Category: Advice

Complying with new DFARS regulations is easier with external help

If you are a DoD contractor of any size, including subcontractors to other contractors, you have no doubt already heard of the new changes to the Defense Federal Acquisition Regulations (DFARS) requiring enhanced security controls over contract information. The regulations are specific and will be costly. The good news is that the cost of compliance is considered an allowable cost under the Federal Acquisition Regulation (FAR) and Cost Accounting Standards (CAS), which means that if you do things smartly the government will allow you to roll the cost into the allowable basis for the rates you charge. More good news is that when you engage external help in complying with DFARS you can leverage the talent of people who know the most efficient way to get these things done. This can not only get you into compliance but can also make you more secure and save you money.

For more information see: Crucial Point LLC Best Practices in Cybersecurity and What You Need To Know About The New DFARS Regulations

We are now part of OODA: Technology Due Diligence – CTO as a service – CISO as a Service

The Future of Cybersecurity: An update by CTOvision

There are seven key megatrends driving the future of enterprise IT. You can remember them all with the helpful mnemonic acronym CAMBRIC, which stands for Cloud Computing, Artificial Intelligence, Mobility, Big Data, Robotics, Internet of Things, CyberSecurity. All these trends are tracked at our sister site CTOvision.

In this post we dive deeper into the trend of enhanced Cybersecurity.

We can make a prediction with absolute certainty: In the future, cybersecurity will be like watching a rodeo. Sometimes the rider will ride and sometimes the rider will be thrown.

Cybersecurity is especially important because of the newfound complexity arising in our systems. All the megatrends we listed above point to dramatically enhanced complexity. And all indications are that tricking future systems will become easier not harder. Bottom line here: No organization should think they can handle their security needs by themselves. We will all need help.

A snapshot of the trend right now indicates:

  • Some of humanity’s greatest thinkers, business leaders and computer scientists have struggled to enhance cybersecurity. Their approaches are not working.
  • Cybersecurity will have to advance or none of these other technologies will be optimized.
  • Cybersecurity is especially important because of the newfound complexity arising in our systems.
  • Behavioral analytics is seen as a promising approach to enhancing our response.

Open questions decision-makers should track include:

  • Is humanity sleepwalking into a preventable catastrophe?
  • Will it be easier to trick future systems?
  • Will any organization be able to defend itself without help?
  • What is the role of behavioral analytics?

For more on all these trends see our white paper titled: CAMBRIC: The Seven Megatrends Creating The Future Of Information Technology


Why Deep Defense Should Start with Detecting Compromised Credentials

Different credentials are used by billions of users daily to authenticate themselves in their physical and digital lives. From physical keys to tokens and cards to login and password combinations – all are vulnerable to attack. According to Verizon, 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

Obtaining valid credentials using multiple mechanisms and tools continues to be extremely lucrative for a cyber-criminal. However, with a greater understanding of the lifecycle of a stolen credential, under-pressure security teams can put in place effective countermeasures to prevent attacks and mitigate the damage when one happens.

Read more about how early detection of compromised credentials can help mitigate the damage of cyberattacks on Infosecurity Magazine.

Three sources for researching internet outages

After some unscientific but widely disseminated Twitter polls and a few questions via Facebook, we have compiled a list of three recommended sites for researching Internet outages. These three tools can help you troubleshoot whether a site is being attacked or is just having an internal glitch. They are:

  • DownDetector.com: They leverage Twitter as a source, so they can provide fast insights into what is on people’s minds. They collect from many other sources as well and then list outages and status by company.
  • SANS Internet Storm Center: Their insights are much more fact-based and generally provide a clear picture of what is really going on regarding major outages and cyber attacks.
  • JustDownForMe.com: A very simple way to check whether any site can be reached. It also displays a list of what others are searching for.

During a massive outage you might not be able to reach the Internet from your primary path. Our recommendation: have multiple paths of course!

Beating The Threat Takes Talent

One of the bright spots in the cybersecurity community is the corporate awakening to the need for highly competent executive level talent. Businesses in every sector of the economy and of all sizes are realizing that effective cyber risk mitigation is not just a matter of buying new technologies or turning on a firewall. Mitigating risks while enabling business requires executive talent that can understand and empower business objectives but take systematic, cross-organizational action to strategically reduce the threat to the business.

We found great context on this trend in this Chief Security Officer Magazine article by Benchmark Executive Search’s Jeremy King titled: “National Security Brain Drain.” Jeremy writes in part that:

Whether defending from adversaries to include nation states, crime groups, extremists, and hackers, their unique understanding of the complex threat landscape, methods and capabilities used to combat these threats is now what corporate America needs. Their sense of patriotism and mission continues and will now help protect some of our country’s top brands and companies.

Since the critical infrastructure is primarily owned and operated by the private sector, our government can’t be expected to solve all the problems in keeping America safe. Industry must take the lead. We have seen the demand for these accomplished leaders skyrocket as forward-looking corporate CEOs and boards are turning to these former national security and cyber government officials to gain expertise, insight and address the growing need to combat a full spectrum of enterprise risks.

American industry has always benefited from the talent produced by the U.S. government, especially those with national security experience. The demand signal from industry and the need to secure our nation’s economy indicate that more of this talent will be needed in the future. There are issues here, of course. Will industry demand cause more people in government to leave earlier, and will that affect important agency missions? How will agencies mitigate their risks if that happens? Those are challenges, but overall it seems America needs this talent to protect the economy, and government should prepare and adapt to meet these changes.

I should also mention that for many mid-sized companies there will not be enough of this talent to go around. What does the small to mid-sized firm do when it wants high-end cybersecurity talent on its side? It needs expert advice from Crucial Point, of course! See our CISO-as-a-Service offering for more. For those who want to keep improving on their own, you can find and follow our collection of best practices in cybersecurity.


Cybercrime: The Complete Guide to All Things Criminal on the Web

The idea of using the internet to commit crimes isn’t new, but the problem continues to grow as people become more reliant on the internet for making purchases and storing personal information. Just as you’d take steps to defend yourself from crime in a major city, you should do so while using the internet. Sometimes, avoiding questionable areas isn’t enough.

To help you out, Cloudwards has published a new guide to cybercrime that explores the most potent threats on the internet today.

Read the full overview of the common kinds of cybercrime, which includes real-world examples and suggests tools you can use to protect yourself, on Cloudwards.

Keeping your cloud malware-free: What you need to know

This year we’ve seen massive malware attacks spanning from nation state campaigns originating in North Korea and Russia to popular restaurants and everything in between. Each new incident serves as a grim reminder to business leaders that hackers will not relent. Yet with cloud adoption growing rapidly in the enterprise, the odds of a malware infection spreading and leading to a potential breach are increasing.

According to a study conducted by the Ponemon Institute, almost 90 percent of businesses believe an increase in cloud usage will increase the probability of a data breach – and this trend isn’t going away anytime soon.

Learn how you can protect your data in the cloud on Help Net Security.

7 Steps to Start Your Risk Assessment

“Managing risk is one of the most, if not the most important, functions in an organization,” says Tony Martin-Vegue, enterprise security management strategist for LendingClub, a peer-to-peer lending company based in San Francisco. “It’s really important to have a structured, formalized process for measuring risk, managing risk, and the entire remediation process.”

Large organizations will have teams dedicated to assessing and re-assessing risk on a regular basis. Small organizations may lack the team, but they will not lack the need to understand what risks IT faces and how those risks are reflected in the rest of the business units.

Read about seven steps that apply to a variety of frameworks — and that are applicable no matter where the risk assessment process takes your organization, on DarkReading.

8 Ways To Empower Your Security Operations Center

When it comes to building a security operations center (SOC), it can be hard to know where to start. Even if you’re making sure the security operations team you already have in place has all the bases covered when it comes to protecting digital assets, ensuring you know exactly what’s going on throughout your environment can be a challenge.

To help you chart your course, Jorge Alago, cybersecurity architecture lead at Veristor, provides a quick rundown of essential components that should be core to your security efforts. Each one generates useful data and a unique perspective to help your team find out exactly what’s going on and determine how to best prevent, contain, and mitigate security threats.

Read about the 8 essential components on Information Security Buzz.

10 Tactics For Teaching Cybersecurity Best Practices To Your Whole Company

Smart leaders know that their entire team needs to be well-educated on the importance and best practices of cybersecurity if they hope to protect their data. Unfortunately, this is easier said than done, especially when it comes to training your non-tech employees. Using too much jargon and technical terms will only disengage them, leaving them less prepared and less vigilant.

While you don’t necessarily need to “dumb down” cybersecurity training for non-techies, you do need to present the information in a way that’s relatable and easy to understand.

Read about 10 tactics you can follow while approaching this task on Forbes.