Sunday, October 13, 2024

Federal Register announcing CMMC - to be published Tuesday Morning. How'd we get here?

Well, if there was ever a question...  Here's the Federal Register, which will appear Tuesday morning. 

https://www.govinfo.gov/content/pkg/FR-2024-10-15/pdf/2024-22905.pdf

OK, folks, at this point, there will be no more government mealy-mouthing, miscommunication, or fragmentation in messaging. It's real, and it will become law on December 16th.

Here's how I see it:

  1. CMMC was born only after self-attestation failed (and it was tried multiple times, starting in 2009).
  2. CMMC, while not optimal, can actually help (wait for it, this is big).
  3. I had an old boss who used to tell me "Don't let perfect get in the way of good."

So how did we get here?

I'm going to tackle point number one today. 

CMMC was born only after self-attestation failed (and it was tried multiple times, starting in 2009).

I worked at the DoD Cyber Crime Center. In 2009, we developed a self-attestation request based on a relatively straightforward set of best information security practices. It could have been better, but it was a first step, and it was mainly based on SANS Top 20 and later, as it evolved, NIST 800-171.

We sent a request to all of the large contractors and asked them to tell us what they had (mostly to help us analyze incident reports if/when necessary). Every company submitted one.

This practice was retained, and we hoped for the best. 

Sadly, as the practice grew, it turned out that self-attestation didn't work.

Fast Forward to 2018... 

In June 2018, a significant cybersecurity breach occurred involving the U.S. Navy and one of its contractors, resulting in the loss of sensitive data related to the Sea Dragon project [1][2]. Chinese government hackers were identified as the perpetrators of this sophisticated cyberattack [2].

The Breach

The hackers successfully compromised the computers of a Navy contractor, gaining access to a substantial amount of highly sensitive information [2]. The stolen data amounted to 614 gigabytes, primarily related to the classified Sea Dragon project [1][3][4]. This project was a closely held initiative believed to be associated with undersea warfare capabilities [4].

In addition to the Sea Dragon project data, the hackers also obtained:

  • Signals and sensor data
  • Submarine radio room information
  • Data related to cryptographic systems
  • Electronic warfare library

This breach was particularly concerning due to the nature and volume of the compromised information, which could provide significant insights into U.S. naval capabilities and technologies [2][5].

Implications and Response

The incident highlighted the vulnerabilities in the defense supply chain, particularly with contractors handling sensitive information [1]. In response to this and other similar breaches, the Department of Defense (DoD) took steps to enhance cybersecurity measures:

  • Development of the Cybersecurity Maturity Model Certification (CMMC) in 2019
  • Implementation of stricter security protocols for contractors
  • Increased focus on supply chain security

The CMMC was designed to ensure that companies working with the DoD, including contractors, meet specific cybersecurity standards based on the sensitivity of the information they handle [1].

This breach was not an isolated incident. It was part of a larger pattern of cyberattacks targeting U.S. defense contractors and universities working on military projects [1]. The Chinese government consistently denied involvement in these attacks, but the frequency and sophistication of such breaches raised significant concerns about the security of sensitive military information [1][5].

The Sea Dragon data breach is a stark reminder of the ongoing challenges in cybersecurity, especially in the defense sector, and the persistent efforts of foreign actors to obtain classified information through digital means.

(Sourced with Perplexity.ai to summarize the story of the Sea Dragon)

[JLS Comments] 

Sadly, self-attestation didn't work. When the Navy validated the self-attestation reports (as I heard it secondhand), only a few of the thousands of contractors in the program (I heard less than 3%) had actually done what they said they'd done in their self-attestations of their cyber posture. 

This is one of THOUSANDS of stories of lost data in our defense supply chain. Have a look back through my blog, in particular this post: https://henrybasset.blogspot.com/2013/04/red-sky-weekly-woshihaoren.html. It's my most-read post and showcases a beer-and-cigar conversation with a friend who lived this. This CISO had hackers logging into his network during business hours, leaving only when their work week was over and returning after the weekend.

CMMC is the "Trust but Verify" model that came out of the Navy Sea Dragon story.

BT

I am the CEO of Trusted Internet, LLC, a Managed Security Service Provider that serves defense contractors. We have no government contracts and don't handle CUI, but we can show you our POAM toward completing NIST 800-171. We've done the work to help small contractors survive this. For more information, contact us at staysafeonline@trustedinternet.io or sign up for a no-cost baseline assessment workshop at https://trustedinternet.io/compliance

Citations:

[1] https://redriver.com/security/navy-contractor-hacked

[2] https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html

[3] https://www.nexusitc.net/sensitive-data-stolen-from-naval-contractor-by-chinese-hackers/

[4] https://www.c4isrnet.com/cyber/2018/06/08/chinese-hackers-steal-sensitive-navy-program-data/

[5] https://www.reuters.com/article/world/china-hacked-sensitive-us-navy-undersea-warfare-plans-washington-post-idUSKCN1J42MK/


Saturday, October 12, 2024

CMMC Final Rule: What Defense Contractors Need to Know and Do Before December 2024

The final rule for the Cybersecurity Maturity Model Certification (CMMC) program is set to be published in the Federal Register on October 15, 2024. Once it is, it will become law in 60 days.

The final CMMC rule represents a significant step in enhancing cybersecurity in the defense sector. While it introduces new compliance requirements, it offers a more flexible and cost-effective approach for many contractors, especially small businesses handling only FCI. Companies should start preparing to meet the necessary requirements when the rule takes effect.

Here's a breakdown of what this means:

CMMC Overview

CMMC is a program designed to enhance cybersecurity across the Defense Industrial Base (DIB). It aims to verify that defense contractors comply with existing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) protections.

Key Changes and Benefits

Simplified Certification Levels

  • Level 1 (Foundational): Requires 15 basic cybersecurity practices
  • Level 2 (Advanced): Requires 110 security practices from NIST SP 800-171
  • Level 3 (Expert): Requires 110+ practices from NIST SP 800-171 and a subset from NIST SP 800-172

The new structure potentially reduces costs for many small businesses:

  • Level 1: Allows for annual self-assessment, which is more cost-effective
  • Level 2: May require third-party assessment or self-assessment, depending on the program
  • Level 3: Requires government-led assessment

This tiered system allows companies to implement security measures commensurate with the sensitivity of the information they handle.

Impact on Contractors

  • Contractors must determine their expected CMMC level(s) for future contracts. In most cases, the prime contractor will tell them, as mandated by the contract.
  • They need to ensure all information systems supporting DoD contracts are accounted for in compliance planning.
  • Subcontractor compliance must be assessed.
  • Internal policies and procedures should be reviewed and updated to ensure compliance.

Implementation Challenges and Solutions

The implementation of CMMC presents significant challenges, particularly for smaller defense contractors. Here's an overview of the situation and potential solutions:

  • Even Level 1 certification requires a substantial investment, which can be difficult for smaller companies to manage.
  • Cybersecurity requirements have been law since 2012, but they were never taken seriously. Government waffling and poor communication left companies uneasy about the potential spend, so compliance was not treated as a business necessity, and after multiple delays many companies are still not adequately prepared.
  • Smaller companies often lack the in-house expertise needed to implement complex cybersecurity measures.

For many small defense contractors, outsourcing CMMC compliance to a specialized Managed Security Service Provider (MSSP) like Trusted Internet is generally the fastest and most cost-effective route to compliance.

What’s the difference between your current MSP and an MSSP?

  • An MSP (Managed Service Provider) focuses on general IT management, including network administration, software updates, and helpdesk support.
  • An MSSP (Managed Security Service Provider) specializes in cybersecurity and offers services such as threat monitoring, incident response, and compliance management.
  • MSPs ensure IT efficiency, while MSSPs protect against cyber threats.

How does Trusted Internet help?

Trusted Internet offers a no-cost CMMC Baseline Assessment Workshop, a comprehensive session that helps small defense contractors achieve CMMC compliance:

  • A half-day in-person or online session where contractors answer assessment questions using a virtual dashboard.
  • Participants receive a scorecard and a detailed spreadsheet outlining the necessary steps for compliance.
  • The workshop provides baseline policies written for the chosen compliance level.

At the end of the day, contractors will leave with a baseline assessment, written policies, a simplified compliance roadmap, and a control-by-control spreadsheet that can be copied into SPRS.

What comes next? The final steps involve:

  • Procedure Development: Creating specific procedures based on the policies.
  • Technology Implementation: Implementing Trusted Internet's comprehensive technology stack within 3-4 weeks to rapidly enhance your organization's security posture and meet CMMC compliance requirements.

The CMMC final rule presents challenges, especially for small defense contractors. However, outsourcing your security to Trusted Internet and participating in specialized workshops can provide a cost-effective and much more efficient path to compliance than going it alone. These approaches offer small businesses the expertise and resources to meet CMMC requirements without overwhelming their internal capabilities or budgets.

Want to sign up for a Trusted Internet CMMC Workshop? Sign up here to be notified of upcoming events.





Friday, January 19, 2024

This is bad architecture. Let me show you why.

I have Comcast. Most of my clients do, too, in both businesses and executive homes. In 100% of cases when we walk in the door and see this very basic internet architecture, we know that you're already hacked. Why? Comcast, Frontier, Verizon, Spectrum; it doesn't matter who you use, this architecture provides ZERO protection from what's happening on the internet.

Take six and a half minutes out of your day and watch this short cybersecurity education burst. I think you'll find it useful. 



Friday, May 14, 2021

Trusted Internet regarding the Colonial Pipeline Hack

On May 10, the FBI announced that on Friday, May 7, a group known as DarkSide was responsible for a ransomware attack that effectively shut down the operation of the Colonial Pipeline. This morning, it was reported that Colonial Pipeline paid $5 million in ransom to restore operations.

DarkSide’s team is considered relatively professional and organized. The group even has a dedicated phone number and a helpdesk to facilitate negotiations with its victims. DarkSide has traditionally presented itself as quite meticulous in using this process to collect information from the victim so that it uses its ransomware only on the “right targets.” This stems from the claim that DarkSide is only interested in extorting large for-profit businesses and has even attempted to donate a portion of its earnings to various charities. Further analysis of the group’s historic attacks shows that only western, English-speaking companies have been targeted, with a mandate to exempt companies in the former Soviet states grouped under the Commonwealth of Independent States (CIS) coalition, including Georgia and Ukraine, hinting at the origins of the group.

DarkSide is a relatively new actor that presents itself as an independent for-profit group following the RaaS (ransomware-as-a-service) model and touting new ransomware, DarkSide 2.0, equipped with the “fastest encryption speed on the market.” Along with conducting its own ransomware operations, the group also markets and sells its software and tools to other hacking groups.

DarkSide 2.0 features multithreading in both its Windows and Linux versions. The Linux version of the ransomware can now target VMware ESXi vulnerabilities, meaning it can hijack virtual machines and encrypt their virtual hard drives, and it targets network-attached storage (NAS) devices, including Synology and OMV. A unique feature of the DarkSide ransomware is that it targets domain controllers, which puts the entire network environment at risk.

What have we done about it, and is your company at risk? 

Trusted Internet utilizes a defense-in-depth approach to protect our clients from ransomware attacks such as DarkSide. Trusted Internet’s cybersecurity solution detects and prevents ransomware deployment from several aspects:
  • As information has become available, Trusted Internet has been combing our logs for indicators of DarkSide activity.
  • While we do participate in some of the larger information-sharing environments, any intelligence offered has been validated and loaded into firewalls and endpoint solutions.
  • We continue to remain vigilant for updates on other kinds of pre-ransomware attacks, including loaders, installers, and dormant code.
  • Lastly, we've been working with our security vendors to ensure the latest indicators are loaded, in an effort to keep our customers safe and free of ransomware.

Our 24/7 Security Operations Center monitors both next-generation firewalls and our Secure Workstation endpoint software to protect your corporate network and devices. These systems are specifically designed to prevent this type of attack and others. To keep up with the ever-evolving threat landscape, our internal systems and deployed equipment and software are uniquely equipped and constantly updated in real time with the latest threat intelligence to stay ahead of malicious actors and malware.

From an Intelligence and Analysis perspective, we continue to monitor the situation. We receive intelligence from dozens of high-quality, reliable sources and will update your firewalls with any additional information as it is received and validated.

In the meantime, if you are a Trusted Internet Cyber Security client, you are already protected. If you are interested in establishing cybersecurity services to secure your network, Trusted Internet can assist immediately.

If you're concerned or have had a problem or breach, please contact Trusted Internet to speak with a Virtual CISO® today. 

Contact our 24x7 Security Operations Center at 800-853-6431, or staysafeonline@trustedinternet.io.

www.trustedinternet.io

Saturday, March 28, 2020

Keep your company's digital assets available and safe: "Two is One and One is None"

I received a call yesterday from my insurance agent. He works for a large company; you'd know the name. He told me that when the entire company went remote, their connection to the home office dropped for about a day. This is not the first company that I've heard this about. In our haste to go quickly to remote work, many companies failed to plan for redundancies and choke points. The good thing? The fixes aren't hard:

Here are some simple things to consider as we normalize in our potential for longer-term quarantine.

When it comes to terminating VPNs at the border, think redundancy

Many companies use a Next-Generation Firewall (NGF) at the edge. NGFs are great little boxes, filled with features: traditional firewalls, routing, intrusion prevention, anti-malware, and SSL and IPsec VPN concentrators. Here's the problem: in generic terms, if you turn on VPN and Intrusion Prevention in many of these firewalls, performance drops... fast. You could lose as much as 70% of your speed. Add in SSL Inspection, and that amazing hardware-based box comes to a screeching halt, crawling, frustrating workers and costing the company valuable productivity time. What to do about it:
  • Separate those duties into independent functions
  • Consider adding High Availability (HA) pairs to allow for failover
  • Have a backup plan if you find your current inbound bandwidth swamped

Separate those duties into independent functions. Isolate VPN concentration from protection. Use one machine (firewall, router, VPN concentrator) to terminate VPNs at the company edge, and the NGF for edge firewalling, IPS, anti-malware, etc. You'll find that your employees will be much happier.

Consider adding High Availability (HA) pairs to allow for failover. High availability is the pairing of two devices together so that if one fails, the other automatically takes over. Every device that we've used has the ability to be paired in high-availability mode. Why? Three nights ago we saw an ASA fail because of the heavier workload. When it finally failed, the connection simply rolled over to the second firewall, allowing remote operations to continue, almost without issue, until the first machine could be updated to the newest OS. In the world of firewalls, two is one and one is none. If you have HA-paired firewalls and one fails, the other continues. If you only have one, your remote workers lose access to the company and productivity stops.

Have a backup plan if you find your current bandwidth is swamped. Most companies had planned for only a fraction of their workforce to be remote: sales, executives, support, and maybe a few dedicated telecommuters. If you had 100Mb of bandwidth set aside for remote access for 10% of your company, how much bandwidth will you need when the other 90% gets quarantined? The math isn't hard. Look at what's used internally, taking into consideration actual utilization, and plan.
--------------------------------------------

TRUSTED INTERNET IS A MANAGED SECURITY SERVICES PROVIDER
We install next-generation firewalls, managed antivirus, and an anti-evasion toolkit in your home or office, and then monitor and manage them remotely, 24x7. If we see a threat, we stop it.

Contact us
800-853-6431
staysafeonline@trustedinternet.io





Monday, April 30, 2018

No Cost NIST 800-171 Self Assessment

Did you know that last week, Lockheed Martin won a $1 billion contract to build hypersonic aircraft and technologies? 

Did you also know that NIST 800-171 compliance is going to be required to participate on the contract?

I thought I might take an opportunity to present an 'easy button'. We took the NIST assessment document and turned it into a no-cost, no-obligation online self-assessment. Fill in the correct contact information (as opposed to fake contact information) and at the end, we'll send you your individual responses.

The self-assessment is located here: https://www.surveymonkey.com/r/BKTXJ89

If you're a small business (<500 employees), you can also ask questions and get help, provided at no charge for small businesses in need, at the Red Sky Small Business Alliance Compliance Corner: https://redsky-sba.ning.com/compliance-corner.

Good luck.
Jeff

Saturday, January 06, 2018

What are Meltdown and Spectre? Should you be concerned?

We posted this analysis in the Red Sky Small Business Alliance portal. Red Hat Videos deserves kudos; they do a wonderful job of describing where these bugs come from, and one of our newer analysts offers a short analysis, written in plain English, describing the bugs in more detail.



Source: Red Hat Videos - Meltdown and Spectre in 3 minutes

Meltdown and Spectre are two major flaws that affect all modern computers based on processors from Intel, AMD and ARM. Discovered and named by a team of security researchers as part of Google Project Zero, both of these flaws potentially allow hackers to steal personal data from computers, including cloud servers and mobile devices.

The disclosure date for the flaws was set for January 9, 2018, but due to premature reports, growing speculation and the risk of exploitation, the information was revealed sooner, and patches are just being made available for some platforms.

Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.

Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

Both of these critical CPU flaws come down to how a CPU handles its cache and optimizes execution, which can result in a user program gaining access to kernel memory.

Cache Management and Speculative Execution:

Processors use a concept of rings to protect kernel memory from user programs. x86 processors have lots of rings, but for this issue, only two are relevant: "user" (ring 3) and "supervisor" (ring 0). When running regular user programs, the processor is put into user mode, ring 3. When running kernel code, the processor is in ring 0, supervisor mode, also known as kernel mode.

These rings are used to protect the kernel memory from user programs. The page tables aren't just mapping from virtual to physical addresses; they also contain metadata about those addresses, including information about which rings can access an address. The kernel's page table entries are all marked as only being accessible to ring 0; the program's entries are marked as being accessible from any ring. If an attempt is made to access ring 0 memory while in ring 3, the processor blocks the access and generates an exception. The result of this is that user programs, running in ring 3, should not be able to learn anything about the kernel and its ring 0 memory.

Every modern processor performs a certain amount of speculative execution. For example, given some instructions that add two numbers and then store the result in memory, a processor might speculatively do the addition before ascertaining whether the destination in memory is actually accessible and writeable. In the common case, where the location is writeable, the processor managed to save some time, as it did the arithmetic in parallel with figuring out what the destination in memory was. If it discovers that the location isn't accessible—for example, a program trying to write to an address that has no mapping and no physical location at all—then it will generate an exception and the speculative execution is wasted.

Intel processors, specifically—though not AMD ones—allow speculative execution of ring 3 code that writes to ring 0 memory. The processors do properly block the write, but the speculative execution minutely disturbs the processor state, because certain data will be loaded into cache and the TLB in order to ascertain whether the write should be allowed. This in turn means that some operations will be a few cycles quicker, or a few cycles slower, depending on whether their data is still in cache or not. As well as this, Intel's processors have special features, such as the Software Guard Extensions (SGX) introduced with Skylake processors, which slightly change how attempts to access memory are handled. Again, the processor does still protect ring 0 memory from ring 3 programs, but again, its caches and other internal state are changed, creating measurable differences. (ArsTechnica, 2018)

Patch Status:

As these flaws cannot be fixed with a firmware or microcode update alone, an OS-level fix is also required for the affected operating systems. The immediate solution comes in the form of a kernel Page Table Isolation (PTI), which separates the kernel’s memory from user processes. But this solution increases the kernel’s overhead, potentially causing the system to slow down depending on the task and processor model.
Early indications suggest that these patches mostly deal with Meltdown exploits and not Spectre, which again, is harder to exploit and to fix. In order to protect against all instances of Spectre, application-level fixes are to be expected.
  1. Windows
Microsoft has released an emergency patch this week for Windows 10 that is being applied automatically. Windows 7 and Windows 8 have also received a patch that can be applied manually while automatic updates are rolling out ahead of the next Patch Tuesday.
In addition to the patch, Microsoft is warning that some third-party antivirus products will conflict with the fix, and the OS update won't be applied to those systems until the antivirus supports these changes.
Users should expect additional hardware/firmware updates from OEMs and motherboard manufacturers in the short term to complement Microsoft's patch. There is a PowerShell verification script which can be used to test and confirm whether protections have been enabled properly.
  2. macOS
Apple has confirmed that all of its iPhones, iPads, and Mac devices are affected by the recently discovered chip flaws. The company has already released OS updates to protect users from the Meltdown attack, and a patch for Spectre will arrive "in the coming days.”
Apple released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, adding that these updates do not slow down the devices. As the Apple Watch doesn’t use Intel chips, it is not affected.
  3. Linux
Linux kernel developers have a set of patches named kernel page-table isolation (KPTI) released in kernel 4.15 (currently in RC).
  4. Android
According to Google, devices with the latest security updates are protected.
  5. Cloud Services
Companies using virtualized environments are the biggest potential targets for those looking to exploit the vulnerability. Microsoft Azure, Amazon AWS and Google Cloud are all implementing fixes and claim they have already mitigated some of the risk. Expect scheduled downtime of several cloud services in the coming days.

User Checklist:
  • Update to the latest version of Chrome (on January 23rd) or Firefox 57 if using either browser
  • Check Windows update and ensure KB4056892 is installed for Windows 10
  • Check your PC OEM website for support information and firmware updates and apply any immediately.
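As an added example (not part of the original post or the Wapack Labs analysis), here is a Python check for the Linux side of that checklist. Since kernel 4.15 the kernel reports each flaw's status under /sys/devices/system/cpu/vulnerabilities/; the script reads those files (or a constructed sample when they are absent) and also flags a boot command line that disables KPTI.

```python
"""Classify the Linux kernel's Meltdown/Spectre status reports.

Added example, not from the original post.  Since kernel 4.15 (the release
that shipped KPTI) Linux exposes one file per flaw under
/sys/devices/system/cpu/vulnerabilities/; each holds a single line such as
"Not affected", "Vulnerable" or "Mitigation: PTI".  When that directory is
absent (older kernel, non-Linux host) a constructed sample is used instead
so the script still runs offline.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CMDLINE = Path("/proc/cmdline")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample shaped like the sysfs contents of a patched Intel host.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional",
}
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"


def read_sysfs_status(sysfs_dir=SYSFS_DIR):
    """Return {flaw: status line} from sysfs, or None if unavailable."""
    if not sysfs_dir.is_dir():
        return None
    status = {}
    for flaw in FLAWS:
        path = sysfs_dir / flaw
        if path.is_file():
            status[flaw] = path.read_text().strip()
    return status or None


def classify(status_line):
    """Map one sysfs status line to 'ok', 'vulnerable' or 'unknown'.

    'Not affected' and any 'Mitigation: ...' line count as ok.  The kernel
    reports 'Vulnerable' (optionally followed by detail) when the mitigation
    is missing or was disabled at boot.
    """
    line = status_line.strip()
    if line == "Not affected" or line.startswith("Mitigation:"):
        return "ok"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def pti_disabled_on_cmdline(cmdline):
    """True if the boot command line turns KPTI off ('nopti' or 'pti=off')."""
    tokens = cmdline.split()
    return "nopti" in tokens or "pti=off" in tokens


def assess(status, cmdline=""):
    """Return (overall_ok, {flaw: verdict}) for a status mapping.

    A flaw missing from the mapping is 'unknown', so an old kernel that
    predates the sysfs interface never silently passes.  A command line
    that disables PTI overrides the meltdown verdict.
    """
    verdicts = {flaw: classify(status.get(flaw, "")) for flaw in FLAWS}
    if pti_disabled_on_cmdline(cmdline):
        verdicts["meltdown"] = "vulnerable"
    overall_ok = all(v == "ok" for v in verdicts.values())
    return overall_ok, verdicts


if __name__ == "__main__":
    live = read_sysfs_status()
    cmdline = CMDLINE.read_text() if CMDLINE.is_file() else SAMPLE_CMDLINE
    source = "sysfs" if live else "constructed sample"
    ok, verdicts = assess(live or SAMPLE_STATUS, cmdline)
    print(f"status source: {source}")
    for flaw, verdict in verdicts.items():
        print(f"  {flaw:<11} {verdict}")
    print("all mitigations present" if ok else "ACTION NEEDED: see verdicts above")
```

Run it on each Linux host you manage; any "vulnerable" or "unknown" verdict means the kernel (or its boot parameters) still needs attention, whatever the firmware status says.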

Author: Wapack Labs, Asia Desk
Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.