3…2…1... We have lift-off! Zero Trust World 2023 has officially launched and is coming to you from the Omni Champions Gate Resort in Orlando, Florida. Seated in a dark ballroom with a blue ambient light cascading throughout the room like the aurora borealis, I took in the events of the morning with splendor. The National Ballroom is the main stage where the morning’s activities took place. I don’t want to just bring you the information, but I want you to feel like you are here sitting beside me at the round table. No stone was left unturned at the event. As I sat at my table before the speakers even began, I was mesmerized by the exuberance and excitement pulsating through the room. If I were to close my eyes and just absorb the auditory environment, I would have assumed that I was at a trendy nightclub with upbeat music pulsating through the air.

I’m going to throw some names out at you: Target, Uber, Colonial Pipeline, Equifax, Twitter. I’m sure most, if not all of you know these household names… maybe with the exception of Colonial Pipeline. I myself had never heard of them until I was sitting in my car in line to get gas while vacationing in the Outer Banks of North Carolina. On the radio was playing the news of how Colonial Pipeline had suffered a severe network breach that allowed an attacker to launch ransomware on their systems, shutting down their fuel transmission operations to the Southeastern United States. Which by sheer luck, I happened to be in that neck of the woods and got to experience my first-ever gas shortage. All I knew was I needed gas, or I wasn’t going to be able to leave the beach! Wait… how is that a bad thing? I digress.

As the world increasingly moves online, so do the risks to our businesses. Cyber insurance is one way to help your business recover following a cyberattack. It covers financial losses caused by events such as data breaches, cyber theft, ransomware, and more.

Security Misconfiguration

Last week we touched on the basics of the Open Web Application Security Project® (OWASP) and why it should be used as a source of information for keeping your web applications secure.  This week we are going to touch on one particular vulnerability from the OWASP Top 10 Web Application Security Risks - Security Misconfiguration.

I sat in the parking lot watching employees walk in the corporate office.  Ready with my five dozen donuts, I waited until the perfect moment to see if I could infiltrate.  It’s like the start of a great superhero movie - except starring Kevin James and not Christian Bale.

I had been hired by the company for a physical social engineering assessment.  Only a few people (stakeholders and managers) within the company knew that this was occurring that day.  The goal was to see if I could gain entry into the building unnoticed and once in, what I could access.

OWASP - is it something we don’t want to get stung by, or is it here to protect us?  In cybersecurity, we’ve all heard the term, but what is it really?

There are many frameworks and security models to refer to when working to secure your organization.  Sometimes it can prove to be overwhelming.  Today I’m going to talk about three action items that will make a significant difference in your overall security posture.  Keeping in mind that there is no silver bullet to securing an organization, these three will certainly gain a great return.

People carry less cash in their wallets than they used to.  Even when going to the ice cream stand in the middle of summer, a debit or credit card is swiped instead of cash being tendered.  The reason for this is simple - it’s easier to swipe a card than it is to carry a load of cash in your wallet.  This has become an extremely convenient option over the years when making purchases.  However, as is often the case, convenience comes with risk.

This month’s release of the much-anticipated CMMC 2.0 left many of us in the world of cybersecurity shaking our heads.  We have been working diligently with the defense industrial base for several years now, even before the CMMC was created, to stop the bleeding of our defense secrets to our adversaries.  As a veteran and a Patriot, I, along with many other Americans, take this very serious problem personally. 

In a previous blog post, we discussed how to calculate your SPRS (Supplier Performance Risk System) score in support of your CMMC (Cybersecurity Maturity Model Certification) efforts.  In that same blog, we also provided a free tool to help you calculate your SPRS score automatically.

In this follow-on blog, we’ll talk about how to provide your SPRS score to the DoD, which is a whole other chore once you’ve actually determined what your score is.  In order to access the part of the SPRS website where your score is uploaded, we first need a CAC (Common Access Card) or a DoD approved medium assurance ECA (External Certification Authority) certificate.  The primary purpose of this certificate is to ensure that the individual person entering the score is who they actually claim to be (non-repudiation), in addition to ensuring the confidentiality of the data.

Your company has been proactive in having a penetration test performed and you have the report in hand - so now what do we do with it?

Secure your Organization with the NIST Blueprint

Breaches are at all time high.  Over 50 billion devices are connected to the internet.  Some of them are secure, and some of them are not.  Which category does your organization fall into?

Let’s face it.  Security is expensive.  Many organizations think of security as an unwanted expense when budgeting for the next fiscal year.  However, no matter what industry an organization is in, security IS its business too.

Over the weekend, the Colonial Pipeline, one of the largest US pipelines and a major supplier for the East Coast, was hit by a cyber attack. A ransomware attack caused the company to shutdown operations as they work through the necessary steps to respond and recover, however the impact is expected to be significant if fuel terminals experience outages as a result in disruption to their supply.  The Colonial Pipeline supplies diesel, gasoline, and jet fuel.  The US government has issued an emergency waiver to allow an exemption for drivers related to hours of service, as well as exemptions related to fuel transportation via tanker ships.  To compound the supply issues further, the US is experiencing a shortage of fuel truck drivers, areas of the US are opening up further from COVID restrictions which is expected to increase travel, and we are approaching the summer travel season which notoriously increases fuel demands.

Data security isn’t a matter to be taken lightly, as too many businesses have found out the hard way. Unfortunately, there are far too many simple ways to correct common security issues - enough that it’s foolish not to do so. We’ll review a few ways to fix security issues, after discussing one of, if not the, most egregious security failings in modern history.

The password isn’t nearly as secure as it used to be. Hackers have begun to take advantage of extremely powerful solutions designed to brute force their way into accounts by using software to rapidly guessing thousands of passwords per second, making it extraordinarily difficult to prepare yourself for them.

What’s the best way to guarantee that passwords aren’t going to be the downfall of your company? A great start is by taking a close look at password best practices and two-factor authentication.

Despite what detractors say, regulations are in place for good reason. They typically protect individuals from organizational malfeasance. Many of these regulations are actual laws passed by a governing body and cover the entire spectrum of the issue, not just the data involved. The ones that have data protection regulations written into them mostly deal with the handling and protection of sensitive information. For organizations that work in industries covered by these regulations there are very visible costs that go into compliance. Today, we look at the costs incurred by these organizations as a result of these regulations, and how to ascertain how they affect your business.