SME, Inc.


September 13, 2021 By SME, Inc.

Security Awareness Training from a CSAP Professional

Ransomware, phishing, password cracking, social engineering—these are all REAL threats, and they are only getting worse as cyber criminals get better. If you are a DoD contractor, it’s time to get your staff on the same security page. If your staff isn’t trained in cybersecurity hygiene, then they’re putting your entire organization at risk.

As part of CMMC compliance, Security Awareness and Training (AT) is one of the 17 domain requirements that companies seeking CMMC maturity certification level 2 or higher must meet before working on government contracts.

The requirement means that you have to have an effective cybersecurity training program in place. There are five AT practices broken into two capabilities: C011 Conduct Security Awareness Activities and C012 Conduct Training. Here’s a look at how the practices are broken out.

C011 includes two practices:

AT.2.056: Cybersecurity awareness training for all users

This practice ensures that managers, system administrators, and users of company systems are conscious of the various security risks related to their activities, and the procedures, standards, and policies related to the security of those systems.

Contractors can comply with this DoD CMMC requirement by conducting an annual cybersecurity awareness training. This training program must be customizable and should come with links to a company’s security policies and the contact information of its security department.

AT.3.058: Provide cybersecurity awareness training to identify and report possible insider threats

Contractors handling controlled unclassified information (CUI) must conduct insider threat training as part of their cybersecurity initiative. The training must identify the risk factors that can lead someone to become an insider threat, and it must provide a less formal way of reporting potential threats so that reporting does not feel like discriminating against friends and colleagues.

C012 includes these four practices:

AT.2.057: Ensure that cybersecurity personnel are properly trained to perform their security-related tasks and responsibilities.

Contractors should implement security training designed for system administrators, help desk, developers, and testers. Cybersecurity personnel should also possess security certifications such as a Certified Information Systems Security Professional (CISSP).

AT.4.059: Offer security awareness training designed to detect and respond to threats from suspicious behavior, breaches, advanced persistent threats (APTs), and social engineering. This security awareness training must be updated at least once a year, or if new threats are discovered. (Meant for certification levels 4 or higher)

To meet the requirements of this practice, contractors must conduct security awareness training sessions that focus on tactics used by APT actors. The goal of this practice is for companies to go beyond basic cybersecurity practices and broaden their cyber defenses against more advanced attacks.

AT.4.060: Practical exercises must be included in security awareness training modules. These exercises should be aligned with the latest threat scenarios and must offer feedback to personnel involved in the training. (Meant for certification levels 4 or higher)

This practice is designed to enhance a contractor’s security awareness training by including exercises associated with real-world threats. Also, the requirement to provide feedback is to ensure contractors are being proactive in measuring the value provided by these security exercises.

How you get trained is important too. SME’s CMMC experts are Certified Security Awareness Practitioners, or CSAP. Our security awareness training program includes everything you need to select the right content, deploy your training, and obtain detailed reporting on progress and completion. Don’t put off this important CMMC certification requirement. Our training programs are easy to arrange and affordable. Start your Security Awareness and Training domain requirement today!

Filed Under: Uncategorized

August 25, 2021 By SME, Inc.

CMMC is Here and It Isn’t Going Away…So Get Ready

The Cybersecurity Maturity Model Certification program (CMMC) is ramping up this summer—even though approved CMMC Third-Party Assessment Organizations (C3PAOs) are in short supply and timelines are ever evolving. These hiccups might have you thinking you have all the time in the world to start your CMMC certification. Unfortunately, that assumption just isn’t correct.

CMMC isn’t going away. Though the organizations waiting to receive their C3PAO status are stacking up, so are the thousands of DoD contractors who are waiting to achieve CMMC certification. Having the right controls in place isn’t something you can wing or pencil-whip your way around. Now is the time to save your place in line so you don’t miss out on opportunities for government contracts. Here are five steps you can take now to get closer to CMMC compliance.

Get to Know Your Data

Not every piece of data that resides in a contractor’s IT systems is classified—and it doesn’t have to be. In fact, CMMC largely focuses on protecting controlled unclassified information, or CUI. CUI data covers a wide range of information, including software executable code, source code, technical reports, studies, analysis, intellectual property, engineering drawings, tax-related information, and much, much more.

Test Your Backups

Are you prepared to recover from an event that might compromise the integrity or availability of your data? Backing up all content—not just CUI—is a CMMC requirement. A loss of data can significantly impact your operations, and, depending on CMMC level, impact national security. Now is the time to test your backup systems and determine their functionality.

System recovery is a key focus of CMMC, specifically the ability to recover from any event that compromises the integrity and availability of data. The requirement is to backup all content, not just controlled unclassified information (CUI) and other critical content.

Create an Incident Response Plan

Speaking of recovering from an event, contractors with level 2 or higher CMMC requirements must have an incident response plan in place that proves your ability to detect, respond, analyze, report, and test incidents.

Practice Daily Cybersecurity Hygiene: That Means Everybody

CMMC success starts with every single person in your organization practicing cyber hygiene at all times. From the front desk to the C-Suite, ensuring cybersecurity in your government contracting business is everyone’s responsibility. This goes beyond checking off the usual boxes of password updates and identifying phishing emails. Your firm needs to be right 100% of the time for cybersecurity. Attackers only need to be right one time—that one time they are able to detect a weakness and move in for the kill.

There are 5 levels of CMMC cybersecurity hygiene, and each has its own requirements. Level 1 is basic cyber hygiene and includes 17 practices from NIST standards that companies should already be practicing when working for the DoD. They go up from there to Level 5, which includes 171 practices. These organizations have an advanced, progressive cybersecurity system in place and can assess and prevent advanced threats.

Even if CMMC wasn’t a requirement for DoD contractors—you should be practicing cybersecurity hygiene anyway! With high-profile ransomware and leakware attacks making the headlines in increasing fashion, it’s not a matter of if, but when a compromise will take place.

Communicate with your Subcontractors

In addition to your own internal team, getting your subcontractors on the same page is also crucial to CMMC success—and it’s a requirement. Weaknesses in the DoD supply chain are most prevalent several levels down from the prime contractor. If you are a prime, know this: you are obligated to educate your subcontractors on the proper CMMC requirements and where CUI lives on your systems so they can begin their CMMC journey as well.

With thousands of DoD contractors already waiting to achieve CMMC certification, you don’t want to find yourself at the back of the line. No matter where you are in the process, SME can help you navigate it. We’re experts in CMMC certification requirements and implementation. Give us a call at 703-378-4110 or email info@smeinc.net.

Filed Under: Uncategorized

July 28, 2021 By SME, Inc.

SME Compliance Management

Cybersecurity and Compliance Made Easy

Do you have a compliance action plan in place? With 171 sub-controls across five levels, CMMC compliance can seem overwhelming—even more so for contracts with higher level requirements. SME’s Compliance Management Platform makes compliance easy for DoD contractors to maintain their eligibility.

What is SME’s Compliance Management Platform?

Our state-of-the-art Compliance Management Platform is a dashboard-driven tool that helps your organization crosswalk from NIST 800-171 to CMMC, at any maturity level. The platform gives you the visibility you need to know the real-time status of your programs—across all lines of business—and makes it easy to assess, build, manage, connect, and report all of your cybersecurity functions. Here’s a look at some of the features.

Assessment Manager

Predefined or customized templates. The questionnaire-based Assessment Manager in SME’s Compliance Management Platform allows you to evaluate your cybersecurity posture quickly and easily. You can fast-track assessments using the Platform’s predefined templates or customize your own to match your unique needs.

One-click reporting. The reports feature improves visibility for all your stakeholders, including auditors, executives, and the Board of Directors. And you can transfer the results of your assessment to a program to get a head start on compliance, management, and remediation.

Create a full program. Transfer your completed assessment results and evidence into a full program. There you can manage remediation tasks and workflows, monitor compliance progress and budgets—and create additional reports.

Harmony

As your cybersecurity program matures, the Harmony feature of the Platform makes it easy for you to add and manage multiple frameworks as one mapped program without duplicating your efforts. This means you can consolidate thousands of subcontrols from an entire library of frameworks, making your cybersecurity and compliance efforts much more efficient. In fact, you could see a reduction in cost, time, and effort of 60% and gain a head start on compliance with:

Unlimited combinations. Crosswalk frameworks in unlimited combinations.

One-click reporting. Easy report feature for consolidated analysis of mapped programs supports a wide variety of recurring and ad hoc reporting needs.

Flexible monitoring. Monitor and report on combined and individual frameworks.

Streamlined maintenance. Data replication across subcontrols in both the mapped program and standalone frameworks.

Automatic uncoupling. If you need to remove a framework from a mapped program, the Compliance Management Platform will automatically uncouple its subcontrols, which remain in each standalone framework.

For a seamless execution of your CMMC strategy, let SME’s robust Compliance Management Platform be your competitive advantage. To start your compliance action plan today, give me a call at (571) 601-1496 or email info@smeinc.net.

Filed Under: Uncategorized

June 11, 2021 By SME, Inc.

What’s the Latest in CMMC?

You know about the CMMC Interim Rule that went into effect November 30, 2020 bringing several important changes to the Department of Defense’s cybersecurity requirements. Are you ready to jump into action? You should have already reported your NIST SP 800-171 self-assessment score through the Supplier Performance Risk System (you did that, right?) Assuming you’ve completed this important first step, what should you do now? 

System Security Plan

You’ll want to create a System Security Plan (SSP) that summarizes how you are compliant with the NIST 800-171 controls. The SSP might include:

  • Outlining the controls.
  • Defining each control within the environment.
  • Documenting the successful implementation of each control.
  • Describing the testing procedures.

Plan of Actions and Milestones

If your self-assessment shows that not all 110 controlled unclassified information (CUI) controls in NIST SP 800-171 have been implemented, you’ll also have to create a Plan of Actions and Milestones (POA&M). This is a detailed strategy for how, and when, your organization will remediate the gaps. Important components of the POA&M should include:

  • Identifying the underlying security weakness revealed in the assessment.
  • Classifying risk levels of each weakness.
  • Determining the extent of each weakness within the environment.
  • Creating a planned approach to mitigation.
  • Determining the resource(s) responsible for mitigating each weakness.
  • Maintaining detailed, clear documentation.

The POA&M is your organization’s roadmap to official certification and is proof of your commitment to remediate any security weaknesses—so make it count. An audit will uncover a weak effort and could delay your certification, putting you at risk of losing a contract.

Maturity

You are one step closer to compliance once you fully implement your POA&M. However, keep in mind that it could take anywhere from nine to 12 months to completely execute. The sooner you create your POA&M, the more maturity you’ll have. And the more mature your cyber environment, the less of a risk you present.

For primes and subcontractors, patience and flexibility are necessary as the process unfolds over a phased five-year rollout of CMMC. Let SME help you get through it. We’re experts in CMMC certification requirements and implementation. We can help you complete and review your self-assessment, SSP, and POA&M. Give us a call at 703-378-4110 or email info@smeinc.net.

#GovConClub

Filed Under: Uncategorized

May 28, 2021 By SME, Inc.

Ransomware

In the weeks following the Colonial Pipeline attack, many of us have probably become aware that ransomware attacks are a serious concern we all face. Many cyber-criminals are agnostic about who they target with ransomware: victims can range from large multinational corporations to local hospitals, even individuals like you or me, and, in this most recent instance, highly critical U.S. infrastructure. This attack had a direct effect on millions of Americans and led to long lines at the gas pump and even gas shortages in some states along the Eastern Seaboard.

Headlines, news stories, and anxiety about how soon a fix would be implemented were on the minds of many of us during the weeks after the attack. In the end, Colonial Pipeline paid the hackers roughly $4.4 million to have their data decrypted.

However, after all of the stories, and buzz about the incident, many people may still be wondering what exactly ransomware is, how it works, and why it is becoming more popular for cyber-criminals. Our goal for this post is to provide some answers to these questions.

What is Ransomware?

Ransomware is a form of malware, or virus, that encrypts data and files on a victim machine, preventing users from accessing their files. When ransomware infects a system, it starts searching for files and then begins encrypting them; oftentimes it will encrypt all of the files on the machine. Attackers hold the key that can decrypt the files, which they commonly offer to hand over once a ransom payment has been made, but there is no guarantee that they will.

Most ransomware will display a ransom notice or pop-up to users, usually by replacing their desktop background image or placing a text file with instructions in the folders it has encrypted. The ransom notice demands payment, which may be anywhere from hundreds to several thousand dollars, most typically in cryptocurrency to keep the transaction anonymous and untraceable.

How Does Ransomware Work? 

Ransomware can enter a network in several different ways, the most common of which is being downloaded; other infections come through social engineering. These downloads can come in the form of email attachments, or programs that are disguised to perform a specific function or task but in fact carry the ransomware. Once downloaded, the ransomware program begins attacking the system: it encrypts all of the data and files on the system, adds a new file extension to the files, and makes them inaccessible and unusable. There are even more sophisticated variants of ransomware that can spread themselves throughout networks and systems without human interaction, much like a computer worm.
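The behaviour just described, one process rapidly renaming files to a new extension and leaving instruction files in the folders it has touched, is also what a defender can look for on a file server. The Python script below is an added example, not SME’s tooling or code from the original post: it runs a simple rename-burst heuristic over a constructed file-system audit log. The log format, process IDs, paths, thresholds, and the `.locked` extension are all assumptions made up for the demo.

```python
"""Rename-burst heuristic for the ransomware behaviour described above.
Added example (not SME's code). The audit-log format, paths, process IDs,
thresholds and the ".locked" extension below are constructed for the demo."""
import re
from collections import defaultdict, deque

# Extensions this (hypothetical) file share normally holds.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".md"}
RENAME_BURST = 5      # alert when one process makes this many suspicious renames ...
WINDOW_SECONDS = 60   # ... within this many seconds
# File names that look like ransom notes. "readme" also matches legitimate files,
# so the note rule only fires for a process that is already renaming files.
NOTE_PATTERN = re.compile(r"readme|how_to|restore|recover|decrypt", re.IGNORECASE)

# Constructed audit-log line format: "<epoch> <pid> <op> <path> [<new_path>]"
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(WRITE|CREATE|RENAME)\s+(\S+)(?:\s+(\S+))?$")

# Constructed sample: a backup job (777), a developer (900) and a noisy process (4242).
SAMPLE_LOG = """\
1000 777 WRITE /srv/share/finance/q1.xlsx
1001 777 RENAME /srv/share/finance/q1.xlsx /srv/share/finance/q1.xlsx.bak
1002 900 CREATE /srv/share/dev/README.md
1100 4242 RENAME /srv/share/finance/q1.xlsx /srv/share/finance/q1.xlsx.locked
1101 4242 RENAME /srv/share/finance/q2.xlsx /srv/share/finance/q2.xlsx.locked
1102 4242 RENAME /srv/share/finance/budget.pdf /srv/share/finance/budget.pdf.locked
1103 4242 CREATE /srv/share/finance/RESTORE_FILES.txt
1104 4242 RENAME /srv/share/hr/handbook.docx /srv/share/hr/handbook.docx.locked
1105 4242 RENAME /srv/share/hr/payroll.csv /srv/share/hr/payroll.csv.locked
1106 4242 CREATE /srv/share/hr/RESTORE_FILES.txt
"""


def parse_line(line):
    """Return a dict for a well-formed event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, op, path, new_path = m.groups()
    return {"ts": int(ts), "pid": int(pid), "op": op, "path": path, "new": new_path}


def extension(path):
    """Lower-cased final extension of a path ("" if there is none)."""
    name = path.rpartition("/")[2]
    return name[name.rfind("."):].lower() if "." in name else ""


def analyse(log_text):
    """Return a list of alert strings for the events in log_text."""
    alerts = []
    renames = defaultdict(deque)   # pid -> timestamps of suspicious renames in window
    note_dirs = defaultdict(set)   # pid -> directories where a note-like file appeared
    burst_alerted, note_alerted = set(), set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        pid, ts = ev["pid"], ev["ts"]
        if ev["op"] == "RENAME" and ev["new"]:
            old_ext, new_ext = extension(ev["path"]), extension(ev["new"])
            # Suspicious: the extension changed to one the share has never held.
            if new_ext and new_ext != old_ext and new_ext not in KNOWN_EXTENSIONS:
                window = renames[pid]
                window.append(ts)
                while ts - window[0] > WINDOW_SECONDS:   # drop events outside the window
                    window.popleft()
                if len(window) >= RENAME_BURST and pid not in burst_alerted:
                    burst_alerted.add(pid)
                    alerts.append(f"pid {pid}: {len(window)} renames to unfamiliar "
                                  f"extension {new_ext} within {WINDOW_SECONDS}s")
        elif ev["op"] == "CREATE":
            directory, _, name = ev["path"].rpartition("/")
            if NOTE_PATTERN.search(name):
                note_dirs[pid].add(directory)
                # A note in several folders, from a process that is also renaming files.
                if len(note_dirs[pid]) >= 2 and renames[pid] and pid not in note_alerted:
                    note_alerted.add(pid)
                    alerts.append(f"pid {pid}: note-like file {name!r} dropped in "
                                  f"{len(note_dirs[pid])} directories")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print("ALERT", alert)
```

Run as-is it reports two alerts, both for process 4242; the backup job’s single rename to `.bak` and the developer’s `README.md` stay below the thresholds. In practice the extension allow-list and the thresholds are tuned per share, and an alert of this kind is a trigger to isolate the host and check backups, not a verdict on its own.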

Ransomware’s Rise in Popularity

Ransomware attacks have grown in popularity in recent years for several reasons. The most likely reason is that, more often than not, ransomware victims end up paying to have their data decrypted, so cyber-criminals see it as an easy way to make money.

Some other reasons that it is becoming more widespread:

  • Use of new techniques for encrypting data (encrypting the entire drive instead of just certain files)
  • Ransomware and other malware kits that can be used to create malware on demand are becoming more readily available
  • Malware and ransomware creators are becoming more sophisticated in their design and development; many use generic interpreters and cross-platform technologies so the malware can reach more victims.
  • Ransomware and other forms of malware are becoming easier and easier to use. Cybercriminals do not have to be tech savvy in order to use, send, or spread the ransomware.
  • Ransomware marketplaces can be easily found online, offering different variants of malware/ransomware that can be purchased and used however the buyer chooses.

There is a silver lining to this cloud: ransomware can be mitigated and even prevented. If you would like to read more about this, check out one of our previous posts: Ransomware Prevention: Backups & Data Recovery.

SME offers both Managed Backup solutions and Cloud Backup Storage solutions that ensure reliable backups of your data. For any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.

Filed Under: Uncategorized

May 25, 2021 By SME, Inc.

Security Awareness Training Tips

A fact that many businesses and organizations have difficulty accepting is that their employees are one of the biggest risks to their overall security posture. Human error is still considered the leading cause of data breaches and compromises.

However, with proper Security Awareness Training that provides the fundamental understanding and knowledge needed to identify threats, your employees can act as another line of defense altogether, and even become one of your greatest assets. When designing, developing, and implementing a Security Awareness Training program, it is vital to take into consideration all of the cyber threats that your organization is most likely to face, and to address those directly with your employees.

The goal of this post is to discuss some of the more common Security Awareness Training program topics.

Phishing

I’m sure many of you reading this have received a call about your car’s extended warranty, or a call from the IRS or Social Security Administration. Phishing scams are still one of the most common attack methods that cyber criminals use to gain access to an organization’s network and resources. These threat actors play on fear, emotions, or empathy in order to take advantage of human nature: our inherent ability to trust others and our ingrained need to help those in need. They do this by creating a sense of urgency or fear, or by offering some sort of incentive like free stuff, “Stays at the Hamptons”, or “A free cruise”.

Password Security

Passwords are still the main authentication measure used by organizations, and poor password security can be one of the biggest threats to enterprise-level security. A large majority of your employees can have upwards of a dozen or more accounts that require a username (most typically their email address) and a password. The following tips are very important to include in training content.

  • Passwords should be randomly generated
  • Always use a different, unique password for each online account
  • Passwords should contain a combination of letters, numbers, and symbols
  • To make managing all of these accounts easier, use a password manager
  • When possible, always use Two-Factor or Multi-factor Authentication to reduce the risk of compromised passwords

Safe Internet Habits

Almost every employee in the workplace, especially in tech, has access to the internet. Security Awareness Training programs should incorporate safe internet habits in and outside of the workplace to further protect the network and your employees from threat actors.

  • Ability to spot, and recognize spoofed domain names
  • What the difference between HTTP and HTTPS is and why it is important
  • The potential dangers of downloading software from untrusted or suspicious websites
  • The inherent risks and dangers of entering login credentials into suspicious or untrusted websites
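Spotting a spoofed domain name, the first item in the list above, can be partly automated so that employees are not the only line of defense. The Python below is an added example, not code from the original post or from SME: it decodes punycode, collapses common look-alike characters, and classifies a hostname against a short list of trusted domains. The trusted domains, the confusables table, and the two-label rule for the registrable domain are simplifying assumptions made for the demo; a production check would use the public-suffix list and the full Unicode confusables data.

```python
"""Look-alike domain check for the "spoofed domain names" training topic.
Added example (not SME's code). TRUSTED, the confusables table and the
two-label registrable-domain rule are simplifying assumptions for the demo."""
import unicodedata

# Assumed list of the organisation's own domains (constructed for the demo).
TRUSTED = {"smeinc.net", "example-bank.com"}

# Characters that render like Latin letters: a few Cyrillic letters plus the
# digit-for-letter swaps seen in typosquats. Deliberately small, not exhaustive.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l", "3": "e", "5": "s",
})


def to_unicode(hostname):
    """Lower-case, drop a trailing dot and decode punycode (xn--) labels."""
    host = hostname.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode: compare as given


def skeleton(domain):
    """Collapse a name to the shape a human sees; used for comparison only."""
    s = unicodedata.normalize("NFKC", domain).translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")


def registrable(host):
    """Assumption: the registrable domain is the last two labels."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, trusted=TRUSTED):
    """Return one of: trusted, trusted-name-as-subdomain, lookalike, typosquat, unknown."""
    host = to_unicode(hostname)
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    # e.g. smeinc.net.login-portal.example: our name reused as a subdomain elsewhere
    for t in trusted:
        if f".{t}." in f".{host}.":
            return "trusted-name-as-subdomain"
    sk = skeleton(reg)
    for t in trusted:
        if sk == skeleton(t):
            return "lookalike"
    for t in trusted:
        if edit_distance(sk, skeleton(t)) <= 1:
            return "typosquat"
    return "unknown"


if __name__ == "__main__":
    # Punycode form of "smeinc.net" with a Cyrillic "е" in place of "e" (constructed).
    homoglyph = "sm\u0435inc.net".encode("idna").decode("ascii")
    for h in ["smeinc.net", "mail.smeinc.net", homoglyph, "srneinc.net",
              "smeimc.net", "smeinc.net.login-portal.example", "github.com"]:
        print(f"{h:40} {classify(h)}")
```

The verdicts are meant to feed a mail filter or a browser warning, not to replace training: a name flagged as `lookalike` or `typosquat` is the one to show employees with an explanation, and `unknown` simply means the host is unrelated to the trusted list.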

Social Networking Risks

More and more organizations are using social media as a form of customer service, a way to connect and build relationships with their customers, and even a way to generate online sales. Unfortunately for them, cybercriminals have also started utilizing social media to create another attack surface that can put organizations’ reputations and systems at risk.

An organization’s Security Awareness Training program should have a section that focuses on social networking; it should limit the use of social networking on premises and should inform and train employees on the threats that social media can present online.

Removable Media

Removable media such as CDs and USB drives can be useful to organizations for sharing and transferring documents; however, they can also be very useful for cybercriminals. Threat actors can use them to get malware past an organization’s security measures and defenses. Malware can easily be installed on the media and configured to execute automatically, or the file can be given an enticing name to trick employees into clicking and opening it. Such malicious media can be used to install malware like ransomware, steal data, and even destroy the system they are plugged into.

  • Inform employees to never plug or insert untrusted removable media into a computer 
  • Take any untrusted device to IT or Security Team for scanning and approval
  • IT/Security Team should disable autorun on all computers

Clean Desk Policy

Organizations should take time to inform their employees of Clean Desk Policies. What this means is that employees do not leave sensitive information out on their desk for passersby or others to glance at. This information can be in the form of printouts, papers, sticky notes, etc., that can be easily taken by thieves or seen by prying eyes. Before leaving a workspace, all sensitive and confidential information should be securely stored.

Physical Security

Security Awareness does not just apply to computers or other electronic devices; employees should also be made aware of the potential physical security risks in the workplace.

  • Employees should be made aware of what “shoulder surfing” is, and how to counteract it
  • Employees should be made aware to verify other people’s credentials to prevent “impersonation”
  • Employees should not leave passwords written on pieces of paper on their desk
  • Employees should not leave company-issued devices out in the open
  • Employees should lock or log off company-issued computers when leaving their desk

SME is here to help increase your security posture and get rid of those sleepless nights. For any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.

Filed Under: Uncategorized

May 23, 2021 By SME, Inc.

Security Awareness Training Tips


Filed Under: Uncategorized

May 13, 2021 By SME, Inc.

Top Cybersecurity Terms Everyone Should Know

As often as some topic relating to cybersecurity is in the news, whether it’s online fraud, ransomware, the almost weekly discussion of a new data breach, or some serious exploit or hack, one would assume that many of us would have some of the basic terminology memorized, right? Not exactly; as long as cyber attacks continue to fill the daily or weekly news cycle, there is always a new term or buzzword thrown into the mix.

Our overall goal with this post is to take some of the most commonly used cybersecurity terms and lay them out as plainly as possible so that they are not only easy to understand, but easy to remember. We hope that in reading these terms, the next time you come across one while reading or hearing it, you’ll know exactly what it’s referring to.

  1. Software – a set of instructions that tells a computer how to perform a certain task. Also known as program, or application.
    Examples: Microsoft Office, Internet Explorer, Mobile Apps
  2. Hardware – The physical components of a computer, or other device.
    Examples: Motherboard, CPU, RAM, Hard Drive
  3. Server – A computer that provides data to other computers (i.e., it serves other computers).
    Examples: Database server, Email server, Web server, Cloud server, File server
  4. The Cloud – the cloud is nothing more than a set of high-capacity storage servers that are accessed over the Internet. The purpose is to store and access data remotely rather than on your own physical device.
    Examples: Apple iCloud, Amazon AWS, Dropbox, Google Apps, Microsoft Office Online
  5. Virtual Private Network (VPN) – a tool or service that protects your information and privacy online by protecting your internet connection. VPNs do this by masking your location and encrypting web traffic.
    Examples: NordVPN, ExpressVPN, IPVanish
  6. Domain – computers, printers, telephones, and other devices that are interconnected and administered with a common set of rules. Also known as a Network Domain.
    Not to be confused with Domain Name.
  7. Domain Name – unique, easy-to-remember address used to access websites.
    Examples: google.com, whitehouse.gov, smeinc.net
  8. IP Address – a unique address that identifies a device on the internet or a local network. The internet version of a home address for a computer.
    Examples: 127.0.0.1, 192.168.0.1
  9. MAC Address – a hardware identification number that uniquely identifies each device on a network. Commonly assigned by the manufacturer to a piece of network hardware (like a wireless card or an ethernet card).
    Example: 00:1B:44:11:3A:B7
  10. Data Breach – an incident that exposes confidential or protected information. A breach might involve the loss or theft of your Social Security Number, bank account or debit/credit card numbers, personal health information, passwords or email.
    Examples: Target, Equifax, LinkedIn
  11. Exploit – a program, or code, designed to discover and take advantage of a security flaw or vulnerability in an application or computer system, typically for malicious purposes such as installing malware.
    Examples: EternalBlue, WannaCry, Petya/NotPetya
  12. Malware – short for malicious software, malware is an umbrella term for a number of malicious software variants designed to cause harm to computers and computer users.
    Examples: viruses, trojan horses, worms, adware, ransomware, rootkits, and spyware.
    1. Virus – a type of malware that can be either malicious code or a program written to alter the way a computer operates and is designed to spread from one computer to another.
      Examples: Code Red, ILOVEYOU, Slammer, CryptoLocker, Zeus
    2. Trojan Horse – a type of malware that is often disguised as legitimate software.
      Examples: Backdoor Trojan, Fake Antivirus Trojan, Keylogger Trojan, Mailfinder Trojan.
    3. Worm – a type of malware that spreads copies of itself from computer to computer.
      Examples: Morris Worm, Koober, SQL Slammer, Stuxnet, WANK.
    4. Adware – software that displays unwanted advertisements on your computer. Adware programs will tend to serve you pop-up ads, can change your browser’s homepage, add spyware and spam your device with advertisements.
      Examples: Fireball, Gator, DeskAd, DollarRevenue, Appearch
    5. Ransomware – a constantly evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.
      Examples: WannaCry, CryptoLocker, Bad Rabbit, Petya, Locky, Jigsaw
    6. Spyware – malicious software designed to enter your computer device, gather data about you, and forward it to a third-party without your consent.
      Examples: CoolWebSearch, Zlob, Gator, TIBS Dialer, Internet Optimizer.
    7. Rootkit – a computer program designed to provide continued privileged access to a computer while actively hiding its presence.
      Examples: NTRootkit, HackerDefender, Machiavelli, Stuxnet, Flame, Zeus.
  13. Bot/Botnet – networks of hijacked computer devices (“bots”) that are used to carry out various scams and cyberattacks.
    Examples: Mirai, Mariposa, Kraken, 3ve.
  14. Denial of Service (DoS) – a malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations.
  15. Distributed Denial of Service (DDoS) – a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
  16. Phishing/Spear Phishing – a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.
  17. Social Engineering – the art of manipulating people so they give up confidential information.
  18. Clickjacking – attack that tricks victims into clicking on an unintended link or button, usually disguised as a harmless element.
  19. White Hat Hacker – an ethical computer hacker, or a computer security expert, who specializes in penetration testing and other testing methodologies that ensure the security of an organization’s information systems.
  20. Black Hat Hacker – a hacker who violates computer security for personal profit or out of malice.

We at SME hope that these definitions of commonly used terms will help you know exactly what is being referred to the next time you hear one of them.



April 30, 2021 By SME, Inc.

10 Tips to Reduce Cyber Attacks

It may come as no surprise to many of us that cyber attacks across the globe are on the rise. As more devices and systems are connected to the internet, and people continue to share or store personal data on these devices and systems, extra attack surfaces are created that hackers can use to try to steal this data.

Some common examples of cyber attacks and types of data breaches are:

  • Malware
  • Phishing
  • Spamming
  • Spoofing
  • Spyware
  • Trojan Horses
  • Viruses
  • Rootkits
  • Zero Days
  • Identity Theft
  • Extortion
  • Ransomware
  • Denial-of-Service (DoS)
  • Distributed Denial-of-Service (DDoS)
  • Stolen hardware/software
  • Password sniffing
  • Breach of access/access controls
  • Website defacement
  • Web browser exploits
  • IM/Email Spamming
  • Intellectual Property theft
  • System infiltration
  • Cross-Site Scripting (XSS)
  • Credential Reuse Attack
  • SQL Injection
  • IoT Based Attack
  • Wi-Fi Cracking

As you can tell from this list, there are many ways hackers can get into our systems and steal our data. To adequately protect not only ourselves, but also our business or organization, from any of these possible cyber attacks, we must first understand what a cyber attack is.

NIST’s Computer Security Resource Center describes a cyber attack as:

An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

One might ask, “what can I do to protect myself, or my business from a possible cyber attack?”. How can you prevent, or at least make it more difficult for hackers to exploit your systems, and steal your data?

Our goal with this post is to provide a short list of the top 10 tips a business can follow to increase the security posture of its business or workforce.

1. Keep Software and Systems Up-to-Date

Most cyber attacks occur because our software or systems are not up to date or fully patched, which leaves weaknesses in systems, known as vulnerabilities. These vulnerabilities can then be exploited by hackers in order to gain access to the system and eventually to the network; and once they are in, it is often too late.

2. Security Awareness Training for Staff/Employees

Users will always be the weakest link in the security chain, and will almost certainly be the most common way hackers get access to private systems and data. For hackers, phishing and social engineering are still very common entry points into company networks. Employees need to be regularly trained on common security awareness techniques like checking links before clicking them, and checking email addresses from supposed senders. 

3. Install and Configure a Firewall

Putting your company’s network behind a firewall can prove to be one of the more effective ways to defend from a cyber attack. A well configured firewall can provide protection against hackers by shielding your company’s computers or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from infiltrating a computer or network via the internet.

4. Implement Endpoint Security

Endpoint security is the practice of securing the entry points of end-user devices such as desktops, laptops, and mobile devices from being exploited. Endpoint security systems secure these entry points on a network or in the cloud from cyber attacks. These paths need to be protected with specific endpoint protection software. 

5. Perform and Maintain Regular Backups

When a cyber attack does occur, it can often lead to disaster in the form of damages, theft of data or intellectual property, and loss of reputation. This is why it is crucial for data to be backed up in order to avoid not only serious downtime, but the loss of data and the potential for serious financial loss.

6. Perform Access Control

This may come as a surprise, but not all of the attack surfaces hackers can use are remote or reached from the internet; some are physical. Ensuring that only those who should have access to the company’s systems and networks actually do is imperative not only to business security but to business continuity. Another often overlooked risk is employees leaving unlocked desktops open while they are away from their desks. All it would take is an attacker inserting a USB device containing malware into that system to gain access to the machine or the entire network and infect it.

7. Wireless Security

Any device that connects to the internet can be infected; this means that if an infected device is connected to a company network, the entire network can subsequently become infected as well. Securing wireless networks, and hiding them, could be one of the most effective actions a company can take to keep its wireless systems secure.

8. Separate Accounts for Each User

Any time more than one user connects to the same account, this puts at risk not only the account’s credentials and the account itself, but also the network and the business. Each user should instead have a separate account, with their own set of login credentials for every application and program.

Ensuring that every staff member or employee has their own logins helps reduce the total number of attack surfaces that hackers can take advantage of. Businesses also get the benefit of increased usability, on top of the added layer of security.

9. Account & Access Management

Another often overlooked risk that many businesses face is allowing employees to install software, apps, or other programs onto business-owned devices. These installations can compromise the business’s systems and devices and further put the network and business at risk.

Restricting administrative rights, and blocking employees from installing software or even accessing certain data on the network, will provide greater overall security to the business.

10. Enforce Strong Passwords

As unfortunate as it is, it’s becoming more and more apparent that many employees reuse the same password for multiple logins. This habit, as convenient as it may seem, can turn out to be very dangerous for a business. Once a hacker has figured out an employee’s password, if the employee has set the same password for multiple accounts, then the hacker may have login access to those accounts as well.

Ensuring that employees use a different password for every login account they have, and enforcing a strong password policy, can be incredibly beneficial to a business’s security.



April 21, 2021 By SME, Inc.

The Importance of Cybersecurity in the Title Industry

Although the media headlines often highlight major data breaches of large corporations and government agencies, the majority of businesses being hacked are small businesses. Why is this the case?  Most small businesses do not have layers of security in place to protect them, so attackers consider them low hanging fruit. 

According to Verizon’s 2020 Data Breach Investigations Report, 28% of all cyber-attacks and data breaches in 2020 occurred in small businesses. And according to Fundera roughly 60% of all small businesses that are victims of a cyber-attack go out of business within six months.

As many of you are aware, the title industry is in the attacker’s direct line of fire.  The good news is that effective IT security is not beyond reach. Here are a few cybersecurity tips that can benefit your business.

There was a 424% increase in new small business cyber breaches in 2020.

Network Security

Implementing a network firewall with Intrusion Detection and Prevention capabilities (IDS/IPS) is crucial. A firewall protects your network from malicious traffic, and an IDS/IPS, when properly monitored, can stop an attacker in their tracks. Unmanaged systems do not provide adequate security. Attackers are working around the clock, and so should your security.

Performing regular network vulnerability testing, internally and externally, can identify risks giving you the opportunity to remediate before being hacked. Many of the common vulnerabilities identified include legacy or otherwise unsupported operating systems, poor patch management, and exposed systems.

It is essential that workstations, servers, and laptops are updated and patched on a regular basis. The WannaCry ransomware attack quickly infected 150 countries and targeted computers that were unpatched. It is important that not only Microsoft updates/patches are consistently applied, but that third-party software such as Adobe, Java, and Anti-Virus programs is maintained as well. There are managed systems available to ease administration and ensure that timely and consistent updating/patching occurs.

Back Up

Having a backup and understanding where your data is stored is critical. There are several backup scenarios available. Whichever scenario fits your business, the important factors remain the same: make sure your data is in a secure location, is encrypted during transit and storage, and regularly test that the data can be restored. You do not want to be in the position where your backup is needed and find that hardware is not available, that the time to recover is days or weeks longer than expected, or that it won’t restore properly. Consider keeping backups of your backups.

Security Policies and Procedures

With the ongoing concern about keeping business and client data safe, it is vital to have security policies and procedures in place. Employees need to understand what is expected of them and be given the proper tools and technology to safeguard business and client data. For many businesses, writing security policies and procedures can seem like a daunting task. There is no reason why you can’t start small and add to them. One simple yet very important policy is a password policy. According to Verizon’s 2018 Data Breach Investigations Report, 81% of hacking-related breaches leveraged either a stolen and/or weak password. Every password can be hacked; it is just a matter of how much time it takes. A basic 7-character password consisting of lower case letters can be cracked in seconds. The longer and more complex a password is, the longer it takes to crack. Make it difficult for the hackers and they will move on to lower hanging fruit.
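Two posts on this page make the same point: tip 10 above (“Enforce Strong Passwords”) and the password-policy advice in this paragraph, including the claim that a 7-character lowercase password falls in seconds. The Python below is an added example written for this page, not SME’s code or any standard. It computes the brute-force keyspace behind that claim, applies an illustrative policy (the 12-character and 3-class thresholds and the five-entry deny list are assumptions), and flags a password reused across accounts. The guess rate of 1e10 per second is an assumed figure for an offline attack on a fast, unsalted hash.

```python
import math
import string

# Constructed deny list standing in for a breached/common-password corpus
# (an assumption for this example; real policies check far larger lists).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Character classes and the size each one adds to the brute-force alphabet.
CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
]


def alphabet_size(password):
    """Size of the alphabet an attacker must brute-force, based on which
    character classes actually appear in the password."""
    return sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))


def class_count(password):
    """How many of the four character classes the password uses."""
    return sum(1 for chars, _ in CHARACTER_CLASSES if any(c in chars for c in password))


def keyspace_bits(password):
    """Exhaustive-search keyspace in bits: length * log2(alphabet size)."""
    size = alphabet_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def crack_time_seconds(password, guesses_per_second=1e10):
    """Worst-case seconds to exhaust the keyspace. The default guess rate is an
    assumed figure for an offline attack against a fast, unsalted hash."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def check_policy(password, min_length=12, min_classes=3):
    """Return the set of policy violations (an empty set means the password passes).
    The thresholds are example values, not a published standard."""
    violations = set()
    if len(password) < min_length:
        violations.add("too_short")
    if class_count(password) < min_classes:
        violations.add("too_few_classes")
    if password.lower() in COMMON_PASSWORDS:
        violations.add("common")
    return violations


def find_reused(credentials):
    """Group account names by identical password so reuse across logins shows up.
    Takes an {account: password} mapping (constructed sample input; in practice
    you would compare stored hashes or use a password manager's audit feature)."""
    by_password = {}
    for account, password in credentials.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample passwords: the 7-lowercase case from the text, a short
    # "complex" one, and a long passphrase.
    for pw in ("abcdefg", "Winter2021!", "Correct-Horse-Battery-9"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, "
              f"{crack_time_seconds(pw):,.0f} s worst case, violations={check_policy(pw)}")
    print(find_reused({"email": "Winter2021!", "vpn": "Winter2021!", "crm": "k9$Lq!2vBx#m"}))
```

The 7-lowercase case works out to 26^7, roughly 8 billion guesses, which at the assumed rate is under a second; the 23-character passphrase is over 150 bits and is out of reach of exhaustive search. Length dominates the arithmetic, which is why the policy check weights it above character mix.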

Multi-Factor Authentication

ALTA announced at the end of last year that they have added a requirement, effective January 2020, to the ALTA Best Practices for multi-factor authentication (MFA) to be enabled on all remotely hosted or remotely accessible systems storing, transmitting, or transferring non-public personal information. Multi-factor authentication provides another layer of security, as it requires a code to be entered when you log into a system or email from a different location. In the event an attacker is trying to log into your systems or email, you will be sent a notification with a code indicating that someone is accessing your systems from a different location. Without this code the attacker will not be successful, giving you time to go in and change your password and make sure your systems are secure. This announcement from ALTA shows that the Best Practices are not going anywhere and are more important than ever.
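The post does not say which kind of code is used to meet the MFA requirement; time-based one-time passwords (TOTP, RFC 6238) are one widely used option, and the Python below, added here as an example and not SME’s or ALTA’s code, shows how such a code is derived from a shared secret and the clock, and how a server verifies it with a small tolerance window and a constant-time comparison. The secret is the RFC 6238 reference test vector, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" as ASCII), shown in the
# base32 form an authenticator app is enrolled with. Test-vector data, not a real key.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def key_from_base32(secret_b32):
    """Decode the base32 secret shared at enrollment into raw key bytes."""
    return base64.b32decode(secret_b32.replace(" ", "").upper())


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, for_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key, submitted, now=None, step=30, window=1, digits=6):
    """Server-side check: accept the code for the current step and +/- `window`
    steps to absorb clock drift, comparing in constant time."""
    if now is None:
        now = time.time()
    counter = int(now) // step
    for delta in range(-window, window + 1):
        expected = hotp(key, counter + delta, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    key = key_from_base32(EXAMPLE_SECRET_B32)
    code = totp(key, time.time())
    print("current code:", code, "valid:", verify_totp(key, code))
    # A code from two minutes ago falls outside the +/- 30 s window and is rejected.
    print("stale code valid:", verify_totp(key, totp(key, time.time() - 120)))
```

A production verifier also records the last counter it accepted and refuses to accept the same code twice, as RFC 6238 recommends, so a code observed by an attacker cannot be replayed within the window.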

Security Awareness Training

Security Awareness Training, which is a required layer of security, is the missing link across many small businesses. All of the previously mentioned layers of security can be implemented; however, if your employees are not trained on how to recognize and handle everyday security risks, your business is still at serious risk. Employees are the number one target of attackers, who expect that they have not been given the necessary training and tools. One of the main problems the title industry is facing now is phishing emails. ALTA reported a 480% increase in wire fraud attacks in 2016, and many of these attacks involved phishing emails. Implementing a comprehensive and ongoing Security Awareness Training program is your best line of defense against these attacks. Educate and empower your employees; everyone is part of the security team!

It is very important that small businesses take proactive approaches to IT security. Avoiding the necessary steps is only going to increase your chances of falling victim to an attack. Implementing and maintaining the proper layers of security can be complex and requires knowledge of the ever-changing landscape of the IT security world. When choosing a company to assist your business, it is important to choose one with proven expertise in IT security. Cybersecurity threats are continuing to rise; now is the time to take action to protect your business and client data.

How SME Can Help

SME has been working with businesses in the title industry for several years, and our team of professionals understands not only the industry, but all the risks that the industry faces. Protecting customer information is crucial for the title industry and title agents alike. This is why title agents are expected to meet the ALTA (American Land Title Association) Best Practices, so that they have the knowledge to protect the non-public personal information of their customers.

To find out more about our compliance solutions, or any other IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.


    Copyright © 2023 · Systems Management Enterprises, Inc. · Privacy Policy · Terms of Service