
October 20, 2021 By SME, Inc.

CMMC Lessons Learned from a C3PAO

By now, DoD contractors already mired in the complexities of Cybersecurity Maturity Model Certification (CMMC) know one thing for certain: the process takes time—anywhere from six to 12 months, depending on the maturity of your company’s security level, policies, and procedures. If you want to continue to win government contracts, and you haven’t started the CMMC process yet, it’s crunch time, and a last-minute cram session won’t cut it in this case. 

There is a LOT that goes into the CMMC certification process. While not all DoD contractors’ compliance journeys will be the same, those who are ahead of the game have some valuable insights that every organization can apply. To help ensure you start your CMMC efforts off on the right foot, here are some lessons learned by Certified Third-Party Assessor Organizations (C3PAOs).

Don’t Skimp on Standard Operating Procedures (SOP)

At CMMC Level 2, organizations are required to document a system security plan, practices, and policies that allow staff to perform processes that are repeatable and consistent. Best practice is to have robust, detailed, step-by-step procedures, including a well-defined purpose, scope, and roles and responsibilities for each activity; this is important for a successful CMMC assessment.

Make an Incident Response Plan a Priority

Also high on the list of lessons learned is establishing a formal and proactive Incident Response (IR) plan and regularly testing the plan to increase your organization’s ability to respond to security incidents.

Know Your Network Inside and Out

Get to know your network—and the people who use it—intimately! Start by performing an audit to accurately inventory your network devices: approve every device connected to your network and the applications and software they run, including your email system, and record them in a list. Also know what data is stored on your network. CMMC focuses mainly on protecting controlled unclassified information (CUI), which can include software executable code, source code, technical reports, studies, analyses, intellectual property, engineering drawings, and tax-related information, to name a few.

Get a Grip on Daily Cybersecurity Hygiene

Checking in on your organization’s cybersecurity measures every day isn’t just a suggestion; it’s a must. And it’s much more than protecting passwords and telling employees not to click on phishing links. There are 5 levels of CMMC cybersecurity hygiene, each with its own requirements. One way to get a handle on daily cybersecurity hygiene—and show your due diligence—is through a dashboard-driven tool like SME’s state-of-the-art Compliance Management Platform, which gives you the visibility you need to know the real-time status of all your programs.

Need CMMC Assistance?

If you bid on DoD contracts, don’t wait any longer to start your CMMC certification process. SME will work with you to prepare and navigate CMMC and help you maintain your maturity levels. Give us a call at 703-378-4110 or email info@smeinc.net.


September 16, 2021 By SME, Inc.

IoT Security: Tips to Securing Your IoT Devices

Internet of Things (IoT) devices are great! Not only do they provide automated, seamless assistance in normal, everyday life; they also make life simpler. Can’t remember if you locked the door before leaving? Open up the app for your Smart Door Lock and engage the lock. Want to make sure the house is the perfect temperature when you arrive? Smart thermostats like Nest, Ecobee, or Honeywell give you the ability to turn on the heat or AC before you even walk through the door; and who doesn’t like the sound of being able to make sure dinner is cooking and will be ready when you get home from work? There’s a Smart Crockpot for that! Yes, seriously! Even a large majority of the TVs sold in stores are Wi-Fi enabled.

As convenient as these devices can make our everyday lives, they can also be something of a double-edged sword, because they can come at a price significantly higher than what the device itself costs. Like many of the electronic and internet-enabled devices we use every day, IoT devices require a certain level of security, and ignoring this aspect can do much more harm than good.

How IoT devices Can Make Us More Vulnerable

As with any device that connects to a network, hackers can use IoT devices to gain access to, and even a long-standing foothold in, your network, and this can happen from even the most unexpected of devices. Unfortunately, many of us are more concerned with getting these cool new devices configured and set up on the network so we can start using them immediately, and as a result put the idea of securing the devices on the back burner.

So what exactly can be done to secure these IoT devices? Actually, there is quite a bit that can be done!

Use Your Own Network, Avoid Public Wi-Fi

It should go without saying that if you’re planning on trying out that new Wi-Fi enabled toaster, don’t connect it to a public Wi-Fi network. In the rare, off chance that you absolutely have to connect the device to a public network, use a Virtual Private Network (VPN).

Set Up and Use a Guest Network

Guest networks are simple to set up and configure and provide an extra layer of security to your network. This is especially true when you have visitors who want to use your Wi-Fi, either at home or in the office. The guest network provides them with access to the network and of course to the internet, but it secludes them from the main network so they can’t actually access any of the other devices or systems connected to it.

It’s recommended to also use a guest network for your IoT devices, such that in the off chance that one of the devices is indeed compromised, then the threat actor (hacker) will be trapped within that guest network and unable to access your personal devices on the main network.

Always Reconfigure Every IoT Device

Whether you receive it as a gift or purchase it as soon as it hits the shelves, every IoT device that you plan to connect to your network needs to be reconfigured during setup. This doesn’t mean you have to take the device apart to “hack it”; it simply means setting up a strong, complex, and secure password for the device, as well as for the email or federated login account you’re using to set up the device.

Use Strong Passwords

Just as we mentioned above, make it a habit to use strong, complex passwords for all the devices that you connect to your network and for the accounts that you may end up creating for these devices. People often have a tendency to reuse the same password for many of their devices and accounts; what is even worse is that most of these passwords are simple and can be easily guessed or cracked by hackers.

Also make a habit of using Two-Factor Authentication (2FA) if the account or device allows it. 

Always Know What Is Connected to Your Network

It should go without saying that you should always be aware of what devices are connected to your network. Many of today’s wireless routers come with easy-to-access, user-friendly administrative interfaces that can be used to find out exactly what devices are connected to your network. Some routers are instead set up and configured using an app, and these apps allow the same type of administrative check.
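The audit described here, and the “approve all of the devices connected to your network ... and create a list” step in the CMMC lessons-learned post above, boil down to comparing what is actually on the wire against an approved inventory. The following is an added example (not SME’s code or a tool it offers) that parses a constructed sample of `arp -a` output, normalizes the MAC addresses, and reports devices that are not on the approved list as well as approved devices that were not seen; the approved-device list and the ARP lines are made up for the example.

```python
"""Reconcile devices seen on the network against an approved-device inventory.

All inputs below are constructed samples for illustration; the ARP lines follow
the usual Linux/macOS `arp -a` layout but describe no real network.
"""
import re
from dataclasses import dataclass

# Constructed sample of `arp -a` output. The second line uses the unpadded
# MAC form macOS prints (0:11:... instead of 00:11:...), and the last line is
# an unresolved entry that has no MAC at all.
SAMPLE_ARP_OUTPUT = """\
router.lan (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.20) at 0:11:22:33:44:20 on en0 ifscope [ethernet]
nas.lan (192.168.1.30) at 00:11:22:33:44:30 [ether] on eth0
? (192.168.1.77) at aa:bb:cc:dd:ee:77 [ether] on eth0
? (192.168.1.90) at <incomplete> on eth0
"""

# Constructed approved-device list keyed by MAC address (the "create a list" step).
APPROVED_DEVICES = {
    "00:11:22:33:44:01": "Office router",
    "00:11:22:33:44:20": "Reception printer",
    "00:11:22:33:44:30": "File server (NAS)",
    "00:11:22:33:44:40": "Conference room smart TV",  # approved but not seen today
}

# host (ip) at mac ... ; the MAC may be zero-padded or not, or "<incomplete>".
ARP_LINE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}|<incomplete>)"
)


@dataclass(frozen=True)
class SeenDevice:
    ip: str
    mac: str
    host: str


def normalize_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet so 0:11:.. and 00:11:.. compare equal."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp(output: str) -> list[SeenDevice]:
    """Parse `arp -a` style text into SeenDevice records, skipping unresolved entries."""
    devices = []
    for line in output.splitlines():
        match = ARP_LINE.match(line.strip())
        if not match or match.group("mac") == "<incomplete>":
            continue  # no MAC to compare against the inventory
        devices.append(
            SeenDevice(match.group("ip"), normalize_mac(match.group("mac")), match.group("host"))
        )
    return devices


def reconcile(seen: list[SeenDevice], approved: dict[str, str]) -> dict:
    """Return devices seen but not approved, and approved MACs not currently seen."""
    approved_norm = {normalize_mac(mac): name for mac, name in approved.items()}
    seen_macs = {device.mac for device in seen}
    unknown = [device for device in seen if device.mac not in approved_norm]
    missing = sorted(mac for mac in approved_norm if mac not in seen_macs)
    return {"unknown": unknown, "missing": missing}


def report(result: dict, approved: dict[str, str]) -> list[str]:
    """Render the reconciliation as human-readable lines for the audit record."""
    approved_norm = {normalize_mac(mac): name for mac, name in approved.items()}
    lines = [f"UNAPPROVED DEVICE: {d.ip} ({d.mac}) host={d.host}" for d in result["unknown"]]
    lines += [f"APPROVED BUT NOT SEEN: {mac} ({approved_norm[mac]})" for mac in result["missing"]]
    return lines or ["All seen devices are approved; all approved devices were seen."]


if __name__ == "__main__":
    outcome = reconcile(parse_arp(SAMPLE_ARP_OUTPUT), APPROVED_DEVICES)
    for line in report(outcome, APPROVED_DEVICES):
        print(line)
```

An ARP table only lists hosts on the same segment that have talked recently, so treat this as a starting point and reconcile against DHCP leases or switch port tables as well.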

Ensure Devices are Updated

When initially setting up a new IoT device, always check whether it has any current software/firmware updates that can be applied. An even more helpful feature is auto-update, so if the device has this capability, enable it. Either way, make a habit of checking whether the device needs updating.

IoT devices and the technology that drives them have a seemingly unlimited potential to assist us in our daily lives, but do not disregard the risks. You can purchase the most highly rated, most expensive IoT device on the market, created by the top companies in that field, but at the end of the day, the security of your IoT devices and your network is up to you and the amount of time and level of protection that you are willing to invest.


September 13, 2021 By SME, Inc.

Security Awareness Training from a CSAP Professional

Ransomware, phishing, password cracking, social engineering—these are all REAL threats, and they are only getting worse as cyber criminals get better. If you are a DoD contractor, it’s time to get your staff on the same security page. If your staff isn’t trained in cybersecurity hygiene, then they’re putting your entire organization at risk.

As part of CMMC compliance, Security Awareness and Training (AT) is one of the 17 domain requirements that companies seeking CMMC maturity certification Level 2 or higher have to meet before working on government contracts.

The requirement means that you have to have an effective cybersecurity training program in place. There are five AT practices broken into two capabilities: C011 Conduct Security Awareness Activities and C012 Conduct Training. Here’s a look at how the practices are broken out.

C011 includes two practices:

AT.2.056: Cybersecurity awareness training for all users

This practice ensures that managers, system administrators, and users of company systems are conscious of the various security risks related to their activities, and the procedures, standards, and policies related to the security of those systems.

Contractors can comply with this DoD CMMC requirement by conducting an annual cybersecurity awareness training. This training program must be customizable and should come with links to a company’s security policies and the contact information of its security department.

AT.3.058: Provide cybersecurity awareness training to identify and report possible insider threats

Contractors handling controlled unclassified information (CUI) must conduct insider threat training as part of their cybersecurity initiative. The training must identify the risk factors involved in becoming an insider threat, as well as a less formal way of reporting potential threats to avoid discrimination among friends and colleagues.

C012 includes these four practices:

AT.2.057: Ensure that cybersecurity personnel are properly trained to perform their security-related tasks and responsibilities.

Contractors should implement security training designed for system administrators, help desk, developers, and testers. Cybersecurity personnel should also possess security certifications such as a Certified Information Systems Security Professional (CISSP).

AT.4.059: Offer security awareness training designed to detect and respond to threats from suspicious behavior, breaches, advanced persistent threats (APTs), and social engineering. This security awareness training must be updated at least once a year, or if new threats are discovered. (Meant for certification levels 4 or higher)

To meet the requirements of this practice, contractors must conduct security awareness training sessions that focus on tactics used by APT actors. The goal of this practice is for companies to go beyond basic cybersecurity practices and broaden their cyber defenses against more advanced attacks.

AT.4.060: Practical exercises must be included in security awareness training modules. These exercises should be aligned with the latest threat scenarios and must offer feedback to personnel involved in the training. (Meant for certification levels 4 or higher)

This practice is designed to enhance a contractor’s security awareness training by including exercises associated with real-world threats. Also, the requirement to provide feedback is to ensure contractors are being proactive in measuring the value provided by these security exercises.

How you get trained is important too. SME’s CMMC experts are Certified Security Awareness Practitioners, or CSAP. Our security awareness training program includes everything you need to select the right content, deploy your training, and obtain detailed reporting on progress and completion. Don’t put off this important CMMC certification requirement. Our training programs are easy to arrange and affordable. Start your Security Awareness and Training domain requirement today!


August 25, 2021 By SME, Inc.

CMMC is Here and It Isn’t Going Away…So Get Ready

The Cybersecurity Maturity Model Certification program (CMMC) is ramping up this summer—even though approved CMMC Third-Party Assessment Organizations (C3PAOs) are in short supply and timelines are ever evolving. These hiccups might have you thinking you have all the time in the world to start your CMMC certification. Unfortunately, that assumption just isn’t correct.

CMMC isn’t going away. Though the organizations waiting to receive their C3PAO status are stacking up, so are the thousands of DoD contractors who are waiting to achieve CMMC certification. Having the right controls in place isn’t just something you can wing, or pencil whip your way around. Now is the time to save your place in line so you don’t miss out on opportunities for government contracts.  Here are five steps you can take now to get you closer to CMMC compliance.

Get to Know Your Data

Not every piece of data that resides in a contractor’s IT systems is classified—and it doesn’t have to be. In fact, CMMC largely focuses on protecting controlled unclassified information, or CUI. CUI data covers a wide range of information, including software executable code, source code, technical reports, studies, analysis, intellectual property, engineering drawings, tax-related information, and much, much more.

Test Your Backups

Are you prepared to recover from an event that might compromise the integrity or availability of your data? Backing up all content—not just CUI—is a CMMC requirement. A loss of data can significantly impact your operations, and, depending on CMMC level, impact national security. Now is the time to test your backup systems and determine their functionality.

System recovery is a key focus of CMMC, specifically the ability to recover from any event that compromises the integrity and availability of data. The requirement is to back up all content, not just controlled unclassified information (CUI) and other critical content.

Create an Incident Response Plan

Speaking of recovering from an event, contractors with Level 2 or higher CMMC requirements must have an incident response plan in place that demonstrates your ability to detect, respond to, analyze, report, and test incidents.

Practice Daily Cybersecurity Hygiene: That Means Everybody

CMMC success starts with every single person in your organization practicing cyber hygiene at all times. From the front desk to the C-Suite, ensuring cybersecurity in your government contracting business is everyone’s responsibility. This goes beyond checking off the usual boxes of password updates and identifying phishing emails. Your firm needs to be right 100% of the time for cybersecurity. Attackers only need to be right one time—that one time they are able to detect a weakness and move in for the kill.

There are 5 levels of CMMC cybersecurity hygiene, and each has its own requirements. Level 1 is basic cyber hygiene and includes 17 practices from NIST standards that companies should already be practicing when working for the DoD. They go up from there to Level 5, which includes 171 practices. These organizations have an advanced, progressive cybersecurity system in place and can assess and prevent advanced threats.

Even if CMMC weren’t a requirement for DoD contractors, you should be practicing cybersecurity hygiene anyway! With high-profile ransomware and leakware attacks making headlines with increasing frequency, it’s not a matter of if, but when, a compromise will take place.

Communicate with your Subcontractors

In addition to your own internal team, getting your subcontractors on the same page is also crucial to CMMC success—and it’s a requirement. Weaknesses in the DoD supply chain are most prevalent several levels down from the prime contractor. If you are a prime, know this: you are obligated to educate your subcontractors on the proper CMMC requirements and where CUI lives on your systems so they can begin their CMMC journey as well.

With thousands of DoD contractors already waiting to achieve CMMC certification, you don’t want to find yourself at the back of the line. No matter where you are in the process, SME can help you navigate the process. We’re experts in CMMC certification requirements and implementation. Give us a call at 703-378-4110 or email info@smeinc.net.


July 28, 2021 By SME, Inc.

SME Compliance Management

Cybersecurity and Compliance Made Easy

Do you have a compliance action plan in place? With 171 sub-controls across five levels, CMMC compliance can seem overwhelming—even more so for contracts with higher level requirements. SME’s Compliance Management Platform makes compliance easy for DoD contractors to maintain their eligibility.

What is SME’s Compliance Management Platform?

Our state-of-the-art Compliance Management Platform is a dashboard-driven tool that helps your organization crosswalk from NIST 800-171 to CMMC, at any maturity level. The platform gives you the visibility you need to know the real-time status of your programs—across all lines of business—and makes it easy to assess, build, manage, connect, and report all of your cybersecurity functions. Here’s a look at some of the features.

Assessment Manager

Predefined or customized templates. The questionnaire-based Assessment Manager in SME’s Compliance Management Platform allows you to evaluate your cybersecurity posture quickly and easily. You can fast-track assessments using the Platform’s predefined templates or customize your own to match your unique needs.

One-click reporting. The reports feature improves visibility for all your stakeholders, including auditors, executives, and the Board of Directors. And you can transfer the results of your assessment to a program to get a head start on compliance, management, and remediation.

Create a full program. Transfer your completed assessment results and evidence into a full program. There you can manage remediation tasks and workflows, monitor compliance progress and budgets—and create additional reports.

Harmony

As your cybersecurity program matures, the Harmony feature of the Platform makes it easy for you to add and manage multiple frameworks as one mapped program without duplicating your efforts. This means you can consolidate thousands of sub controls from an entire library of frameworks, making your cybersecurity and compliance efforts much more efficient. In fact, you could see a reduction in cost, time and effort by 60% and gain a head start on compliance with:

Unlimited combinations. Crosswalk frameworks in unlimited combinations.

One-click reporting. Easy report feature for consolidated analysis of mapped programs supports a wide variety of recurring and ad hoc reporting needs.

Flexible monitoring. Monitor and report on combined and individual frameworks.

Streamlined maintenance. Data replication across subcontrols in both the mapped program and standalone frameworks.

Automatic uncoupling. If you need to remove a framework from a mapped program, the Compliance Management Platform will automatically uncouple the subcontrols, which will remain in each standalone framework.

For a seamless execution of your CMMC strategy, let SME’s robust Compliance Management Platform be your competitive advantage. To start your compliance action plan, give us a call today at (571) 601-1496 or email info@smeinc.net.


June 11, 2021 By SME, Inc.

What’s the Latest in CMMC?

You know about the CMMC Interim Rule that went into effect November 30, 2020, bringing several important changes to the Department of Defense’s cybersecurity requirements. Are you ready to jump into action? You should have already reported your NIST SP 800-171 self-assessment score through the Supplier Performance Risk System (you did that, right?). Assuming you’ve completed this important first step, what should you do now?

System Security Plan

You’ll want to create a System Security Plan (SSP) that summarizes how you are compliant with the NIST 800-171 controls. The SSP might include:

  • Outlining the controls.
  • Defining each control within the environment.
  • Documenting the successful implementation of each control.
  • Describing the testing procedures.

Plan of Actions and Milestones

If your self-assessment shows that not all 110 controlled unclassified information (CUI) controls in NIST SP 800-171 have been implemented, you’ll also have to create a Plan of Actions and Milestones (POA&M). This is a detailed strategy of how your organization will remediate the gaps, and when. Important components of the POA&M should include:

  • Identifying the underlying security weakness revealed in the assessment.
  • Classifying risk levels of each weakness.
  • Determining the extent of each weakness within the environment.
  • Creating a planned approach to mitigation.
  • Determining the resource(s) responsible for mitigating each weakness.
  • Maintaining detailed, clear documentation.

The POA&M is your organization’s roadmap to official certification and is proof of your commitment to remediate any security weaknesses—so make it count. An audit will uncover a weak effort and could delay your certification, putting you at risk of losing a contract.

Maturity

You are one step closer to compliance once you fully implement your POA&M. However, keep in mind that it could take anywhere from nine to 12 months to completely execute. The sooner you create your POA&M, the more maturity you’ll have. And the more mature your cyber environment, the less of a risk you present.

For primes and subcontractors, patience and flexibility are necessary as the process unfolds over a phased five-year rollout of CMMC. Let SME help you get through it. We’re experts in CMMC certification requirements and implementation. We can help you complete and review your self-assessment, SSP, and POA&M. Give us a call at 703-378-4110 or email info@smeinc.net.

#GovConClub


May 28, 2021 By SME, Inc.

Ransomware

Many of us have probably become aware in the weeks following the Colonial Pipeline attack that ransomware attacks are a serious concern that all of us face. Many cyber-criminals are agnostic about who they target with ransomware; victims can range from large multinational corporations to local hospitals, even individuals like you or me, and in this most recent instance, highly crucial U.S. infrastructure. This attack had a direct effect on millions of Americans and led to long lines at the gas pump and even gas shortages in some states along the Eastern Seaboard.

Headlines, news stories, and anxiety about how soon a fix would be implemented were on the minds of many of us during the weeks after the attack. In the end, Colonial Pipeline paid the hackers roughly $4.4 million in order to have their data decrypted.

However, after all of the stories, and buzz about the incident, many people may still be wondering what exactly ransomware is, how it works, and why it is becoming more popular for cyber-criminals. Our goal for this post is to provide some answers to these questions.

What is Ransomware?

Ransomware is a form of malware, or virus, that encrypts data and files on a victim machine, which then prevents users from accessing their files. When ransomware infects a system, it starts searching for files and then begins encrypting them; oftentimes it will encrypt all of the files on the machine. Attackers hold the key that can decrypt the files, which they commonly offer to give to the victim once a ransom payment has been made, but this is not guaranteed.

Most ransomware will display a ransom notice/pop-up to users, usually by replacing their desktop background image or placing a text file with instructions in the folders it has encrypted. The ransom notice demands payment, which may be between hundreds and several thousand dollars, most typically to be paid in cryptocurrency to keep the transaction anonymous, and untraceable.

How Does Ransomware Work? 

Ransomware can enter a network in several different ways, the most common of which is being downloaded; other means of infection come from social engineering. These downloads can come in the form of email attachments or programs that are disguised to perform a specific function or task but in fact carry the ransomware. Once downloaded, the ransomware program begins attacking the system, encrypting all of the data and files on the system, adding a new file extension to the files, and making them inaccessible and unusable. There are even more sophisticated variants of ransomware that can spread themselves throughout networks and systems without human interaction, much like a computer worm.

Ransomware’s Rise to Popularity

Ransomware attacks have grown in popularity in recent years for several reasons, the most likely being that, more often than not, ransomware victims end up paying to have their data decrypted, so cyber-criminals see it as an easy means of making money.

Some other reasons that it is becoming more widespread:

  • Use of new techniques for encrypting data (encrypting the entire drive instead of just certain files)
  • Ransomware and other types of malware kits are becoming more readily available that can be used to create malware on demand
  • Malware and ransomware creators are becoming more sophisticated with their design and development, many are using generic interpreters and cross platform technologies so the malware can be spread to more victims.
  • Ransomware and other forms of malware are becoming easier and easier to use. Cybercriminals do not have to be tech savvy in order to use, send, or spread the ransomware. 
  • Ransomware marketplaces can be easily found online, offering different variants of malware/ransomware that can be purchased and used as the buyer chooses.

There is a silver lining to this cloud. Ransomware can be mitigated and even prevented; if you would like to read more about this, check out one of our previous posts: Ransomware Prevention: Backups & Data Recovery.

SME offers both Managed Backup solutions and Cloud Backup Storage solutions that ensure reliable backups of your data. For any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.


May 25, 2021 By SME, Inc.

Security Awareness Training Tips

A fact that many businesses and organizations have difficulty accepting is that their employees are one of the biggest risks to their overall security posture. Human error is still considered the leading cause of data breaches and compromises.

However, with proper Security Awareness Training and the fundamental understanding and knowledge to identify threats, your employees can act as another line of defense altogether, and even become one of your greatest assets. When designing, developing, and implementing a Security Awareness Training program, it is vital to take into consideration all of the cyber threats that your organization is most likely to face, and to address those directly with your employees.

The goal of this post is to discuss some of the more common Security Awareness Training program topics.

Phishing

I’m sure many of you reading this have received a call about your car’s extended warranty, or a call from the IRS or the Social Security Administration. Phishing scams are still one of the most common attack methods that cyber criminals use to gain access to an organization’s network and resources. These threat actors play on fear, emotions, or empathy to take advantage of human nature, our inherent willingness to trust others, and an ingrained need to help those in need. They do this by creating a sense of urgency or fear, or by offering some sort of incentive like free stuff, “stays in the Hamptons”, or “a free cruise”.

Password Security

Passwords are still the main source for authentication measures used by organizations, and poor password security can be one of the biggest threats to enterprise level security. A large majority of your employees can have upwards of a dozen or more accounts that require a username (most typically their email address), and a password. The following tips are very important to include in training content.

  • Passwords should be randomly generated
  • Always use a different, unique password for each online account
  • Passwords should contain a combination of letters, numbers, and symbols
  • To make managing all of these accounts easier, use a password manager
  • When possible, always use Two-Factor or Multi-factor Authentication to reduce the risk of compromised passwords

Safe Internet Habits

Almost every employee in the workplace, especially in tech, has access to the internet. Security Awareness Training programs should incorporate safe internet habits in and outside of the workplace to further protect the network and your employees from threat actors.

  • Ability to spot, and recognize spoofed domain names
  • What the difference between HTTP and HTTPS is and why it is important
  • The potential dangers of downloading software from untrusted or suspicious websites
  • The inherent risks and dangers of entering login credentials into suspicious or untrusted websites

Social Networking Risks

More and more organizations are using social media as a form of customer service, a way to connect and build relationships with their customers, and even a way to generate online sales. Unfortunately, cybercriminals have also started utilizing social media as another attack surface that can put organizations’ reputations and systems at risk.

An organization’s Security Awareness Training program should include a section that focuses on social networking. The organization should limit the use of social networking on premises and should inform and train employees on the threats that social media can present online.

Removable Media

Removable media such as CDs and USB drives can be useful to organizations for sharing and transferring documents; however, they can also be very useful for cybercriminals. Threat actors can use removable media to slip malware past an organization’s security measures and defenses. Malware can easily be installed on the media and configured to execute automatically, or employees can be tricked into clicking and opening the file by giving it an enticing name. Such malicious media can be used to install malware like ransomware, steal data, and even destroy the system they’re inserted into.

  • Inform employees to never plug or insert untrusted removable media into a computer 
  • Take any untrusted device to IT or Security Team for scanning and approval
  • IT/Security Team should disable autorun on all computers

Clean Desk Policy

Organizations should take time to explain Clean Desk Policies to their employees. A clean desk policy means that sensitive information is not left out on a desk where passersby or visitors can glance at it. This includes printouts, papers, sticky notes and similar items that can easily be read by prying eyes or taken by thieves. Before leaving a work space, all sensitive and confidential material should be locked away or otherwise securely stored, and printouts that are no longer needed should be shredded rather than thrown in the trash.

Physical Security

Security Awareness does not apply only to computers and other electronic devices; employees should also be made aware of the physical security risks in the workplace.

  • What “shoulder surfing” is (someone reading a screen, keyboard or document over your shoulder) and how to counter it, for example by angling screens away from walkways and using privacy filters
  • Verifying the credentials of unfamiliar people before letting them in, to prevent impersonation and tailgating through secured doors
  • Never writing passwords on pieces of paper left on or around a desk
  • Never leaving company-issued devices out in the open or unattended
  • Always locking or logging off company-issued computers when leaving a desk, even briefly

SME is here to help increase security posture and get rid of those sleepless nights, for any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.

Filed Under: Uncategorized

May 13, 2021 By SME, Inc.

Top Cybersecurity Terms Everyone Should Know

As often as some topic relating to cybersecurity is in the news, whether it’s online fraud, ransomware, the almost weekly report of a new data breach, or some serious new exploit or hack, one would assume that most of us would have the basic terminology memorized, right? Not exactly: as long as cyber attacks keep feeding the daily and weekly news cycle, there is always a new term or buzzword being thrown into the mix.

Our overall goal with this post is to take some of the most commonly used cybersecurity terms and lay them out as plainly as possible so that they are not only easy to understand, but easy to remember. We hope that in reading these terms, the next time you come across one while reading or hearing it, you’ll know exactly what it’s referring to.

  1. Software – a set of instructions that tells a computer how to perform a certain task. Also known as a program or application.
    Examples: Microsoft Office, Internet Explorer, Mobile Apps
  2. Hardware – The physical components of a computer, or other device.
    Examples: Motherboard, CPU, RAM, Hard Drive
  3. Server – a computer that provides data or services to other computers (i.e. it serves other computers).
    Examples: Database server, Email server, Web server, Cloud server, File server
  4. The Cloud – computing resources (servers, storage and software) that a provider operates and that you reach over the Internet. The purpose is to store and process data remotely rather than on your own physical device; the data still lives on physical servers, just someone else’s.
    Examples: Apple iCloud, Amazon AWS, Dropbox, Google Apps, Microsoft Office Online
  5. Virtual Private Network (VPN) – a tool or service that protects your privacy online by encrypting the traffic between your device and the VPN provider’s server and hiding your real IP address and location from the sites you visit. Note that the VPN provider itself can see that traffic, and a VPN does nothing to stop phishing or malware.
    Examples: NordVPN, ExpressVPN, IPVanish
  6. Domain – computers, printers, telephones, and other devices that are interconnected and administered with a common set of rules. Also known as a Network Domain.
    Not to be confused with Domain Name.
  7. Domain Name – unique, easy-to-remember address used to access websites.
    Examples: google.com, whitehouse.gov, smeinc.net
  8. IP Address – a numeric address that identifies a device on the internet or on a local network; the internet version of a home address for a computer. Public addresses are unique across the internet, while private ranges are reused inside local networks.
    Examples: 127.0.0.1 (the loopback address, meaning “this computer”), 192.168.0.1 (a private address typically used by a home or office router)
  9. MAC Address – a hardware identification number that uniquely identifies each device on a network. Commonly assigned by the manufacturer to a piece of network hardware (like a wireless card or an ethernet card).
    Example: 00:1B:44:11:3A:B7
  10. Data Breach – an incident that exposes confidential or protected information. A breach might involve the loss or theft of your Social Security Number, bank account or debit/credit card numbers, personal health information, passwords or email.
    Examples: Target, Equifax, LinkedIn
  11. Exploit – a program, or code, designed to take advantage of a specific security flaw or vulnerability in an application or computer system, typically for malicious purposes such as installing malware.
    Examples: EternalBlue, the Windows SMB exploit that the WannaCry and Petya/NotPetya malware used to spread
  12. Malware – short for malicious software, malware is an umbrella term for a number of malicious software variants designed to cause harm to computers and computer users.
    Examples: viruses, trojan horses, worms, adware, ransomware, rootkits, and spyware.
    1. Virus – a type of malware, malicious code or a program, written to alter the way a computer operates and designed to spread from one computer to another by attaching itself to other files or programs. Many well-known names are loosely called “viruses” but are more precisely classed as worms, ransomware or trojans (see below).
      Examples: Melissa, ILOVEYOU; Code Red and Slammer are worms, CryptoLocker is ransomware and Zeus is a trojan
    2. Trojan Horse – a type of malware disguised as legitimate software so that the user installs it themselves. Unlike a virus or worm, a trojan does not spread on its own.
      Examples: Zeus, Emotet; common varieties are backdoor, fake antivirus, keylogger and mailfinder trojans.
    3. Worm – a type of malware that spreads copies of itself from computer to computer over a network, typically without any user action.
      Examples: Morris Worm, Koobface, SQL Slammer, Stuxnet, WANK.
    4. Adware – software that displays unwanted advertisements on your computer. Adware programs will tend to serve you pop-up ads, can change your browser’s homepage, add spyware and spam your device with advertisements.
      Examples: Fireball, Gator, DeskAd, DollarRevenue, Appearch
    5. Ransomware – a constantly evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.
      Examples: WannaCry, CryptoLocker, Bad Rabbit, Petya, Locky, Jigsaw
    6. Spyware – malicious software designed to enter your computer device, gather data about you, and forward it to a third-party without your consent.
      Examples: CoolWebSearch, Zlob, Gator, TIBS Dialer, Internet Optimizer.
    7. Rootkit – a program designed to provide continued privileged access to a computer while actively hiding its presence from the user and from security tools.
      Examples: NTRootkit, HackerDefender, Machiavelli, Stuxnet, Flame, Zeus.
  13. Bot/Botnet – networks of hijacked computer devices (“bots”) that are used to carry out various scams and cyberattacks.
    Examples: Mirai, Mariposa, Kraken, 3ve.
  14. Denial of Service (DoS) – a malicious attempt to overwhelm a server or web property with traffic or requests in order to disrupt its normal operations.
  15. Distributed Denial of Service (DDoS) – a DoS attack launched from many sources at once, typically a botnet, to overwhelm the target or its surrounding infrastructure with a flood of Internet traffic.
  16. Phishing/Spear Phishing – a type of social engineering attack, usually by email, that tricks the user into revealing data such as login credentials or credit card numbers, or into running malware. Spear phishing is the targeted version, crafted for one specific person or organization.
  17. Social Engineering – the art of manipulating people so they give up confidential information or take an action that helps the attacker.
  18. Clickjacking – an attack that tricks a user into clicking something other than what they see, typically by overlaying an invisible frame of another site on top of a harmless-looking page.
  19. White Hat Hacker – an ethical computer hacker, or a computer security expert, who specializes in penetration testing and other testing methodologies that ensure the security of an organization’s information systems.
  20. Black Hat Hacker – a hacker who violates computer security for personal profit or out of malice.

We at SME hope that these definitions will help you know exactly what is being referred to the next time you come across one of these terms.

SME is here to help increase security posture and get rid of those sleepless nights, for any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.

Filed Under: Uncategorized

    Simply Making IT Easier!™
    Local: 703-378-4110
    Toll Free: 855-2-SMEINC
    Email: info [at] smeinc.net

    Copyright © 2023 · Systems Management Enterprises, Inc. · Privacy Policy · Terms of Service