I started writing SSP’s (System Security Plans) well before the original Executive Order mandated deadline of December 31st 2017 and have since written at least 50 SSP’s for defense contractors of every imaginable type and size. There wasn’t a lot of guidance on how to do this at that time, other than to have a very thorough and complete understanding of the nearly 500-page NIST 800-53 framework.
Appalachia Technologies Blog
Appalachia Technologies team is comprised of a diverse mix of IT professionals, some of whom have been on the forefront of IT since the industry’s inception. Through the years, our team has developed a wide array of experience in understanding individual needs and how they relate to your business.
In your city or town, you know that stretch of road or highway that feels like it has been under construction for 10 years? In many ways, the development of CMMC can feel like it too is marked with orange cones and will be underway for years. From the most significant change of CMMC 1.0 (the OG version) to the November 2021 update to CMMC 2.0, to even the CMMC-AB name change to The Cyber AB, new information seems to keep coming with timelines shifting. While The Cyber AB holds monthly Town Hall webinars to share updates, the DoD and various vendors are also sharing out information via webinars. Recently, PreVeil, a DoD supplier, along with members of the Manufacturing Extension Partnership, hosted a webinar with DoD leaders Stacy Bostjanick (DoD CMMC Program Head) and Dave McKeown (DoD CISO) to review recent updates and timelines.
In today’s threat landscape, where businesses are constantly at risk of being targeted by a cyberattack, adopting a zero-trust security model could be a wise decision from a cybersecurity point of view.
Cyberattacks have become rampant and have also grown in sophistication. A simple lapse in your network security could lead to a chain of events that could prove catastrophic for your business. You can avoid this by implementing a robust cybersecurity framework such as zero trust.
In today’s digital age, ransomware attacks are becoming increasingly frequent, sophisticated and costly. With cybercriminals constantly evolving their tactics and targeting businesses of all sizes, organizations like yours must proactively safeguard your data and systems. Unfortunately, many companies fall prey to common ransomware myths, which can leave them vulnerable to attacks and unprepared to respond effectively in the event of an incident.
Ransomware is a type of malicious software that encrypts files on a device or network, making them unusable until the victim pays the attacker a ransom. What started as a simple virus spread through floppy discs in the late 1980s has now evolved into a billion-dollar cybercrime industry.
Even organizations with solid cybersecurity programs will have findings from a security assessment. After all, cyber attacks and attackers continue to learn and evolve, always trying to be one step ahead of their prospects. Through our years of performing security assessments, here are the Top 5 areas that we have found to need remediation work post-assessment.
The year is 2021. We don’t have flying cars or robot maids, but nearly 5 billion souls worldwide are now connected to the Internet and to each other. This is a beautiful thing and a remarkable feat of human ingenuity. However, every rose has its thorn (to borrow from the great post-modern philosopher Bret Michaels) and to us who work in cybersecurity, 2021 was thornier than ever.
Here is Appalachia’s 2021 Cybersecurity Year in Review!
If you are an organization with digital assets to protect, you’ve most likely heard the term Penetration Testing, also known as Pen Testing. Penetration testing is the process used to find vulnerabilities and leverage them to hack an organization.
Humans are the smartest beings on earth. So why is it that they are the number one cause for breaches that cost millions of dollars? It’s because they are kind.
Because of the kindness of human beings, they are easily manipulated by bad actors to give up private information or even hold a door. This is the foundation of Social Engineering.
Not a single day goes by that we don’t either hear the word security or read the word security. See? You’ve already read it twice! The internet is full of so much noise that it sometimes can be hard to filter out information that pertains to you and your organization, as well as what is credible. Today I thought I’d take a moment to give you some great sources for security news. These are sources that are very accurate and trustworthy.
Ransomware – The What, Where, and Why
Everyone has heard stories by now of an organization getting hit by ransomware. From individuals to small and enterprise-level organizations, it can pop up anywhere and cause havoc. What is it? Where does it come from? Why isn’t it going away? Today we’re going to break it down.
Recently, we explored the Open Web Application Security Project (OWASP) Top 10 (Allergic to Bees? Don’t Get Stung by the OWASP Top 10) by looking at what it is and why it matters. Then we took a closer look at one area of the Top 10 – Security Misconfiguration. Next in line for a deeper dive is Security Logging and Monitoring Failures. This particular category is in place to help detect, escalate, and respond to active breaches.
Security Misconfiguration
Last week we touched on the basics of the Open Web Application Security Project® (OWASP) and why it should be used as a source of information for keeping your web applications secure. This week we are going to touch on one particular vulnerability from the OWASP Top 10 Web Application Security Risks - Security Misconfiguration.
I sat in the parking lot watching employees walk in the corporate office. Ready with my five dozen donuts, I waited until the perfect moment to see if I could infiltrate. It’s like the start of a great superhero movie - except starring Kevin James and not Christian Bale.
I had been hired by the company for a physical social engineering assessment. Only a few people (stakeholders and managers) within the company knew that this was occurring that day. The goal was to see if I could gain entry into the building unnoticed and once in, what I could access.
OWASP - is it something we don’t want to get stung by, or is it here to protect us? In cybersecurity, we’ve all heard the term, but what is it really?
There are many frameworks and security models to refer to when working to secure your organization. Sometimes it can prove to be overwhelming. Today I’m going to talk about three action items that will make a significant difference in your overall security posture. Keeping in mind that there is no silver bullet to securing an organization, these three will certainly gain a great return.
People carry less cash in their wallets than they used to. Even when going to the ice cream stand in the middle of summer, a debit or credit card is swiped instead of cash being tendered. The reason for this is simple - it’s easier to swipe a card than it is to carry a load of cash in your wallet. This has become an extremely convenient option over the years when making purchases. However, as is often the case, convenience comes with risk.
This month’s release of the much-anticipated CMMC 2.0 left many of us in the world of cybersecurity shaking our heads. We have been working diligently with the defense industrial base for several years now, even before the CMMC was created, to stop the bleeding of our defense secrets to our adversaries. As a veteran and a Patriot, I, along with many other Americans, take this very serious problem personally.
In a previous blog post, we discussed how to calculate your SPRS (Supplier Performance Risk System) score in support of your CMMC (Cybersecurity Maturity Model Certification) efforts. In that same blog, we also provided a free tool to help you calculate your SPRS score automatically.
In this follow-on blog, we’ll talk about how to provide your SPRS score to the DoD, which is a whole other chore once you’ve actually determined what your score is. In order to access the part of the SPRS website where your score is uploaded, we first need a CAC (Common Access Card) or a DoD approved medium assurance ECA (External Certification Authority) certificate. The primary purpose of this certificate is to ensure that the individual person entering the score is who they actually claim to be (non-repudiation), in addition to ensuring the confidentiality of the data.
