Why IoT Strategy Matters in Gas Pipeline Networks

The rapid expansion of the Internet of Things (IoT) has led to greater connectivity and improved efficiency across numerous industries, including the gas pipeline network. However, increased reliance on IoT devices also presents new cybersecurity challenges. In this blog post, we’ll discuss the Colonial Pipeline incident as a case study to highlight the importance of cybersecurity in IoT devices used in gas pipeline networks.

The Colonial Pipeline: A Wake-Up Call

In May 2021, Colonial Pipeline, one of the largest fuel pipelines in the United States, fell victim to a ransomware attack that forced a shutdown of its operations (The New York Times, 2021). This cyberattack led to gasoline shortages and price spikes across several states, emphasizing cybersecurity’s crucial role in maintaining the safety and security of gas pipeline networks.

IoT Devices: The Weakest Link?

IoT devices, designed primarily for ease of use, can often be the weak link in the cybersecurity chain for gas pipeline networks (CISA, n.d.). Many of these devices are connected to the internet and possess limited processing power and memory, making it challenging to update their security features. In the Colonial Pipeline incident, hackers exploited a vulnerability in the company’s IT infrastructure to access its systems, underlining the need for robust cybersecurity measures for IoT devices within gas pipeline networks.

Addressing the Challenge: A Multi-Layered Approach

To ensure the security of IoT devices in gas pipeline networks, it is crucial to adopt a multi-layered approach that includes both physical and software-based security measures (CISA, n.d.):

  1. Physical Security Measures: Implementing firewalls, access control systems, and network segmentation can help limit the spread of potential cyberattacks, reducing the risk of hackers accessing sensitive information or compromising pipeline control systems.
  2. Software-Based Security Measures: Encryption, secure protocols, and regular software updates are critical for safeguarding IoT devices in gas pipeline networks. Encryption protects sensitive data from being intercepted or stolen, while secure protocols like SSL/TLS ensure communication between devices remains private and tamper-proof. In addition, regular software updates help address known vulnerabilities and enhance overall system security.

The Colonial Pipeline incident is a stark reminder of the need for robust cybersecurity measures in the gas pipeline network. As IoT devices play an increasingly important role in monitoring and controlling pipelines, it is essential to protect them from cyberattacks by adopting a multi-layered approach to cybersecurity that incorporates physical and software-based security measures.

Sources:

The New York Times. (2021). A Cyberattack Forces Shutdown of a Top U.S. Pipeline. Retrieved from https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html

Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). Internet of Things (IoT) Security. Retrieved from https://www.cisa.gov/iot-security

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at info@columbiaadvisory.com.

U.S. Department of Education Reinforces Compliance with Updated Safeguards Rule

On February 9, a significant update was issued by the U.S. Department of Education’s Federal Student Aid (FSA) office. The update pertains to compliance with the Safeguards Rule, a component of the Gramm-Leach-Bliley Act (GLBA) that deals with customer records and information security and confidentiality. The GLBA, as described by the Federal Trade Commission (FTC), sets out to provide a robust framework for financial institutions to protect their customers’ personal data.

The GLBA applies to institutions of higher education that engage in financial activities such as providing student loans or banking services. Non-compliance with GLBA regulations may lead to the loss of eligibility for federal funding, potentially impacting the institution’s ability to offer financial aid to students.

The notice from the FSA emphasized the FTC’s decision to bring the revised Safeguards Rule into effect from June 9, 2023. The update outlines the major points of the Safeguards Rule following modifications made by the FTC in December 2021, highlighting FSA’s expectations for compliance.

A critical aspect of the announcement lies in how it applies the GLBA-defined term “customer information” to higher education, the domain of FSA’s oversight. “Customer information,” as defined under the GLBA, refers to data obtained during the provision of financial services to a student, whether current or past. The scope of financial assistance can include administering Title III and Title IV programs, offering institutional loans, including income share agreements, or servicing a private education loan for a student.

The FSA notice zeroes in on two main provisions of the revised Safeguards Rule, set to become effective in June:

  1. The requirement for institutions to encrypt customer data both at rest within institutional systems and during transmission across external networks.
  2. The mandate for multi-factor authentication (MFA) for anyone accessing customer information via institutional systems.

These provisions underscore the FSA’s commitment to enhancing data security and privacy within higher education institutions. However, the notice also alludes to some uncertainties in the enforcement process for Safeguards Rule compliance. It mentions that the FSA will resolve compliance issues linked to the new Safeguards Rule provisions once they come into effect, primarily through institutional Corrective Action Plans (CAPs). It neither clarifies what “other means” could lead to a compliance investigation nor provides any framework for the CAPs that institutions need to create and execute.

The reference to “other means” may stir apprehension, echoing a situation years ago when an FSA official sent compliance notices based on media reports of alleged cybersecurity incidents. This necessitates clear communication from the FSA regarding potential triggers for compliance investigations, apart from federal single audit findings.

Concluding the notice, FSA reinforces the importance of institutions adopting the NIST SP 800-171 cybersecurity guidelines concerning federal student financial aid data. The federal government’s controlled unclassified information (CUI) regulations will soon mandate institutional compliance with NIST SP 800-171.

As these changes unfold, CAG is committed to closely collaborating with community members to ensure that FSA’s guidance and enforcement adequately address the regulations and compliance areas.

Where can I find more information? For additional information, see FSA’s electronic announcement: Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements. If you have questions regarding the Department of Education’s enforcement of GLBA, please get in touch with FSA_IHECyberCompliance@ed.gov. More information is also available on the Federal Trade Commission’s website.

 

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.

Contact us at info@columbiaadvisory.com.

Why is Organized Crime Targeting Higher Education with Ransomware?

Eastern European organized cybercrime organizations are intentionally targeting US Higher Education institutions with ransomware attacks because they believe that these organizations are vulnerable and easy targets. The goal of these attacks is to encrypt the organization’s data, making it inaccessible to the users, and then demand a ransom payment in exchange for the decryption key.

Higher education institutions are particularly vulnerable to ransomware attacks because they have large amounts of sensitive information, such as personal data, research data, and financial information, stored on their networks. They also have limited budgets and resources, which makes it difficult for them to implement and maintain effective security measures. Additionally, many higher education institutions have outdated systems and software, which are more susceptible to exploitation.

The cost-effective approach to preventing ransomware attacks on higher education institutions involves a combination of technical and non-technical measures.

Educause recommends institutions implement a comprehensive security framework that includes the following elements:

       • Network security: This includes the use of firewalls, intrusion detection systems, and antivirus software to prevent unauthorized access to the network.
       • Endpoint security: Including the use of antivirus software and other security tools on end-user devices, such as computers and smartphones, to protect against malware infections.
       • User awareness: Instituting training and communication educating users on safe computing practices, such as avoiding suspicious email attachments and not downloading software from untrusted sources.
       • Data backup and recovery: This involves regularly backing up important data and having a disaster recovery plan in place in case of a security breach.
       • Incident response plan: Institutions need a plan in place for responding to security incidents, such as ransomware attacks, to minimize the impact of the attack and reduce the recovery time.

Gartner recommends that institutions also implement the following measures:

       • Application control: Protocols controlling the execution of software on end-user devices to prevent the execution of malicious software.
       • File integrity monitoring: This involves monitoring the changes to files on the network to detect and prevent unauthorized changes.
       • Security information and event management (SIEM): Systematically collecting, analyzing, and reporting on security-related data to detect security incidents and respond to them.
       • Vulnerability management: Regularly scanning the network for vulnerabilities and patching them to prevent exploitation.

In addition to these technical measures, it is important for higher education institutions to have a culture of security, where data security is considered a top priority and all employees are trained on safe computing practices.

As Eastern European organized cybercrime organizations continually target US Higher Education institutions with ransomware attacks, the large amounts of sensitive information stored on their networks are vulnerable. A cost-effective approach to preventing these attacks involves a combination of technical and non-technical measures, such as network security, endpoint security, user awareness, data backup and recovery, and incident response planning. It is important for higher education institutions to have a culture of security and to educate their employees on safe computing practices.

Brad Hudson

Cybersecurity Practice Lead


How Can a Phishing Attack Lead to More Fatal Cybercrimes Like Ransomware, and How Can Educational Institutions Keep Them at Bay?

As phishing attacks continue to threaten individuals and organizations, educational institutions are particularly at risk due to the sensitive information they handle. This article will explore the connection between phishing attacks and ransomware and discuss practical strategies for educational institutions to protect themselves from such threats.

One of the biggest threats that all internet users face is phishing. Phishing schemes attempt to trick individuals into providing their personal information, such as login credentials and credit card numbers, to cybercriminals masquerading as legitimate sources. The consequences of falling for these schemes can be dire.

However, things can get much worse. Cybercriminals are also on the prowl for even more damaging attacks, such as ransomware hacks. Ransomware attacks can lock down critical information to prevent users from accessing it unless they pay the ransom demanded by the attackers.

Unfortunately, educational organizations are even more susceptible to these attacks due to the sensitive information they possess, such as student records, financial reports, and research data. This reality puts even more pressure on educational institutions to stay vigilant and proactive to avoid security breaches.

To ensure the safety and integrity of such sensitive data, educational institutions need to take proactive measures to avoid phishing and ransomware attacks. A robust security system is crucial in ensuring the confidentiality, integrity, and availability of sensitive data stored on the organization’s systems.

Reasons Phishing Attacks are Rampant

In 2020, phishing emails and websites were the most common entry points for ransomware, with over 610,000 unique phishing websites identified. The concerning trend has continued into 2023, highlighting the ongoing threat posed by phishing attacks in the current digital landscape. But how does phishing run rampant throughout the digital world? The following sections have an answer.

1. Use of AI-ML-based Tools by Attackers
Phishing attacks have become increasingly sophisticated with attackers’ use of AI-ML-based tools. These tools allow attackers to automate and personalize their attacks, making them more convincing and harder to detect. For instance, attackers use machine learning algorithms to create compelling phishing emails that mimic the writing style and language used by the victim’s contacts, making it easier to dupe the victim into falling for the scam. And with AI-related tools now widely available on the market, the malicious attacks of threat actors have become more efficient, effective, and profitable.

2. Availability of Phishing Kits
Phishing kits have empowered threat actors by providing them with professionally written, pre-built tools that enable them to launch phishing attacks with minimal effort or expertise. These kits, available for purchase on the dark web, contain thousands of lines of code and can be easily configured based on the attacker’s campaign. Following such an approach allows threat actors to launch campaigns quickly and effortlessly, making it difficult for defenders to keep up with the rapidly changing threat landscape.

3. Inadequate Security Awareness
The most significant vulnerability malicious actors exploit is inadequate employee training on security awareness in some institutions, particularly regarding phishing and ransomware. This deficiency is the primary reason why such attacks continue to succeed. It can severely undermine employees’ ability to recognize phishing attacks and respond appropriately, resulting in devastating consequences. Failing to address this training and security gap leaves organizations vulnerable to threat actors who are all too eager to exploit it.

Understanding the Connection Between Phishing and Ransomware

Phishing has emerged as the primary vehicle for delivering ransomware, making it the most significant cyber threat to organizations in recent years. 78% of organizations experienced at least one ransomware attack in 2021, with 68% attributing the cause to direct email payload or second-stage malware delivery. In addition to that, IBM’s Cyber Resilient Organization Study identified the top three causes of ransomware as phishing (45%), malicious websites (22%), and social media (19%). Phishing and ransomware are closely related because phishing is one of the root methods for delivering ransomware.

The success of a ransomware attack often depends on the attackers’ ability to deliver the malware to the victim’s system, which is why they frequently use phishing emails as a delivery method. These social engineering schemes are carefully crafted to appear legitimate and customized to specific targets, making them difficult to identify. The sheer volume of emails received by individuals, especially students, also makes it challenging for them to scrutinize incoming emails and note suspicious red flags, which increases the number of successful phishing attacks.

Why are Educational Institutes Easy Targets for Phishing and Ransomware Threat Actors?

With limited IT resources, some educational institutes may be unable to keep up with patch management and other maintenance processes that keep systems safe from exploits. The inadequacy of cybersecurity countermeasures, limited IT resources, and the pressure to deliver educational services make schools and educational systems an attractive target for malicious actors.

Educational institutes are not adequately immune to phishing and ransomware attacks, as revealed by an 18-year-old student named Bill Demirkapi at the recent Def Con hacker conference. Demirkapi revealed that his school’s software, including Blackboard’s Community Engagement software and Follett’s Student Information System, contained multiple vulnerabilities that could be exploited using SQL injection and XML inclusion attacks to steal PII (Personally Identifiable Information) or even manipulate grades.

Here are some recent ransomware attacks on school districts that show educational institutes are not safe:

    • Louisiana Schools: Three school districts in Louisiana were targeted by a ransomware attacker in July 2019. The attack crippled several phone and IT systems, and the state activated emergency cybersecurity powers to bring in the National Guard and cyber experts.
    • Columbia Falls School District: The school district was threatened by malicious actors with a data lockup expecting a ransom of $150,000. The attackers declared they would expose student names, addresses, and grades if they didn’t receive the demanded amount.
    • Syracuse: The New York City schools were hit with a ransomware attack that locked down one of their computer systems. The district paid the ransom, partially covered by insurance, but they were still locked out of their servers even after paying the ransom.

How Can a Phishing Attack Lead to More Fatal Cyberthreats Like Ransomware?

A phishing attack is a common and effective method used by threat actors to gain unauthorized access to sensitive data in educational institutes by tricking victims into disclosing personal information or downloading malware. While phishing attacks seem independent, they could be a first step to more severe cyber threats such as ransomware, malware, data theft, and more.

Malicious actors often use phishing attacks to deliver ransomware or malware payloads because they can customize phishing emails to target specific individuals. In a successful phishing attack, the attacker can introduce ransomware into the victim’s system, rendering their data inaccessible unless a ransom is paid, causing significant harm to the victim.

Strategies for Preventing Phishing and Ransomware Attacks in Educational Organizations

Here are a few practical strategies for preventing phishing and ransomware attacks in educational institutes:

    • Leveraging AI-Based Anti-Phishing Solutions: One vital strategy to prevent phishing and ransomware attacks in educational institutes is leveraging AI-based anti-phishing solutions. These solutions use machine learning algorithms to detect and block phishing emails before they reach their targets. They can also analyze email content and metadata to identify suspicious patterns and behavior, such as unusual IP addresses or domain names, and flag them for further investigation.
    • Engaging a Trusted Vendor or Managed Security Service Provider (MSSP): Engaging a trusted vendor or MSSP is critical in preventing phishing and ransomware attacks in educational institutes. These providers have the expertise, experience, and resources to provide comprehensive security solutions, including threat intelligence, risk assessments, vulnerability management, and incident response. They can help educational institutes implement security best practices and provide ongoing support.
    • Educate Faculty, Staff, and Students: Among the most effective ways to prevent phishing and ransomware attacks is educating everyone in the educational institution on the risks of such attacks. Conduct regular training sessions that help them identify and avoid suspicious emails, attachments, and links. This way, they can recognize phishing emails and report them to the IT department before any damage is done.
    • Implement a Strong Security Policy: The first step is establishing a robust security policy. School networks should block access to potentially risky sites, and student app downloads should be monitored and restricted. Educational institutions must also include mobile security in their cybersecurity strategies since threat actors often use mobile IoT devices, such as laptops, desktops, smartphones, or tablets, to gain access to the network. IoT device testing and implementing end-to-end encryption can significantly reduce the risk posed by attackers.
    • Access Control Implementation: Given that educational institutions have a vast network of students, teachers, and staff, it is crucial to implement access control measures that limit individuals’ access to only the required programs. IAM (Identity and Access Management) systems working on the ‘least-privilege’ and ‘need-to-know’ principles are found to be efficient in significantly reducing malicious infiltration. Access control offers two critical advantages. Firstly, it prevents unauthorized individuals from accessing sensitive information. Secondly, it limits attackers’ ability to cause harm if they compromise someone’s account.

Higher Ed must prioritize investing in modern and effective cybersecurity technologies to protect themselves against the constantly evolving threat of cybercrime.

Educational institutions face a significant threat from phishing attacks, which can escalate into more dangerous cyber threats like ransomware. To safeguard against such risks, educational institutes must proactively implement practical strategies for preventing and mitigating the damage caused by phishing attacks and other related cyber threats. This can be achieved by raising awareness among staff and students, implementing strong security measures, and working with experienced cybersecurity experts. Educational institutes can ensure the safety and security of their systems and data by taking concrete steps, such as adopting AI-based anti-phishing solutions to keep their information assets secure from malicious actors.

Brad Hudson

VP of Cyber Security


What is CMMC 2.0, and Why Must I Comply With it if I am a Small Business?

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors and other organizations that handle sensitive information for the DoD have adequate cybersecurity controls in place. The CMMC framework includes three levels of cybersecurity maturity, with Level 1 representing the entry level of cybersecurity and Level 3 representing the highest level, expert.

CMMC version 2.0 is the latest version of the framework, which was released in 2021. It includes several updates and improvements over previous versions, including:

  1. A streamlined model: CMMC 2.0 focuses on the most critical requirements. In addition, CMMC 2.0 reduces the model from 5 to 3 compliance levels and is aligned with NIST cybersecurity standards.
  2. A new certification process: CMMC 2.0 introduces a new certification process designed to be more streamlined and efficient. This process includes assessments and audits by third-party organizations accredited by the CMMC Accreditation Body (CMMC-AB).
  3. A focus on supply chain security: CMMC 2.0 includes a greater emphasis on supply chain security, with specific requirements for protection against the introduction of malicious software and other cyber threats through the supply chain.

If you are a small business that works with the DoD or handles sensitive information for the DoD, it is crucial to comply with CMMC 2.0 to protect your organization and your customers from cyber threats. Failure to comply with CMMC 2.0 could result in lost contracts and other negative consequences for your business.

In addition to helping protect your business and your customers, complying with CMMC 2.0 can also have other benefits, such as:

  1. Improved cybersecurity: By implementing the cybersecurity practices outlined in CMMC 2.0, you can improve your overall cybersecurity posture and reduce your risk of cyber incidents.
  2. Enhanced reputation: By demonstrating your commitment to cybersecurity through CMMC 2.0 compliance, you can enhance your reputation as a reliable and trustworthy business partner.
  3. Increased competitiveness: As more organizations begin implementing CMMC 2.0, compliance may become necessary for doing business with the DoD and other government agencies. Demonstrating compliance can increase your competitiveness and position your business for future growth.

Cybersecurity Maturity Model Certification 2.0 recently entered the Defense Department’s rulemaking process. The rulemaking process is the final step before it becomes an official requirement. However, despite questions about the industry’s cybersecurity capabilities and the challenging documentation process, defense companies could be required to comply with CMMC for new contracts as soon as May 2023.

Brad Hudson

VP of Cyber Security

Why is it a Good Idea for Higher Education to Outsource its Cybersecurity Framework Assessments and Consider Hiring a Fractional vCISO

There are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments (NIST Cybersecurity Framework, HIPAA, GDPR, etc.) and hiring a fractional virtual Chief Information Security Officer (vCISO).

First and foremost, outsourcing Cybersecurity Framework Assessments can provide higher education institutions with access to a greater level of expertise and experience. Cybersecurity Framework Assessments, such as NIST Cybersecurity Framework, HIPAA, GDPR, etc., are a comprehensive set of security and privacy controls used by many organizations, including higher education institutions, to ensure the confidentiality, integrity, and availability of their systems and data. However, conducting these assessments can be a complex and time-consuming process that requires specialized knowledge and skills. By outsourcing these assessments to a qualified third party, higher education institutions can leverage the expertise and experience of professionals who have a deep understanding of numerous Cybersecurity Frameworks and how to implement their controls effectively.

Another reason to outsource Cybersecurity Framework Assessments is to ensure that the evaluation is conducted objectively and without bias. In organizations that perform internal assessments, the risk of bias or subjectivity creeps into the process. Unfortunately, this can lead to an incomplete or inaccurate measurement of the organization’s security posture; in turn, this can increase the chances of an incident, such as a breach or intrusion, that may result in the loss, damage, or disclosure of assets. By outsourcing the assessment to a third party, higher education institutions can ensure that the evaluation is performed objectively and without bias, providing a more accurate picture of their security posture.

After a cybersecurity framework assessment has been conducted, it’s paramount that a Governance, Risk, and Compliance Program is put in place to manage risk moving forward. In addition, a security program and plan need to be developed to track and remediate deficiencies identified during the assessment. Therefore, CAG recommends hiring a fractional vCISO to guide higher education institutions through the Governance, Risk, and Compliance minefields. A fractional vCISO is a professional who works remotely part-time or on a contract basis, providing expert guidance and support to the organization’s security efforts. In addition, a fractional vCISO can offer a range of services, including conducting risk assessments, developing and implementing security policies and procedures, and providing guidance on compliance with regulatory requirements such as NIST, GDPR, HIPAA, and FERPA.

In conclusion, there are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments and hiring a fractional vCISO. These approaches can provide higher education institutions access to greater expertise and experience, ensure that assessments are conducted objectively and without bias, and build a robust Governance, Risk, and Compliance program through a fractional vCISO. In addition, by leveraging these resources, higher education institutions can strengthen their security posture and better protect their systems and data.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

Brad Hudson

VP of Cyber Security

What is TAC 202?

Texas Administrative Code Chapter 202 (TAC §202) is a set of rules and regulations that outline the minimum information security and cybersecurity responsibilities and roles at state agencies and institutions of higher education in Texas. This chapter is designed to protect the confidentiality, integrity, and availability of information systems and data within these organizations and ensure they are secure against potential cyber threats.

One of the critical provisions of TAC §202 is the requirement that agencies and institutions of higher education use the TAC §202 Security Controls Standards Catalog. This catalog is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, R4, a widely-recognized security standard for information systems. The security controls catalog is designed to provide a common language and minimum standards for implementing security measures, which helps to ensure that all agencies and institutions use consistent and effective security practices. By adhering to these standards, these organizations can reduce their risk of cyber-attacks and data breaches, which can seriously affect their operations and reputation. Additionally, using a centrally-managed controls catalog can help streamline the implementation of security measures, as it provides a clear set of guidelines that can be followed.

One of the primary responsibilities of agencies and institutions of higher education under TAC §202 is to implement appropriate security measures to protect their information systems and data. Institutions should conduct regular risk assessments to identify potential vulnerabilities and implement controls to mitigate those risks. It also includes implementing measures to protect against unauthorized access to systems and data, such as firewalls and intrusion detection systems.

TAC §202 also requires agencies and institutions of higher education to have robust incident response plans to effectively respond to and recover from cyber attacks or data breaches. An Incident Response Plan is a document that outlines the procedures, steps, and responsibilities of an organization’s incident response program. In addition, these organizations need to have a strategy to communicate with stakeholders about the incident to minimize any potential impacts on their operations or reputation.

In addition to implementing security measures, TAC §202 also requires agencies and institutions of higher education to have a strong focus on cybersecurity awareness and training. Security awareness includes providing regular training to employees on how to identify and prevent cyber threats and report potential incidents. It is also essential for these organizations to have a culture of cybersecurity in which employees are encouraged to be vigilant about protecting information systems and data.

Overall, TAC §202 is an essential set of rules and regulations that help to ensure the security and integrity of information systems and data within state agencies and institutions of higher education in Texas. By following the standards outlined in the TAC §202 Security Controls Standards Catalog, these organizations can effectively protect themselves against cyber threats and maintain the trust and confidence of their stakeholders. TAC §202 plays a vital role in the cybersecurity landscape of Texas.

SOC 2 compliance refers to a set of privacy and security standards for service providers designated by the AICPA (American Institute of Certified Public Accountants). Although complying with SOC 2 is not mandatory, customers often demand it from organizations they interact with, especially cloud-based services, to ensure that their data is protected. Organizations looking to meet compliance standards must ensure specific service controls and procedures regarding their information systems’ confidentiality, security, availability, and processing integrity. The systems include the organization’s people, processes, technology, physical infrastructure, and servers.

What is a SOC 2 Report?

To get a SOC 2 report, an organization providing services must undergo a third-party audit. The SOC 2 auditor will be either an American Institute of Certified Public Accountants (AICPA) certified firm or a CPA (Certified Public Accountant). They will evaluate your security posture and determine if your controls, policies, and processes comply with the SOC 2 requirements.

The audit reports assess if the service providers undergoing the review have drafted and implemented effective procedures meeting the SOC 2 objectives. Enterprises that successfully pass the SOC 2 audit use the compliance designation to demonstrate that they are committed to the security and privacy of their customers and stakeholders.

SOC 2 is one of the three types of SOC reports. The other two are SOC 1 and SOC 3. A brief description of all three follows:

  • SOC 1 Reports: AICPA mainly developed the SOC 1 framework targeting third-party service providers, which assures your clients that you are handling their financial information safely and securely. SOC 1 reports give your clients an objective evaluation regarding controls addressing compliance, operations, and internal controls over financial reporting.
  • SOC 2 Reports: The SOC 2 framework helps businesses demonstrate their compliance with security controls. After organizations started measuring the effectiveness of their security controls through the SAS 70 audit standard, AICPA developed SOC 2 with an emphasis on security. It is rooted in the Trust Services Criteria or TSC (discussed later). It provides assurance about the internal controls related to the TSC and comprehensive information on the auditor’s testing in an organization.
  • SOC 3 Reports: The AICPA says that an organization prepares a SOC 3 report to meet the requirements of clients who want assurance regarding the controls related to processing integrity, security, availability, privacy, or confidentiality of a service provider but do not know how to use a SOC 2 report effectively. Thus, SOC 3 contains the same information as SOC 2 but is drafted for a general audience.

Understanding SOC 2 Reports:

  • SOC 2 Type 1: This report focuses on the ‘design’ of an enterprise’s security controls at a specific moment. It describes the existing controls and procedures, reviewing the documents around these controls. Furthermore, it validates the adequacy of all administrative, logical, and technical controls.
  • SOC 2 Type 2: It focuses on the ‘design’ and ‘operating effectiveness’ of controls and takes longer to assess the controls, typically between 3-12 months, and includes the auditor running penetration tests to monitor how the organization handles data security risks over a period. The independent review confirms that the enterprise strictly complies with the requirements outlined by AICPA. The SOC 2 Type 2 audit process includes:
    • Reviewing the audit scope
    • Creating a project plan
    • Testing controls for design and operational effectiveness
    • Authenticating the results
    • Delivering the organization’s report.

Organizations new to compliance can easily confuse SOC 2 Type 1 and Type 2 reports. SOC 2 Type 1 differs from Type 2 in that it assesses the security setup and process design at a specific time. On the other hand, the Type 2 report (also written as “Type II”) estimates how adequate the controls are over a more extended period by observing operations for usually six to 12 months.

Why Would You Need to Comply with SOC 2?

Following are the six reasons why organizations must obtain a SOC 2 compliance report:

  • Cost-effectiveness: Some businesses might think that audit costs are high. However, a SOC 2 audit helps avoid security breaches that are far costlier. For instance, in 2021, a data breach cost more than $4.2 million on average – a figure rising yearly.
  • Competitive advantage: A SOC 2 report will give you an edge over competitors who cannot demonstrate compliance.
  • Peace of mind: Passing the stringent SOC 2 audit assures improved security posture for your networks and information systems.
  • Regulatory compliance: SOC 2’s requirements sync with other frameworks, like the International Organization for Standardization’s ISO 27001 and Health Insurance Portability and Accountability Act (HIPAA). Thus, the certification can boost your organization’s overall compliance efforts.
  • Insights: A SOC 2 report gives valuable insights into your business’s risk and security posture, internal controls governance, vendor management, regulatory oversight, and more.

What is Required for SOC 2 Compliance?

You can attract more business with security covered. However, those operating in the finance or banking sector or an industry where confidentiality and privacy are paramount must achieve a higher compliance standard. AICPA defines SOC 2 based on the Trust Services Criteria, which have the following principles:

  • Security: It focuses on operational/governance controls to protect your data and demonstrate that systems at a service organization are protected against unauthorized access and other risks that could impact the service organization’s ability to provide the services promised to clients. All SOC 2 requirements are optional except those that fall under Security. Selecting additional SOC 2 principles may vary based on the type of data you store or process.
  • Availability: It focuses on the accessibility of the system and how you maintain and monitor your infrastructure, data, and software to ensure you have the system components and processing capacity to meet your business objectives.

SOC 2 compliance requirements in the ‘Availability’ category include:

  1. Measuring current usage: Establishing a capacity management baseline to evaluate the risk of availability caused by capacity constraints.
  2. Identifying environmental threats: Assessing environmental threats that can impact system availability, like adverse weather, power cuts, fire, or failure of environmental control systems.

  • Processing integrity: It focuses on delivering the correct data at the right time and place. Furthermore, data processing must be accurate, valid, and authorized.

SOC 2 compliance requirements in the ‘Processing integrity’ category include:

  1. Creating and maintaining records for system inputs: Compiling accurate records of all the system input activities.
  2. Defining processing activities: This ensures that the products or services meet specifications.

  • Confidentiality: It restricts disclosure of and access to private data so that only specific, authorized organizations or people can view it. Confidential data can include business plans, sensitive financial information, customer data, or intellectual property.

SOC 2 compliance requirements in the ‘Confidentiality’ category include:

  1. Identifying confidential information: Implementing procedures to identify personal and sensitive information when you create or receive it and determine how long you must retain it.
  2. Destroying confidential information: Implementing procedures to erase sensitive information identified and marked for destruction.

  • Privacy: It focuses on the organization’s adherence to the client’s privacy safeguards and AICPA’s generally accepted privacy principles (GAPP). The SOC category considers methods for collecting, using, and retaining personal information and the process for the disposal and disclosure of data.

SOC 2 compliance requirements in the ‘Privacy’ category include:

  1. Using clear and conspicuous language: The organization’s privacy notice must be clear and coherent, leaving no chance for misinterpretation.
  2. Collecting information from reliable sources: The organization confirms third-party data sources are trustworthy and operates its data collection process legally and fairly.

Additional SOC 2 Compliance Checklist

SOC 2 compliance is based on the five Trust Services Categories: availability, processing integrity, confidentiality, privacy, and security. Security forms the SOC 2 compliance baseline and includes broad criteria common to all trust service categories.

The security principle focuses on the service’s asset and data protection against unauthorized access or use. Organizations can implement access controls to prevent unauthorized data removal, malicious attacks, misuse of the organization’s software, or unsanctioned disclosure of organizational information.

The essential SOC 2 compliance checklist (that will satisfy the auditor) should address these controls:

  • Physical and logical access controls: How the organization restricts and manages physical and logical access to prevent unauthorized access.
  • System operations: How the organization manages its system operations to detect and prevent deviations from set procedures.
  • Change management: How the organization implements a controlled change management process and mitigates unauthorized changes.
  • Risk management: How the organization identifies and develops risk mitigation activities while navigating business disruptions and using vendor services.

Does Law Require SOC 2 Certification?

Generally, SOC 2 compliance certification is not legally required. However, most Software-as-a-Service (SaaS) and business-to-business (B2B) vendors should consider getting certified if they haven’t already because SOC 2 is a crucial requirement in vendor contracts.

Can You Use Software to Speed Up SOC 2 Compliance?

As mentioned, SOC 2 primarily revolves around policies and processes and is little concerned with technical tasks. Hence, there is no dedicated, automated tool that will quickly make your business SOC 2 compliant.

Furthermore, the SOC 2 requirements are not prescriptive; hence you must define your processes and controls for SOC 2 compliance and then use automated tools to make their implementation easy. Such a system will monitor and alert you whenever a technical control failure occurs. For example, suppose one of your controls limits access to your systems to specific administrators. You can deploy a tool that tracks and retrieves the status of permissions in real time.

For every implemented control, think of the evidence you will present to the auditor. You must remember that defining a rule is merely a part of the SOC 2 compliance requirements; you must demonstrate that it works effectively. 

SOC 2 Vs. SOC 1: How To Determine if the SOC 2 Audit is for You?

CPAs may choose to go for either a SOC 1 or SOC 2 compliance audit. You must comply with SOC 2 Type 2 if you store customer data. To determine if you require a SOC 2 audit, you must start by knowing how SOC 2 differs from SOC 1.

  • SOC 1: SOC 1 compliance considers controls relevant to an organization’s internal control over financial reporting. The reports can be either Type 1 or Type 2. The Type 1 report signifies that the enterprise suitably defines and implements the rules in operation. The Type 2 report would offer these assurances, including an opinion if the controls were adequate throughout an extended period.
  • SOC 2: SOC 2 compliance is voluntary for service organizations that wish to demonstrate their commitment to information security. Like SOC 1 reports, SOC 2 reports also come in two types.

Your organization must pursue SOC 1 if your services affect your clients’ financial reporting. For example, if your enterprise creates software processing your clients’ collections and billing data, you are impacting their financial reporting, and hence a SOC 1 is appropriate. Another reason enterprises prefer SOC 1 is that their clients demand a “right to audit.” Without SOC 1, it can be a time-intensive and costly process for both parties, especially if a few of your clients ask to submit a similar request. Additionally, you must comply with SOC 1 as a compliance requirement.

On the other hand, no compliance framework like HIPAA or PCI-DSS requires you to be SOC 2 compliant. In other words, if your business does not process financial data but only hosts or processes other data types, you require the SOC 2 report. With today’s business environment becoming extraordinarily aware and sensitive regarding data breaches, your clients will want proof that you are taking adequate precautions to protect their data and prevent any leaks.

Thus, the choice to pursue either SOC 1 or SOC 2 certification depends on your organization’s operational profile. A critical determining factor when choosing between SOC 1 and SOC 2 is your organization’s controls affecting your client’s control over financial reporting. You can engage an audit firm to determine whether SOC 1 or SOC 2 certification (or both) is the right fit for your enterprise.

A thorough understanding of the difference between SOC 2 Type 1 and SOC 2 Type 2 reports will help service providers handle their customers’ data with appropriate security. They must consider investing in the technical audit necessary for a SOC 2 report to protect their clients’ non-financial yet confidential and sensitive data. Many clients today expect SOC 2 compliance from their service providers, and if you are SOC 2 compliant, it demonstrates your dedication to cybersecurity. 

Brad Hudson

VP of Cyber Security

Phishing: How The Monster Is Changing Its Shape and Size – Phishing Protection in a Post-COVID World

Cyber scams during COVID-19 have shaped a new term – scamdemic: a global epidemic of frauds and scams. There was an unprecedented rise in cybersecurity scams during the pandemic. Phishing emerged as the most frequent attack type. Read on to learn how malicious actors changed their tactics in 2022 and how you can protect yourself.

The COVID-19 pandemic changed how people live, including how everyone conducts business and social interactions and how work lives function. Regarding the latter, enforcement of social distancing and lockdowns resulted in an increasing number of people experiencing changed work habits. Some employees adapted – often even abruptly – to using messaging apps, digital platforms, and other communication channels for everyday activities. Thus, there was a worldwide shift from office to remote (home) work. The overlooked consequence of the change was the increase in cyber risks, which resulted in a rapid escalation of cyber-attacks.

The State of Phishing Report for 2022 by SlashNext highlights that traditional security strategies, including proxy servers, secure email gateways, and firewalls, no longer prevent phishing threats, especially as attackers increasingly launch these attacks from personal and messaging apps and trusted servers. Thus, phishing attacks are a rising concern, as the following statistics show.

Key Statistics

Here is a look at the key statistics which signify the rising phishing problem:

  • SlashNext analyzed numerous link-based URLs, messages, and attachments in email, browser, and mobile channels in 2022 and found over 255 million attacks – a 61% rise in phishing attack rates compared to 2021.
  • A Check Point Research (CPR) report found emerging social engineering scam trends shifting away from tech giants and shipping establishments toward social networking sites. In Q1 2022, social networks became the most targeted category, followed by shipping.
  • Zscaler pointed out that, from January to March 2020, COVID-19-themed phishing attacks increased by 30,000%.
  • APWG’s Phishing Activity Trends Report says that phishing attacks hit an all-time high in 2021. December 2021 recorded an unprecedented 300,000 attacks, signifying these incidents became over three times more common than they were two years before.
  • UK’s Cyber Security Breaches Survey 2022 signifies that phishing is the most common cyber threat that targets UK businesses and charities. 83% of them suffered a phishing scam.
  • 2022’s first quarter saw a dramatic rise in phishing attacks. CheckPoint revealed in its 2022 Q1 Brand Phishing Report that malicious actors planned phishing attacks impersonating professional social networking websites. Attacks related to LinkedIn alone comprised over half (52%) of all phishing attempts globally. 

Post-COVID Threat Landscape Isn’t Reducing – Threat Actors Are One Step Ahead

Once authorities lifted the COVID-19 restrictions, employees started moving back to their offices, and malicious actors adapted to the change again. While remote workers were their primary targets for 18 months, new phishing campaigns targeted those who were returning to the physical workplace. The following are some prominent examples:

  • Cofense observed an email-based campaign that targeted employees with emails impersonating their CIO and welcoming them back to the office. The emails appeared legitimate and contained the organization’s official logo and the CIO’s signature. The message outlined the organization’s new precautions and business operation changes connected with the pandemic.
  • India saw a surge in new phishing techniques after the government launched electric vehicle (EV) incentives.
  • Some phishing attempts preyed upon financial fear. For example, in a scam, bank customers were informed that their accounts were on hold due to suspicious logins or transactions. Users became victims when they attempted to resolve the issue by clicking on the embedded link.
  • The BazarBackdoor attackers send malware-free mail, bypassing email security and directing users to a website contact form. Once a user submits the form, the perpetrators send malware through a purported response file through a file-transfer service to avoid email security.
  • Some latest phishing attacks send malware links through QR codes embedded in emails or stickers in restaurants or public locations. The QR codes directly execute malware or redirect the users to credential-stealing websites.
  • Microsoft recently discovered a multi-stage phishing attack on businesses that don’t use multi-factor authentication. The first stage steals an employee’s email credentials, and the second stage creates a new Office 365 account in their name on a rogue device. After getting established on the new computer, the threat actors use the victim’s account to send internal phishing attacks to the organization or clients using legitimate email accounts.

Top 2022 Phishing Tactics Used By Malicious Actors

In 2022, phishing attacks exploited vulnerabilities unheard of earlier. Here are the year’s top tactics:

  • Typosquatting: Threat actors register domains that users can enter by accident. For example, instead of typing www.phishingexample.com, a user can type www.phishingexanple.com (hitting the ‘n’ key next to the intended ‘m’ key by mistake). If an attacker registers the www.phishingexanple.com domain, the user enters the attacker’s website instead of the legitimate www.phishingexample.com website. If the imposter website looks the same as the legitimate one, the user can easily get tricked into sharing their credentials.
  • Lookalike Domain Attacks: While typosquatting depends on the victim making a typo, lookalike domains exploit the difficulty of differentiating between words or similar characters. For example, an attacker can craft a phishing email with an uppercase “I” instead of the lowercase “l,” making www.iurethevictim.com look like Iurethevictim.com. Having end users targeted by what they think is a legitimate website opens various challenges, like loss of user confidence, theft, fraud, and reduced traffic (and business) to your website. Thus, if you can quickly discover and avoid scam sites, you can mitigate the risks linked to fraud and loss of brand reputation.
  • Executive Impersonation: Executive impersonation is an effective tactic. If malicious actors can spoof or compromise an executive’s email account, they can craft phishing emails to lure unsuspecting users to legitimate-looking phishing sites. If a user who believes the fake email to be from their boss enters their credentials into the spoofed website, the attackers steal them and gain unauthorized access.
  • Credential Reuse Attacks: Unfortunately, credential reuse (using the same password, etc., across different platforms) is common among end users because it is inconvenient to create new credentials for every application. If a phishing attack retrieves a credential set successfully, the attackers can access other applications with the same information. Because of credential reuse, such attacks grant attackers access to multiple accounts across various platforms.
  • High-Level Employee Targeting: High-level employees can access sensitive, confidential, and proprietary information that other employees cannot. If attackers obtain their login credentials, they can access sensitive corporate data in the cloud (which organizations store within their network perimeter). Thus, these credentials are the keys to the domain, and stealing them makes threat actors capable of planning large-scale data breaches traditionally mitigated by network perimeter solutions.
  • Financial Scams: Sophisticated phishing campaigns target login credentials and aim to steal financial information from end users. In a financial scam-type phishing attack, the threat actors trick the user into visiting a phishing site, making them share personal or financial information and conduct financial transfers or transactions with it. For example, threat actors may design a site pretending to be a charity platform raising money for the pandemic victims. The unsuspecting users might get fooled into donating cash through it.
  • Business Email Compromise: In BEC, malicious actors spoof the email credentials of top officials of an organization, like the CEO. They then send orders to subordinates to make money transfers of massive amounts. The assistants follow the instructions thinking it to be their boss’s command. Business email compromise (BEC) is rising, and attackers exploit it to make money from fake wire transfer requests.
  • Spear Phishing on Small Businesses: In today’s growing threat landscape, there is nothing too small to become a phishing attack target. Small businesses get targeted frequently with cyberattacks because they often have less IT security than large organizations. Spear phishing is more dangerous than phishing because it is targeted and not generic. Threat actors deploy it in an attack using BEC.
  • Using Initial Access Brokers to Make Phishing Attacks More Effective: One way threat actors make more money is by taking help from specialists called Initial Access Brokers. They are malicious actors who only focus on initially breaching the network or organizational accounts. The rising use of these experts in the field makes phishing attacks more threatening and difficult for end users to detect.
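
A defender-side check for the typosquatting and lookalike-domain items above, added here as an example and not part of the original post: it classifies the host shown in a link against a protected domain. The keyboard-adjacency table, the small confusable set, the function names, and the reading of the second example as imitating lurethevictim.com (lowercase "l") are assumptions.

```python
"""Triage displayed link hosts against a protected domain (defensive check)."""

# One string per keyboard row; neighbours in a row count as a slipped key.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
ADJACENT = {}
for _row in QWERTY_ROWS:
    for _i, _ch in enumerate(_row):
        ADJACENT[_ch] = set(_row[max(0, _i - 1):_i] + _row[_i + 1:_i + 2])

# Small hand-picked confusable set (assumption; not a full Unicode table).
CONFUSABLE_CHARS = {"0": "o", "1": "l"}
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def dns_name(host):
    """Name as DNS sees it: case-insensitive, no trailing dot, no 'www.' label."""
    name = host.strip().rstrip(".").lower()
    return name[4:] if name.startswith("www.") else name


def skeleton(host):
    """Fold the text a reader sees into one form per look; 'I' reads as 'l'."""
    seen = host.strip().rstrip(".")
    folded = "".join("l" if c == "I" else CONFUSABLE_CHARS.get(c, c.lower())
                     for c in seen)
    if folded.startswith("www."):
        folded = folded[4:]
    for pair, single in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, single)
    return folded


def single_slip(real, typed):
    """Name the one-keystroke slip that turns `real` into `typed`, else None."""
    if len(real) == len(typed):
        diff = [i for i in range(len(real)) if real[i] != typed[i]]
        if len(diff) == 1:
            i = diff[0]
            if typed[i] in ADJACENT.get(real[i], set()):
                return "adjacent-key substitution"
            return "substitution"
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and real[diff[0]] == typed[diff[1]]
                and real[diff[1]] == typed[diff[0]]):
            return "transposition"
        return None
    if abs(len(real) - len(typed)) != 1:
        return None
    longer, shorter = (real, typed) if len(real) > len(typed) else (typed, real)
    for i in range(len(longer)):
        if longer[:i] + longer[i + 1:] == shorter:
            return "omission" if len(real) > len(typed) else "insertion"
    return None


def classify(displayed, protected):
    """Return (verdict, detail) for a host as displayed to the user."""
    cand, prot = dns_name(displayed), dns_name(protected)
    if cand == prot:
        return ("exact", "same DNS name")
    # Lookalike: a different DNS name that reads the same on screen.
    if skeleton(displayed) == skeleton(prot):
        return ("lookalike", "confusable characters")
    # Typosquat: one keystroke away from the protected name.
    slip = single_slip(prot, cand)
    if slip:
        return ("typosquat", slip)
    return ("unrelated", "")


def triage(displayed_hosts, protected):
    """Return (host, verdict, detail) for every host that imitates `protected`."""
    flagged = []
    for host in displayed_hosts:
        verdict, detail = classify(host, protected)
        if verdict in ("lookalike", "typosquat"):
            flagged.append((host, verdict, detail))
    return flagged


# Constructed sample: hosts as they might appear in links of reported mail.
SAMPLE_HOSTS = [
    "www.phishingexample.com",   # legitimate
    "www.phishingexanple.com",   # the typosquat example from the list above
    "phishingexarnple.com",      # 'rn' drawn to look like 'm'
    "phishingexmaple.com",       # two letters swapped
    "example.org",               # unrelated
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS, "www.phishingexample.com"):
        print(row)
    print(classify("Iurethevictim.com", "lurethevictim.com"))
```

The lookalike test runs on the text as displayed because DNS ignores case: the uppercase "I" only deceives the reader, while the name actually registered differs from the protected one by a single letter.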

How To Redefine Cybersecurity in a Post-COVID World

Organizations’ strategies to counter the threats mentioned above will vary according to each organization’s cyber security maturity level. Generally, they must focus more on new cybersecurity models, including ‘zero trust.’ Following are ways individuals and organizations can remain protected:

  • Antivirus Protection: Employees must have an antivirus software license for their information systems. A good antivirus solution can eliminate many attacks.
  • Cybersecurity Awareness: Organizations must brief their staff on best procedures and practices to regulate sending emails or sensitive content to other parties or cloud storage.
  • Phishing Awareness: Employees must remain vigilant when receiving emails and check the sender’s addresses’ authenticity.
  • Home Network Security: Employees must ensure that their home Wi-Fi remains protected by a strong password.
  • Using VPN: Virtual private networks offer an additional protection layer to home internet use. They can remain a stringent barrier against cyberattacks.
  • Identifying Vulnerable Spots: Each IT system has vulnerabilities. Organizations must run tests to identify and patch them quickly. It can take the form of vulnerability scanning or penetration testing. Furthermore, businesses must perform hardening of technical infrastructure components.
  • Frequent Reviews: Organizations must evaluate cybersecurity risk exposure regularly and determine whether the existing controls are robust. The IT teams must consider new cyberattack forms during these reviews.
  • Renewing Business Crisis and Continuity Plans: Top managers must update their business continuity plans considering various cyberattacks.

More advanced measures that users can take are:

  • Applying New Tools and Technology: IT teams can use advanced tools like host checking (which checks the endpoint’s security posture before authorizing access) to reinforce remote work security.
  • Intelligence Techniques: Businesses must encourage proactive cyber threat intelligence to identify indicators of attacks (IOC) and address them.
  • Risk Management: Organizations can apply GRC (governance, risk, and compliance) solutions to improve risk management. GRC solutions offer a detailed view of the organization’s risk exposure and help link various risk disciplines (cybersecurity, business continuity, and operational risks).
  • Prepare for Attacks: In today’s high-risk times, businesses must carry out frequent cyber crisis simulation exercises and prepare their response to a phishing attack.
  • Zero Trust Infrastructure: CIOs and CISOs must consider implementing the zero-trust framework for cybersecurity. It is a security model where only authorized and authenticated devices and users get access to applications and data.

The COVID-19 pandemic taught people that preparation is critical to limit the risks linked to cyberattacks. Malicious actors have been clever in changing their tactics to adapt to changing situations and executing sophisticated phishing attacks. The ability of a user to quickly react to unforeseen events helps lower the impact of a cyberattack. Today, organizations that benefit from secure remote work capabilities are better prepared to face the growing risk of phishing attacks. Consequently, businesses fearing risks must quickly assess their exposure to phishing attacks and prioritize initiatives to address cybersecurity gaps.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

References

  1. Al-Qahtani, A. F., & Cresci, S. (2022). The COVID-19 scamdemic: A survey of phishing attacks and their countermeasures during COVID-19. IET Information Security, 16(5), 324–345. doi:10.1049/ise2.12073
  2. Damcova, K. (2022, May 6). Phishing attack trends to beware of in 2022. Retrieved January 4, 2023, from IQ in IT website: https://iqinit.uk/news/phishing-attack-trends-to-beware-of-in-2022/
  3. Nabe, C. (n.d.). Impact of COVID-19 on cybersecurity. Retrieved January 4, 2023, from Deloitte Switzerland website: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
  4. Ideal Integrations (2022, March 14). New phishing techniques to watch for in 2022. Retrieved January 4, 2023, from Ideal Integrations® website: https://www.idealintegrations.net/beware-these-new-phishing-techniques/
  5. McCurdy, R. (2022, November 8). The Biggest Phishing Breaches of 2022 and how to avoid them for 2023. Retrieved January 4, 2023, from Security Boulevard website: https://securityboulevard.com/2022/11/the-biggest-phishing-breaches-of-2022-and-how-to-avoid-them-for-2023/
  6. Over 255m phishing attacks in 2022 so far. (2022, October 26). Retrieved January 4, 2023, from Security Magazine website: https://www.securitymagazine.com/articles/98536-over-255m-phishing-attacks-in-2022-so-far
  7. Page, C. (2021, June 1). Hackers are targeting employees returning to the post-COVID office. TechCrunch. Retrieved from https://techcrunch.com/2021/06/01/hackers-phishing-post-covid-office/
  8. (2022, September 28). Webinar wrap-up: Cyber security in a post-COVID world: New challenges & opportunities. Retrieved January 4, 2023, from Simplilearn.com website: https://www.simplilearn.com/cyber-security-challenges-and-opportunities-post-covid-article


Brad Hudson

VP of Cyber Security | vCISO - CISSP, CCSP, CCNP, MCSA, MCITP:EA,SA

Why is it a good idea for Higher Education to outsource its Cybersecurity Framework Assessments and consider hiring a fractional vCISO

There are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments (NIST Cybersecurity Framework, HIPAA, GDPR, etc.) and hiring a fractional virtual Chief Information Security Officer (vCISO).

First and foremost, outsourcing Cybersecurity Framework Assessments can provide higher education institutions with access to a greater level of expertise and experience. The frameworks behind these assessments, such as the NIST Cybersecurity Framework, HIPAA, and GDPR, define comprehensive sets of security and privacy controls used by many organizations, including higher education institutions, to ensure the confidentiality, integrity, and availability of their systems and data. However, conducting these assessments can be a complex and time-consuming process that requires specialized knowledge and skills. By outsourcing these assessments to a qualified third party, higher education institutions can leverage the expertise and experience of professionals who have a deep understanding of numerous Cybersecurity Frameworks and how to implement their controls effectively.

Another reason to outsource Cybersecurity Framework Assessments is to ensure that the evaluation is conducted objectively and without bias. In organizations that perform internal assessments, there is a risk that bias or subjectivity creeps into the process. Unfortunately, this can lead to an incomplete or inaccurate measurement of the organization’s security posture; in turn, this can increase the chances of an incident, such as a breach or intrusion, that may result in the loss, damage, or disclosure of assets. By outsourcing the assessment to a third party, higher education institutions can ensure that the evaluation is performed objectively and without bias, providing a more accurate picture of their security posture.

After a cybersecurity framework assessment has been conducted, it’s paramount that a Governance, Risk, and Compliance Program is put in place to manage risk moving forward. In addition, a security program and plan need to be developed to track and remediate deficiencies identified during the assessment. Therefore, CAG recommends hiring a fractional vCISO to guide higher education institutions through the Governance, Risk, and Compliance minefields. A fractional vCISO is a professional who works remotely part-time or on a contract basis, providing expert guidance and support to the organization’s security efforts. In addition, a fractional vCISO can offer a range of services, including conducting risk assessments, developing and implementing security policies and procedures, and providing guidance on compliance with regulatory requirements such as NIST, GDPR, HIPAA, and FERPA.

In conclusion, there are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments and hiring a fractional vCISO. These approaches can provide higher education institutions access to greater expertise and experience, ensure that assessments are conducted objectively and without bias, and build a robust Governance, Risk, and Compliance program through a fractional vCISO. In addition, by leveraging these resources, higher education institutions can strengthen their security posture and better protect their systems and data.


Brad Hudson

VP of Cyber Security | vCISO - CISSP, CCSP, CCNP, MCSA, MCITP:EA,SA

Microsoft Patch Tuesday: Two zero-day flaws in Windows need immediate attention

Microsoft’s December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-focused update (TCP/IP and RDP) that will require significant testing with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote). Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues.

Known issues

  • ODBC: After installing the December update, applications that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect. You might receive the following error messages: “The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server”.
  • RDP and Remote Access: After you install this or later updates on Windows desktop systems, you might be unable to reconnect to (Microsoft) Direct Access after temporarily losing network connectivity or transitioning between Wi-Fi networks or access points.
  • Hyper-V: After installing this update on Hyper-V hosts managed by SDN-configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM).
  • Active Directory: Due to additional security requirements in addressing the security vulnerabilities in CVE-2022-38042, new security checks are implemented on domain net join requests. These extra checks may generate the following error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Re-using the account was blocked by a security policy.”
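As an added example (not from Microsoft or the original post), the script below triages log lines collected after the December update is deployed, separating the documented ODBC and domain-join error strings quoted above from failures that need their own investigation. The log layout, host names, and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Signatures taken from the known-issues list above; whitespace between the
# bracketed tokens is optional because log sources format it differently.
KNOWN_ISSUES = {
    "ODBC (sqlsrv32.dll)": re.compile(
        r"\[ODBC SQL Server Driver\]\s*Unknown token received from SQL Server", re.I),
    "AD domain join (CVE-2022-38042 hardening)": re.compile(
        r"NERR_AccountReuseBlockedByPolicy|\b0xaac\b", re.I),
}

# Constructed sample lines in a hypothetical "<timestamp> <host> <message>" layout.
SAMPLE_LOG = """\
2022-12-14T09:02:11 app01 The EMS System encountered a problem. Message: [Microsoft][ODBC SQL Server Driver]Unknown token received from SQL Server
2022-12-14T09:02:40 app01 The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server
2022-12-14T09:05:03 ws17 Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory.
2022-12-14T09:06:55 ws22 Login timeout expired
2022-12-14T09:07:10 malformed
"""

def triage(log_text):
    """Return ({issue: {host: count}}, [unmatched lines]) for post-patch review."""
    hits = defaultdict(lambda: defaultdict(int))
    unmatched = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:          # skip blank or truncated lines instead of crashing
            continue
        _, host, message = parts
        for issue, pattern in KNOWN_ISSUES.items():
            if pattern.search(message):
                hits[issue][host] += 1
                break
        else:
            unmatched.append(line)  # not a documented side effect: investigate separately
    return {issue: dict(hosts) for issue, hosts in hits.items()}, unmatched

if __name__ == "__main__":
    matched, other = triage(SAMPLE_LOG)
    for issue, hosts in matched.items():
        print(issue, hosts)
    print("needs separate investigation:", other)
```

Per-host counts show which systems to prioritize in regression testing, while the unmatched list keeps unrelated failures from being written off as patch side effects.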


Brad Hudson

VP of Cyber Security | vCISO
CISSP,CCSP,CCNP,MCSA,MCITP:EA,SA