Singapore Academy of Law Publishes ERM/privacy/cyber research co-authored by James Goepel

The Singapore Academy of Law Journal has published an article authored by Bridget Mead, Jared Paul Miller, Paul Flanagan, and Fathom Cyber’s own James Goepel on establishing “reasonableness” under the law in the context of cybersecurity and data privacy. In the article, the authors explore a variety of concepts, including:

  • the need for federal-level privacy laws in the United States;
  • how to integrate cybersecurity and data privacy risks into an organization’s Enterprise Risk Management program;
  • the important role industry standards such as NIST SP 800-171, the NIST Cybersecurity Framework (“NIST CSF”), and the US Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”) play in defining reasonableness;
  • the critical role compliance plays in establishing reasonableness and the overall defensibility of an organization’s cybersecurity program; and
  • supply chain cybersecurity issues.

Although published in Singapore, the article has applicability worldwide. It should be very useful to judges, litigators, policy makers, and others as they wrestle with the question of whether a particular cybersecurity or data privacy program is “reasonable”. The article can be viewed here:

https://journalsonline.academypublishing.org.sg/Journals/Singapore-Academy-of-Law-Journal-Special-Issue/Current-Issue

Solving Dropped Zoom, Teams, Google, WebEx, etc. Sessions

Like many parents, my kids have started back to school. But this year, things are a little different because we’re all working and learning from home. Suddenly there are many more devices trying to access the Internet at the same time, and all for “mission critical” reasons (either conducting business meetings or online learning). Thankfully, I had already set up our network to be able to handle this, and things have gone smoothly for us. Before you buy a faster Internet connection or new routers for your home, I wanted to share a few tips with you.

Are you Overwhelming the Chromebook with Smiling Faces?

Have you ever noticed that, when you open a video conference or lesson with one person, your Chromebook or other device (I’m going to just call all devices a “Chromebook” for this post) works fine, but as more people are added things get really weird? That’s because of all the incoming videos. The Chromebook needs to receive each high definition video stream and convert it to a size that is appropriate for your screen, and it has to do it fast enough that you won’t notice. That’s easy when only one or two people are on video.

Simple Video Conference

As you add more people, they each have to be scaled and displayed separately, and that is a LOT of data for your Chromebook to handle. That creates a lot of lagging videos, slow mouse movements, and other issues.

Lots of Smiling Faces

You should consider switching to a view that only shows the person speaking, or disabling the incoming video if that makes sense (just don’t forget that your camera may still be broadcasting!). Of course, where the teacher is actively teaching you really can’t turn off the teacher’s video!

In that case, you should talk to the teacher to understand whether they need everyone’s video to be on all the time. In the “live” online classes I teach, I have my students turn on their video only when they are speaking. This keeps things running smoothly for the entire 3-4 hour sessions.

Switching to this “only when speaking” approach takes some getting used to, both for the students and the teacher. I know I miss seeing my students’ smiling faces and reading their body language, and I’m sure your kids’ teachers will feel the same. But the Chromebooks won’t be as overwhelmed and the students won’t be as distracted and frustrated, which is a boon for their learning. It also has the added benefit of not using as much of your WiFi and Internet connection, and we’ll talk about that more in a bit.

Is it the Internet or is it me?

If the problems still persist even after you have tried switching your meetings to “videos for speakers only”, the next thing to test is whether your Internet connection is fast enough to meet your needs. Wait until an evening when things are quiet at home, then run an Internet speed test from your Chromebook.

Internet Speed Test

An easy way to run a speed test is to visit Google.com and type in “Internet Speed Test”, or you can visit Ookla or SpeakEasy. If you have high speed Internet service (200 megabits per second, or Mbps, or faster) at home, some of these other sites may not give you accurate results, and you should use Google’s site. If the results are within 70-80% of what you’re paying for from your Internet provider, that’s pretty good (there is some overhead data needed to make the Internet connection happen, and that can use up 20-30%). In that case, you may be smothering your WiFi with attention during business hours. If your results are significantly less than what you expect, keep reading.

Focusing the Conversation by Using Wired Connections

Using a Wired Connection with Your WiFi Router

Most of our homes have multiple sources of electronic “noise” that can interfere with wireless signals. From microwave ovens to fans to your neighbor’s WiFi router, these noise sources create interference that makes it harder for your device to stay connected. Remember what it was like to sit in a noisy restaurant? When you’re close to your table you can hear what your friends are saying, but as you get farther away the noise makes it harder to carry on a conversation. The same is true for your Chromebook when you’re on WiFi: the farther you are from the router, the harder it is for your Chromebook to talk to the router. Computers are finicky and like to get all of the information they are meant to receive, so if the noise interrupts a conversation between the Chromebook and the router, the interrupted parts have to be re-sent, which slows things down and can cause dropped connections.

So, if you can, switch to a wired connection. This is the fastest and most reliable way to connect to your router and the Internet. It’s like calling your friend on the phone from across the noisy restaurant rather than trying to yell over everyone.

Unfortunately, Chromebooks and some other devices don’t come with wired connections out of the box, and you’ll need to buy an adapter. Some adapters, like this one, even add additional USB ports.

You’ll also need an Ethernet cable. They come in all different lengths and colors, from 1 foot to 50 feet and beyond, with 6 to 10 feet being the standard. Choose one that is long enough to stretch from your home router to wherever you’ll be using the Chromebook.

Wired connections are easy to configure, too. Just plug one end of the Ethernet cable into your router and the other end into your Chromebook, and the router and Chromebook will handle the rest.

I use a wired connection from my laptop to the Internet. It is more secure and more stable, and I don’t have to worry about my kids eating up all of the WiFi (I’ll talk about that more in a bit).

Reconnecting with your WiFi

Sitting Closer to your Router will Improve Your Connection

Wired connections are great and very reliable, just not all that convenient. If you live in a multi-level house, or if you need to move around with your device, WiFi makes things much easier.

Get Close to your Router

As I mentioned, WiFi comes with issues, the biggest of which is that the connection is subject to noise. I talked about noise sources before, and it is important to understand that the farther your Chromebook is from the WiFi router, the more likely noise is to impact the connection. If at all possible, move the Chromebook closer to the router or move the router closer to where you’re working. This will cut down on the noise and allow more of the conversation to occur uninterrupted.

Help your WiFi Reach You

If you can’t move the router or the Chromebook, you might need to add a new device to your network. You could buy a more powerful router or an amplifier, but in many cases the better approach is to use a “mesh router” with multiple extenders, or to use a “range extender.”

Buying a mesh router, like a Deco, eero, or Orbi, can be an easy way to get more consistent WiFi coverage throughout your home. You can keep adding extenders to these mesh systems, and they handle transitioning your devices from one extender to another without dropping your connections. If you add a new device, please be sure to change any default passwords to make it harder for criminals to get in.

Range Extender

If you’re on a budget or aren’t confident you’ll be able to set up a whole new router system, the mesh routers may not be for you. That’s where a separate range extender, like this one from NETGEAR, might be useful. They act as a bridge between your device and your router, playing a game of “whisper down the lane” but with more accuracy than when people are involved. This extends the reach of your current router without requiring significant technical skill on your part. Range extenders are great if you stay in one place with your Chromebook while you are on a video conference. If you want to walk around the house, expect some dropped connections as your Chromebook transitions from using the range extender to your router.

Stop Smothering your Connection

At this point, you should have pretty good WiFi coverage throughout your home. If you are still experiencing a lot of dropped connections, there are basically only two places left to look for problems.

There’s only so much WiFi to go Around!

It is possible that your devices, when all used at the same time, are using up all of your WiFi. If that is the case, you may want to consider separating your devices into different WiFi networks.

Although you might be tempted to simply put your kids, or yourself, on your router’s “guest” network, this may not be enough to solve the problem. All of the different devices, including your Chromebook, will still be talking to the router. If you were overwhelming it before, splitting them in this manner may not be enough to fix the problem.

Instead, you’ll want to add a separate WiFi router with its own, separate WiFi network. This has the added benefit of allowing you to easily implement parental controls and other restrictions on your kids’ network.

There’s only so much Internet to go around, too!

Although the Internet speed test you conducted at the beginning of this article may have come back with high speeds when you tried it at night while no one was online, if you have multiple Chromebooks all trying to simultaneously participate in video conferences with many incoming videos, that can eat up a good bit of your Internet connection. Try running another speed test during the day from the same location; does the result drop to less than 10 megabits per second? If so, it’s probably time to upgrade your connection.

It isn’t you, it’s them.

At this point, you’ve basically done everything you can on your end. That means your network isn’t likely to be the problem. Instead, the problem is likely to be with the presenter’s computer or the site hosting the meeting. For example, hackers and other criminals know the video conference services and online learning tools are in heavy demand right now, and the criminals routinely target these services in an attempt to extort money.

Conclusion

I hope this helps you create a more stable Internet connection at home and takes some of the frustration out of your online learning experience!

Configuring a Student Workstation

Student Workstation

With many school districts conducting all-virtual learning for at least a portion of the school year, many parents are concerned about creating a positive learning environment for their children. When the students are in their normal classroom environments, they typically have their Chromebooks or laptops (in this sheet, we’re going to use “Chromebook” to describe both full-function laptops and the Chromebooks that are in use by many school districts) open on their desks, and they can watch the teacher at the front of the room. Trying to re-create this environment at home using only the Chromebook’s single screen can be a challenge. Fortunately, Chromebooks support adding an additional monitor, allowing the student to work on one screen while watching the teacher on another. This allows the home environment to be similar to the school environment. Some parents have been asking how they can set up something similar in their homes, and this tip sheet provides some basic instructions.

What you’ll need:

  • Monitor
  • Cable
  • Adapter*
  • USB Hub*
  • Mouse*
  • Keyboard*

* Optional

We’ll walk you through selecting each of those in more detail, below. We’ve also added links to products as suggestions, but we don’t have any affiliation with any of the companies. As a reminder, sometimes you will find great deals at membership stores like BJ’s, Costco, etc., or at local stores including Target, Best Buy, etc., although if you wind up needing an adapter (we’ll discuss that in a bit), they may not have what you need.

Step 1 – Identify Chromebook Video Port

The first step is to figure out what video ports your Chromebook has. To do this, you’ll need to look along the sides of the Chromebook. In general, Chromebooks will have one of four types of connectors. The first, illustrated below on the right, is an HDMI port. If the Chromebook has this, things are a bit simpler, but some newer Chromebooks have done away with HDMI ports. The second is a USB-C port, which is illustrated below on the left. If your Chromebook has either of those, you can skip to Step 2.

Laptop with USB-C and HDMI ports

If your Chromebook doesn’t have either of these, you will probably find one of these other ports:

Common video ports on Laptops and Chromebooks

So, to recap, you need to know what video port your Chromebook has, and it will likely be either HDMI or USB-C if you have a true Chromebook. Many other laptops also use these, although some have USB 2.0, Mini-DisplayPort, or Micro-HDMI.

Step 2: Pick a Monitor

Some people are looking at buying new monitors for their students, and some are repurposing monitors they already own. We’ll discuss both options below.

Buying a Monitor

If you’re buying a new monitor, the easiest option is to buy one with an HDMI port. Below are a few examples:

You’ll need to pick a monitor size, and that will be influenced by the size of your students’ work area. Bigger monitors are generally easier on the eyes, but they take up a lot of space and are more expensive. This is where buying from a bricks-and-mortar store like Best Buy can be handy, because you can get a better sense for how much of the work area the monitor will take up before you make the purchase. If you’re going to buy a monitor, you can skip down to Step 3.

Repurposing a Monitor

Some of you may already have monitors that can be repurposed for your student, or you’ve decided to pick up a used monitor from Craigslist. We’ve even heard some parents mention hooking up their flat-screen TVs as monitors. All of these are viable options, too. We’re going to call them all “monitors” to make things easier.

Regardless of your monitor type, you’ll need to identify an open video port so you can plug in the Chromebook. That is the same basic process we described above for the Chromebooks, but instead of looking on the side of the Chromebook, you’ll be looking at the back of the monitor. The video ports are typically on the back of the monitor, and they are often easy to spot.

Monitor with DisplayPort, HDMI, and VGA inputs

However, some manufacturers set up the monitors so when a cable is connected to the port, the cable sits flush with the monitor. This can make it a little harder to find and identify the ports at first.

Monitor with flush VGA port

Some TVs also have extra ports along the sides.

Step 3: Decide how to Connect the Monitor to the Chromebook

At this point, you should know the monitor you’re using and the video port you’ll use (most likely HDMI if you’re buying a new one) and the video port on your Chromebook (most likely either HDMI or USB-C). Now you need to be able to connect them, and that’s where the cable comes in. Regardless of which cable you need, choose one that is between 3 and 6 feet long. This way you have more flexibility with where you position the monitor and Chromebook.

HDMI to HDMI

If your Chromebook and monitor both have HDMI ports, things are easy. You just need an HDMI to HDMI cable, and you can pick those up at most local stores including MicroCenter, Target, Best Buy, and (sometimes) Five Below, and warehouse stores like BJ’s and Costco. Or you can order them online from Amazon or Monoprice. If you’re in the “HDMI on both devices” camp, you can skip down to Step 4.

USB-C to HDMI

If your Chromebook has a USB-C port and your monitor has HDMI, you can buy a dedicated USB-C to HDMI cable, but those can be expensive to replace. Another option is to use an HDMI cable, like those mentioned above, and a USB-C to HDMI adapter. Using an adapter is generally less expensive, but it does create a potential failure point. If you’re in the USB-C and HDMI camp, you can skip down to Step 4.

Something Else

If your Chromebook has something other than HDMI or USB-C video port, or if your monitor has something other than HDMI, you’ll need either a cable or adapter that fits the Chromebook’s video port and a cable to connect to the monitor’s video port. For example, if your Chromebook has USB-C and the monitor has only a DVI port, you’ll need a USB-C to DVI cable.

Step 4: Connect the Monitor and Chromebook

This is the easy part. If you wind up using an adapter, like a USB-C to HDMI adapter, start by plugging the adapter into the cable so you now have one “cable”. Once you have your cable, simply plug one end into the Chromebook, and the other end into the monitor.

Step 5: Pick a Mouse and Keyboard

We found it awkward to work on the Chromebook’s keyboard while using a second monitor, so we opted to connect an external USB keyboard and a wireless or Bluetooth mouse (different mice for different kids), but there are some great wired and wireless keyboard and mouse combination packs out there, too. Depending on what you choose, the keyboard and mouse may take up all of the available USB ports on the Chromebook, so you might want a USB hub to allow your student to plug in a thumb drive if one is needed.

Step 6: Connect the Keyboard and Mouse

For the most part, the keyboard and mouse should work right out of the box. Just plug them in to the Chromebook’s USB port, wait a moment, and they should work. If you bought a Bluetooth keyboard or mouse, you’ll need to open the Chromebook’s Bluetooth menu, put the keyboard and mouse in pairing mode, and then pair them with the Chromebook. If you need help with this process, please see this article from Google.

Conclusion

We hope you find this information useful, and that it helps ease your students’ transition to the virtual learning environment!

James Goepel selected to present his research at Drexel University’s 5th Annual International Research Showcase

Fathom Cyber’s CEO, Jim Goepel, is an adjunct professor of cybersecurity in both Drexel University’s Lebow College of Business and its Thomas R. Kline School of Law. Since joining Drexel, Jim Goepel has been working with Professor Paul Flanagan on an innovative approach to cybersecurity and data privacy risk management. Drexel University has asked Jim and Paul to present their research as part of Drexel’s 5th Annual International Research Showcase on May 27, 2020. Using Professor Goepel’s and Professor Flanagan’s unique approach, organizations can implement a holistic enterprise risk management program that creates an agile business environment while adding the structure necessary to properly manage regulatory, legal, cyber, data privacy, and other risks. Their approach includes risk definition and management techniques, carefully tailored policies and procedures, and strong compliance and audit functions. More details about Professor Flanagan’s and Professor Goepel’s approach will be included in an upcoming technology journal published by the National University of Singapore.

DoD CMMC Certification Process

The Department of Defense (“DoD”) is pressing forward with its plans to create a cybersecurity maturity program that will apply to all government contractors in the Defense Industrial Base (“DIB”). As we have previously reported, draft Version 0.6 of the Cybersecurity Maturity Model Certification was released a few weeks ago. You can read our analysis of Version 0.6 here. Version 0.7, which is due in December, is slated to address maturity levels 4 and 5, and we will provide updates on that version shortly after it is released.

Although the DoD is creating the initial version of the CMMC, including the maturity scale itself as well as training and other materials, the DoD wants a nonprofit accreditation body to take over the maintenance of the CMMC. The nonprofit will also be responsible for creating a credentialing process for the C3PAOs (certified 3rd party assessment organizations) that will provide the actual CMMC certification to government contractors, as well as training materials for those C3PAOs. In a November 26 response to industry inquiries, the DoD indicated that it will not have the initial training guides (for CMMC Levels 1-3) available to the C3PAOs until at least early February, and that training for Levels 4 and 5 may not be available until March. This means that the C3PAOs will not be able to even begin the certification process until at least late February, and there will inherently be only a limited number of people at each C3PAO who are certified to conduct CMMC audits.

The DoD also indicated that it has received inquiries from several other government agencies and outside groups who are interested in CMMC and the overall process. We expect to see adoption of the CMMC expand to other industries and in other contexts, such as by insurance companies when assessing overall cybersecurity maturity and associated risk and insurance rates.

Finally, the DoD stressed that although written security plans and Plans of Actions and Milestones (“POAMs” or “POA&Ms”) are acceptable under DFARS 252.204-7012, DIB contractors have not done a good job in executing their POAMs. Thus, the CMMC will not give credit for plans; instead, only the current state will count toward the contractor’s CMMC level.

We strongly encourage all organizations, and especially DIB contractors, to engage an independent consultant to conduct a maturity assessment as soon as possible. The C3PAOs will have a large backlog of organizations (over 300,000!) to go through in only a few short months to meet the DoD’s September 2020 deadline, and the C3PAOs are likely to prioritize certifying those organizations that have already taken steps to assess their maturity and to address any shortcomings.

Contact Fathom Cyber today to discuss how your organization will benefit from a maturity assessment.

Webinars

Training and Advisory Services

Fathom Cyber is excited to announce our upcoming webinars for December and January:

  • December 16, 2019 – Cybersecurity Terms for Nontechnical Managers
  • January 13, 2020 – An overview of the Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”)
  • January 27, 2020 – Introduction to Enterprise Risk Management
  • February 10, 2020 – Creating Defensible Cybersecurity Strategies

All webinars will begin at 1 PM US Eastern. To register for one or more of the webinars, please visit our webinar registration page.

Holiday Shopping Security Tips

The UK’s National Cyber Security Centre has published a useful guide for people shopping online this holiday season. Here are a few highlights:

A padlock isn’t enough – That padlock in the address bar of your browser means that communications between the browser and the site you are visiting are encrypted. However, that padlock does not mean the company you’re buying from is legitimate. Criminals can create inexpensive shopping sites that look legitimate, even down to implementing encryption, to trick you into thinking they are safe.

Limit the information you give – Most websites don’t need your mother’s maiden name, the name of your primary school, or other such personal information so you can buy something from them. Instead, only fill in the mandatory information, such as your name and address. Don’t create an account on the site unless you are going to buy from them again frequently in the future.

Follow good device hygiene – Keep your devices up to date, use strong passwords, enable multi-factor authentication, and follow other good hygiene practices. For more information on staying safe online, see our Top 7 Tips for Improving Individual Cybersecurity.

Free Cybersecurity and Data Privacy Training Videos

Smaller entities like nonprofits, state and local governments, and small and medium businesses are frequently reluctant to devote already scarce resources to cybersecurity and data privacy. They often feel that they are too small to be attractive to cyber criminals or that they have nothing of value. Unfortunately, this attitude makes them targets for cyber criminals, because the criminals know that the smaller organizations are easy to attack.

For organizations looking to improve their cybersecurity and data privacy programs, employee training can bring significant returns on investment. Educating all employees about their role in keeping the organization secure is critical to ensuring the organization stays safe, and Fathom Cyber offers a variety of training options, including training for an organization’s employees, executives, and even Boards of Directors. We also recommend augmenting these traditional courses with short awareness videos, and we have partnered with Wizer, an innovative training system provider, to help our clients achieve this goal. Wizer offers an ever-increasing number of free, 1 minute long security awareness videos along with premium options, including phishing simulation, gamification, training videos, and more, all for a reasonable fee. Wizer’s short videos are a great way for organizations of all sizes to keep security and privacy top-of-mind for their employees.

Below is an example of one of their videos. Contact us for more information or to create your free account today!

DoD CMMC Version 0.6 Released

The US Department of Defense released version 0.6 of its Cybersecurity Maturity Model Certification program on Thursday, November 7, 2019.

More Ratings Clarity

As we have previously discussed, the CMMC will use a maturity rating system to assess not only the technical controls that are in place (which the DoD refers to in the CMMC as “practices”), but also the policies and procedures that the contractor has implemented to help guide the use of that technology.

The maturity ratings will range from level 1 to level 5, and the contractor will be rated separately for the controls and the policies. This rating system is used for each of the seventeen (17) different “domains” defined within the CMMC.

The DoD recognizes that many of its contractors are likely to still be rushing to get themselves to at least an overall rating of level 3 for each domain (which the DoD appears to suggest as a “reasonable” baseline for security), and thus this version focuses on the requirements to meet levels 1-3. Requirements for levels 4 and 5 are left for a later version.

It should be noted that a contractor’s overall maturity rating in each domain will be equal to the lower of the two maturity ratings. That is, a contractor that has superior technical controls in a particular domain (i.e., one deserving a 5 rating) but which has yet to implement any policies and procedures (i.e., one deserving a 1 rating) will only be given an overall maturity rating of 1 for that domain.

Ratings Requirements in Government Contracts

It remains unclear how the DoD will specify the maturity level required for a given contract. For example, we know that the contractor will be rated across each of the domains, but it is not yet clear whether a contractor will have a single, aggregate rating that will be used for assessment on a particular contract, or if the contracts are expected to take a more granular view, specifying each of the ratings across all of the domains. From earlier comments by the DoD, it would appear that they are likely to use a single, aggregate rating and that it will be the lowest rating across all domains. Clarity on this issue would be beneficial because it will allow contractors to prioritize their remediation and enhancement efforts within their Plan of Action and Milestones (“POAM”).

CMMC Domains

As discussed above, the CMMC divides cybersecurity into seventeen (17) domains. These domains are:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AA)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IDA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PP)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (SAS)
  • Situational Awareness (SA)
  • Systems and Communications Protections (SCP), and
  • System and Information Integrity (SII)

Much like the NIST Cybersecurity Framework’s Functions (Identify, Protect, Detect, Respond, Recover) and their corresponding controls categories, at a high level, the CMMC domains can be useful for organizations’ management, including boards and the C-Suite, as a means for organizing discussions around issues to be addressed by, or being addressed in, their organization’s cybersecurity strategy. This can allow for a more granular discussion between the security/technology teams and the contractor’s senior management without the senior management having to become experts in any particular domain. For self-assessment purposes, these domains and the corresponding maturity within them can be very useful for contractors as they assess how to invest their hard-earned IT and security budgets.
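The two rating rules described above (a domain’s rating is the lower of its practice and process ratings, and the aggregate rating appears likely to be the lowest rating across all domains) are easy to get wrong in a spreadsheet, and the second one decides which domains a POAM should tackle first. The following Python model is an added illustration written for this post; it is not DoD material or an official CMMC scoring tool. It assumes the seventeen domain abbreviations listed above, maturity levels 1-5, and the “lowest rating wins” aggregate that the post reads into the DoD’s comments; the sample assessment is constructed.

```python
"""Model of the CMMC v0.6 rating rules described in this post.

Added illustration, not DoD material. Assumptions: each domain is rated 1-5
separately for practices (controls) and processes (policies/procedures); the
domain rating is the lower of the two; and the contractor's aggregate rating
is the lowest domain rating.
"""

# The seventeen CMMC v0.6 domains, by the abbreviations used in the post.
DOMAINS = ("AC", "AM", "AA", "AT", "CM", "IDA", "IR", "MA", "MP", "PS",
           "PP", "RE", "RM", "SAS", "SA", "SCP", "SII")

LEVELS = range(1, 6)  # maturity levels 1-5


def validate_level(level):
    """Reject anything outside 1-5 so a typo in an assessment cannot inflate a score."""
    if isinstance(level, bool) or not isinstance(level, int) or level not in LEVELS:
        raise ValueError(f"maturity level must be an integer 1-5, got {level!r}")
    return level


def domain_rating(practice_level, process_level):
    """A domain's rating is the lower of its practice and process ratings.

    Superior controls (5) with no written policies (1) still yield 1.
    """
    return min(validate_level(practice_level), validate_level(process_level))


def assess(scores):
    """Compute per-domain ratings, the aggregate, and the domains to fix first.

    `scores` maps each of the 17 domain abbreviations to a
    (practice_level, process_level) pair. Every domain must be present:
    an unassessed domain cannot be assumed to be mature.
    """
    missing = [d for d in DOMAINS if d not in scores]
    if missing:
        raise KeyError(f"assessment is missing domains: {missing}")
    unknown = [d for d in scores if d not in DOMAINS]
    if unknown:
        raise KeyError(f"unknown domains in assessment: {unknown}")

    ratings = {d: domain_rating(*scores[d]) for d in DOMAINS}
    aggregate = min(ratings.values())
    # Domains sitting at the aggregate are the ones capping the contractor's
    # rating; they belong at the top of the POAM.
    bottlenecks = [d for d in DOMAINS if ratings[d] == aggregate]
    # The rest of the priority list is simply weakest-first, ties in domain order.
    priority = sorted(DOMAINS, key=lambda d: (ratings[d], DOMAINS.index(d)))
    return {"ratings": ratings, "aggregate": aggregate,
            "bottlenecks": bottlenecks, "priority": priority}


# Constructed sample assessment: level 3 everywhere, except Security Assessment
# (strong tooling, no written process) and Risk Management (level 2 on both).
SAMPLE_SCORES = {d: (3, 3) for d in DOMAINS}
SAMPLE_SCORES["SAS"] = (5, 1)
SAMPLE_SCORES["RM"] = (2, 2)

if __name__ == "__main__":
    result = assess(SAMPLE_SCORES)
    print("aggregate rating:", result["aggregate"])        # 1
    print("capped by:", result["bottlenecks"])             # ['SAS']
    print("remediation order:", result["priority"][:3])    # ['SAS', 'RM', 'AC']
```

Running the sample shows the point the post makes: a single domain with excellent tooling but no policies drags the whole contractor down to level 1, and the `bottlenecks` list is exactly the set of domains whose remediation would raise the aggregate.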

A Missing Domain

However, as is common with many cybersecurity strategies, the DoD has overlooked a key domain: legal and regulatory concerns. While it appears from the comments in Appendix B that the DoD may intend the legal and regulatory aspects to be included across all of the domains, many organizations are not aware of their legal and regulatory exposure. Forcing contractors to explicitly address this as part of their maturity assessment will be beneficial. For example, many organizations’ incident response plans focus on data privacy reporting obligations and do not address their cybersecurity incident reporting requirements, such as those imposed by the Securities and Exchange Commission. The failure to address the full spectrum of legal and regulatory requirements as part of an incident response plan is a strong indicator of the overall maturity of the contractor’s approach to its cybersecurity strategy. Thus, a legal and regulatory domain should be incorporated into the CMMC’s requirements.

Capabilities and Practices

Version 0.6 adds additional clarity within each of the domains as to what the DoD expects of its contractors. There is now a set of 40 defined capabilities, or achievements to ensure cybersecurity objectives are met within each domain. Each of these capabilities has associated with it at least one practice that must be implemented to demonstrate compliance with that capability. Different practices are assigned to different maturity levels. Each practice also has associated with it one or more external references. These external references are provided to help practitioners understand how the practices are to be implemented, but strict compliance with the external references is not required to achieve CMMC certification.

Conflicting Messaging

While the CMMC represents a significant improvement over most organizations’ approach to cybersecurity, version 0.6 of the CMMC still misses the boat. The NIST Cybersecurity Framework and the Cybersecurity & Infrastructure Security Agency’s “Cyber Essentials” for small and medium businesses both encourage businesses to conduct a thorough business assessment before making any significant technology investments. However, CMMC v.0.6 encourages contractors to treat cybersecurity primarily as a technological problem. This is evidenced in part by the way the technical domains are prioritized over more business-oriented domains like risk management. For example, organizations can achieve a level 2 rating without ever considering risk management, which is a mistake: it forces the DoD’s contractors to invest in technologies that may not be necessary and prioritizes doing something over doing the right thing. Even within the Audit and Accountability domain, a domain which by its title should be focused more on business-level issues, the prescribed practices are purely technology focused. The US Government, and especially the Executive Branch agencies entrusted with protecting our nation, should be providing consistent messaging and prioritization to everyone on this very important topic.

Conclusion

We believe the NIST/CISA approach will provide the best value to both the contractor and the DoD. It is also the approach more likely to result in better cybersecurity, because the contractor will have business-oriented reasons for maintaining and enhancing its programs rather than treating them as a compliance-type expense from which the business derives limited value. In addition, under the CMMC’s current approach, contractors are likely to spend money on practices that will only marginally improve their actual security while ignoring other controls from which they would greatly benefit. The DoD needs to bring the level 1 requirements more in line with the NIST Cybersecurity Framework and CISA’s guidance.

We also want to stress that we support the DoD’s efforts with respect to the CMMC. Requiring contractors to change the way they view and address cybersecurity is a long overdue change. However, there are some fundamental issues that need to be addressed. We hope the DoD will reassess its approach and address these issues before version 1.0 is released.

Microsoft is Helping to Combat Ransomware

Image Courtesy Microsoft

Some users of Office 365 will soon have a new tool to fight ransomware. As we noted in our recent article on corporate ransomware protection, one of the most common ways companies are infected with ransomware is through infected Microsoft Office files. These files typically have macros, or computer programs, embedded in them that kick off the ransomware infection. Microsoft recently announced that users of Office 365 ProPlus will soon be able to open all documents from untrusted sources (e.g., anything sent via E-mail or downloaded from the Internet) using “Microsoft Office Application Guard,” a separate virtual environment. The virtual environment is isolated from the user’s operating system and standard programs, and is destroyed when the user logs out. This means that any infection that may be caused by the untrusted document should not be able to infect the user’s computer, and will be destroyed within the virtual environment when the user logs out. This should significantly limit the spread of ransomware, or at least force the criminals to find other approaches for infecting user computers.

We expect to see Microsoft make this available to lower-tier Office 365 users in the near future as well. If your organization uses Office 365, we encourage you to take advantage of this exciting security feature which should help significantly reduce your organization’s attack surface.

That being said, no security system is perfect. For example, a file may be run in the virtual environment without any negative effects being detected, but it may include a “sleeper” version of the ransomware that waits days, or even months, before it will launch. Others may seek to detect whether they are being launched in the virtual environment and, if detected, may postpone any malicious activity until they are outside the virtual environment. Still others may attempt to escape the virtual environment by exploiting vulnerabilities.

In the end, as we discussed previously, disabling macros can significantly reduce your attack surface. If you must enable macros, the Australian Cyber Security Center has created this handy chart that outlines some of the risks associated with the different levels of macros.

(Source: Australian Cyber Security Center)
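As an added example (not part of the original post), the PowerShell below audits the Office macro policy an administrator has pushed to Word, Excel and PowerPoint, and optionally hardens it. The registry paths and the meaning of the VBAWarnings and BlockContentExecutionFromInternet values are Microsoft's documented Office 2016/Microsoft 365 Apps (16.0) policy settings; the hardening step supports -WhatIf so it can be previewed before anything is changed.

```powershell
# Added example: audit (and optionally harden) Office VBA macro policy per application.
# Registry locations and value meanings follow Microsoft's Office 16.0 policy keys.
$apps  = 'Word', 'Excel', 'PowerPoint'
$hives = 'HKLM:\Software\Policies\Microsoft\Office\16.0',
         'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Meaning of the VBAWarnings policy value ("VBA Macro Notification Settings")
$vbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all with notification (user can enable per file)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    foreach ($hive in $hives) {
        foreach ($app in $apps) {
            $key  = Join-Path $hive "$app\Security"
            $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            $mark = (Get-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
            [pscustomobject]@{
                Hive                = $hive.Split(':')[0]
                Application         = $app
                VBAWarnings         = if ($null -eq $vba) { 'not set (user-controlled)' } else { "$vba - $($vbaMeaning[[int]$vba])" }
                BlockInternetMacros = if ($mark -eq 1) { 'yes' } else { 'no / not set' }   # Mark-of-the-Web files
            }
        }
    }
}

function Set-OfficeMacroPolicy {
    # Machine-wide policy: only signed macros run, and macros in files downloaded
    # from the Internet are blocked outright. Requires an elevated session to apply.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(2, 3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $apps) {
        $key = "HKLM:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, "Set VBAWarnings=$VBAWarnings, BlockContentExecutionFromInternet=1")) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
            Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
# Set-OfficeMacroPolicy -VBAWarnings 3 -WhatIf   # preview; remove -WhatIf (as admin) to apply
```

A row showing "not set" means no policy is enforced and the user's own Trust Center choice applies, which is the state the post warns about.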