The Singapore Academy of Law Journal has published an article authored by Bridget Mead, Jared Paul Miller, Paul Flanagan, and Fathom Cyber’s own James Goepel on establishing “reasonableness” under the law in the context of cybersecurity and data privacy. In the article, the authors explore a variety of concepts, including:
the need for federal-level privacy laws in the United States;
how to integrate cybersecurity and data privacy risks into an organization’s Enterprise Risk Management program;
the important role industry standards such as NIST SP 800-171, the NIST Cybersecurity Framework (“NIST CSF”), and the US Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”) play in defining reasonableness;
the critical role compliance plays in establishing reasonableness and the overall defensibility of an organization’s cybersecurity program; and,
supply chain cybersecurity issues.
Although published in Singapore, the article has applicability worldwide. The article should be very useful to judges, litigators, policy makers, and others as they wrestle with the concepts of whether a particular cybersecurity or data privacy program is “reasonable”. The article can be viewed here:
Like many parents, my kids have started back to school. But this year, things are a little different because we’re all working/learning from home. Suddenly there are many more devices trying to access the Internet at the same time, and all for “mission critical” reasons (either conducting business meetings or online learning). Thankfully, I had already set up our network to be able to handle this, and things have gone smoothly for us. Before you buy a faster Internet connection or new routers for your home, I wanted to share a few tips with you.
Are you Overwhelming the Chromebook with Smiling Faces?
Have you ever noticed that, when you open a video conference or lesson with one person your Chromebook or other device (I’m going to just call all devices a “Chromebook” for this post) works fine, but as more people are added things get really weird? That’s because of all the incoming videos. The Chromebook needs to receive each high definition video stream and convert it to a size that is appropriate for your screen, and it has to do it fast enough that you won’t notice. That’s easy when only one person is, or two people are, on video.
As you add more people, they each have to be scaled and displayed separately, and that is a LOT of data for your Chromebook to handle. That creates a lot of lagging videos, slow mouse movements, and other issues.
You should consider switching to a view that only shows the person speaking, or disabling the incoming video if that makes sense (just don’t forget that your camera may still be broadcasting!). Of course, where the teacher is actively teaching you really can’t turn off the teacher’s video!
In that case, you should talk to the teacher to understand whether they need everyone’s video to be on all the time. In the “live” online classes I teach, I have my students turn on their video only when they are speaking. This keeps things running smoothly for the entire 3-4 hour sessions.
Switching to this “only when speaking” approach takes some getting used to, both for the students and the teacher. I know I miss seeing my students’ smiling faces and reading their body language, and I’m sure your kids’ teachers will feel the same. But the Chromebooks won’t be as overwhelmed and the students won’t be as distracted and frustrated, which is a boon for their learning. It also has the added benefit of not using as much of your WiFi and Internet connection, and we’ll talk about that more in a bit.
Is it the Internet or is it me?
If the problems still persist even after you have tried switching your meetings to “videos for speakers only”, the next thing to test is whether your Internet connection is fast enough to meet your needs. Wait until an evening when things are quiet at home, then run an Internet speed test from your Chromebook.
An easy way to run a speed test is to visit Google.com and type in “Internet Speed Test”, or you can visit Ookla or SpeakEasy. If you have high speed Internet service (200 Megabits Per Second, or Mbps, or faster) at home, some of these other sites may not give you accurate results, and you should use Google’s site. If the results are within 70-80% of what you’re paying for from your Internet provider, that’s pretty good (there is some overhead data needed to make the Internet connection happen, and that can use up 20-30%). In that case, you may be smothering your WiFi with attention during business hours. If your results are significantly less than what you expect, keep reading.
Focusing the Conversation by Using Wired Connections
Most of our homes have multiple sources of electronic “noise” that can interfere with wireless signals. From microwave ovens to fans to your neighbor’s WiFi router, these noise sources create interference that makes it harder for your device to stay connected. Remember what it was like to sit in a noisy restaurant? When you’re close to your table you can hear what your friends are saying, but as you get farther away the noise makes it harder to carry on a conversation. The same is true for your Chromebook when you’re on WiFi: the farther you are from the router, the harder it is for your Chromebook to talk to the router. Computers are finicky and like to get all of the information they are meant to receive, so if the noise interrupts a conversation between the Chromebook and the router, the interrupted parts have to be re-sent, which slows things down and can cause dropped connections.
So, if you can, switch to a wired connection. This is the fastest and most reliable way to connect to your router and the Internet. It’s like calling your friend on the phone from across the noisy restaurant rather than trying to yell over everyone.
Unfortunately, Chromebooks and some other devices don’t come with wired connections out of the box, and you’ll need to buy an adapter. Some adapters, like this one, even add additional USB ports.
You’ll also need an Ethernet cable. They come in all different lengths and colors, from 1 foot to 50 feet and beyond, with 6 to 10 feet being the standard. Choose one that is long enough to stretch from your home router to wherever you’ll be using the Chromebook.
At this point, wired connections are easy to configure, too. Just plug one end of the Ethernet cable into your router and the other end into your Chromebook, and the router and Chromebook will handle the rest.
I use a wired connection from my laptop to the Internet. It is more secure and more stable, and I don’t have to worry about my kids eating up all of the WiFi (I’ll talk about that more in a bit).
Reconnecting with your WiFi
Wired connections are great and very reliable, just not all that convenient. If you live in a multi-level house, or if you need to move around with your device, WiFi makes things much easier.
Get Close to your Router
As I mentioned, WiFi comes with issues, the biggest of which is that the connection is subject to noise. I talked about noise sources before, and it is important to understand that the farther your Chromebook is from the WiFi router, the more likely noise is to impact the connection. If at all possible, move the Chromebook closer to the router or move the router closer to where you’re working. This will cut down on the noise and allow more of the conversation to occur uninterrupted.
Help your WiFi Reach You
If you can’t move the router or the Chromebook, you might need to add a new device to your network. You could buy a more powerful router or an amplifier, but in many cases the better approach is to use a “mesh router” with multiple extenders, or to use a “range extender.”
Buying a mesh router, like a Deco, eero, or Orbi can be an easy way to get more consistent WiFi coverage throughout your home. You can keep adding extenders to these mesh systems and they handle transitioning your devices from one extender to another without dropping your connections. If you add a new device, please be sure to change any default passwords.
If you decide new equipment is your best bet, be sure to change any default passwords to make it harder for criminals to get in.
– Jim Goepel
If you’re on a budget or aren’t confident you’ll be able to set up a whole new router system, the mesh routers may not be for you. That’s where a separate range extender, like this one from NETGEAR, might be useful. They act as a bridge between your device and your router, playing a game of “whisper down the lane” but with more accuracy than when people are involved. This extends the reach of your current router without requiring significant technical skill on your part. Range extenders are great if you stay in one place with your Chromebook while you are on a video conference. If you want to walk around the house, expect some dropped connections as your Chromebook transitions from using the range extender to your router.
Stop Smothering your Connection
At this point, you should have pretty good WiFi coverage throughout your home. If you are still experiencing a lot of dropped connections, there are basically only two places left to look for problems.
There’s only so much WiFi to go Around!
It is possible that your devices, when all used at the same time, are using up all of your WiFi. If that is the case, you may want to consider separating your devices into different WiFi networks.
Although you might be tempted to simply put your kids, or yourself, on your router’s “guest” network, this may not be enough to solve the problem. All of the different devices, including your Chromebook, will still be talking to the router. If you were overwhelming it before, splitting them in this manner may not be enough to fix the problem.
Instead, you’ll want to add a separate WiFi router with its own, separate WiFi network. This has the added benefit of allowing you to easily implement parental controls and other restrictions on your kids’ network.
There’s only so much Internet to go around, too!
Although the Internet speed test you conducted at the beginning of this article may have come back with high speeds when you tried it at night while no one was online, if you have multiple Chromebooks all trying to simultaneously participate in video conferences with many incoming videos, that can eat up a good bit of your Internet connection. Try running another speed test during the day from the same location; does the result drop to less than 10 Megabits per second? If so, it’s probably time to upgrade your connection.
It isn’t you, it’s them.
At this point, you’ve basically done everything you can on your end. That means your network isn’t likely to be the problem. Instead, the problem is likely to be with the presenter’s computer or the site hosting the meeting. For example, hackers and other criminals know the video conference services and online learning tools are in heavy demand right now, and the criminals routinely target these services in an attempt to extort money.
I hope this helps you create a more stable Internet connection at home and takes some of the frustration out of your online learning experience!
With many school districts conducting all-virtual learning at least for a portion of the school year, many parents are concerned about creating a positive learning environment for their children. When the students are in their normal classroom environments, they typically have their Chromebooks or laptops (in this sheet, we’re going to use “Chromebook” to describe both full-function laptops and Chromebooks that are in use by many school districts) open on their desks, and they can watch the teacher at the front of the room. Trying to re-create this environment at home using only the Chromebook’s single screen can be a challenge. Fortunately, Chromebooks support adding additional monitors, allowing the student to work on one screen while watching the teacher on another screen. This allows the home environment to be similar to the school environment. Some parents have been asking how they can set up something similar in their homes, and this tip sheet provides some basic instructions.
What you’ll need:
We’ll walk you through selecting each of those in more detail, below. We’ve also added links to products as suggestions, but we don’t have any affiliation with any of the companies. As a reminder, sometimes you will find great deals at membership stores like BJ’s, Costco, etc., or at local stores including Target, Best Buy, etc., although if you wind up needing an adapter (we’ll discuss that in a bit), they may not have what you need.
Step 1 – Identify Chromebook Video Port
The first step is to figure out what video ports your Chromebook has. To do this, you’ll need to look along the sides of the Chromebook. In general, Chromebooks will have one of 4 types of connectors. The first, illustrated below on the right, is an HDMI port. If the Chromebook has this, things are a bit simpler, but some newer Chromebooks have done away with HDMI ports. The second is a USB-C port, which is illustrated below on the left. If your Chromebook has either of those, you can skip to Step 2.
If your Chromebook doesn’t have either of these, you will probably find one of these other ports:
So, to recap, you need to know what video port your Chromebook has, and it will likely be either HDMI or USB-C if you have a true Chromebook. Many other laptops also use these, although some have USB2.0, Mini-DisplayPort, or Micro-HDMI.
Step 2: Pick a Monitor
Some people are looking at buying new monitors for their students, and some are repurposing monitors they already own. We’ll discuss both options below.
Buying a Monitor
If you’re buying a new monitor, the easiest option is to buy one with an HDMI port. Below are a few examples:
You’ll need to pick a monitor size, and that will be influenced by the size of your students’ work area. Bigger monitors are generally easier on the eyes, but they take up a lot of space and are more expensive. This is where buying from a bricks-and-mortar store like Best Buy can be handy, because you can get a better sense for how much of the work area the monitor will take up before you make the purchase. If you’re going to buy a monitor, you can skip down to Step 3.
Repurposing a Monitor
Some of you may already have monitors that can be repurposed for your student, or you’ve decided to pick up a used monitor from Craigslist. We’ve even heard some parents mention hooking up their flat-screen TVs as monitors. All of these are viable options, too. We’re going to call them all “monitors” to make things easier.
Regardless of your monitor type, you’ll need to identify an open video port so you can plug in the Chromebook. That is the same basic process we described above for the Chromebooks, but instead of looking on the side of the Chromebook, you’ll be looking at the back of the monitor. You can typically find the video ports on the back of the monitor, and sometimes they can be easy to find.
However, some manufacturers set up the monitors so when a cable is connected to the port, the cable sits flush with the monitor. This can make it a little harder to find and identify the ports at first.
Some TVs also have extra ports along the sides.
Step 3: Decide how to Connect the Monitor to the Chromebook
At this point, you should know the monitor you’re using and the video port you’ll use (most likely HDMI if you’re buying a new one) and the video port on your Chromebook (most likely either HDMI or USB-C). Now you need to be able to connect them, and that’s where the cable comes in. Regardless of which cable you need, choose one that is between 3 and 6 feet long. This way you have more flexibility with where you position the monitor and Chromebook.
HDMI to HDMI
If your Chromebook and monitor both have HDMI ports, things are easy. You just need an HDMI to HDMI cable, and you can pick those up at most local stores including MicroCenter, Target, Best Buy, and (sometimes) Five Below, and warehouse stores like BJ’s and Costco. Or you can order them online from Amazon or Monoprice. If you’re in the “HDMI on both devices” camp, you can skip down to Step 4.
USB-C to HDMI
If your Chromebook has a USB-C port and your monitor has HDMI, you can buy a dedicated USB-C to HDMI cable, but those can be expensive to replace. Another option is to use an HDMI cable, like those mentioned above, and a USB-C to HDMI adapter. Using an adapter is generally less expensive, but it does create a potential failure point. If you’re in the USB-C and HDMI camp, you can skip down to Step 4.
If your Chromebook has something other than an HDMI or USB-C video port, or if your monitor has something other than HDMI, you’ll need either a cable or adapter that fits the Chromebook’s video port and a cable to connect to the monitor’s video port. For example, if your Chromebook has USB-C and the monitor has only a DVI port, you’ll need a USB-C to DVI cable.
Step 4: Connect the Monitor and Chromebook
This is the easy part. If you wind up using an adapter, like a USB-C to HDMI adapter, start by plugging the adapter into the cable so you now have one “cable”. Once you have your cable, simply plug one end into the Chromebook, and the other end into the monitor.
Step 5: Pick a Mouse and Keyboard
We found it awkward to work on the Chromebook’s keyboard while using a second monitor, so we opted to connect an external USB keyboard and wireless mouse or Bluetooth mouse (different mice for different kids), but there are some great wired and wireless keyboard and mouse combination packs out there, too. Depending on what you choose, the keyboard and mouse may take up all of the available USB ports on the Chromebook, so you might want a USB hub to allow your student to plug in a thumb drive if one is needed.
Step 6: Connect the Keyboard and Mouse
For the most part, the keyboard and mouse should work right out of the box. Just plug them into the Chromebook’s USB port, wait a moment, and they should work. If you bought a Bluetooth keyboard or mouse, you’ll need to open the Chromebook’s Bluetooth menu, put the keyboard and mouse in pairing mode, and then pair them with the Chromebook. If you need help with this process, please see this article from Google.
We hope you find this information useful, and that it helps ease your students’ transition to the virtual learning environment!
Fathom Cyber’s CEO, Jim Goepel, is an adjunct professor of cybersecurity in both Drexel University’s LeBow College of Business and Thomas R. Kline School of Law. Since joining Drexel, Jim Goepel has been working with Professor Paul Flanagan on an innovative approach to cybersecurity and data privacy risk management. Drexel University has asked Jim and Paul to present their research as part of Drexel’s 5th Annual International Research Showcase on May 27, 2020. Using Professor Goepel’s and Professor Flanagan’s unique approach, organizations can implement a holistic enterprise risk management program that creates an agile business environment while adding structure necessary to properly manage regulatory, legal, cyber, data privacy, and other risks. Their approach includes risk definition and management techniques, carefully tailored policies and procedures, and strong compliance and audit functions. More details about Professor Flanagan’s and Professor Goepel’s approach will be included in an upcoming technology journal published by the National University of Singapore.
As the holiday season approaches, we want to remind everyone that safe travels includes more than just driving safely; there are cybersecurity and privacy considerations as well. We strongly encourage you to always follow our Top 7 Tips for Individual Cybersecurity, even when you travel (you can download a free printer-friendly version here). We also recommend creating an electronics travel kit. The kit should include*:
So, why do you need to carry all this stuff? The travel extension cord is very useful in airports or other locations where power outlets can be scarce or inconveniently placed. For example, in many hotel rooms we have recently visited, the outlets near the bed are all taken by lamps, alarm clocks, etc. The travel extension cord allows us to use one of those outlets to charge our electronics without having half the room be dark. Similarly, some rooms now have power outlets on the desk or nightstand, but they do not provide enough clearance for larger wall adapters. The travel extension cord allows us to use our preferred wall adapter with those outlets.
You’re probably thinking “but you can find USB charging ports just about anywhere; why would you need a wall outlet and extension cord?” In short, those charging ports can be modified to allow an attacker to copy all of the data from your device, and even to plant malware on your device. The ports can also provide inconsistent and potentially damaging amounts of electricity to your device. Given the range of issues these public USB ports pose, we recommend to our clients that they avoid them.
We also recommend carrying a cigarette lighter adapter for the same reasons. Automobiles are a convenient place to charge our devices, but criminals know that they can modify the USB port on a rental car and gain access to or infect your device. Rental car USB adapters also take more abuse than most personal vehicle adapters (think about how often you unplug your cable in your car versus during a rental) and thus are more likely to suffer electrical issues that can damage your device. Carrying a known-good USB car adapter helps avoid these problems.
That being said, we know that wall and cigarette lighter adapters are left behind, fail, or simply fall out of a bag. That is why we recommend also carrying a USB data blocker. The USB data blocker prevents a potentially malicious USB port from accessing the data on your device. It should be noted that although the USB data blocker does a good job of protecting your device from criminals, it will not condition the power supplied by the USB outlet and thus your device can still be damaged.
We recommend carrying spare cables when you travel because you don’t want to use charging cables you find lying around or that you borrow from a stranger. There are malicious cables out there (see https://www.vice.com/en_us/article/evj4qw/these-iphone-lightning-cables-will-hack-your-computer) that can be used to give an attacker access to all of the data on your device. In addition, some cables are poorly made or contain lower-quality electronics and can fail easily. We encourage our clients to always use cables purchased by them, and cables that have been purchased from a reputable source (not the bin next to the gas station cash register).
Finally, we recommend carrying a portable battery for those times when other power sources simply aren’t convenient or accessible. Examples include when you are getting off a plane or train and need to call your rideshare or let your loved one know you arrived safely. We find we use ours most when attending conferences, where the wall outlets are typically already taken by others. The portable batteries are small, lightweight, and extremely handy in those desperate times.
* Please note: Although we have provided links to certain products, those links are provided for illustrative purposes only. We have not tested those products and, consistent with our role as a trusted advisor and agent for our clients, we are not endorsing any product or vendor. We do not receive any compensation if you purchase the products we reference.
The Department of Defense (“DoD”) is pressing forward with its plans to create a cybersecurity maturity program that will apply to all government contractors in the Defense Industrial Base (“DIB”). As we have previously reported, draft Version 0.6 of the Cybersecurity Maturity Model Certification was released a few weeks ago. You can read our analysis of Version 0.6 here. Version 0.7, which is due in December, is slated to address maturity levels 4 and 5, and we will provide updates on that version shortly after it is released.
Although the DoD is creating the initial version of the CMMC, including the maturity scale itself as well as training and other materials, the DoD wants a nonprofit accreditation body to take over the maintenance of the CMMC. The nonprofit will also be responsible for creating a credentialing process for the C3PAOs (certified 3rd party assessment organizations) that will provide the actual CMMC certification to government contractors, as well as training materials for those C3PAOs. In a November 26 response to industry inquiries, the DoD indicated that it will not have the initial training guides (for CMMC Levels 1-3) available to the C3PAOs until at least early February, and that training for Levels 4 and 5 may not be available until March. This means that the C3PAOs will not be able to even begin the certification process until at least late February, and there will inherently be only a limited number of people who are certified in CMMC audits at each C3PAO.
The DoD also indicated that it has received inquiries from several other government agencies and outside groups who are interested in CMMC and the overall process. We expect to see adoption of the CMMC expand to other industries and in other contexts, such as by insurance companies when assessing overall cybersecurity maturity and associated risk and insurance rates.
Finally, the DoD stressed that although written security plans and Plans of Action and Milestones (“POAMs” or “POA&Ms”) are acceptable under DFARS 252.204-7012, DIB contractors have not done a good job in executing their POAMs. Thus, the CMMC will not give credit for plans; instead, only the current state will count toward the contractor’s CMMC level.
We strongly encourage all organizations, and especially DIB contractors, to engage an independent consultant to conduct a maturity assessment as soon as possible. The C3PAOs will have a large backlog of organizations (over 300,000!) to go through in only a few short months to meet the DoD’s September 2020 deadline, and the C3PAOs are likely to prioritize certifying those organizations that have already taken steps to assess their maturity and to address any shortcomings.
The UK’s National Cyber Security Centre has published a useful guide for people shopping online this holiday season. Here are a few highlights:
A padlock isn’t enough – That padlock in the address bar of your browser means that communications between the browser and the site you are visiting are encrypted. However, that padlock does not mean the company you’re buying from is legitimate. Criminals can create inexpensive shopping sites that look legitimate, even down to implementing encryption to trick you into thinking they are safe.
Limit the information you give – Most websites don’t need your mother’s maiden name, the name of your primary school, or other such personal information so you can buy something from them. Instead, only fill in the mandatory information, such as your name and address. Don’t create an account on the site unless you are going to buy from them again frequently in the future.
Follow good device hygiene – Keep your devices up to date, use strong passwords, enable multi-factor authentication, and follow other good hygiene practices. For more information on staying safe online, see our Top 7 Tips for Improving Individual Cybersecurity.
Smaller entities like nonprofits, state and local governments, and small and medium businesses are frequently reluctant to devote already scarce resources to cybersecurity and data privacy. They often feel that they are too small to be attractive to cyber criminals or that they have nothing of value. Unfortunately, this attitude makes them targets for cyber criminals, because the criminals know that the smaller organizations are easy to attack.
For organizations looking to improve their cybersecurity and data privacy programs, employee training can bring significant returns on investment. Educating all employees about their role in keeping the organization secure is critical to ensuring the organization stays safe, and Fathom Cyber offers a variety of training options, including training for an organization’s employees, executives, and even Boards of Directors. We also recommend augmenting these traditional courses with short awareness videos, and we have partnered with Wizer, an innovative training system provider, to help our clients achieve this goal. Wizer offers an ever-increasing number of free, 1-minute-long security awareness videos along with premium options including phishing simulation, gamification, training videos and more, all for a reasonable fee. Wizer’s short videos are a great way for organizations of all sizes to keep security and privacy top-of-mind for their employees.
Below is an example of one of their videos. Contact us for more information or to create your free account today!
Phishing attacks are a threat faced by every organization, in part because they are easy and inexpensive to launch, and they are highly successful. If you are unfamiliar with phishing or wonder if your organization is taking the appropriate steps, The National Cyber Security Centre of the United Kingdom has put together an excellent, high-level article that we highly recommend. Although it touches on some technical jargon, it is written at a high enough level that most nontechnical people should be able to follow it. One of the key take-away points is that a phishing defense needs to have multiple layers, as illustrated in the infographic above. Organizations need to be not only training users to improve their ability to spot current threats and phishing attack styles, but also putting in place appropriate policies and procedures to detect when a user has fallen for a phishing attack, responding to the resulting attack, and recovering from it. The article is available in the link below.