Update on CMMC

 

Cybersecurity Maturity Model Certification (CMMC)

The CMMC space is still evolving. All definitive guidance comes solely from the Office of the Under Secretary of Defense for Acquisition and Sustainment. The CMMC Accreditation Body has not fully established the C3PAO or certification processes. Neither LP3 nor any other organization can claim to provide CMMC certifications, nor can we or others promise certification.

LEVERAGE YOUR NIST 800-171 COMPLIANCE FOR CMMC CERTIFICATION ROADMAP

Since CMMC version 1 has been released and is based on NIST 800-171, LP3 will perform a fixed-cost 800-171 assessment that includes a System Security Plan (SSP) and a Plan of Actions & Milestones (POA&M), together with a roadmap based on CMMC version 1 that estimates the level of effort needed to achieve compliance.

Be assured: without CMMC certification as part of your acquisition record (similar to DUNS and CAGE#), you will NOT be qualified to bid on or receive Government contracts as a Prime or a Sub. Let LP3 make the unknown known!

 

Why CMMC – Under Secretary of Defense Ellen Lord

Statement from Under Secretary of Defense Ellen Lord:

“Since I introduced the Cybersecurity Maturity Model Certification model last year, I have consistently stressed the importance of communicating and engaging extensively with industry, academia, military services, the Hill and the public to hear their concerns and suggestions. The purpose of this communication was, and still is, to ensure everyone fully understands the intent, process and requirements of CMMC to fight the very real threats that drive us to require rigorous cybersecurity.

Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD.  The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.  At this time, only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program. I have also reached out to the presidents of the PSC, AIA and NDIA industry associations to make them aware as well, and they remain connected with my CMMC team.

Moving forward I am confident we will soon sign a Memorandum of Understanding (MOU) with the Cybersecurity Maturity Model Certification Accreditation Body on the accreditation, certification and approval processes relating to the Defense Supply Chain. When that happens we will make an announcement.”

 

“The theft of intellectual property and sensitive information undermines our nation’s defense posture and economy. Global costs last year are estimated at $600 billion, with an average cost per American of $4,000.” – Katie Arrington, Chief of Information Security for Acquisition, Department of Defense

DoD Contractors

(Organizations Seeking Certification – OSC)

There are more than 300,000 vendors in the supply chain to the DoD, each of which will require assessment.

Organizations Seeking Certification include:

  • Prime Contractors
  • Subcontractors
  • In short, every organization that sells to or services the Department of Defense

Facts.

  • Prime contractors and subcontractors must be certified under CMMC standards to any one of five levels. The highest levels are reserved for organizations exposed to the most sensitive information.
  • The implementation rollout will begin 1 September 2020, and take up to 5 years.
  • If a contract requires CMMC certification it will be listed in the Request For Proposal (RFP) Sections C and L.
  • The CMMC-AB will provide the standard for applying the model and certify trainers who will train assessors.
  • The CMMC-AB will provide an online marketplace where organizations can find an available, qualified C3PAO.
  • A certification will last 3 years, provided there are no incidents or other triggers inducing a second look at an organization.

But wait. We are just getting started.

Come back here often for detail and sign up below for alerts and emails.

There is much to come, we will provide information as we build it.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)): https://www.acq.osd.mil/cmmc/index.html

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

 

  • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

See the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) site for more details.

The CMMC contains five levels ranging from basic hygiene controls to state-of-the-art controls, but unlike NIST 800-171, the CMMC will not contain a self-assessment component.

Every organization that plans to conduct business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.

 

 

 

Glossary

Accreditation – The process of issuing Licenses and Certificates.

Accreditation Body Board of Directors – The board of directors is the governing body of a nonprofit. Individuals who sit on the board are responsible for overseeing the organization’s activities. Directors meet periodically to discuss and vote on the affairs of the organization. The board of directors, as a governing body, should focus on the organization’s mission, strategy, and goals as defined in the bylaws.

Advisory Councils – Advisory Councils operate at the discretion of, but independently from the board, to inform and advise the board from the perspective of the Advisory Council’s membership. The advisory council’s leaders participate in the board as a non-voting member.

Affiliates – Business concerns, organizations, or individuals that control each other or that are controlled by a common third party. Control may consist of shared management or ownership; common use of facilities, equipment, and employees; or family interest.

Assessment – Formal process of assessing the implementation and reliable use of issuer controls using various methods of assessment (e.g., interviews, document reviews, observations) that support the assertion that an issuer is reliably meeting the requirements of a standard. In the context of CMMC, Assessments are performed against the requirements set forth in the CMMC for the OSC’s desired CMMC Level. Source: NIST SP 800-79-2 (adapted)

Assessor – A person who has successfully completed the background, training, and examination requirements as outlined by the CMMC-AB and to whom a License has been issued.  Assessors are not CMMC-AB employees.

Asset Owner – A person or organizational unit (internal or external to the organization) with primary responsibility for the viability, productivity, security, and resilience of an organizational asset. For example, the accounts payable department is the owner of the vendor database.  Source: RMM

Association – The process of linking an Assessor’s License Number with the License Number of a C3PAO.

Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.  Source: NIST SP 800-32

Certified 3rd Party Assessment Organization (“C3PAO”) – An Entity with which at least two Assessors are Associated and to which a License has been issued.

Certificate – A Record issued to an OSC upon successful completion of an Assessment which evidences the CMMC Level against which the OSC has been successfully assessed.

Certification – The process of receiving a Certificate.

CMMC – The set of standards initially defined by the DoD against which an OSC is to be Assessed.

CMMC Certified Organization – An Organization whose cybersecurity program has received a CMMC Certificate from the CMMC-AB.

Compliance – Verification that the planned cybersecurity of the system is being properly and effectively implemented and operated, usually through the use of assessments / audits.  Source: CMMC

Control – The methods, policies, and procedures (manual or automated) used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards; a measure that modifies risk. (Note: controls include any process, policy, device, practice, or other action that modifies risk.) Source: NISTIR 8053 (adapted)

CUI (Controlled Unclassified Information) – Information that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. Source: E.O. 13556 (adapted)

Cybersecurity – Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.   Source: NSPD-54/HSPD-23

Defense Supply Chain (“DSC”) – The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. DSC was substituted for Defense Industrial Base to reflect more specifically the base subject to CMMC assessments.

Digital Signature – An electronic file which is used to authenticate other electronic files and to encrypt files at rest and/or in motion.

Dispute – A formal process managed by the CMMC-AB through which an Assessor and an OSC can seek resolution of a disagreement over the Assessment results.

Dispute Adjudicator – A CMMC-AB employee who is responsible for reviewing and resolving a Dispute.

Educator – CMMC-AB employees who are tasked with educating and testing prospective and current Trainers.

Entity – A legal non-person Organization duly created and maintained under the laws of one or more jurisdictions, including without limitation corporations, limited liability partnerships, limited liability companies, and governmental agencies, but excluding unincorporated Organizations such as, without limitation, partnerships.

FCI (Federal Contract Information) – Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.  Source: 48 CFR § 52.204-21

License – A document issued to an Assessor, C3PAO, or Trainer, as appropriate, entitling them to perform their duties with respect to the CMMC-AB as further outlined below.

License Number – A unique identifier linked to each Assessor, C3PAO, and Trainer.

Organization – An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements). Source: CMMC

Organization Seeking Certification (OSC) – The Organization that is going through the CMMC assessment process to receive a level of Certification for a given environment.  Source: CMMC

Record – A physical document, electronic file, entry in an electronic database, or the like.

Trainer – A person Licensed to provide Training to prospective and current Assessors.  The Trainers are not CMMC-AB employees.

 

Cybersecurity Maturity Model Certification Version 1

Impact of Cybersecurity Maturity Model Certification (CMMC) on DoD Contractors

Overview

The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

  • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

Basic Facts about CMMC and how it will affect your Business

Taken from FAQ posted at: https://www.acq.osd.mil/cmmc/faq.html

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”

CMMC is a new framework and assessment process built around Controlled Unclassified Information (CUI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

Resources, including online training to better understand CUI, can be found on the National Archives’ website at https://www.archives.gov/cui/training.html

The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.

The initial implementation of the CMMC will only be within the DoD.

The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.

Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

The certification cost has not yet been determined. The cost, and associated assessment will likely scale with the level requested.

There is no self-certification.

We expect that there will be a number of companies providing 3rd party CMMC assessment and certification. An independent 3rd party assessment organization will normally perform the assessment. Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).

Your certification level will be made public, however details regarding specific findings will not be publicly accessible. The DoD will see your certification level.

The duration of a certification is still under consideration.

If your organization is CMMC certified and your company is compromised, you will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.

If your organization cannot afford to be certified, that does not mean your organization can no longer work on DoD contracts. The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, however, you may be disqualified from participating if your organization is not certified.

Even if your organization does not handle Controlled Unclassified Information (CUI), all companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.

All subcontractors currently on a DoD contract will need to obtain CMMC certification.

The government will determine the appropriate tier (i.e., not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts.

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ unclassified networks. CMMC audits by third party assessment organizations will not be applied to classified systems or environments. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.

If you would like more information, contact LP3. We will be glad to help you make an informed decision about the impact that DFARS has on your business or organization. For more information about our DFARS / CMMC compliance services, please visit our website.

Jeff Grim is CTO/CISO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.

Over a Quarter of All Businesses Suffer Cyber Security Issues

Why undergo a cyber security penetration test? Most organizations simply do them to meet compliance standards or to test the methodologies used by the IT security team. However, did you know that about a quarter of all companies perform poorly executed penetration tests – and in some cases do nothing more than validate known vulnerabilities?

A recent RSA security conference survey revealed a frightening statistic: 26% of companies are lagging in proper cyber security practices. Some companies even intentionally ignore their own security flaws. The reasons range from not having enough time to address the threat, to not knowing how, to not wanting to spend the money to hire someone who does.

Only 46% Address Cyber Security Vulnerabilities Right Away

Of the companies that do address vulnerabilities, many do so only half-heartedly. During the conference, 155 security professionals representing many companies at the RSA conference revealed that only 47% of organizations fix or address their vulnerabilities as soon as they are known.

Even more amazing is that some companies wait – sometimes for significant amounts of time – before they do anything about it, whether by applying patches or by “do-overs”, allowing hackers time to infiltrate their IT infrastructure and attack it.

But if you think that’s jaw dropping, chew on this: 16% wait for one month to apply patches and 8% said they apply patches only once or twice a year.

There Is No Time, They Say

I once heard a preacher say that often people don’t have time to visit a relative, but always have time to come to the funeral. Almost 26% of respondents said their company ignored a critical security flaw because they didn’t have time to fix it. But if their systems go down – or worse yet, are compromised or hacked – they’ll have even less time because so much of it will be spent in restoration.

16% ignore critical security flaws because they didn’t have the skills to patch them.

The conclusion of this study? Hoping for the best is obviously not the best way to run an organization.

If You Can Hack Yourself, You’re in Trouble

71% of the IT professionals surveyed admitted that they would be able to hack their own company. And only 9% said this was highly “unlikely.” The fact that 71% felt they could indicates how weak and vulnerable many companies are – which means we are in dire straits.

But There Is A Difference Between Saying and Doing

During this survey, IT security analysts were asked how they might hack their own company if they so wished:

  • More than 30% said they’d use social engineering, something like a phishing email or program
  • 23% said they would think about attacking an insecure web application to get in
  • 21% said that accessing username and passwords for cloud would be the way they would get in
  • And another 21% said they’d target an employee’s smartphone, tablet or laptop

Now if the employees know how to hack their organization, how easy do you think it is for a professional hacker to do the same thing?

Testing, Schmesting

Does testing really matter? Why bother with something as routine as testing?

The truth is that effective penetration testing offers an advantage over automated scanners. It allows you to see what a human attacker can easily determine and helps you discover misconfiguration vulnerabilities, something automated scans often can’t detect. And one of the biggest vulnerabilities found is the excessive misuse of user permissions, which can easily give unauthorized access to hackers.

Human attackers often compromise a system by using a variety of vulnerabilities together. Penetration tests can simulate a variety of attack paths and thereby allow you to fix the errors.

All in All

It is important that you know all the vulnerabilities available to hackers through your organization’s network. And sometimes the only way to really see these vulnerabilities is through penetration testing. It shows you which vulnerabilities are easy to exploit and which aren’t.

Yes, it’s important to know what vulnerabilities exist in your organization’s network. But which ones do you spend your finite resources correcting? Which vulnerabilities are easily exploitable, and which aren’t? Which put critical assets at risk? Which have to be fixed first? Without this context, you might spend time and money in the wrong place, leaving your organization exposed elsewhere.

A clearly described attack path, derived from a well-performed penetration test, can provide this context. For example, your organization might have an old Windows 2003 server running a mission-critical application. Because the server’s operating system is no longer supported by Microsoft, it will never receive patches – even for major, exploitable vulnerabilities. However, if the penetration test discovers that the server is in a properly segmented, hard-to-access network, then the vulnerability is likely of a lower severity. You should still address it, but only after more critical vulnerabilities have been mitigated. This kind of context enables better decisions about the use of finite resources to improve the organization’s overall cybersecurity posture.

Get Engaged, Get Value

Consumers of penetration testing can ensure a more valuable engagement for their organization by understanding what a penetration testing team does and by taking an active role from the beginning. Being highly engaged with the testing helps it generate and capture the appropriate context, which will allow the organization to make more informed decisions about where to allocate limited resources to improve its cybersecurity stance.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.

 

 

 

Cyber Attacks Against Cryptocurrency Traders

Virus Alert: If you’re a cryptocurrency trader, this worm can cost you everything.

Blockchain is the new buzzword on the Net – the brainchild of a person or group of people known as Satoshi Nakamoto. But since its invention it has changed into something of importance to everyone.

What Is Blockchain?

Blockchain allows for digital information to be distributed and not copied. It was originally created to be the foundation of a new type of internet and digital currency known as cryptocurrency.

These currencies go by many names (including Bitcoin) and have been called digital gold. Today the value of this new currency runs into the billions of dollars.

Blockchain technology has been a game changer for the finance industry and crypto-currencies have been trading at record levels this year. Investors find them a great alternative to mine wealth. Unfortunately, other miners find it easier to let you do all the work, then take the proceeds for themselves.

The FacexWorm Attacks Cryptocurrency Investors

You can catch the virus called FacexWorm as easily as opening a video link from someone you know via Facebook Messenger. If you get one, you better keep your eyes wide open and your fingers still. If you click it you may regret it, and all of your new blockchain acquisitions might be gone in a second.

The FacexWorm

Cyber security experts are warning users of blockchain technology of a dangerous and invasive Chrome extension being spread through Facebook Messenger. Prime targets are users of blockchain cryptocurrency trading platforms. The mission: access all their account credentials, info and data.

FacexWorm first showed its ugly face in August of 2017, but it is apparently being improved, because recent versions have a host of new malicious capabilities.

These New FacexWorm Capabilities include:

  • Stealing account credentials from websites like Google
  • Invading numerous cryptocurrency and trading sites
  • Redirecting traders to cryptocurrency scam sites
  • Injecting web page miners onto cryptocurrency trading platforms
  • Redirecting to the attacker’s referral link for cryptocurrency referral programs, so they can not only mine you but also any of your contacts with blockchain currency accounts

Facebook Messenger has now become a favorite target to spread worms and other forms of cyber-destruction.

Another cyber security issue related to blockchain attacks is Digmine, a Monero-cryptocurrency mining bot. It targets Windows and Google Chrome and is spread through Messenger by redirecting crypto-traders to popular video sites like YouTube.

The FacexWorm extension targets only Chrome users so far. If the user does not use Chrome, they will be redirected to a benign useless advertisement.

How FacexWorm Does Its Damage

FacexWorm works by transmitting specifically engineered links via Facebook. If clicked on while using the Chrome browser, FacexWorm redirects you to a bogus YouTube page. To continue, the user must download a fake Chrome extension as a codec extension.

Once installed, the FacexWorm Chrome extension automatically downloads additional modules from its command and control server and creates a replicant clone of Chrome. In addition to its routine functions, the FacexWorm also contains a code snippet that it injects onto the affected system. The destructive new worm spreads every time a new web page is opened.

Researchers reported “FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage. With all permissions accepted at installation the worm can access or modify data for any websites opened.”
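The capability the researchers describe above, an extension that with “all permissions accepted at installation” can read or modify data on any site the user opens, is visible in an extension's manifest before any damage is done. The following script is an added example (not LP3's code, not the researchers' analysis tooling, and not FacexWorm itself) that parses Chrome's real manifest.json format (Manifest V2 or V3) and flags extensions holding all-site host access, rating them higher when that access is paired with sensitive APIs. The two sample manifests inside it are constructed for the demonstration, and the directory-walking helper assumes it is pointed at an unpacked extensions folder.

```python
"""Audit Chrome extension manifests for "access every website" permissions.

Added example (not LP3's code and not FacexWorm analysis tooling): the risk the
article describes is an extension that, with all permissions accepted at
installation, can read or modify data on any page the user opens. This script
parses the real manifest.json format (Manifest V2 or V3) and flags extensions
that hold that capability.
"""
from __future__ import annotations

import json
from pathlib import Path

# Host match patterns that grant an extension access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that are high impact when paired with all-site host access.
SENSITIVE_API_PERMISSIONS = {
    "tabs", "cookies", "webRequest", "webRequestBlocking", "scripting", "declarativeNetRequest",
}


def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p


def host_permissions(manifest: dict) -> set[str]:
    """Collect every host pattern declared: MV2 'permissions', MV3 'host_permissions', content scripts."""
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in manifest.get("permissions", []) if _is_host_pattern(p))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def risk_level(finding: dict) -> str:
    """HIGH = all sites plus a sensitive API; MEDIUM = all sites only; LOW otherwise."""
    if finding["all_sites"] and finding["sensitive_apis"]:
        return "HIGH"
    if finding["all_sites"]:
        return "MEDIUM"
    return "LOW"


def assess_manifest(manifest: dict) -> dict:
    """Summarise one manifest: does it reach all sites, and which sensitive APIs does it hold?"""
    hosts = host_permissions(manifest)
    apis = {p for p in manifest.get("permissions", []) if not _is_host_pattern(p)}
    finding = {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "all_sites": bool(hosts & BROAD_HOST_PATTERNS),
        "sensitive_apis": sorted(apis & SENSITIVE_API_PERMISSIONS),
        "hosts": sorted(hosts),
    }
    finding["risk"] = risk_level(finding)
    return finding


def audit_manifests(manifests: list[dict]) -> list[dict]:
    """Assess a batch of manifests and order the findings by risk, highest first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted((assess_manifest(m) for m in manifests), key=lambda f: order[f["risk"]])


def audit_extensions_dir(root: Path) -> list[dict]:
    """Load every manifest.json under an extensions folder (assumed: a Chrome profile's Extensions/ directory)."""
    manifests = []
    for path in root.rglob("manifest.json"):
        try:
            manifests.append(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, json.JSONDecodeError):
            continue  # skip unreadable or malformed manifests instead of aborting the audit
    return audit_manifests(manifests)


# Constructed sample manifests (not real extensions) so the script runs offline.
SAMPLE_MANIFESTS = [
    {   # shaped like a fake "codec" extension that demands access to every page
        "manifest_version": 2, "name": "Video Codec Helper", "version": "1.0",
        "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    },
    {   # a narrowly scoped MV3 extension for comparison
        "manifest_version": 3, "name": "Single-Site Notes", "version": "2.1",
        "permissions": ["storage"], "host_permissions": ["https://notes.example.com/*"],
    },
]

if __name__ == "__main__":
    for f in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{f['risk']:6} {f['name']} v{f['version']} hosts={f['hosts']} apis={f['sensitive_apis']}")
```

Run as-is it rates the constructed “codec” manifest HIGH and the single-site one LOW; pointing `audit_extensions_dir` at a real profile's extensions folder gives a quick inventory of which installed extensions could, like the one described here, act on every page the user visits.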

How Much Damage Can the FacexWorm Do?

By obtaining a user’s friend list, it can send out bogus YouTube video links and request authorization access to everyone on your list, spreading itself around the globe.

It can capture account credentials and info for Google, MyMonero, and Coinhive, when the user opens a target website login page. It can also install a cryptocurrency miner to any opened web pages, utilizing the user’s own computer to mine Cryptocurrency.

Hijacking

FacexWorm can hijack cryptocurrency-related trading transactions by intercepting the keyed-in address and replacing it with the attacker’s address. When the URL of any of the 52 targeted crypto-currency trading platforms (matched on keywords like “blockchain,” “eth-,” or “ethereum”) is typed in, FacexWorm redirects to a scam webpage where the hacker can steal any or all of the crypto-coins. Targets include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info.

This Blockchain Malware Is Sneaky

FacexWorm is sneaky. To avoid discovery and removal, it immediately closes a newly opened tab when it detects Chrome’s extension management page being opened. There is even an incentive for the hackers every time a victim registers an account on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.

Targeted crypto-currencies by FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).

This is only the beginning with just one Bitcoin transaction being recently affected. With the widespread use of Facebook Messenger around the globe, the worm will spread with it. The malware already has surfaced in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.

Bottom Line

Facebook spam campaigns are nothing new, so it is always smart to be careful, especially with banking and cryptocurrency sites, where the potential losses are tremendous.

Many malicious extensions have already been removed from Chrome, but they keep reappearing, so be careful with your currency trading.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.


The Next War Will Be Fought Without Firing A Single Bullet

Bombs, bullets, mortars, tanks. They are all so World War II. The next war, if it happens, will be waged in cyber-space.

Imagine the chaos of no air traffic control, no electrical grid, no banking, money, food or fuel. In a matter of days, life as we know it will be either over or damn close to it. No soldiers needed, no buildings blasted to smithereens. Cyber war is the doomsday scenario being played out in war game exercises around the globe.

Penetration Testing at NATO

NATO’s annual cyber-attack exercise, “Locked Shields,” prepared member states to deal with a cyber-attack. Over two days, teams from different nations simulated attacks that compromised air-traffic control centers and the electric grid.

“You don’t need to start a war by targeting the military,” Merle Maigre, Director of NATO Cooperative Cyber Defense Center of Excellence recently said. “Malicious codes could render fighter pilots unable to respond even before they take off.”

Cyber Security Damage is Extensive

If that isn’t a concern for you, then consider the rest of the damage a cyber-blast could inflict: banking, food distribution, power, fuel. These are most of the things we need in modern society to survive.

Our systems were set up in the 1970s, well before the current level of concern existed. We are clearly vulnerable and way behind the times – and the threats. Our society is so intertwined we can no longer survive without each other. We need to get ready.

Thirty countries from the EU and NATO took part in the exercise held in Tallinn, Estonia. U.S. Commander Michael Widmann said real-world practice exercises are needed to prepare for an attack. He said, “we look at real-life incidents and then we apply them to our exercises. We’re not trying to make things up.”

It Sounds Like a Sci-Fi Novel, But Cyber Attacks Are Real Threats

This is not a hypothetical future. Cyber attacks have already done real damage to areas and industries we thought untouchable. So for those of you who play a role in protecting the cyber security of your organization, let us show you how very real these cyber attacks and security breaches are. Here are some real examples of what cyber criminals have already done.

The Breach of Hospital Ventilation Systems

In 2011, a breach affected the ventilation system of a hospital. The attack was carried out by injecting malware into the hospital’s computer system. The compromise caused significant physical damage to the hospital, and as a result the HVAC system stopped. This immediately put patients at risk and threatened the medical supplies held at the hospital. In this incident, the hacker compromised the system and controlled both the air and heating systems from a remote location. As a result, the hospital made proper cyber security measures a priority and performed several server hardening tasks to better protect its data.

A Compromised Turkish Oil Pipeline

Another serious incident occurred in 2008 when hackers disabled the pipeline’s computer systems. There was no serious damage, but the potential risks were immense, prompting the business to hire a managed security services provider. If this incident had not been controlled properly, people in Southern California would have been exposed to an immense oil leak along their coastline, and it would have gone undetected by the pipeline management system.

Derailing of a Train

A teen in Poland used a homemade transmitter to trip the rail switches and redirect four trains. As a result of this compromise, 12 people were injured when a train derailed.

German Steel Plant Explosion

In 2015, a steel plant in Germany suffered severe consequences from hacking. The compromise shut down crucial areas of the plant and caused a furnace that could not be shut down properly to explode.

Raw Sewage Dump

Hackers can be disgruntled individuals who take out their frustrations on IT systems. Back in 2001, a young Australian hacker took revenge on the town he lived in by hacking into the town’s computerized waste management system and spilling millions of gallons of raw sewage into the town’s parks and rivers.

Power Grid Sabotage

Back in 2015 another critical compromise showed us just how much damage cyber attacks can really do. Malicious firmware planted in a power grid in Ukraine caused the blackout of an entire city.

Please Pay Attention!

Cyber attacks are no longer confined to stealing information or holding information for ransom. Sometimes hackers just want to do physical damage to a community, a city, an institution or a business. In order to prevent or avoid the horrendous possibility of a Cyber World War III, it is imperative that we implement server hardening measures that prevent infiltration and improve cyber security.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.


Law Firm Faces Negligence Class Action Lawsuit Alleging Poor Cyber Security

A Chicago law firm faces a lawsuit alleging that it failed to properly protect sensitive client information. Johnson & Bell faces a class action citing JBoss, VPN, and SSL vulnerabilities. Interestingly, according to the filing, there was no evidence of compromise, but the suit claims the firm could have been easily penetrated.

How many other law firms could face similar legal actions for allegations of poor cyber security practices? This could be a significant issue for legal firms of all sizes across the country.

LP3 is watching this case carefully; we ensure that our clients are implementing sound cyber security practices based on NIST and CIS Top 20 best practices.

Visit https://lp3.com/assessandtest/ or email CyberHELP@LP3.com for a comprehensive vulnerability and business risk assessment.

References: http://privatepomm.com/2017/01/01/cyber-malpractice-negligence-lawsuit-hits-a-chicago-law-firm/

Another Hospital Breach…not a Surprise Unfortunately

A few questions:

  1. How exactly did the third-party get compromised? What network segmentation was in place or not?
  2. How much is the breach going to cost Sentara?
  3. Did Sentara conduct any cyber security due diligence with the third-party vendor? Vulnerability assessments? Monitoring?
  4. How was the breach detected? Did Sentara detect it? Or were they notified from elsewhere? What worked? What didn’t work?

It’s critically important to work closely with HIPAA/HITECH business associates on a technical cyber security level since the hackers will take advantage of the weakest link in the connected IT systems.

Heck, with any business associate: Target was compromised through an HVAC vendor. If the company networks are connected, they need to be under continuous monitoring and vulnerability tested at least annually.