Nomerel | IT Services | Energy Solutions

Our team is made up of engineers and technicians who can resolve problems in your environment, often before they occur. This means fewer interruptions in productivity, fewer delays, and faster resolution of your issues. Any time an authorized user on your staff needs computer help, they simply call the Nomerel Support Line for instant access to the support they are looking for. Nomerel support technicians are located in Tulsa, Oklahoma, and are ready to assist with your needs.

Nomerel | IT Services | CMMC Certification for Department of Defense Subcontractors

Our team is competent and ready to get your company its CMMC certification. Nomerel offers an efficient and affordable way to get your scores where they need to be, when they need to be there. Any time an authorized user on your staff needs help, they simply call the Nomerel Support Line for instant access to the support they are looking for. Nomerel support technicians are located in Tulsa, Oklahoma, and are ready to assist with your needs.

What is CMMC, and how does a small to medium-sized company begin the CMMC certification process?

CMMC is a certification process built on a tiered compliance model derived from NIST SP 800-171. NIST SP 800-171 is a framework of controls that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI), or to provide security protection for systems that do. CMMC helps the Department of Defense (DoD) determine whether an organization has dedicated adequate resources to provide appropriate security for handling controlled or otherwise sensitive data.

Small and medium-sized businesses face more challenges when seeking CMMC certification than larger enterprises with more personnel and resources.

The first thing a DoD contractor must determine is which level of compliance the company must meet. Level 1 (Foundational) pertains to systems that process, store, or transmit Federal Contract Information (FCI). Level 1 compliance is based on 17 controls found in Federal Acquisition Regulation 52.204-21. Level 2 (Advanced) pertains to systems that process, store, or transmit Controlled Unclassified Information (CUI). Level 2 mirrors NIST SP 800-171, with 14 categories and 110 security controls. Level 3 (Expert) focuses on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on the DoD's highest-priority programs. Level 3 is based on NIST SP 800-171's 110 controls plus a subset of NIST SP 800-172 controls. Most small to medium-sized businesses will only be concerned with Level 1 and Level 2.

Next Steps

After a company has decided which level of compliance it wants to achieve, it conducts a self-assessment of its current compliance posture and enters that score into the Supplier Performance Risk System (SPRS). For example, scores for Level 2 can range from -196 to +110.

Once the Contractor's score is uploaded into SPRS, the hard work begins: improving that score until the company reaches the level of CMMC certification dictated by whether it transmits, processes, or stores FCI or CUI. Responsibility for compliance cannot be delegated to a third party. A third party such as Nomerel can greatly assist a Contractor in implementing toolsets, producing documentation such as the Plan of Action and Milestones (POA&M) and System Security Plan (SSP), and creating policies and procedures. However, the ultimate responsibility for compliance rests on the Contractor's employees adhering to those policies and procedures.

Once a Contractor believes it has achieved its selected level of compliance, an assessment must verify and certify that compliance. The DoD intends to allow Contractors required to meet Level 1 to conduct a self-assessment for CMMC. This self-assessment of the Contractor's network(s) will be required annually, accompanied by a yearly affirmation, under penalty of law, from a senior company official that the company is meeting the requirements.

Level 2

Likewise, contractors on a subset of Level 2 programs that do not involve information critical to national security may also be allowed to conduct self-assessments. This self-assessment will likewise require a yearly affirmation from a senior company official that the company is meeting the requirements.

Vendors involved in programs that affect information critical to national security will be required to obtain a third-party assessment. These assessments are conducted by CMMC Third Party Assessment Organizations (C3PAOs), which are listed on the CMMC-AB Marketplace. After completing the CMMC assessment, the C3PAO provides an assessment report to the DoD.

In conclusion, attaining CMMC certification can be a daunting task if a Contractor tries to do it alone while managing its day-to-day business. Nomerel's security and technology experts can help Contractors that need Level 1 or Level 2 CMMC. We have a CMMC Registered Practitioner for consultation and to guide the process, and technology experts to implement toolsets, write policies and procedures, provide documentation and verification of compliance, and assist in any assessments. Please contact us for more information.

RANSOMWARE: AN EXISTENTIAL THREAT TO SMBS

A few days ago, Marco returned from lunch to his small office and turned on his computer. It appeared that he had been logged out of his account, which sometimes happens because his workstation is a gateway that other employees go through to access files on his company's main server. As Marco signed back in and started to use some of his usual programs, he noticed that some of the commands he normally used were missing. This should have been his first clue that something was very wrong, but he didn't pay attention to what he was looking at. He restarted his programs, and the issue persisted. Marco began to encounter other issues and decided to restart his computer. It was then that he noticed another session running in the background, and he observed that the session was using 30 to 40% of the CPU's time, which was unusual. Marco then left the office for a meeting. Upon his return to the office the next day, it was apparent that ransomware had been placed on his system, encrypting all of his and the company's files. His screen was filled with the hacker's instructions on what to do and not to do if he wanted to unlock his company's files. A ransom of 5 Bitcoins, approximately $58,000 at the time, was demanded and eventually paid by his company.

The above account is not fiction, although it has been anonymized to protect the victim company. It happened, and it continues to happen on an all-too-frequent basis to companies and private citizens alike. Before we get too far ahead of ourselves, let's look at what ransomware is and what can be done before, during, and after a ransomware attack is executed. If you think you have been attacked, experts in ransomware recovery are available to aid in recovery.

According to the FBI, ransomware is a form of malware that encrypts files on a victim's computer or server, making them inaccessible to the user. Cyber criminals then demand a ransom, usually in the form of Bitcoin or some other anonymized currency, in exchange for a key to decrypt the victim's files. Ransomware attacks are becoming more sophisticated, better targeted, and more costly. During the recent pandemic, ransomware attacks have become more prevalent with the advent of more employees working from home on their own devices and networks, which may or may not be well protected.

Ransomware victims span most, if not all, economic sectors, including health care organizations, industrial/manufacturing companies, local and state governments, law enforcement institutions, educational institutions, transportation entities, and other commercial entities, as well as the computers of private citizens. Historically, most attacks began as an email phishing campaign in which the cyber criminal used generic, broad-based spamming to deploy malware; recent ransomware campaigns have been more targeted.

Cyber criminals socially engineer phishing emails to convey urgency: if the recipient does not act, the message creates anxiety and fear about failing to take the appropriate action, while also preying on the natural curiosity of the human being on the receiving end. The more cyber criminals know about the recipient of their email, the more likely their attack will succeed. With the pandemic creating a newly mobilized remote workforce, people are already anxious and may be more susceptible to an attack, often trying to "click away" their anxiety in search of answers that will alleviate their present concerns.

Ransomware is more prevalent nowadays because hackers have access to more sophisticated tools that are supported 24/7. Defense always lags behind offense when new tactics are being used. Ransomware tools are cheaper to build. There are also more distribution channels to exploit and more lucrative targets whose information is already in the public domain through Facebook, LinkedIn, other social media, and internet searches. The method of paying the ransom, typically Bitcoin, is untraceable with regard to both the recipient and the payer and therefore cannot assist law enforcement in identifying the cyber criminals. Cyber criminals also make use of the Tor anonymity network to interact with the victim, which conceals their identity.

Before the Event

It is important for any individual or organization to lay the groundwork to protect itself from becoming a ransomware victim. You cannot eliminate 100% of the possibility that you will be a victim of ransomware, but you can diminish the probability by being proactive. The primary defense for any organization or individual against ransomware is an effective and robust backup and restore capability for all of your critical data. Having an up-to-date backup to restore from could save your company, and you personally, from having to pay a significant ransom and from being at the mercy of hackers to regain access to your data. The time to invest in backups, and to test whether they are working properly, is not after a ransomware attack has occurred. Backups are critical to your company's recovery from a ransomware attack.

In addition to keeping regularly updated backups and verifying that they restore correctly, you must ensure that the backup drives or devices are disconnected from the computers and networks once each backup completes; otherwise they too will be encrypted during a ransomware attack and rendered useless.

Your company can enhance any security measures taken to protect its computers and networks by training and educating your employees and end users on information security principles and techniques. Ransomware is not a firewall/anti-virus issue. Socially engineered phishing attacks are often the attack vector, and employees are the targets and, as such, a company's portal of vulnerability. Employees should be made aware of the threat of ransomware, how it is delivered, and how to recognize a likely phishing email and not click on it.

Keep your operating system, software, and firmware patches up to date, preferably through a centralized patch management system. Ensure that every server is patched, or it may become the access point to the whole network. Ensure that anti-virus and anti-malware software updates automatically and that scans are conducted frequently.

Restrict file, directory, and network share permissions. Configure access controls so that only those who need access to particular information and data have it.

Consider disabling macro scripts in Office files received by email. Also consider opening Microsoft Office files with Office Viewer software instead of the full Office suite applications.

Use software restriction policies or other controls to prevent programs from executing in common ransomware locations. These locations are the temporary folders used by popular internet browsers and compression/decompression programs, including those under the AppData/LocalAppData folders.

Since cyber criminals frequently exploit open RDP ports, companies should audit their network for systems that use RDP, close all unused RDP ports, require multi-factor authentication (MFA), and track RDP login attempts.

Companies should categorize and prioritize data based on its criticality and value to the organization, and create both physical and logical separation of networks and data for different organizational units. In other words, protect your most valuable data more strongly than your less valuable data.

Application whitelisting allows systems to execute only programs known to and permitted by your company's security policy. Also consider using virtual environments to run operating systems or specific programs in isolation.
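As an added example that is not part of the Nomerel article, the following read-only PowerShell script checks a single Windows host against several of the controls listed above: whether RDP is enabled and requires Network Level Authentication, how many RDP logon attempts failed recently, whether Office macros are disabled by policy, and whether any AppLocker or Software Restriction Policy exists to restrict execution from temp and AppData folders. It assumes an Office 16.0 policy key, a 24-hour lookback, and ten failures from one source as the alert threshold; these are choices made here, not values from the article.

```powershell
# Added audit example (not Nomerel's code): read-only checks of one Windows host
# against several controls from the list above. Run in an elevated PowerShell
# session on the host being checked; nothing is changed, findings are printed.
# Assumptions: Office 2016/2019/365 (registry version key "16.0"), a 24-hour
# lookback for failed RDP logons, and 10 failures from one source as the threshold.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. RDP exposure: is Remote Desktop enabled, and is Network Level Authentication required?
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($rdpDenied -eq 0) {
    $findings.Add('RDP is enabled; confirm it is needed and reachable only through VPN with MFA.')
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -ne 1) { $findings.Add('RDP does not require Network Level Authentication.') }
}

# 2. Track RDP logon attempts: failed logons (Security event 4625) with LogonType 10 (RemoteInteractive)
$since = (Get-Date).AddHours(-24)
$failedRdp = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '10') { [pscustomobject]@{ User = $data['TargetUserName']; Source = $data['IpAddress'] } }
    }
foreach ($group in ($failedRdp | Group-Object Source | Where-Object { $_.Count -ge 10 })) {
    $findings.Add("$($group.Count) failed RDP logons from $($group.Name) in the last 24h (possible brute force).")
}

# 3. Office macros: disabled by policy (VBAWarnings 4 = disable all without notification),
#    and blocked in files that carry the Internet mark (Mark of the Web)?
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $pol = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
    if ($pol.VBAWarnings -ne 4) { $findings.Add("${app}: macros are not disabled by policy (VBAWarnings is not 4).") }
    if ($pol.BlockContentExecutionFromInternet -ne 1) { $findings.Add("${app}: macros in Internet-sourced files are not blocked.") }
}

# 4. Execution control for temp/AppData locations: is AppLocker or a Software Restriction Policy in place at all?
$ruleCount = 0
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($policy) { $ruleCount = [int]($policy.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum }
}
$srpPresent = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if ($ruleCount -eq 0 -and -not $srpPresent) {
    $findings.Add('No AppLocker rules or Software Restriction Policy found; execution from temp and AppData folders is unrestricted.')
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

The script reports only; each finding maps back to one of the controls above so the host can be brought into line by hand or through Group Policy.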

During the Attack

Let's go back to our friend Marco. When Marco realized that his computer was infected with ransomware, he remained calm and contacted his IT department, which, not knowing how far along the attack was, instructed him to disconnect his computer from the network and to disconnect all devices from his computer. Unfortunately, Marco advised his IT contact that the attack had likely started the day before, when he noticed anomalies while using his computer. The IT contact called the local police department and reported the attack to the FBI. Reporting the attack to the authorities is not done in the expectation that they can stop the attack or assist with remediation. Reporting the event to local law enforcement gets you a report number in case it is needed to make a claim against the company's cyber security insurance policy or to claim a loss on corporate taxes. Notifying the FBI also allows them to track victims and crimes, to see whether other victims were attacked with the same ransomware variant, and to aggregate the cases if there is an open investigation or obtain authority to open one.

At this point we leave Marco and his coworkers to sort out what damage was done to their systems and data. They will have to decide whether to pay the ransom or use their backups to restore their systems.

As a rule, the FBI does not advocate paying a ransom, because cyber criminals are not the most reliable people when it comes to keeping their word to decrypt your data once you have paid. Additionally, cyber criminals are not invested in customer service, so even if you pay and they act in "good faith," they may not have the know-how or capability to decrypt your data. Things can still go wrong with their algorithms, too. Historically, ransomware criminals were content to encrypt your systems and collect a ransom to unlock them, and if no ransom was received they moved on to the next victim. Now, however, we are seeing a shift in tactics: cyber criminals steal sensitive information while executing the ransomware attack and threaten to release it if no ransom is paid. Even a company that has backups may still pay the blackmail, hoping the criminals keep their word not to disclose the information. These are some of the reasons the FBI will always be reluctant to reinforce criminal behavior by advocating that businesses pay ransoms. Furthermore, a company that pays may be victimized again later, because it has set a precedent of paying. So, if you do decide to pay, understand that you may be a target again. Also, if you do agree to pay, seek out a service to pay on your behalf so that your company's brand is not involved in the negotiations.

Ultimately, it is not the FBI's decision whether a company pays the ransom. It is the decision of the company's management team and perhaps its legal counsel. The management team must make the decision that is best for business continuity.

After the Attack

After the company has done its best to get back to business, it is time to make sure it limits the probability of this happening again. Your company should start with a third-party assessment to find the vulnerability that let the attacker through. Which system vulnerabilities were you not aware of? This should be done by a third-party vendor to ensure the integrity of the process; the in-house IT staff may also lack the tools or expertise to conduct the assessment. After the assessment, you need to clean or wipe your environment, because the cyber criminal may have left a backdoor to return through later, or may have left additional malware embedded in the system. Next, invest in modern defenses such as real-time monitoring of your network. Firewalls and anti-virus are important, but they won't give you network visibility or real-time alerts. Finally, invest in cyber security training and awareness for your employees, and test whether it is working. By educating your employees about cyber security threats, you develop them into "human firewalls" and lessen the likelihood that they will fall for phishing attacks and introduce ransomware into your network.

Conclusion

Ransomware is a very real existential threat to small to medium-sized businesses and, as such, needs to be prevented whenever possible. Seventy-eight percent (78%) of small to medium-sized businesses (SMBs) are targeted by cyber criminals, not only for their data but also as a portal to other systems. Sixty percent (60%) of SMBs that are hacked go out of business within six months of their victimization. This statistic does not have to be an inevitable outcome.

Prevention is key, and it relies on technological, operational, and administrative means. Technological means include regularly backing up data and verifying that it can be restored when the need arises, keeping patches up to date, deploying anti-virus and anti-malware, disabling macro scripts, and so on. Operational means include restricting access to critical data and systems, implementing software restriction policies, following best practices for RDP, application whitelisting, and network and system segmentation. Administrative means include implementing policies and procedures that institute best practices for employee behavior and actions, as well as cyber security training and awareness for those employees. Protecting your company against ransomware can be done. You just got the plan, so let's get busy!