Microsoft Patch Tuesday: Two zero-day flaws in Windows need immediate attention

Microsoft’s December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-focused update (TCP/IP and RDP) that will require significant testing, with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote). Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues.

Known issues

  • ODBC: After installing the December update, applications that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect. You might receive the following error messages: “The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server”.
  • RDP and Remote Access: After you install this or later updates on Windows desktop systems, you might be unable to reconnect to Microsoft DirectAccess after temporarily losing network connectivity or transitioning between Wi-Fi networks or access points.
  • Hyper-V: After installing this update on Hyper-V hosts managed by SDN-configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM).
  • Active Directory: Due to additional security requirements in addressing the security vulnerabilities in CVE-2022-38042, new security checks are implemented on domain net join requests. These extra checks may generate the following error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Re-using the account was blocked by a security policy.”
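As an added example (not from the original post), a PowerShell pre-deployment check for the ODBC known issue above: it lists the DSNs on a host that still point at the legacy Microsoft ODBC SQL Server Driver (sqlsrv32.dll), so the applications behind them can be tested before the December update is rolled out. It assumes the Wdac module’s Get-OdbcDriver and Get-OdbcDsn cmdlets are available (Windows 8 / Server 2012 and later) and that the driver’s Attribute property exposes its DLL path under the key Driver.

```powershell
# Added example, not part of the original post.
# Inventory ODBC DSNs bound to the legacy "SQL Server" driver (sqlsrv32.dll),
# the driver named in the December update's ODBC known issue.

$legacyDriverName = 'SQL Server'   # display name that maps to sqlsrv32.dll

# Confirm the registered driver really is sqlsrv32.dll (covers 32-bit and 64-bit registrations).
# Assumption: Attribute is a hashtable whose 'Driver' key holds the DLL path.
$legacyDrivers = Get-OdbcDriver -Name $legacyDriverName -ErrorAction SilentlyContinue |
    Where-Object { $_.Attribute['Driver'] -match 'sqlsrv32\.dll$' }

if (-not $legacyDrivers) {
    Write-Output 'No sqlsrv32.dll-based ODBC driver is registered; the ODBC known issue does not apply to this host.'
    return
}

# Collect every User and System DSN (both platforms) that uses the legacy driver.
# Assumption: DSN Attribute entries carry the usual 'Server' and 'Database' keys.
$affected = Get-OdbcDsn -DriverName $legacyDriverName -ErrorAction SilentlyContinue |
    Select-Object Name, DsnType, Platform,
        @{ Name = 'Server';   Expression = { $_.Attribute['Server'] } },
        @{ Name = 'Database'; Expression = { $_.Attribute['Database'] } }

if ($affected) {
    Write-Output 'DSNs using the legacy SQL Server ODBC driver (test these applications before patching):'
    $affected | Format-Table -AutoSize
} else {
    Write-Output 'Legacy driver is present, but no DSNs reference it.'
}
```

Applications that build DSN-less connection strings (Driver={SQL Server};...) will not appear in this list, so connection strings in application configuration still need a separate review.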

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .


Brad Hudson

VP of Cyber Security | vCISO
CISSP,CCSP,CCNP,MCSA,MCITP:EA,SA

Cybercrime Expected To Skyrocket in Coming Years

Earlier today, Statista published the following post: Chart: Cybercrime Expected To Skyrocket in Coming Years | Statista. According to estimates from Statista’s Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. Cybercrime is defined by Cyber Crime Magazine as the “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.” As more and more people turn online, whether for work or their personal lives, there are more potential opportunities for cybercriminals to exploit. At the same time, attacker techniques are becoming more advanced, with more tools available to help scammers. The coronavirus pandemic saw a particular shift in cyber-attacks, as Statista’s Outlook analysts explain: “The COVID-19 crisis led to many organizations facing more cyberattacks due to the security vulnerability of remote work as well as the shift to virtualized IT environments, such as the infrastructure, data, and network of cloud computing.”

Source: Statista Technology Market Outlook, National Cyber Security Organizations, FBI, IMF

One of the largest hurdles for cyber-security compliance is to develop and document a security program plan and measure that plan against a specific framework. Accomplishing this is our niche at Columbia Advisory Group. We have developed an approach where we document your current Security Program (what you have in place), assess your current state (define current maturity level), and then define a Plan (roadmap for the future). The best place to start is to perform vulnerability scanning and address weaknesses before they are exploited. We then evaluate current policies and procedures and recommend remediation and improvement. We can provide a Risk Register, a tool used to track identified Information Technology Security risks and define potential solutions. We provide many services that help an organization achieve compliance with a variety of security frameworks (CSF, CMMC, NIST 800-52, TAC 202) or prepare for certification (SOC 2 Type 2, ISO 27001, PCI). We can also help an organization write many of the policies and procedures required for compliance.

About the Author:
Lori DeMello is Columbia Advisory’s Director of Risk and Compliance. Lori is an expert in areas of Risk Management, Compliance, Security, Regulatory Reviews, Security Assessments, Audit Preparation and Response, Security Services, Continuity of Operations Planning, Risk Assessments, Risk Management Planning, Disaster Recovery, and Change Management. She leads efforts in creating and maintaining critical process documentation for CAG internally and for customers. She has 25 years of IT experience with certifications in PMP, ITILv2 and ITILv3.


Columbia Advisory Group Expands Availability of its Services via TIPS-USA Contract

IT issues are mission-critical, and we are glad to be able to help our education, municipal, county and state agency clients to respond to increased IT needs and tightening budgets.

DALLAS, TEXAS, UNITED STATES, August 29, 2022/EINPresswire.com/ — Columbia Advisory Group (CAG), the leading IT managed services and cybersecurity provider to public and private sector organizations, today announced the availability of its industry-leading services on The Interlocal Purchasing System (TIPS-USA).

The TIPS Program evolved to help streamline the procurement process and expedite purchases. As a co-op, both awarded technology vendors and public sector members – which include K-12 and private schools, colleges, universities, cities, counties, non-profits, and other government entities – can accelerate business transactions by requirements up-front.

Leveraging the TIPS-USA contract, higher-education and other government buyers can realize significant cost savings by reducing the overall time and expense of a cumbersome bid process. Because TIPS provides access to high-performance vendors, agencies can also achieve quick and efficient delivery of goods and services, particularly when it comes to cybersecurity and other IT services. In addition, TIPS provides access to state-of-the-art purchasing procedures to provide competitive contracts, bulk purchasing, and other efficiencies. For these reasons, TIPS has become a preferred purchasing vehicle for state and local entities.

The Interlocal Purchasing System currently serves entities such as state and local governments and non-profit organizations, including but not limited to K-12 school districts, Charter Schools, Colleges and Universities (State and Private), Cities/Municipalities, Counties/Parishes, State Agencies, Emergency Services Districts and Non-profit organizations as defined by the Internal Revenue Service, as well as many other entities with legislated purchasing/bidding requirements. TIPS-USA membership is free.

Now, with the addition of CAG to the TIPS-USA contract, members can realize digital transformation with a best-in-class IT services firm designed for public sector frameworks. CAG is trusted by multiple higher-education and government institutions, state agencies and school districts to manage their IT environments via cybersecurity services, digital optimization, and IT innovation.

“Our public sector clients appreciate the ability to secure our services via vetted contracts like that of TIPS-USA,” explains David McLaughlin, President and CEO of Columbia Advisory Group. “TIPS-USA will help our clients to move swiftly when they discover a need within their organization for our IT expertise. In today’s business age, IT issues are mission-critical, and we are glad to be able to help our education, municipal, county and state agency clients to respond to twin dynamics of increased IT needs and tightening budgets.”

For more than 10 years, CAG has helped leading public agencies to improve their cybersecurity postures and to improve their IT environment through managed service. CAG provides access to specialized practice teams, including cybersecurity, application support, IT governance, IT due diligence, project management, IT infrastructure and comprehensive audio-visual services.

To learn more about purchasing from CAG on the TIPS-USA contract, contact CAG.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity and A/V Services. CAG improves business outcomes with IT insights and expert technology support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com.

Columbia Advisory Group Adds Extended Detection and Response to IT Managed Service Portfolio with Abacode Partnership

“In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network.”

DALLAS, TEXAS, UNITED STATES, June 13, 2022 /EINPresswire.com/ — Dallas-based Columbia Advisory Group (CAG), a leading provider of IT Managed and Cybersecurity Services, today announced the expansion of its services via a partnership with Abacode, a leading provider of managed Extended Detection and Response (XDR).

The partnership between CAG and Abacode gives clients a one-stop shop for specialized IT Managed Services, Governance, Risk Management, and Compliance (GRC), Virtual CISO services and managed XDR services to analyze data breaches as they occur.

As organizations face increasing threats of ransomware, data breach, and phishing, they must upgrade their governance and compliance activities to minimize risk while simultaneously detecting and responding to breaches as they arise in order to understand, contain and prevent them. This capability requires increasingly scarce, competent cybersecurity leadership and specialized virtual Security Operations Center (vSOC) services that can investigate problems in real time and provide enterprise-wide visibility of controls compliance.

“Our many public-sector, educational, manufacturing, and health care clients already rely upon CAG for cybersecurity guidance and IT expertise. CAG is pleased to bolster our leading Cybersecurity practice by offering 24x7x365 SOC 2 Type 1 and 2 XDR services via our partner, Abacode. In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network,” said David McLaughlin, President and CEO of Columbia Advisory Group.

“Abacode is constantly striving to push the technology industry forward by partnering with top-notch leaders in the MSP space,” said Greg Chevalier, Senior Vice President – Partners and Sales Strategy for Abacode. “Partnering with Columbia Advisory Group ensures that clients not only have their information technology operations humming along at peak efficiency with their managed services but now includes Abacode’s Managed Detection and Response and Security Operations Center support.”

About Columbia Advisory Group:

Columbia Advisory Group (CAG) is a well-respected Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 500 customers. By focusing on practical solutions and straightforward analysis, CAG’s team supports many regulatory and economic environments and organizations of all sizes. Practice specialty areas include Cybersecurity, Infrastructure, IT Service Management, Application Management and A/V Services. Whether a client is high-growth or economically challenged, CAG can improve business outcomes with IT insight and support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com.

About Abacode

Abacode combines leading technologies and professional services to implement Cybersecurity and Compliance programs for clients throughout the world. Abacode enables clients to implement a Cyber Capability Maturity Model and benefit from its expert Extended Detection and Response capabilities. Abacode has offices in the Americas and Europe. Learn more at Abacode.com or connect with us at insight@abacode.com.

How The Growth of Esports Could Transform College Enrollment

Colleges around the country are always competing to attract students to their organizations, and this requires constant adaptation to the needs of the marketplace and a willingness to change with the times. With more competition than ever, it’s those colleges that can expand their marketing and enrollment strategies that will stay on the cutting edge. It’s difficult to do this, of course, because of the status quo bias that we all carry with us, but it’s a crucial skill for 2022 and beyond.

One good example of where this is coming into play is in how colleges treat new, emerging trends like the growth of esports.  It feels like we’re at an inflection point right as the industry continues to expand – and it feels like the right time to tackle just what this means for the future of higher education.  We believe that it represents a tremendous opportunity to grab onto some new potential – but we’ll let you be the judge of it.

Let’s dive in.

What are Esports and Why Do They Matter?

Esports refers to organized competitions in which people compete in video games. Any video game can fall into this category, and what sets it apart from a mere hobby is the vast industry that has developed around it. In a very short space of time, we’ve reached a point where large audiences want to watch these competitions, funders want to back them, and professional players see this as a viable long-term career for the very first time.

To give you a sense of the scale here, some competitions can fill football stadiums with in-person fans while also drawing thousands of people watching live online. It’s kind of surreal to think that video game competitions are garnering such interest, but that’s where the world is moving. Thanks to advancements in networking technology, the rapid growth of online streaming, and a societal change in the status of these games, this is now a very serious thing that all colleges should have their eyes on.

We rarely see such a distinct shift in something like this, and so it’s certainly worth paying attention to.

How Should Colleges Think About Esports?

There are some compelling reasons why colleges should be taking this trend seriously and adapting their strategies accordingly.  Here are some of the ones that stand out:

  • New Sporting Code.  For many colleges, the sporting component of the university is incredibly important.  It plays a major role in terms of raising funds, creating a strong brand, providing a well-rounded student experience, and developing an ecosystem of excellence that goes beyond the academics themselves.  

It’s in this vein that esports should be seriously considered as a new sporting code.  It’s inevitable that this world will continue to grow and colleges would do well to set themselves apart by recognizing this early and leaning into the potential here.  By attracting some of the top esports players that are coming out of schools, you give yourself a chance to optimize your admissions for the future – capturing talent that was previously not fully appreciated and creating a student body that represents the full spectrum of the modern world.  It also will help to create a strong sporting environment that can bear fruit in the future.

  • Transferable Skills.  Leaning into esports is also a counter-intuitive way of investing in skills that are very valuable in our modern era.  The very nature of esports is that it engrosses students in technology in a way that can be much more immersive and entertaining than some other means.  We’re always looking for ways to incentivize more engagement with STEM-related subjects and this is a great way to do this.  

Whether it’s the playing of the games itself, or the work that comes with setting up and managing the competitions, there is space for an entirely new collective to grow around these esports that can provide students with a new way to engage, learn, and advance as people.

  • Critical Thinking.  It might not seem so at first glance, but esports actually provides the perfect environment for the development of critical thinking skills.  In any game that you play, there are a range of cognitive and procedural things that you must learn in order to overcome obstacles and achieve the end objectives of the game.  The feedback loops on this learning are immediate and because the rewards are gamified, students don’t even see it as learning.  It becomes a trojan horse that trains concentration, strategic thinking, teamwork, and problem-solving in a way that just can’t be replicated via textbook or lecture.  

As we do more scientific studies into this phenomenon we’ll understand it better, but what is for sure is that these esports are so much more than just about the game.  They are a virtual microcosm for young people to explore new concepts and stretch themselves in service of their cognitive development.

Those are just three of the major points of consideration that should be front of mind for colleges the world over.  By taking these seriously and preparing for what is to come, you put yourself ahead of the game.

Where To From Here?

It’s clear that this trend isn’t turning around and while some dismiss it, others see the opportunity for something special here.  It can help with college enrollment, open up new pathways, and create spaces for new sorts of student engagement that might just transform the way that you think about your admissions process.

Those colleges who get ahead of the curve and start readying themselves for this future are going to have a significant advantage over those who ignore the signs.  Esports are here to stay and they are going to play a major role at the intersection of sport and technology going forward.  It’s time that we remove the stigma from this industry and embrace the rapid growth and widespread benefits that such sports can provide.

Why College Enrollment is Declining and How SIS Can Help

When colleges and universities were forced to close their doors midway through the spring of 2020 due to the COVID-19 virus, no one anticipated it would have such a dramatic effect on enrollment for the next two years.

In the fall of 2020, the first full semester in the pandemic, undergraduate enrollment dropped by 3.4%. That initial decline was expected as many students opted to stay home amidst fears of the virus. However, with multiple vaccines available and infection cases dropping, most experts predicted that enrollment rates would rebound.

That did not happen.

Enrollment dropped another 3.2% in the fall of 2021. This continued decline marks the biggest two-year decrease in the last 50 years.

While many believe that the pandemic is the primary reason for smaller undergraduate classes, the truth is that COVID only boosted what was already happening. There has been a steady decrease in new students enrolling in colleges and universities across the country. Between 2011 and 2019, student enrollment dropped 11%.

This decline has affected every type of higher-level institution, from community colleges and public state schools to for-profits and private liberal arts schools, forcing some smaller schools to permanently close. However, the schools most affected are two-year community colleges, which saw a 14.1% decline in enrollment during the past two years.

Why Are Fewer Students Attending College?

Before the pandemic, the biggest reason for declining enrollment was that the U.S. was experiencing a strong economy. Historically, when there is a recession and unemployment is up, people use that opportunity to get a higher education. When the economy is strong, more people leave college early or postpone it to start working.

However, with the sudden recession brought on by the pandemic, many families found themselves unable to pay for their children to attend college. This resulted in the numbers continuing to decline despite historical trends.

Also, colleges must account for the rise of non-traditional options like online colleges, massive open online courses (MOOCs) and technology bootcamps that offer industry-recognized certifications. These educational avenues are more affordable and oftentimes more accessible to students weighing their options.

And finally, the cost of college is also playing a major factor in the falling enrollment numbers. While there are financial benefits to earning a college degree, rising costs are beginning to take their toll on prospective students. Between 2009 and 2019, the cost of college increased by more than 25% at private universities and almost 30% at public schools.

What Impact Does Lower Enrollment Have on Colleges and Universities?

To put it bluntly, lower enrollment means there is less tuition being paid to the university. This has a direct impact on the school’s operating budget, resulting in cutbacks including, but not limited to:

  • Labor force reductions.
  • Canceled or diminished programs.
  • Postponed or canceled campus improvements.

How An Effective Student Information System Integration Can Help Improve College Enrollment

At some schools, there is little communication or collaboration between different departments or offices. Departments buy competing software tools that serve the same purpose instead of consolidating purchases under a single, effective solution. This makes it difficult for students to apply while understanding admission requirements and course transfer equivalencies.

If institutions want to improve enrollment, they need to rethink their practices, especially for recruitment, admission and registration. The key is making everything as simple as possible for your prospective students: a one-stop shop where they can access everything they need to apply.

To do this you need an easy-to-use and effective student information system (SIS) that is fully integrated with data systems across the institution.

By leveraging the full capabilities of your SIS, you can offer your students a fast and easy-to-use solution that allows them to access and handle every aspect of their student journey:

  • Admissions
  • Enrollment
  • Tuition
  • Financial Aid
  • Class Registration
  • Degree Program Planning
  • Graduation

You can also use SIS data analytics to make predictive models based on past and current trends. Used correctly, you can predict future trends in enrollment and adjust your recruitment efforts accordingly. For example, institutions might focus on specific demographics to maximize recruitment in key areas or recruit specific majors based on changes in enterprise, technology, or society. This helps drive traffic and encourages students to begin the steps necessary to admission.

Transfer equivalency software lets prospective students input their previous coursework from dual-credit high school work or classes from another college and immediately see how it applies to their new program course requirements. They can also compare different program requirements so they can determine which requires the fewest additional classes to graduate. This results in quicker graduation and savings for the student.

Academic course tracking software like Ellucian Degree Works provides comprehensive advising and degree auditing that helps students understand which courses to take and when to take them. This helps students understand course requirements, program timelines and course transfer status quicker and easier so they do not waste time and money taking unnecessary or redundant courses.

In addition, a mobile-friendly SIS is the preferred option for students as it eliminates a student’s reliance on their computer to access their degree program or enrollment data. Mobile access allows them to easily upload documents to the financial aid office or send vaccination records to the enrollment office.

Custom SIS Solutions for Your College or University

Columbia Advisory Group’s (CAG) mission is to provide the technology, resources, guidance and support you need to effectively optimize your SIS solution at your college or university. From IT consulting and managed services to ERP, LMS and SIS implementation and management, CAG delivers custom solutions that are flexible, scalable, and cost-effective to help you with your enrollment challenges.

CAG helps you create a unique student interface that’s simple, seamless, and branded. We integrate systems so that everything from application to enrollment follows automated admission rules so students do not have to jump through hoops to get accepted.

Using the Banner SIS suite, or your chosen SIS system, CAG can help you provide your students access to an entire suite of solutions that lets them do everything, including applying for admission, registering for classes, tracking their progress, and filing for graduation. CAG can help you choose and integrate SIS modules that you can use to create more efficient and streamlined business processes. This helps you focus on recruiting the type of students you want while marketing your school to the right prospects.

To learn more about how CAG can help you improve your SIS solutions to better serve your current and prospective students, click here and let us know how we can help you.

Civil Cyber-Fraud Initiative by the US Department Of Justice (DoJ): Everything You Need to Know!

The US Department of Justice (DoJ) has officially launched its new Civil Cyber-Fraud Initiative. It was introduced to strengthen cybersecurity standards among contractors undertaking government projects and receiving federal funds, as well as other grant recipients such as universities. Such organizations and beneficiaries need to address cybersecurity risks and report breaches to comply with the latest legislation and regulatory guidelines.

The new Cyber Fraud Initiative from the US Department of Justice brings together the department’s expertise in civil fraud enforcement, government contracting, and cybersecurity to counteract existing and growing cybersecurity risks to confidential material and safety infrastructure. The Department of Justice is working to improve the resilience of the country and its critical information infrastructure (CII) against increasingly sophisticated cybersecurity threats. New reforms were much needed to ensure the protection of trade secrets, Intellectual Property (IP), proprietary knowledge, trademarks, and copyrights, to protect the privacy of all stakeholders involved, and to prevent sensitive and confidential information from falling into the hands of threat actors. This will ensure that taxpayers’ money is used diligently and will also help build public trust in the system’s ability to safeguard their valuable information assets.

Cyber Fraud: Some Key Statistics

According to AtlasVPN, the damage done to organizations by cybercrime has increased by 37.4% with each passing year since 2019. Further, the rate of cybercrime is expected to increase by over 40%.


Some of the key cybercrime statistics from the US and around the globe show how threatening and challenging cybercrime has become:

  • FBI’s IC3 reported complaints in 2020 contained over 241,342 phishing, 76,741 extortion, and over 45,000 personal data cyber breaches.
  • Malicious actors attack 1/5th of educational institutions and universities, with 65% of data breaches targeting higher-education centers.
  • 2022 will be the year for misinformation campaigns surrounding cybercrimes, which will become the new attack vector.
  • Cybercrimes are ever-increasing and are estimated to cost $10.5 trillion per annum to businesses by 2025.

The New Civil Cyber-Fraud Initiative By The US DoJ

The new Civil Cyber-Fraud Initiative will use the False Claims Act to investigate cybersecurity-related misconduct by government contractors and those receiving federal grants and funds. The Act also incorporates a “whistleblower” clause that permits individuals who volunteer evidence pertinent to an inquiry to benefit from any assets recovered. The Department of Justice will utilize the FCA (False Claims Act) to hold organizations liable for failure to satisfy cybersecurity criteria, including actions for:

  • Offerings and services that aren’t up to par in terms of cybersecurity within the organization or for knowingly providing deficient cybersecurity products or services.
  • Cybersecurity-related information, cybersecurity protocols, and processes that are misrepresented or falsified.
  • Negligence by management or the organization in managing, tracking, and notifying cybersecurity incidents and data breaches.

While the DOJ’s approach is novel, the use of the False Claims Act to compel cybersecurity adherence is not. Still, due to the current Civil Cyber-Fraud Initiative, it has become more crucial than ever for institutions to be ready to deal with constitutional issues relevant to cyber intrusions. On a high level, the Civil Cyber-Fraud Initiative:

  • Holds the government contractors and grantees to their commitments to protect government information and infrastructure.
  • Ensures that government contractors recognize and develop strategies to comply with contract terms, statutes, and federal requirements.
  • Provides an opportunity for reimbursement of taxpayers’ and governments’ money if there is a compromise at the organization’s end.
  • Ensures that organizations receiving government grants and funds also work to build a strong cybersecurity posture.

Industries to be Impacted by The New Civil Cyber-Fraud Initiative

The Department of Justice’s Civil Cyber-Fraud Initiative may impact almost all private, public, or government organizations receiving government funds or grants, but let’s look at its impact on some of the critical sectors in detail:

  • Health Care and Life Sciences: The Cyber Fraud Initiative would target federal employees and federally funded beneficiaries. Therefore, medical and life sciences organizations that partner with or receive support from the legislative branch may be susceptible to FCA inspection.
  • Educational Institutions: Failure to comply with the Cyber-Fraud Initiative may have far-reaching ramifications for universities and higher education institutions receiving government funds and grants but who lack adequate cybersecurity safeguards. In consideration of federal requirements, every university or college that retains critical or privileged information must carefully evaluate the forms and the efficacy of its security controls and procedures.
  • Banking and Financial Industry: Banking and financial organizations are a significant target for malicious actors because of the scale and sensitivity of data that they store. Following the Cyber Fraud Initiative, all monetary regulators will need sufficient documentation and reporting structures, cybersecurity policies, and incident response strategies since any violation of rules would hold them accountable and liable.
  • Defense Industry: The initiative brings in the DOJ’s expertise and experience in government procurement and civil fraud enforcement to combat emerging cybersecurity threats and risks. This helps protect confidential and sensitive information and critical information systems. For instance, if a defense contractor misuses trade secrets stored digitally in the form of government intellectual property, the contractor could become liable, especially if the contractor fails to report the breach.

Risks of Non-Compliance

Non-Compliance with the new Civil Cyber Fraud Initiative opens organizations and individuals to various risks, such as:

  • Increased Liability Risks: The Department of Justice announced that it intends to hold organizations and individuals liable for various actions, including intentionally offering inadequate cybersecurity services, deliberately mischaracterizing their cybersecurity practices or procedures, and knowingly failing to report data breaches and infringements. Contractors may be held liable for failure to cooperate with cyber breach reporting terms in government contracts within the Cyber Fraud Initiative.
  • Penalties on Enterprises and Individuals: NIST 800-171 applies to any organization or agency that deals with Controlled Unclassified Information (CUI). Those who do not adhere to statutory cybersecurity requirements could be prosecuted using the FCA clause in the Cyber Fraud Initiative and face a penalty. Furthermore, besides enterprises, the DOJ can hold civilians legally responsible for cybersecurity-related fraud.
  • Increased Litigation Risks: In its announcement, the Department of Justice notably emphasizes relying on whistleblowers to help the government restore order. After establishing their cybersecurity baseline, organizations should consider an internal review with counsel to compare the declarations they have made to the federal government with their actual practices. The FCA cyber-risk exposes the organization to litigation if any disparities with the legal framework are identified.

Recommendations: Here is What Organizations Can Do!

Organizations can protect themselves better and ensure compliance with the Department of Justice’s new initiative with the help of:

  • Internal Audits and Assessments: Organizations should continue to identify their key information assets and evaluate their readiness for a cyber breach, and internal audits and assessments play a critical role in it. Based on the internal assessment, organizations can prioritize actions and processes to protect their information assets before, during, and after a security incident or data breach.
  • Continuous Monitoring and Reviews: Organizations must continuously monitor changes within the technology environment, vulnerability management, and day-to-day activities to anticipate infringements of federal regulatory frameworks, processes, and policies. They may use whistleblowers to help with the process.
  • Documentation: Clearly written standards, plans, and policies are essential for ensuring the organization’s compliance with the government’s cybersecurity requirements. Robust documentation will also help resolve internal issues and potential leaks by eliminating questions about the standard operating procedures (SOPs) to be followed to effectively identify and address a security incident.
  • Internal Discussions: Management should ensure that all policy-conformity discussions with the government are correctly recorded and readily available. They must also collaborate with the individuals who identify issues to analyze risk exposures.

Final Words

The Department of Justice’s Cyber Fraud Initiative seeking compliance with the False Claims Act is the government’s official legal remedy for cybersecurity negligence and fraud. The strategy raises the bar for adherence initiatives for federal contractors and federal grant beneficiaries, such as universities. The latter are far more at risk when adopting essential cybersecurity precautions and deciding whether or not to disclose a violation because of the False Claims Act.

Expect increased FCA litigation against organizations that fail to mitigate the risk of cyber breaches. Attentive cybersecurity compliance procedures will help protect sensitive data and minimize the risk of significant fines under the FCA.

References

  1. Krotoski, M., Baruch, D., & Fan, S. (2021, December 08). Are you prepared for DOJ’s Civil Cyber-Fraud Initiative? Morgan Lewis.
    https://www.morganlewis.com/pubs/2021/12/are-you-prepared-for-dojs-civil-cyber-fraud-initiative
  2. Department of Justice. (2021, October 6). Deputy Attorney General Lisa O. Monaco announces new Civil Cyber-Fraud Initiative.
    https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative
  3. Gersh, D., Moundas, C., O’Connor, A., Darch, J. & Hardy, G. (2021, November 24). DOJ Civil Cyber-Fraud Initiative may impact health care and life sciences companies. Mondaq.
    https://www.mondaq.com/unitedstates/security/1134852/doj-civil-cyber-fraud-initiative-may-impact-health-care-and-life-sciences-companies
  4. Shaheen, M., Bartle, S., & Trujillo, G. (2022, January 19). Cybersecurity compliance requirements may surprise higher ed. University Business.
    https://universitybusiness.com/cybersecurity-compliance-requirements-may-surprise-higher-ed/
  5. Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., & Guissanie, G. (2020). Protecting controlled unclassified information in nonfederal systems and organizations. Gaithersburg, MD: National Institute of Standards and Technology.
  6. The False Claims Act. (2019, June 17). Retrieved February 20, 2022, from Justice.gov website: https://www.justice.gov/civil/false-claims-act

Log4J: Neutralizing the latest global cybersecurity threat


Every day we see news about cybersecurity attacks, exploits, and hacks, to the point that we are relatively immune to what feels like sensationalized news about the latest and most devastating threat, no matter how legitimately concerned we should be. And on December 6th, when we were getting ready to go to the office holiday party and a weekend of shopping, the world was read in on a significant security vulnerability known as Log4J.

What is Log4J?

Log4J is a widely used open-source Java code library from the Apache Software Foundation, used by many servers across the world to record a log of activity and send it to a centralized server. It is integrated into thousands of software applications, services, systems, and websites, from Fortune 100 firms down to small providers.

What is the new vulnerability?

It was discovered that some common versions of Log4J are vulnerable to being forced to execute code via specially crafted URLs (web addresses) that pass through the logs. The address is processed by the system and used to download and execute code that can provide remote access to the machine or perform other malicious tasks. Information can reach the logs from a chat message, an online form submission, an email processed by a system that uses Log4J to log emails, or any other means by which data enters the logs, effectively allowing someone with nefarious intentions to see sensitive user data, install malware and spyware, or even take over machines for malicious purposes.

How widespread is this?

As noted on Wired.com, Twitter users have experimented with changing their display names to trigger the vulnerability, users of the game Minecraft triggered it through the in-game chat, and an iPhone user changed their device name to trigger the vulnerability (and did notify Apple). Cloud service providers such as Cloudflare rolled out temporary fixes for their customers, while heavily used systems from companies such as VMware, Oracle, Adobe, Red Hat, and others have worked to update to the latest release of Log4j published by Apache, which addresses the remote code execution vulnerability and downgrades the risk to moderate.

What do I need to do?

Your institution’s IT departments and security teams should be assessing their catalog of systems and software that use the Apache Log4J Java library to determine which systems may be vulnerable. Initial focus should be on public-facing systems, most likely the ERP and SIS systems used by the institution. They should also be working with those vendors on obtaining patches and scheduling updates to the systems as soon as practical.

In addition, it is important to make sure that faculty, staff, and students are aware of the exploit and how it can impact their personal BYOD (Bring Your Own Device) equipment such as iPhones, and to share best practices such as using two-factor authentication and keeping their devices up to date with the latest security patches.

If your IT department and security teams are unsure of a system’s potential vulnerability, they should check with the vendor to validate those systems have the latest security patches. If your institution does not have a security team, check with your managed security services provider. If you do not have a managed security service provider, reach out to Columbia Advisory Group as part of E&I contract CNR01469 to engage our team of experts to ensure your institution adheres to appropriate NIST standards and can manage, detect and respond to Log4j and other threats.
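As an added example for the inventory step described above (this is not code from the original article, from Apache, or from Columbia Advisory Group), the following Python script walks a directory of Java archives, reads the Maven metadata that a log4j-core jar normally carries, recurses into WAR and fat-jar files where bundled copies hide, and flags any copy older than 2.17.1, the release the article names as the fix. The version baseline, the metadata path, and the sample archives it builds in a temporary directory are assumptions constructed for the example.

```python
"""Inventory Java archives for a bundled log4j-core and flag versions older than
the fix release named in the article. Added example; sample data is constructed."""
import io
import os
import re
import tempfile
import zipfile

# Assumed baseline: the article names Log4j 2.17.1 as the release that fixes the issue.
FIXED_VERSION = (2, 17, 1)
# Assumed layout: Maven places this file inside every released log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_CLASS_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); strings that are not dotted numbers -> None."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(zf, label):
    """Return [(label, version)] for every log4j-core found in zf, recursing into
    nested archives (fat jars and WAR WEB-INF/lib are where copies usually hide)."""
    findings = []
    names = zf.namelist()
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        ver = next((parse_version(l[8:]) for l in props.splitlines() if l.startswith("version=")), None)
        findings.append((label, ver))
    elif any(n.startswith(CORE_CLASS_PREFIX) for n in names):
        findings.append((label, None))  # core classes present but no metadata (shaded/relocated)
    for n in names:
        if n.endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    findings.extend(inspect_archive(inner, f"{label}!{n}"))
            except zipfile.BadZipFile:
                pass  # suffix matched but it is not a real archive
    return findings


def scan_tree(root):
    """Walk root and map each archive (path relative to root, '!' marks nesting)
    to the log4j-core version it bundles, or None when the version is unreadable."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    for label, ver in inspect_archive(zf, os.path.relpath(path, root)):
                        results[label] = ver
            except zipfile.BadZipFile:
                continue
    return results


def needs_attention(version):
    """Unknown versions are treated as needing vendor follow-up, not as safe."""
    return version is None or version < FIXED_VERSION


def flagged(results):
    """Sorted labels of archives bundling an outdated or unidentifiable log4j-core."""
    return sorted(label for label, ver in results.items() if needs_attention(ver))


def build_sample_tree(root):
    """Constructed sample data (not real vendor software): one outdated jar,
    one current jar, and a WAR embedding an outdated log4j-core under WEB-INF/lib."""
    def write_core(zf, version):
        zf.writestr(CORE_CLASS_PREFIX + "Logger.class", b"")
        zf.writestr(POM_PROPS, f"version={version}\n")
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as zf:
        write_core(zf, "2.14.1")
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.17.1.jar"), "w") as zf:
        write_core(zf, "2.17.1")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        write_core(zf, "2.12.1")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())


def demo():
    """Build the constructed sample tree in a temp dir, scan it, and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    found = demo()
    for label in flagged(found):
        ver = found[label]
        print(f"NEEDS ATTENTION: {label} -> {'.'.join(map(str, ver)) if ver else 'version unknown'}")
```

Run it against a real installation with `scan_tree("/opt/vendor-app")` in place of `demo()`. A hit with a known version tells you what to ask the vendor to patch; a hit with no version (a shaded or relocated copy) only tells you the classes are present, which is exactly the case where the article's advice to confirm with the vendor applies. An empty result does not prove a system is clean, since an application can also pull the library from outside the scanned tree.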

Summary

The Log4J vulnerability has been patched by Apache with the introduction of Log4j 2.17.1, yet the threat is being actively exploited across the globe and still poses one of the largest security threats to date. The National Institute of Standards and Technology (NIST), which maintains a database of vulnerabilities, has listed this at its highest severity classification. Due to the widespread use of the open-source Log4J library by vendors, from small software applications to large enterprise systems and cloud services, there is a high likelihood that most organizations will have some risk to mitigate.

While the risk associated with Log4J has concrete solutions, the next cyber exploit will present a danger to your university’s operations.

Financing Innovation and Hedging Against Technology Uncertainty in Higher Education

In the EDUCAUSE Top 10 IT (Information Technology) Issues for 2022, one leader stated, “I believe that we have the opportunity to reconceptualize how it is that we are no longer going to be in front of the classroom but, instead, we’re going to be facilitators of knowledge.”1

As your organization considers how to facilitate knowledge, I draw your attention to the article’s Point #5, “The Digital versus Brick-and-Mortar Balancing Game: Creating a blended campus to provide digital and physical work and learning spaces.”

The traditional classroom learning model is in flux. Administrators, facilitators, and students are all looking for more efficient and accommodating ways to transfer information. Classroom schedules are becoming less rigid as online and on-demand resources are emerging.

There will be a lot of trial and error as innovative thinkers try to create a balance between the digital and the physical learning spaces. Some ideas will work better than others. There will be tremendous demand for both technical and functional resources.

As always, we consider the cost. When innovative technology delivers on expectations, it is well worth the investment. But, too often, the technology is too new and does not deliver exactly as hoped and budget resources are wasted.

While businesses may have some of the same challenges as education, businesses innovate using a different acquisition model. Many businesses have moved to an “as a Service” model for their technology. Instead of capital expenditure purchases (CapEx) for depreciating assets, businesses are opting for a monthly service fee (OpEx) for innovative technology. As with most software licenses, institutions pay a monthly fee for equipment, installation, warranty, and ongoing support. As technology changes, they simply roll out the old technology and replace it with new without the need for additional CapEx.

Higher Education can benefit from this model, too. Instead of making large acquisitions for depreciating technology like audio visual and classroom education technology, many institutions are moving to “Audio Visual as a Service” (AVaaS).

AV as a Service: 

  • Provides budget predictability – no unforeseen costs 
  • Allows flexibility to scale up or down as needs change 
  • Makes it possible to standardize AV systems while taking advantage of manufacturer volume discounts 
  • Frees up IT resources with centralized systems monitoring to enable focus on other strategic initiatives 
  • Provides the benefit of an ongoing, consistent, reliable AV technology partnership with industry professionals  

As you think about how you will create the perfect blend of the physical and the digital for your organization, consider AV as a Service. If you want some ideas on how it might work best for your organization, we can help.

Columbia Advisory Group offers design, procurement, logistics, installation, configuration, financing, and maintenance as a Service over 36- and 60-month periods.

1. Susan Grajek and the 2021–2022 EDUCAUSE IT Issues Panel, “Top 10 IT Issues, 2022: The Higher Education We Deserve,” EDUCAUSE Articles, November 1, 2021.