools, such as firewalls, aren’t able to monitor suspicious activity in cloud-hosted applications like Office 365, SharePoint, or OneDrive. The same applies to monitoring of your endpoints for suspicious activity. If a threat actor slips past perimeter defense and acquires user credentials, it will be difficult to identify threats that appear as typical activity. 

Having enough IT Security staff 

When something nefarious goes down, you need to know immediately. Too many businesses lack the ability to dedicate staff to 24/7 monitoring of their environment. If an alert goes off at 1 a.m., the time lost until someone sees it and makes sense of it could be the difference between defense of the business or catastrophic damage. Managed threat detection and response can be a force multiplier if you are unable to monitor your environment 24/7. 

While there are many aspects to improving your defense in-depth, the following from the FBI act as good and effective tips to share with employees to help elevate everyone’s awareness of how to avoid business email compromise attacks. 

  • Be skeptical—Last-minute changes in wiring instructions or recipient account information must be verified. 
  • Don’t click it—Verify any changes and information via the contact on file—do not contact the vendor through the number provided in the email. 
  • Double check that URL—Ensure the URL in the email is associated with the business it claims to be from.
  • Spelling counts—Be alert to misspelled hyperlinks in the actual domain name.
  • It’s a match—Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s coming from. 
  • Pay attention—Often there are clues with business email compromise, e.g.:
    • An employee who does not normally interact with the CEO receives an urgent request from them 
    • Data shows an employee is in one location at 1 p.m. but halfway around the globe 10 minutes later
    • Activity from an employee who is supposed to be on leave
  • If you see something, say something—If something looks awry, report it to your managed service provider or IT Security supervisor. And if you have been a victim of BEC, file a detailed complaint with IC3.
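The “one location at 1 p.m., halfway around the globe 10 minutes later” clue above can be turned into a detection rule. This is an added example, not code from the original post or from CIT: it runs over constructed sign-in records (user, UTC timestamp, geolocated latitude/longitude) and flags consecutive sign-ins whose implied travel speed exceeds an assumed 1,000 km/h threshold; the record format, the coordinates, and the threshold are all assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in records (not real logs):
# user, UTC timestamp, latitude, longitude of the source IP's geolocation.
SAMPLE_SIGNINS = [
    ("alice", "2021-06-01T13:00:00Z", 44.98, -93.27),   # Minneapolis
    ("alice", "2021-06-01T13:10:00Z", 1.35, 103.82),    # Singapore, 10 minutes later
    ("bob",   "2021-06-01T09:00:00Z", 41.88, -87.63),   # Chicago
    ("bob",   "2021-06-01T12:30:00Z", 40.71, -74.01),   # New York, 3.5 hours later
]

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than a commercial flight is not plausible travel.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(ts):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Group sign-ins per user, order them by time, and flag each consecutive
    pair whose implied speed exceeds max_kmh.
    Returns a list of (user, earlier_ts, later_ts, distance_km, speed_kmh)."""
    by_user = {}
    for user, ts, lat, lon in signins:
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                # Same timestamp from two different places is impossible outright.
                speed = math.inf if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                shown_speed = round(speed) if math.isfinite(speed) else speed
                alerts.append((user, t1.isoformat(), t2.isoformat(), round(km), shown_speed))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", alert)
```

With the sample data only alice is flagged (roughly 14,500 km in 10 minutes); bob’s Chicago-to-New York hop at about 330 km/h is left alone.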

To learn more about business email compromise threats and defense against them, CIT can provide you with guidance, education, and technology to strengthen your security posture. Give us a call and let’s discuss.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the Department of Defense (DoD) to help measure the cybersecurity maturity level of contractors across the defense industrial base (DIB), which includes over 300,000 companies. The CMMC is the DoD’s response to significant increase in compromises of sensitive data located on contractors’ information systems.

When did it go into effect?

September 2020.  Many companies have already been required to meet certain requirements outlined by the DoD to meet CMMC requirements.  The expectation is that CMMC will be a requirement of all new DoD requests for proposals beginning in 2026.

What companies are included?

The certification is applicable to contractors who work directly with DoD, and to subcontractors who contract with primary contractors to provide fulfilment and execution of those contracts. 

As mentioned above, all contracts with the DoD will include CMMC requirements by 2026.  It is worth noting that the DoD has indicated they intend to issue contract opportunities at all levels of the maturity model, meaning that there will be some number of requests issued that will require only a low level of certification.

What are the levels of CMMC?

The levels of CMMC map directly to the security maturity of an organization. They are cumulative, meaning that as organizations implement stronger controls, they can achieve a higher level. The level of maturity may be a differentiator for retaining or gaining new contracts with the DoD.

  • CMMC level 1: Performed. Creation requirements; processes are informal.
  • CMMC level 2: Documented, meaning a security program exists, is documented, and is understood throughout the organization.
  • CMMC level 3: Managed. Tools and processes are in place, consistent, and followed by all within the organization.
  • CMMC level 4: Reviewed. Tools and processes are reviewed periodically and updated as opportunities are identified from the review.
  • CMMC level 5: Continuous improvement throughout the organization. The organization has implemented all requirements.

What is included in the review?

The CMMC includes the following cybersecurity domains, all of which need to have at least Basic Cybersecurity milestones to be CMMC compliant:

  • Access control 
  • Asset Management
  • Awareness and training 
  • Audit and accountability 
  • Configuration management 
  • Identification and authentication 
  • Incident Response 
  • Maintenance 
  • Media protection 
  • Physical protection 
  • Personnel security 
  • Recovery
  • Risk management
  • Security assessment 
  • Situational awareness
  • System and communications protection 
  • System and information integrity

Still have questions?

CIT is a Registered Provider Organization (RPO). RPOs are the “implementors” and consulting organizations that help companies achieve the various levels of certification.

Not All MFA is Created Equal: Advantages and Disadvantages of Common Forms of MFA

If you’ve spoken to anyone in the cybersecurity industry in the past few years, you’ve probably heard at least once “multi-factor authentication (MFA) is one of the best things you can do to protect yourself and your organization.” But what, you may be asking, does that specifically entail? MFA comes in all different shapes and sizes and like anything else in the cybersecurity and technical worlds, there is a fair amount of nuance in the available technologies. There are many things to consider when attempting to determine what type of MFA is best for you and your organization, including security, ease of implementation, ease of use, cost, etc. Let the below information serve as a high-level overview of those considerations for the four most common forms of MFA: SMS OTP, software TOTP, hardware TOTP, and push OTP.

SMS One-Time Password (OTP) 

  • Description: a random, numerical password, usually six digits, sent via SMS message to a designated mobile device. The password can only be used once.
  • Advantages: easy to implement and better than no MFA at all. It can also be free or inexpensive to set up (disregarding the cost of the mobile phone).  
  • Disadvantages: requires the user to own a mobile phone that can receive SMS text messages. One of the least secure forms of MFA (see Vulnerabilities).
  • Vulnerabilities: susceptible to SMS intercept attacks, wherein the text message is “intercepted” by a cyber attacker who receives the text message instead. SMS intercept attacks can be accomplished in a variety of ways, including SIM-swap scams, mobile number port-out scams, and SMS-stealing malware. Several high-profile security breaches have occurred over the past few years that were the result of SMS intercept attacks, including the 2018 data breach at Reddit and the 2019 compromise of Twitter CEO Jack Dorsey’s Twitter account.
  • Other info: SMS OTP was deprecated by the National Institute of Standards and Technology (NIST) in 2016.

Software Time-based One-Time Password (TOTP)

  • Description: a random, numerical password, usually six digits, generated via an authenticator app installed on the associated mobile device. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once. There are a variety of authenticator apps available, including Google Authenticator, Duo Mobile, Authy, etc.
  • Advantages: more secure than SMS OTP and fairly easy to deploy, though not as easy as SMS OTP. It can also be free or inexpensive to set up (disregarding the cost of the smartphone).
  • Disadvantages: requires the user to own a smartphone and install a mobile app. The security of software TOTP is heavily dependent on the authenticator app being used, as well as the parameters specified by the authenticating server. TOTP relies on a shared secret key that is portable, often shared via a QR code, which makes it susceptible to cloning.
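The six-digit, 30-second TOTP scheme described above is RFC 6238 layered on RFC 4226 HOTP. As an added example (not code from the original post or from CIT), the following Python generates codes exactly as an authenticator app does and adds the server-side check that enforces single use and a small clock-drift window; the base32 secret is the published RFC test key, used here as a constructed value, not a real credential. Because the code depends only on the shared secret and the current time, any copy of the secret yields the same valid code, which is the cloning risk the text describes.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example shared secret, base32-encoded the way an authenticator
# app receives it from the enrollment QR code. This is the RFC 6238 test key
# ("12345678901234567890"), not a real credential.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP_SECONDS = 30   # the usual regeneration interval
CODE_DIGITS = 6          # the usual code length


def hotp(secret_b32, counter, digits=CODE_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=TIME_STEP_SECONDS, digits=CODE_DIGITS):
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals elapsed since the Unix epoch. Anything holding the same secret
    (the phone, the server, or a cloned copy) computes the same code."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, used_counters,
                step=TIME_STEP_SECONDS, digits=CODE_DIGITS, window=1):
    """Server-side check of a submitted code.

    Accepts the current interval plus `window` neighbours on each side to
    tolerate clock drift, and records the interval it matched in
    `used_counters` so the same code is rejected if replayed.
    Returns True on success, False otherwise."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter in used_counters:
            continue  # this interval's code was already redeemed: one use only
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # Same secret, same time, same code: the cloning risk the text describes.
    t = 59
    phone_code = totp(EXAMPLE_SECRET_B32, t)
    cloned_code = totp(EXAMPLE_SECRET_B32, t)
    print("phone:", phone_code, "clone:", cloned_code)   # both 287082
    redeemed = set()
    print(verify_totp(EXAMPLE_SECRET_B32, phone_code, t, redeemed))  # True
    print(verify_totp(EXAMPLE_SECRET_B32, phone_code, t, redeemed))  # False (replay)
```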

Hardware Time-based One-Time Password (TOTP)

  • Description: a random, numerical password, usually six digits, generated via a hardware token, like a key fob or smart card, with a digital display. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once.
  • Advantages: very secure, as most hardware tokens are difficult to compromise remotely. The use of hardware tokens does not require users to own a mobile device or smartphone or install an authenticator app.
  • Disadvantages: can be very expensive (~$15+ per token). Hardware tokens can be difficult to deploy, as they are set up using NFC, which can be temperamental to use. The hardware tokens, which can be quite small, can be easily lost. Additionally, some hardware tokens, such as YubiKeys, require a physical connection to the device attempting the authentication and are thus not compatible with devices that do not have the token’s connection type (e.g., USB-A, USB-C, Lightning). Hardware tokens with more than one connection type are available, but they tend to be more expensive.

Push One-Time Password (OTP)

  • Description: a push notification is sent to the user’s device via an installed mobile app, giving the user the option to approve or deny the authentication request. The push notification usually includes the context of the authentication request, such as the IP address and corresponding location from which the login request originated.
  • Advantages: very secure, as the authentication communication is out-of-band and encrypted. Unlike TOTP, push OTP links a single device to the user’s identity, so it is not susceptible to cloning. It is easy to deploy and extremely easy to use, requiring only the click of a button to approve the request. It can be free or inexpensive (disregarding the cost of the smartphone).
  • Disadvantages: possible for users to accidentally approve fraudulent requests. It requires the user to own a smartphone and download a mobile app. Push OTP requires that the smartphone have an internet connection and it is a relatively new technology that is still not widely supported.
  • Other info: often used as a replacement for passwords. The push notification does not usually carry the OTP, but upon approval by the user, a unique OTP is generated internally on the device and sent back to the authenticating server to verify it.

Why should an organization consider using a security framework?

Historically, organizations have invested significant amounts of time and budgets into their current security posture.  Up until recently, that posture was largely designed to protect the traditional office space.  With more people working remotely than ever, that security posture and program may not fit with the new requirements of protecting employees that may be working anywhere at any time. 

A security framework is designed to help organizations:

  • Understand their current cybersecurity posture
  • Define or update a cybersecurity program
  • Help communicate requirements and future state with stakeholders
  • Identify opportunities or needs for new or revised standards
  • Assist in prioritizing potential projects to help reduce risk to the company
  • Enable investment decisions to address gaps

What is NIST?

The National Institute of Standards and Technology developed its Cybersecurity Framework to strengthen the security of United States critical infrastructure. Like most security frameworks, NIST can be applied to an organization of any size in any industry. The NIST framework is organized around five core functions.

Those are: Identify, Protect, Detect, Respond, and Recover.

Identify

Naturally, most security programs begin with the Identify stage.

  • Identify can include reviewing the inventory of assets, data, users, and systems, and the boundaries of where all those items can be located. After that, most will complete assessments, which may include gap analyses, a self-assessment or questionnaire, and a review of the technical infrastructure, as well as potentially reviewing those of their supply chain vendors and partners.
  • Assessments are performed to help define risks, allowing the organization, or its partners, to develop the appropriate security controls to address those risks.
  • Identify also includes the traditional governance process of building or revising security policies and procedures, change management processes, vendor management processes, and so on.

Protect

Once the Identify process has been completed, building a security program begins with defining and applying security controls to help mitigate the risks, as well as building processes to protect the organization’s assets and people.

  • The Protect core focuses on building administrative and technical controls to protect data, identifiable information, and all company assets.
  • Some tools that assist with this function include building out identity management and applying a least-privilege access model to limit users’ access to only what they need to complete their daily tasks, applying multifactor authentication (MFA) on external-facing systems, limiting access to management interfaces, and continuously reviewing and remediating vulnerabilities.
  • Building out a cybersecurity training program that covers current threats and includes frequent phishing simulations.
  • An example of an administrative control is requiring that no single user can approve a wire transfer without a second person’s confirmation.
  • Physical controls can include physical access management through locked doors, badging as well as the use of security cameras.

Detect

As organizations continue to mature, detection and response capabilities become a priority. The Detect core is designed to help build a formal detection process for the various threats organizations face every day.

  • Advanced detection tools gather information from disparate systems across the network, from cloud environments, third-party threat intelligence, and system vulnerabilities, and correlate that information to provide event alerts and insights on a variety of threats, such as external attacks on systems and anomalous user behavior, as well as helping with data loss prevention. Common detection tools include SIEM solutions and Endpoint Detection and Response (EDR) tools.

Respond

As organizations mature their detection capabilities, the next step is to respond to detected threats.

  • Building out response processes and procedures is also a core capability of NIST. A Cybersecurity Incident Response Plan is a common first step in building out and formalizing response capabilities. Understanding that over 94% of organizations had a security event in 2020, building a plan to respond is crucial to help the organization better understand its capabilities and outline how communications flow.
  • Once an Incident Response Plan has been developed, working through a variety of tabletop exercises will help organizations validate and test their plan and capabilities.
  • Tools such as Endpoint Detection and Response (EDR) are absolutely critical and need to be budgeted for and deployed by every organization, regardless of industry or size.
  • EDR tools can detect and shut down malicious processes, quarantine and remove the malicious file, and in some cases provide valuable logging for forensic investigation.

Recover

Developing and implementing a disaster recovery plan is the final pillar of the NIST Framework.

  • In the event that all of the other tools and processes don’t stop an event from happening, a well-documented and tested disaster plan is also needed for every organization.
  • Deployment of a backup solution that validates backups, replicates them to the cloud, is configured properly, and is tested is a requirement for every organization that has any sort of business-critical data, even if that data is stored in the cloud.

Regardless of whether or not compliance is a requirement for your organization, a security framework such as NIST can help provide a solid foundation, through the general guidance, for maturing your security posture.

Can HIPAA Information Be Emailed?

According to the CDC: “while the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called ‘electronic protected health information (e-PHI).’”

In order to comply with the HIPAA Security Rule you must:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated impermissible uses or disclosures
  • Certify compliance

But what does this mean for those working in the healthcare industry emailing HIPAA information? Let’s start with why email communications should be secure first:

Understanding how cybersecurity and email are connected begins with a breakdown of the path that an email follows:

  1. Created by sender on their workstation
  2. Sent from workstation to sender’s email server
  3. Sender’s email server sends email to recipient’s email server
  4. Recipient’s workstation pulls the message from their server

Every time the email is sent it could be at risk of malicious interference. In addition, a copy of the email is stored on each system it travels through. Breaking that down, that means there’s a copy on:

  • The sender’s workstation
  • The sender’s email server
  • The recipient’s email server
  • The recipient’s workstation [1]

This path alone illustrates the risk a single email can pose – both in transit and at rest. So can emails be HIPAA compliant?

Emails can be HIPAA compliant, but it requires IT resources and a monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email. [2]

What IT resources and monitoring processes are available? Beyond our in-house security solution, we also recommend email encryption.

Encrypted Email

Encryption is a way to make data unreadable at rest and during transmission. CIT partners with Zix for email encryption; Zix partners with more than 1,200 U.S. hospitals to help maintain HIPAA compliance. As cyberattacks continue to grow exponentially, Zix provides you with efficient methods to optimize your IT security effectiveness while better securing PHI coming into and going out of your organization.

To learn more check out A Case for Email Encryption.

So now that we’ve talked about the path of an email, HIPAA compliance, and our recommended solutions we want to make sure all types of emails are secure.

What different kinds of emails need to be secure?

In the healthcare industry, it is important to avoid security risks, meet compliance standards, and secure multiple types of emails. Cybersecurity and compliance solutions should include securing:

  • In-office emails
  • Doctor-to-doctor emails
  • Personal emails
  • Mass emails 
  • Reply emails
  • Patient emails

Additional email security considerations

Start with a HIPAA Compliance Checklist or learn more about a Cybersecurity Gap Analysis for your business. Want to chat with one of our experts? Contact us here. 

  1. https://www.securitymetrics.com/blog/how-send-hipaa-compliant-emai
  2. https://www.hipaajournal.com/hipaa-compliance-for-email/

CYBERSECURITY AWARENESS MONTH 2021

Now in its 18th year, Cybersecurity Awareness Month continues to raise awareness about the importance of cybersecurity across our Nation. Held every October, Cybersecurity Awareness Month is a collaborative effort between government and industry to ensure everyone in the Nation has the resources they need to be safer and more secure online.

DO YOUR PART. #BECYBERSMART.

WEEKLY MESSAGES

Every year, led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), Cybersecurity Awareness Month conveys a clear message of the importance of partnership between government and industry, from the White House to the individual.

The evergreen theme—Do Your Part. #BeCyberSmart.—encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.

To help you and your organizations create an effective cybersecurity awareness campaign, CISA and NCSA have created four weekly themes to focus on during Cybersecurity Awareness Month:

  • Week 1: Be Cyber Smart
    The first week explores cybersecurity fundamentals: how simple actions can help secure your digital lives, improve the security of smart and internet-connected devices, and how other fundamentals can help reduce cyber risks.
  • Week 2: Fight the Phish!
    The second week will focus on how individuals can spot potential phishing attempts—which often lead to
  • Week 3: Explore. Experience. Share.
    In partnership with the National Initiative for Cybersecurity Education (NICE), the third week celebrates Cybersecurity Career Awareness Week. This week will illustrate how cybersecurity professionals play a vital role in global society and security and call attention to their contributions and innovations. This week also showcases how building a global cybersecurity workforce enhances each nation’s security and promotes economic prosperity.
  • Week 4: Cybersecurity First
    The final week will emphasize that cybersecurity should be a priority and not an afterthought and will examine how what we do today can affect the future of personal, consumer, and business cybersecurity. This week will also highlight how cybersecurity is a year-round effort and should be an individual’s or organization’s first consideration when they create or buy new devices and connected services.

Use the Cybersecurity Awareness Month hashtag #BeCyberSmart, to help promote cybersecurity awareness. Also, be sure to keep checking this website and follow us on social media to learn more about upcoming Cybersecurity Awareness Month efforts in October.

Improving the Nation’s Cybersecurity

The White House recently published a Cybersecurity Executive Order, highlighting the critical steps to provide a roadmap to address the persistent and increasingly sophisticated threats to “American people’s security and privacy”.

A simplified Fact Sheet was also published summarizing the order to help: 

  • Remove Barriers to Threat Information Sharing Between Government and the Private Sector
  • Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
  • Improve Software Supply Chain Security
  • Establish a Cybersecurity Safety Review Board
  • Create a Standard Playbook for Responding to Cyber Incidents
  • Improve Detection of Cybersecurity Incidents on Federal Government Networks
  • Improve Investigative and Remediation Capabilities

Who will be affected?

  • Federal executive agencies (U.S. Department of Agriculture, U.S. Department of Commerce, U.S. Department of Defense, U.S. Department of Education, U.S. Department of Energy, U.S. Department of Health and Human Services, U.S. Department of Homeland Security, U.S. Department of Housing and Urban Development, etc.) will be expected to modernize their technology infrastructure and security practices.
  • Federal contractors, companies working with the federal government and its agencies, including but not limited to software vendors and providers, will be expected to include cybersecurity standards in new contracts. These organizations will also be required to share more information on cyber incidents regarding attacks on themselves or on federal entities.
  • The private sector will likely see an increased focus on hardware and software supply chain security. This focus will include new requirements built around providing transparency for the government and for consumers, and around the security of software, services, and physical equipment, including historically unregulated devices such as the internet of things (IoT).

What does all this mean?

The changes will be wide-reaching and affect organizations that would not have typically expected to be impacted by such requirements. The supply chain attacks that have been prevalent throughout 2021 have caused organizations to consider the implications that a potential attack would have on their entire supply chain. Many organizations have started to require their partners and vendors to have a security program in place that will “meet or exceed the standards and requirements for cybersecurity” outlined by the Executive Order. This means that requirements such as having a formal security program in place, with a heavy emphasis on measuring and improving the security posture, have become a standard requirement in contracts and agreements across the industry. It is also anticipated that compliance requirements, such as those around ensuring supply chain contract updates and compliance with those updates, will most likely fall on your organization to verify and update as needed.

There will also be new requirements for some organizations to implement new processes and toolsets to be compliant with the Executive Order. This may be due to direct relationships with federal organizations or required by partners, vendors, or contractors that work with the Federal agencies.

The following is a high-level summary of the Executive Order requirements:

  • Development and adoption of an organization-wide security policy
  • Updated contract language designed to ensure the confidentiality, integrity, and availability of data and systems, including required language on the detection, prevention, and reporting of security events
  • Open collaboration and communication between service providers and the federal government
  • Development of a security roadmap outlining the steps and milestones required to adopt a Zero Trust Architecture
  • Cybersecurity training for all staff and contractors associated with your organization
  • Development of a Cybersecurity Incident Response Plan and/or security incident playbooks for specific incident types
  • Deployment of new administrative and technical controls to help protect the organization's network, information technology, operational technology, and Internet of Things (IoT) devices

This may include but is not limited to:

  • A security assessment or audit (security review of systems including vulnerability reporting, configuration review, etc.)
  • Multifactor Authentication
  • Encrypting data at rest and in motion
  • Detection of security vulnerabilities and incidents
  • Deployment of Endpoint Detection and Response capabilities that include containment, remediation, and incident response

CIT Security Services Notification Updated July 9th 2021

The CIT Security team is sending an alert regarding a new "zero-day" vulnerability, labeled PrintNightmare (CVE-2021-34527), in the Windows Print Spooler service. It allows remote code execution and local privilege escalation and affects Windows clients and servers alike; domain controllers, which run the spooler by default, are the most critical hosts to protect.

At this time there is no patch available for this vulnerability; however, the affected Print Spooler service can be disabled until Microsoft releases one. Note that disabling the service stops all printing from that host, and on a print server stops printing for every client that uses it, so the workaround is most appropriate on domain controllers and other servers that do not need to print. Once the official patch is released by Microsoft, it will be approved for installation for CIT-managed customers. Managed customers who wish to have the Print Spooler service disabled may also make this request to the CIT Services Team.

July 9th update:

As a follow-up to our previous security alert regarding the Microsoft zero-day vulnerability labeled PrintNightmare, Microsoft has released an emergency out-of-band patch, which CIT has approved and released effective immediately. All customers that receive CIT patching will receive it in this patch cycle. Microsoft's accompanying guidance is that the patch is only fully effective when the Point and Print registry values NoWarningNoElevationOnInstall and UpdatePromptSettings are 0 or not present, so those settings should be confirmed before re-enabling a Print Spooler that was disabled as a workaround. If you have any issues or concerns, please reach out to the CIT Support desk at support@cit-net.com or 651.255.5799
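As an added example, not CIT's own tooling, the following PowerShell script checks a single host against the advisory above. It reports the Print Spooler state, flags a domain controller that is still running the spooler, verifies the two Point and Print registry values that Microsoft's post-patch guidance requires to be 0 or absent, looks for event 808 in the PrintService/Admin log as a rough (not conclusive) indicator of attempts to load a malicious driver through the spooler, and, only when run with -DisableSpooler, applies the interim workaround. It assumes an elevated Windows PowerShell 5.1 or later session; the function and parameter names are this example's own choices.

```powershell
<#
Added example, not CIT's script. Assesses one Windows host for the
PrintNightmare (CVE-2021-34527) advisory and optionally applies the
interim workaround of disabling the Print Spooler service.
Assumptions: Windows PowerShell 5.1+, run from an elevated prompt.
#>
[CmdletBinding()]
param(
    [switch]$DisableSpooler,   # apply the workaround; default is report-only
    [int]$LookbackDays = 7     # how far back to look for suspicious spooler events
)

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    [pscustomobject]@{ Status = [string]$svc.Status; StartType = [string]$svc.StartType }
}

function Test-IsDomainController {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
}

function Test-PointAndPrintHardened {
    # Post-patch guidance (KB5005010): both values must be 0 or absent, otherwise
    # non-admin users can still install printer drivers and the fix is bypassed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    if (-not (Test-Path -Path $key)) { return $true }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = $props.$name
        if ($null -ne $value -and [int]$value -ne 0) { return $false }
    }
    return $true
}

function Get-SuspiciousSpoolerEvents {
    param([int]$Days)
    # Event 808 ("The print spooler failed to load a plug-in module") is a common
    # but not conclusive sign of an attempt to load an attacker-supplied driver DLL.
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 808
        StartTime = (Get-Date).AddDays(-$Days)
    }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

function Disable-Spooler {
    # Interim workaround: stop the service and keep it from starting on boot.
    # This stops all printing from this host; on a print server it stops
    # printing for every client that uses it.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

# --- report ---
$state    = Get-SpoolerState
$isDC     = Test-IsDomainController
$hardened = Test-PointAndPrintHardened
$events   = Get-SuspiciousSpoolerEvents -Days $LookbackDays

Write-Host ("Host: {0}  DomainController: {1}" -f $env:COMPUTERNAME, $isDC)
Write-Host ("Spooler: {0} (startup {1})" -f $state.Status, $state.StartType)
Write-Host ("Point and Print hardened: {0}" -f $hardened)
Write-Host ("Event 808 entries in last {0} days: {1}" -f $LookbackDays, $events.Count)

if ($isDC -and $state.Status -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller; disable it unless it is required.'
}
if (-not $hardened) {
    Write-Warning 'Point and Print values weaken the patch; set NoWarningNoElevationOnInstall and UpdatePromptSettings to 0 via Group Policy.'
}
foreach ($e in $events) {
    Write-Warning ("{0}  Event 808: {1}" -f $e.TimeCreated, ($e.Message -split "`n")[0])
}

if ($DisableSpooler -and $state.Status -ne 'Stopped') {
    Disable-Spooler
    Write-Host 'Print Spooler stopped and disabled.'
}
```

Run it without switches first to see the state of a host; run it with -DisableSpooler on domain controllers and other servers that never print. Hosts that must keep local printing but should not accept remote print clients can instead have the Group Policy setting "Allow Print Spooler to accept client connections" (Computer Configuration, Administrative Templates, Printers) set to Disabled, which closes the remote path without stopping the service.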

CIT Security Update July 2021

Over the last several months there has been a significant increase in attacks on the critical infrastructure of the United States. These include, but are not limited to, the attacks on the SolarWinds and Kaseya products. Some attacks have been linked to state-level actors and others are still under investigation. The attacks we are addressing today are specifically "supply chain attacks", in which an attacker compromises a vendor's product or update channel in order to reach that vendor's customers. Other recent high-profile attacks on critical infrastructure, the Colonial Pipeline and JBS S.A. (meat processing) ransomware incidents, were not supply chain compromises in that sense, but they illustrate how quickly a single intrusion can disrupt operations. The SolarWinds and Kaseya events were both very serious; however, it is worth noting that such attacks are not new. Virtually no vendor, whether commercial or open-source, is immune to attack. As an example, Microsoft recently suffered an attack on its supply chain as well.

As a trusted partner, we at CIT wanted to take a few minutes to outline a broad scope of how we protect our company and work to secure our customers.

CIT has built its security program around the NIST SP 800-171 security framework. This framework was used to help us define our risks and build out a governance program designed to mitigate those risks.

The NIST Cybersecurity Framework, to which the 800-171 controls map, organizes that work into five functions: Identify, Protect, Detect, Respond, and Recover. A few high-level examples of what each includes are as follows:

Identify.

This is the core of our security program. Our security governance program includes assessments, gap analyses, security policies and procedures, change management processes, vendor management processes, and so on.

Protect.

This includes building both administrative and technical controls to protect data, personally identifiable information, and all company assets. Some tools and practices that support this function include multifactor authentication (MFA), limiting access to management interfaces, continuously reviewing and remediating vulnerabilities, and building out a cybersecurity training program.

Detect.

CIT uses several tools to help detect threats and anomalous behavior, including a SIEM solution, as well as an advanced detection and response toolset from Darktrace.

Respond.

As mentioned above, CIT uses Darktrace's autonomous response capability, as well as a Security Operations Center that reviews alerts and correlates data against known and unknown threats.

Recover.

CIT uses a robust, tested backup and restoration toolset so that we can continue to provide service to customers while keeping our own operations minimally impacted.

Last but not least, CIT has a third party audit our security program against the SOC 2 Type II criteria.

CIT also partners with several great resources, including CISA and the FBI, in addition to our vendors. While we do not use the SolarWinds or Kaseya products that were affected by the attacks, we still use the lessons learned to improve our posture and response capabilities.

While we covered a good deal of CIT's security program above, CIT has also been helping secure our customers by applying these same core principles. For example, we include yearly security reviews, security training, vulnerability scans, and so on in our offerings. This is by design, as we are purposely building a strong, secure core infrastructure and the foundation of a security program for our customers. While that is a great start, our customers are strongly encouraged to have detection and recovery processes and tools in place, such as Darktrace or endpoint detection and response (EDR) capabilities, as well as a secure, validated recovery solution such as Datto.

As mentioned, CIT uses ConnectWise as our core toolset. ConnectWise has put significant effort into improving its security posture. Most recently it has rolled out a security page to be more transparent about its program and roadmap.

Best,

Todd Sorg, CISO