U.S. Department of Education Reinforces Compliance with Updated Safeguards Rule

On February 9, a significant update was issued by the U.S. Department of Education’s Federal Student Aid (FSA) office. The update pertains to compliance with the Safeguards Rule, a component of the Gramm-Leach-Bliley Act (GLBA) that deals with customer records and information security and confidentiality. The GLBA, as described by the Federal Trade Commission (FTC), sets out to provide a robust framework for financial institutions to protect their customers’ personal data.

The GLBA applies to institutions of higher education that engage in financial activities such as providing student loans or banking services. Non-compliance with GLBA regulations may lead to the loss of eligibility for federal funding, potentially impacting the institution’s ability to offer financial aid to students. Non-compliance with GLBA regulations may lead to the loss of eligibility for federal funding, potentially affecting the institution’s ability to provide financial assistance to students.

The notice from the FSA emphasized the FTC’s decision to bring the revised Safeguards Rule into effect from June 9, 2023. The update outlines the major points of the Safeguards Rule following modifications made by the FTC in December 2021, highlighting FSA’s expectations for compliance.

A critical aspect of the announcement lies in how it applies the GLBA-defined term “customer information” to higher education, the domain of FSA’s oversight. “Customer information,” as defined under the GLBA, refers to data obtained during the provision of financial services to a student, whether current or past. The scope of financial assistance can include administering Title III and Title IV programs, offering institutional loans, including income share agreements, or servicing a private education loan for a student.

The FSA notice zeroes in on two main provisions of the revised Safeguards Rule, set to become effective in June:

  1. The requirement for institutions to encrypt customer data both at rest within institutional systems and during transmission across external networks.
  2. The mandate for multi-factor authentication (MFA) for anyone accessing customer information via institutional systems.

These provisions underscore the FSA’s commitment to enhancing data security and privacy within higher education institutions. However, the notice also alludes to some uncertainties in the enforcement process for Safeguards Rule compliance. It mentions that the FSA will resolve compliance issues linked to the new Safeguards Rule provisions once they come into effect, primarily through institutional Corrective Action Plans (CAPs). It doesn’t clarify what “other means” could lead to a compliance investigation nor provides any framework for the CAPs that institutions need to create and execute.

The reference to “other means” may stir apprehension, echoing a situation years ago when an FSA official sent compliance notices based on media reports of alleged cybersecurity incidents. This necessitates clear communication from the FSA regarding potential triggers for compliance investigations, apart from federal single audit findings.

Concluding the notice, FSA reinforces the importance of institutions adopting the NIST SP 800-171 cybersecurity guidelines concerning federal student financial aid data. The federal government’s controlled unclassified information (CUI) regulations will soon mandate institutional compliance with NIST SP 800-171.

As these changes unfold, CAG is committed to closely collaborating with community members to ensure that FSA’s guidance and enforcement adequately address the regulations and compliance areas.

Where can I find more information? For additional information, see FSA’s electronic announcement: Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements. If you have questions regarding the Department of Education’s enforcement of GLBA, please get in touch with FSA_IHECyberCompliance@ed.gov. More information is also available on the Federal Trade Commission’s website. Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements | Knowledge Center

 

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.

Contact us at info@columbiaadvisory.com.

How Can a Phishing Attack Lead to More Fatal Cybercrimes Like Ransomware, and How Can Educational Institutions Keep Them at Bay?

As phishing attacks continue to threaten individuals and organizations, educational institutions are particularly at risk due to the sensitive information they handle. This article will explore the connection between phishing attacks and ransomware and discuss practical strategies for educational institutions to protect themselves from such threats.

One of the biggest threats that all internet users face is phishing. Phishing schemes attempt to trick individuals into providing their personal information, such as login credentials and credit card numbers, to cybercriminals masquerading as legitimate sources. Not to mention, the consequence of falling for these schemes can be dire.

However, things can get much worse. Cybercriminals are also on the prowl for even more damaging attacks, such as ransomware hacks. Ransomware attacks can lock down critical information to prevent users from accessing it unless they pay the ransom demanded by the attackers.

Unfortunately, educational organizations are even more susceptible to these attacks due to the sensitive information they possess, such as student records, financial reports, and research data. This reality puts even more pressure on educational institutions to stay vigilant and proactive to avoid security breaches.

To ensure the safety and integrity of such sensitive data, educational institutions need to take proactive measures to avoid phishing and ransomware attacks. A robust security system is crucial in ensuring the confidentiality, integrity, and availability of sensitive data stored on the organization’s systems.

Reasons Phishing Attacks are Rampant

In 2020, phishing emails and websites were the most common entry points for ransomware, with over 610,000 unique phishing websites identified. The concerning trend has continued into 2023, highlighting the ongoing threat posed by phishing attacks in the current digital landscape. But how does phishing run rampant throughout the digital world? The following sections have an answer.

1. Use of AI-ML-based Tools by Attackers
Phishing attacks have become increasingly sophisticated with attackers’ use of AI-ML-based tools. These tools allow attackers to automate and personalize their attacks, making them more convincing and harder to detect. For instance, attackers use machine learning algorithms to create compelling phishing emails that mimic the writing style and language used by the victim’s contacts, making it easier to dupe the victim to fall for the scam. And with the advancement of AI-related tools widely available on the market, the malicious attacks of threat actors have become more efficient, effective, and profitable.

2. Availability of Phishing Kits
Phishing kits have empowered threat actors by providing them with professionally written, pre-built tools that enable them to launch phishing attacks with minimal effort or expertise. These kits, available for purchase on the dark web, contain thousands of lines of code and can be easily configured based on the attacker’s campaign. Following such an approach allows threat actors to launch campaigns quickly and effortlessly, making it difficult for defenders to keep up with the rapidly changing threat landscape.

3. Inadequate Security Awareness
The most significant vulnerability malicious actors exploit is the inadequate employee training on security awareness in some institutions, particularly in phishing and ransomware. This deficiency is the primary reason why such attacks continue to succeed. It can severely undermine employees’ ability to recognize phishing attacks and respond appropriately, resulting in devastating consequences. Failing to address this training and security gap leaves organizations vulnerable to threat actors who are too eager to exploit it.

Understanding the Connection Between Phishing and Ransomware

Phishing has emerged as the primary vehicle for delivering ransomware, making it the most significant cyber threat to organizations in recent years. 78% of organizations experienced at least one ransomware attack in 2021, with 68% attributing the cause to direct email payload or second-stage malware delivery. In addition to that, IBM’s Cyber Resilient Organization Study identified the top three causes of ransomware as phishing (45%), malicious websites (22%), and social media (19%). Phishing and ransomware are closely related because phishing is one of the root methods for delivering ransomware.

The success of a ransomware attack often depends on the attackers’ ability to deliver the malware to the victim’s system, which is why they frequently use phishing emails as a delivery method. The social engineering schemes, carefully crafted to appear legitimate and customized to specific targets, making them difficult to identify, and the sheer volume of emails received by individuals, especially students, has made it challenging for them to scrutinize incoming emails and note suspicious red flags, increasing successful phishing attacks.

Why are Educational Institutes Easy Targets for Phishing and Ransomware Threat Actors?

With limited IT resources, some educational institutes may be unable to keep up with patch management and other maintenance processes that keep systems safe from exploits. The inadequacy of cybersecurity countermeasures limited IT resources, and the pressure to deliver educational services make schools and educational systems an attractive target for malicious actors.

All educational institutes are not adequately immune to phishing and ransomware attacks, as revealed by an 18-year-old student named Bill Demirkapi at the recent Def Con hacker conference. Demirkapi revealed that his school’s software, including Blackboard’s Community Engagement software and Follett’s Student Information System, contained multiple vulnerabilities that could be exploited using SQL injection and XML inclusion attacks to steal PII (Personally Identifiable Information) or even manipulate grades.

Here are some recent ransomware attacks on school districts to showcase how all educational institutes are not safe:

    • Louisiana Schools: Three school districts in Louisiana were targeted by a ransomware attacker in July 2019. It crippled several phones, IT systems and the state-activated emergency cybersecurity powers to bring in the National Guard and cyber experts.
    • Columbia Falls School District: The school district was threatened by malicious actors with a data lockup expecting a ransom of $150,000. The attackers declared they would expose student names, addresses, and grades if they didn’t receive the demanded amount.
    • Syracuse: The New York City schools were hit with a ransomware attack that locked down one of their computer systems. The district paid the ransom, partially covered by insurance, but they were still locked out of their servers even after paying the ransom.

How Can a Phishing Attack Lead to More Fatal Cyberthreats Like Ransomware?

A phishing attack is a common and effective method used by threat actors to gain unauthorized access to sensitive data in educational institutes by tricking victims into disclosing personal information or downloading malware. While phishing attacks seem independent, they could be a first step to more severe cyber threats such as ransomware, malware, data theft, and more.

Malicious actors often use phishing attacks to deliver ransomware or malware payloads because they can customize phishing emails to target specific individuals. In a successful phishing attack, the attacker can introduce ransomware into the victim’s system, rendering their data inaccessible unless a ransom is paid, causing significant harm to the victim.

Strategies for Preventing Phishing and Ransomware Attacks in Educational Organizations

Here are a few practical strategies for preventing phishing and ransomware attacks in educational institutes:

    • Leveraging AI-Based Anti-Phishing Solutions: One vital strategy to prevent phishing and ransomware attacks in educational institutes is leveraging AI-based anti-phishing solutions. These solutions use machine learning algorithms to detect and block phishing emails before they reach their targets. They can also analyze email content and metadata to identify suspicious patterns and behavior, such as unusual IP addresses or domain names, and flag them for further investigation.
    • Engaging a Trusted Vendor or Managed Security Service Provider (MSSP): Engaging a trusted vendor or MSSP is critical in preventing phishing and ransomware attacks in educational institutes. These providers have the expertise, experience, and resources to provide comprehensive security solutions, including threat intelligence, risk assessments, vulnerability management, and incident response. They can help educational institutes implement security best practices and provide ongoing support.
    • Educate Faculty, Staff, and Students: Among the most effective ways to prevent phishing and ransomware attacks is educating everyone in the educational institution on the risks of such attacks. Conduct regular training sessions that help them identify and avoid suspicious emails, attachments, and links. This way, they can recognize phishing emails and report them to the IT department before any damage is done.
  • Implement a Strong Security Policy: The first step is establishing a robust security policy. School networks should block access to potentially risky sites, and student app downloads should be monitored and restricted. Educational institutions must also include mobile security in their cybersecurity strategies since threat actors often use mobile IoT devices, such as laptops, desktops, smartphones, or tablets, to gain access to the network. IoT device testing and implementing end-to-end encryption can significantly reduce the risk of attackers.
  • Access Control Implementation: Given that educational institutions have a vast network of students, teachers, and staff, it is crucial to implement access control measures that limit individuals’ access to only the required programs. IAM (Identity and Access Management) systems working on the ‘least-privilege’ and ‘need-to-know’ principles are found to be efficient in preventing malicious infiltration significantly. Access control offers two critical advantages. Firstly, it prevents unauthorized individuals from accessing sensitive information. Secondly, it limits attackers’ ability to cause harm if they compromise someone’s account.

Higher Ed must prioritize investing in modern and effective cybersecurity technologies to protect themselves against the constantly evolving threat of cybercrime.

Educational institutions face a significant threat from phishing attacks, which can escalate into more dangerous cyber threats like ransomware. To safeguard against such risks, educational institutes must proactively implement practical strategies for preventing and mitigating the damage caused by phishing attacks and other related cyber threats. It can be achieved by raising awareness among staff and students, implementing strong security measures, and working with experienced cybersecurity experts. Education institutes can ensure their systems and data safety and security by taking concrete steps, such as adopting AI-based anti-phishing solutions to keep their information assets secure from malicious actors.

Picture of Brad Hudson

Brad Hudson

VP of Cyber Security

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

Phishing: How The Monster Is Changing Its Shape and Size – Phishing Protection in a Post-COVID World

Cyber scams during COVID-19 have shaped a new term – scamdemic: a global epidemic of frauds and scams. There was an unprecedented rise in cybersecurity scams during the pandemic. Phishing emerged as the most frequent attack type. Read on to learn how malicious actors changed their tactics in 2022 and how you can protect yourself.

The COVID-19 pandemic changed how people live, including how all conduct business and social interactions and how work lives function. Regarding the latter, enforcement of social distancing and lockdowns resulted in an increasing number of people experiencing changed work habits. Some employees adapted – often even abruptly – to using messaging apps, digital platforms, and other communication channels for everyday activities. Thus, there was a worldwide shift from office to remote (home) work. The overlooked consequence of the change was the increase in cyber risks, which resulted in a rapid escalation of cyber-attacks.

The State of Phishing Report for 2022 by SlashNext highlights that traditional security strategies, including proxy servers, secure email gateways, and firewalls, no longer prevent phishing threats, especially as attackers increasingly launch these attacks from personal and messaging apps and trusted servers. Thus, phishing attacks are a rising concern, as the following statistics show.

Key Statistics

Here is a look at the key statistics which signify the rising phishing problem:

  • SlashNext analyzed numerous link-based URLs, messages, and attachments in email, browser, and mobile channels in 2022 and found over 255 million attacks – a 61% rise in phishing attack rates compared to 2021.
  • A Check Point Research (CPR) report found emerging social engineering scam trends shifting away from tech giants and shipping establishments toward social networking sites. In Q1 2022, social networks became the most targeted category, followed by shipping.
  • Zscaler pointed out that, from January to March 2020, COVID-19-themed phishing attacks increased by 30,000%.
  • APWG’s Phishing Activity Trends Report says that phishing attacks hit an all-time high in 2021. December 2021 recorded an unprecedented 300,000 attacks, signifying these incidents became over three times more common than they were two years before.
  • UK’s Cyber Security Breaches Survey 2022 signifies that phishing is the most common cyber threat that targets UK businesses and charities. 83% of them suffered a phishing scam.
  • 2022’s first quarter saw a dramatic rise in phishing attacks. CheckPoint revealed in its 2022 Q1 Brand Phishing Report that malicious actors planned phishing attacks impersonating professional social networking websites. Attacks related to LinkedIn alone comprised over half (52%) of all phishing attempts globally. 

Post-COVID Threat Landscape Isn’t Reducing – Threat Actors Are One Step Ahead

Once authorities lifted the COVID-19 restrictions, employees started moving back to their offices, and malicious actors adapted to the change again. While remote workers were their primary targets for 18 months, new phishing campaigns targeted those who were returning to the physical workplace. The following are some prominent examples:

  • Cofense observed an email-based campaign that targeted employees with emails impersonating their CIO and welcoming them back to the office. The emails appeared legitimate and contained the organization’s official logo and the CIO’s signature. The message outlined the organization’s new precautions and business operation changes connected with the pandemic.
  • India saw a surge in new phishing techniques after the government launched electric vehicle (EV) incentives.
  • Some phishing attempts preyed upon financial fear. For example, In a  scam,  bank customers were informed that their accounts were on hold due to suspicious logins or transactions. Users became victims when they attempted to resolve the issue by clicking on the embedded link.
  • The BazarBackdoor attackers send malware-free mail, bypassing email security and directing users to a website contact form. Once a user submits the form, the perpetrators send malware through a purported response file through a file-transfer service to avoid email security.
  • Some latest phishing attacks send malware links through QR codes embedded in emails or stickers in restaurants or public locations. The QR codes directly execute malware or redirect the users to credential-stealing websites.
  • Microsoft recently discovered a multi-stage phishing attack on businesses that don’t use multi-factor authentication. The first stage steals an employee’s email credentials, and the second stage creates a new Office 365 account in their name on a rogue device. After getting established on the new computer, the threat actors use the victim’s account to send internal phishing attacks to the organization or clients using legitimate email accounts.

Top 2022 Phishing Tactics Used By Malicious Actors

In 2022, phishing attacks exploited vulnerabilities unheard of earlier. Here are the year’s top tactics:

  • Typosquatting: Threat actors register domains that users can enter by accident. For example, instead of typing www.phishingexample.com, a user can type www.phishingexanple.com (hitting the ‘n’ key next to the intended ‘m’ key by mistake). If an attacker registers the www.phishingexanple.com domain, the user enters the attacker’s website instead of the legitimate www.phishingexample.com website. If the imposter website looks the same as the legitimate one, the user can easily get tricked into sharing their credentials.
  • Lookalike Domain Attacks: While typosquatting depends on the victim making a typo, lookalike domains exploit the difficulty of differentiating between words or similar characters. For example, an attacker can craft a phishing email with an uppercase “I” instead of the lowercase “l,” making www.iurethevictim.com look like Iurethevictim.com. Having end users targeted by what they think is a legitimate website opens various challenges, like loss of user confidence, theft, fraud, and reduced traffic (and business) to your website. Thus, if you can quickly discover and avoid scam sites, you can mitigate the risks linked to fraud and loss of brand reputation.
  • Executive Impersonation: Executive impersonation is an effective tactic. If malicious actors can spoof or compromise an executive’s email account, they can craft phishing emails to lure unsuspecting users to legitimate-looking phishing. If the user who suspects the fake email to be from their boss enters their credentials into the spoofed website, the attackers steal them and gain unauthorized access.
  • Credential Reuse Attacks: Unfortunately, credential reuse (using the same password, etc., across different platforms) is common among end users because it is inconvenient to create new credentials for every application. If a phishing attack retrieves a credential set successfully, the attackers can access other applications with the same information. Because of credential reuse, such attacks grant attackers access to multiple accounts across various platforms.
  • High-Level Employee Targeting: High-level employees can access sensitive, confidential, and proprietary information that other employees cannot. If attackers obtain their login credentials, they can access sensitive corporate data in the cloud (which organizations store within their network perimeter). Thus, these credentials are the keys to the domain, and stealing them makes threat actors capable of planning large-scale data breaches traditionally mitigated by network perimeter solutions.
  • Financial Scams: Sophisticated phishing campaigns target login credentials and aim to steal financial information from end users. In a financial scam-type phishing attack, the threat actors trick the user into visiting a phishing site, making them share personal or financial information and conduct financial transfers or transactions with it. For example, threat actors may design a site pretending to be a charity platform raising money for the pandemic victims. The unsuspecting users might get fooled into donating cash through it.
  • Business Email Compromise: In BEC, malicious actors spoof the email credentials of top officials of an organization, like the CEO. They then send orders to subordinates to make money transfers of massive amounts. The assistants follow the instructions thinking it to be their boss’s command. Business email compromise (BEC) is rising, and attackers exploit it to make money from fake wire transfer requests.
  • Spear Phishing on Small Businesses: In today’s growing threat landscape, there is nothing too small to become a phishing attack target. Small businesses get targeted frequently with cyberattacks because they often have less IT security than large organizations. Spear phishing is more dangerous than phishing because it is targeted and not generic. Threat actors deploy it in an attack using BEC.
  • Using Initial Access Brokers to Make Phishing Attacks More Effective: One-way threat actors make more money is by taking help from specialists called Initial Access. They are malicious actors who only focus on initially breaching the network or organizational accounts. The rising use of these experts in the field makes phishing attacks more threatening and difficult for end users to detect.

How To Redefine Cybersecurity in a Post-COVID World

Organizations’ strategies to counter the threats mentioned above will vary according to each organization’s cyber security maturity level. Generally, they must focus more on new cybersecurity models, including ‘zero trust.’ Following are ways individuals and organizations can remain protected:

  • Antivirus Protection: Employees must have an antivirus software license for their information systems. A good antivirus solution can eliminate many attacks.
  • Cybersecurity Awareness: Organizations must brief their staff on best procedures and practices to regulate sending emails or sensitive content to other parties or cloud storage.
  • Phishing Awareness: Employees must remain vigilant when receiving emails and check the sender’s addresses’ authenticity.
  • Home Network Security: Employees must ensure that their home Wi-Fi remains protected by a strong password.
  • Using VPN: Virtual private networks offer an additional protection layer to home internet use. They can remain a stringent barrier against cyberattacks.
  • Identifying Vulnerable Spots: Each IT system has vulnerabilities. Organizations must run tests to identify and patch them quickly. It can take the form of vulnerability scanning or penetration testing. Furthermore, businesses must perform hardening of technical infrastructure components.
  • Frequent Reviews: Organizations must evaluate cybersecurity risk exposure regularly and determine whether the existing controls are robust. The IT teams must consider new cyberattack forms during these reviews.
  • Renewing Business Crisis and Continuity Plans: Top managers must update their business continuity plans considering various cyberattack.

More advanced measures that users can take are:

  • Applying New Tools and Technology: IT teams can use advanced tools like host checking (which checks the endpoint’s security posture before authorizing access) to reinforce remote work security.
  • Intelligence Techniques: Businesses must encourage proactive cyber threat intelligence to identify indicators of attacks (IOC) and address them.
  • Risk Management: Organizations can apply GRC (governance, risk, and compliance) solutions to improve risk management. GRC solutions offer a detailed view of the organization’s risk exposure and help link various risk disciplines (cybersecurity, business continuity, and operational risks).
  • Prepare for Attacks: In today’s high-risk times, businesses must carry out frequent cyber crisis simulation exercises and prepare their response to a phishing attack.
  • Zero Trust Infrastructure: CIOs and CISOs must consider implementing the zero-trust framework for cybersecurity. It is a security model where only authorized and authenticated devices and users get access to applications and data.

The COVID-19 pandemic taught people that preparation is critical to limit the risks linked to cyberattacks. Malicious actors have been clever in changing their tactics to adapt to changing situations and executing sophisticated phishing attacks. The ability of a user to quickly react to unforeseen events helps lower the impact of a cyberattack. Today, organizations that benefit from secure remote work capabilities are better prepared to face the growing risk of phishing attacks. Consequently, businesses fearing risks must quickly assess their exposure to phishing attacks and prioritize initiatives to address cybersecurity gaps.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

References

  1. Al-Qahtani, A. F., & Cresci, S. (2022). The COVID-19 scamdemic: A survey of phishing attacks and their countermeasures during COVID-19. IET Information Security, 16(5), 324–345. doi:10.1049/ise2.12073
  2. Damcova, K. (2022, May 6). Phishing attack trends to beware of in 2022. Retrieved January 4, 2023, from IQ in IT website: https://iqinit.uk/news/phishing-attack-trends-to-beware-of-in-2022/
  3. Nabe, C. (n.d.). Impact of COVID-19 on cybersecurity. Retrieved January 4, 2023, from Deloitte Switzerland website: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
  4. Ideal Integrations (2022, March 14). New phishing techniques to watch for in 2022. Retrieved January 4, 2023, from Ideal Integrations® website: https://www.idealintegrations.net/beware-these-new-phishing-techniques/
  5. McCurdy, R. (2022, November 8). The Biggest Phishing Breaches of 2022 and how to avoid them for 2023. Retrieved January 4, 2023, from Security Boulevard website: https://securityboulevard.com/2022/11/the-biggest-phishing-breaches-of-2022-and-how-to-avoid-them-for-2023/
  6. Over 255m phishing attacks in 2022 so far. (2022, October 26). Retrieved January 4, 2023, from Security Magazine website: https://www.securitymagazine.com/articles/98536-over-255m-phishing-attacks-in-2022-so-far
  7. Page, C. (2021, June 1). Hackers are targeting employees returning to the post-COVID office. TechCrunch. Retrieved from https://techcrunch.com/2021/06/01/hackers-phishing-post-covid-office/
  8. (2022, September 28). Webinar wrap-up: Cyber security in a post-COVID world: New challenges & opportunities. Retrieved January 4, 2023, from Simplilearn.com website: https://www.simplilearn.com/cyber-security-challenges-and-opportunities-post-covid-article

 

Picture of Brad Hudson

Brad Hudson

VP of Cyber Security | vCISO - CISSP, CCSP, CCNP, MCSA, MCITP:EA,SA

Unlocking the Benefits of Cloud Migration in Higher Education

Cloud migration modernizes an organization’s data, applications, and infrastructure from on-premises systems to the cloud. The initial process can be complex and time-consuming. Still, it can bring significant long-term benefits to universities and other educational institutions that allow them to focus on their core aims of providing quality education. One of the main benefits of cloud migration for universities is cost savings. On-premises systems require expensive investments in hardware, software licenses, and expensive skillsets to support the many diverse environments, as well as ongoing patching, maintenance, and support costs. In contrast, cloud-based solutions are typically subscription-based, which means that universities can pay for only the resources they use rather than upfront costs for hardware and software. This can result in significant cost savings for universities, especially those with large and complex IT systems.

Another benefit of cloud migration for universities is increased flexibility and scalability. The majority of CAG (Columbia Advisory Group) higher education customers only need their full compute performance a few weeks a year while the rest of the year their hardware runs at less than 20% of its capability. Cloud-based solutions can be easily scaled up or down on demand to meet these changing needs, which can be particularly useful for universities that only experience performance fluctuations during enrollment. Additionally, cloud-based solutions can be accessed from anywhere with an internet connection, which is beneficial for students, faculty, and staff to access University resources and collaborate remotely. The Covid pandemic magnified the significance of educational institutions needing to support this capability.

Cloud migration can also improve the security and reliability of IT systems for universities. Cloud providers have robust security measures in place, such as multi-factor authentication and data encryption, which can help to protect against cyber threats and data breaches. In addition, cloud-based systems can be more reliable than on-premises systems, as they are typically backed by the redundant infrastructure and 24/7 support and can also scale to full parity, dependent on the criticality of the replicated system.

Finally, cloud migration can enable universities to take advantage of the latest technologies, such as artificial intelligence and machine learning. These technologies can improve a range of educational and research activities, from grading assignments and analyzing student data to conducting research and developing modern technologies.

In conclusion, cloud migration is an important consideration for universities looking to improve the efficiency, cost-effectiveness, and flexibility of their IT systems. By moving to the cloud, universities can realize significant benefits, including cost savings, increased scalability, improved security and reliability, and access to the latest technologies.  With tailored support from Columbia Advisory’s cloud experts, universities can ensure that their transition is smooth and secure. By leveraging the latest cloud technology, universities can equip themselves for a digital future and unlock all the benefits that come with it.

Picture of Ernest Bricker

Ernest Bricker

Director of Infrastructure Practice, Columbia Advisory Group

Why is it a good idea for Higher Education to outsource its Cybersecurity Framework Assessments and consider hiring a fractional vCISO

There are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments (NIST Cybersecurity Framework, HIPAA, GDPR, etc.) and hiring a fractional virtual Chief Information Security Officer (vCISO).

First and foremost, outsourcing Cybersecurity Framework Assessments can provide higher education institutions with access to a greater level of expertise and experience. Cybersecurity Framework Assessments, such as NIST Cybersecurity Framework, HIPAA, GDPR, etc., are a comprehensive set of security and privacy controls used by many organizations, including higher education institutions, to ensure the confidentiality, integrity, and availability of their systems and data. However, conducting these assessments can be a complex and time-consuming process that requires specialized knowledge and skills. By outsourcing these assessments to a qualified third party, higher education institutions can leverage the expertise and experience of professionals who have a deep understanding of numerous Cybersecurity Frameworks and how to implement their controls effectively.

Another reason to outsource Cybersecurity Framework Assessments is to ensure that the evaluation is conducted unbiasedly and objectively. In organizations that perform internal assessments, the risk of bias or subjectivity creeps into the process. Unfortunately, this can lead to an incomplete or inaccurate measurement of the organization’s security posture; in turn, this can increase the chances of an incident, such as a breach or intrusion, that may result in the loss, damage, or disclosure of assets. By outsourcing the assessment to a third party, higher education institutions can ensure that the evaluation is performed unbiasedly and objectively, providing a more accurate picture of their security posture.

After a cybersecurity framework assessment has been conducted, it’s paramount that a Governance, Risk, and Compliance Program is put in place to manage risk moving forward. In addition, a security program and plan need to be developed to track and remediate deficiencies identified during the assessment. Therefore, CAG recommends hiring a fractional vCISO to guide higher education institutions through the Governance, Risk, and Compliance minefields. A fractional vCISO is a professional who works remotely part-time or on a contract basis, providing expert guidance and support to the organization’s security efforts. In addition, a fractional vCISO can offer a range of services, including conducting risk assessments, developing, and implementing security policies and procedures, and providing guidance on compliance with regulatory requirements such as NIST, GDPR, HIPAA, and FERPA.

In conclusion, there are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments and hiring a fractional vCISO. These approaches can provide higher education institutions access to greater expertise and experience, ensure that assessments are conducted unbiased and objectively, and build a robust Governance, Risk, and Compliance program through a fractional vCISO. In addition, by leveraging these resources, higher education institutions can strengthen their security posture and better protect their systems and data.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

Picture of Brad Hudson

Brad Hudson

VP of Cyber Security | vCISO - CISSP, CCSP, CCNP, MCSA, MCITP:EA,SA

Microsoft Patch Tuesday: Two zero-day flaws in Windows need immediate attention

Microsoft’s December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-focused update (TCP/IP and RDP) that will require significant testing with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote).   Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues. 

Known issues

  • ODBC: After installing the December update, applications that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect. You might receive the following error messages: “The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server”.
  • RDP and Remote Access: After you install this or later updates on Windows desktop systems, you might be unable to reconnect to (Microsoft) Direct Access after temporarily losing network connectivity or transitioning between Wi-Fi networks or access points.
  • Hyper-V: After installing this update on Hyper-V hosts managed by SDN-configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM).
  • Active Directory: Due to additional security requirements in addressing the security vulnerabilities in CVE-2022-38042, new security checks are implemented on domain net join requests. These extra checks may generate the following error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Re-using the account was blocked by a security policy.”

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

Picture of Brad Hudson

Brad Hudson

VP of Cyber Security | vCISO
CISSP,CCSP,CCNP,MCSA,MCITP:EA,SA

Cybercrime Expected To Skyrocket in Coming Years

Early today Statista’ published the following post Chart: Cybercrime Expected To Skyrocket in Coming Years | Statista.   According to estimates from Statista’s Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. Cybercrime is defined by Cyber Crime Magazine as the “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. ”As more and more people turn online, whether, for work or their personal lives, there are more potential opportunities for cybercriminals to exploit. At the same time, attacker techniques are becoming more advanced, with more tools available to help scammers. The coronavirus pandemic saw a particular shift in cyber-attacks, as Statista’s Outlook analysts explain: “The COVID-19 crisis led to many organizations facing more cyberattacks due to the security vulnerability of remote work as well as the shift to virtualized IT environments, such as the infrastructure, data, and network of cloud computing.”

Source: Statista Technology Market Outlook, National Cyber Security Organizations, FBI, IMF

One of the largest hurdles for cyber-security compliance is to develop and document a security program plan and measure that plan as it complies with a specific framework. Accomplishing this is our niche at Columbia Advisory Group. We have developed an approach where we document your current Security Program (what you have in place), assess your current state (define current maturity level), and then define a Plan (roadmap for the future). The best place to start is to perform vulnerability scanning and address weaknesses before they are exploited. We then evaluate current policies and procedures and recommend remediation and improvement. We can provide a Risk Register which is a tool utilized to track identified Information Technology Security risks and define potential solutions. We provide many services that help an organization achieve compliance with a variety of security frameworks (CSF, CMMC, NIST 800-52, TAC 202) or prepare for certification (SOC 2 Type 2, ISO 27001, PCI). We can also help an organization write many policies and procedures required for compliance.

About the Author:
Lori DeMello is Columbia Advisory’s Director of Risk and Compliance. Lori is an expert in areas of Risk Management, Compliance, Security, Regulatory Reviews, Security Assessments, Audit Preparation and Response, Security Services, Continuity of Operations Planning, Risk Assessments, Risk Management Planning, Disaster Recovery, and Change Management. Lead efforts in creating and maintaining critical process documentation for CAG internal and customers. She has 25 years of IT experience with Certifications in PMP, ITILv2 and ITiLv3.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

Columbia Advisory Group Expands Availability of its Services via TIPS-USA Contract

IT issues are mission-critical, and we are glad to be able to help our education, municipal, county and state agency clients to respond to increased IT needs and tightening budgets.

DALLAS, TEXAS, UNITED STATES, August 29, 2022/EINPresswire.com/ — Columbia Advisory Group (CAG), the leading IT managed services and cybersecurity provider to public and private sector organizations, today announced the availability of its industry-leading services on The Interlocal Purchasing System (TIPS-USA).

The TIPS Program evolved to help streamline the procurement process and expedite purchases. As a co-op, both awarded technology vendors and public sector members – which include K-12 and private schools, colleges, universities, cities, counties, non-profits, and other government entities – can accelerate business transactions by requirements up-front.

Leveraging the TIPS-USA contract, higher-education and other government buyers can realize significant cost savings by reducing the overall time and expense of a cumbersome bid process. Because TIPS provides access to high-performance vendors, agencies can also achieve quick and efficient delivery of goods and services, particularly when it comes to cybersecurity and other IT services. In addition, TIPS provides access to state-of-the-art purchasing procedures to provide competitive contracts, bulk purchasing, and other efficiencies. For these reasons, TIPS has become a preferred purchasing vehicle for state and local entities.

The Interlocal Purchasing System currently serves entities such as state and local governments and non-profit organizations, including but not limited to K-12 school districts, Charter Schools, Colleges and Universities (State and Private), Cities/Municipalities, Counties/Parishes, State Agencies, Emergency Services Districts and Non-profit organizations as defined by the Internal Revenue Service, as well as many other entities with legislated purchasing/bidding requirements. TIPS-USA membership is free.

Now, with the addition of the CAG the TIPS-USA contract, members can realize digital transformation with a best-in-class IT services firm designed for public sector frameworks. CAG is trusted by multiple higher-education, government institutions, state agencies and school districts to manage their IT environments via cybersecurity services, digital optimization, and IT innovation.

“Our public sector clients appreciate the ability to secure our services via vetted contracts like that of TIPS-USA,” explains David McLaughlin, President and CEO of Columbia Advisory Group. “TIPS-USA will help our clients to move swiftly when they discover a need within their organization for our IT expertise. In today’s business age, IT issues are mission-critical, and we are glad to be able to help our education, municipal, county and state agency clients to respond to twin dynamics of increased IT needs and tightening budgets.”

For more than 10 years, CAG has helped leading public agencies to improve their cybersecurity postures and to improve their IT environment through managed service. CAG provides access to specialized practice teams, including cybersecurity, application support, IT governance, IT due diligence, project management, IT infrastructure and comprehensive audio-visual services.

To learn more about purchasing from CAG on the TIPS-USA contract, contact CAG.
About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity and A/V Services. CAG improves business outcomes with IT insights and expert technology support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com.

Columbia Advisory Group Adds Extended Detection and Response to IT Managed Service Portfolio with Abacode Partnership

"In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network.”

DALLAS, TEXAS, UNITED STATES, June 13, 2022 /EINPresswire.com/ — Dallas-based Columbia Advisory Group (CAG), a leading provider of IT Managed and Cybersecurity Services, today announced the expansion of its services via a partnership with Abacode, a leading provider of managed Extended Detection and Response (XDR).

The partnership between CAG and Abacode will allow clients to one-stop-shop for specialized IT Managed Services, Governance, Risk Management, and Compliance (GRC), Virtual CISO services and managed XDR services to analyze data breaches as they occur.

As organizations face increasing threats of ransomware, data breach, and phishing, they must simultaneously upgrade their governance and compliance activities to minimize risk while simultaneously detecting and responding to breaches as they arise to understand, contain and prevent them. This capability requires increasingly scarce competent cybersecurity leadership and specialized, virtual Security Operations Center (vSOC) services that can investigate problems in real-time and provide visibility across the enterprise of controls compliance.

“Our many public-sector, educational, manufacturing, and health care clients already rely upon CAG for cybersecurity guidance and IT expertise. CAG is pleased to bolster our leading Cybersecurity practice by offering 24x7x365 SOC 2 Type 1 and 2 XDR services via our partner, Abacode. In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network,” said David McLaughlin, President and CEO of Columbia Advisory Group.

“Abacode is constantly striving to push the technology industry forward by partnering with top-notch leaders in the MSP space,” said Greg Chevalier, Senior Vice President – Partners and Sales Strategy for Abacode. “Partnering with Columbia Advisory Group ensures that clients not only have their information technology operations humming along at peak efficiency with their managed services but now includes Abacode’s Managed Detection and Response and Security Operations Center support.”

About Columbia Advisory Group:

Columbia Advisory Group (CAG) is a well-respected Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 500 customers. By focusing on practical solutions and straightforward analysis, CAG’s team supports many regulatory and economic environments and organizations of all sizes. Practice specialty areas include Cybersecurity, Infrastructure, IT Service Management, Application Management and A/V Services. Whether a client is high-growth or economically challenged, CAG can improve business outcomes with IT insight and support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com.

About Abacode

Abacode combines leading technologies and professional services to implement Cybersecurity and Compliance programs for clients throughout the world. Abacode enables clients to implement a Cyber Capability Maturity Model and benefit from our expert Extended Detection and Response capabilities. Offices in the Americas and Europe. Learn more at Abacode.com or connect with us at insight@abacode.com

Log4J: Neutralizing the latest global cybersecurity threat

 

Every day we see news about cybersecurity attacks, exploits, and hacks to the point that we are relatively immune to what feels like sensationalized news about the latest and most devastating threat no matter how legitimately concerned we should be.
And on December 6th when we were getting ready to go to the office holiday party and a weekend of shopping, the world was read-in on a significant security vulnerability known as LogJ4.

What is Log4J?

Log4J is a widely used open-source Java code library from the Apache Software Foundation used by many servers across the world to record a log of activity and send it to a centralized server. It is integrated into thousands of software applications, services, and systems, and websites from Fortune 100 firms down to small providers.

What is the new vulnerability?

It was discovered that some common versions of Log4J are vulnerable to being forced to execute code via specially crafted URLs (web address) that pass through the logs. This address passes through the system and is used to download and execute code that can provide remote access to the machine or perform other malicious tasks. Having information pass through the logs can be done from a chat, submitting an online form, sending an email that is processed by a system that uses Log4J to log emails, or any other means in which data enters the logs, effectively allowing someone with nefarious intentions to see sensitive user data, install malware and spyware, or even take over machines for nefarious purposes.

How widespread is this?

As noted on Wired.com, Twitter users have experimented with changing their display names to trigger the vulnerability, users in the game Minecraft triggered it through the in-game chat, and an iPhone user changed their device name to trigger the vulnerability (and did notify Apple). Cloud service providers, such as Cloudflare, rolled up temporary fixes for their customers while heavily used systems from companies such as VMWare, Oracle, Adobe, RedHat, and others have worked to update to the latest release of Log4j released by Apache that addresses the remote code execution vulnerability and downgrading the risk to moderate.

What do I need to do?

Your institution’s IT departments and security teams should be assessing their catalog of systems and software that use Apache with Java libraries to determine which systems may be vulnerable. Initial focus should be on public-facing systems, most likely to be ERP and SIS systems used by the institution. They should also be working with those vendors on obtaining patches and scheduling updates to the systems as soon as practical.

In addition, it is important to make sure that faculty, staff and students are aware of the exploit and how it can impact their personal BYOD (Bring Your Own Device) devices such as iPhones and share best practices such as using 2-Factor Authentication and keeping their devices up to date with the latest security patches.

If your IT department and security teams are unsure of a system’s potential vulnerability, they should check with the vendor to validate those systems have the latest security patches. If your institution does not have a security team, check with your managed security services provider. If you do not have a managed security service provider, reach out to Columbia Advisory Group as part of E&I contract CNR01469 to engage our team of experts to ensure your institution adheres to appropriate NIST standards and can manage, detect and respond to Log4j and other threats.

Summary

The Log4J vulnerability has been patched by Apache with the introduction of Log4j 2.17.1, yet the threat is being actively exploited across the globe and still poses one of the largest security threats to date. The National Institute of Standards and Technology (NIST) that maintains a database of vulnerabilities has listed this at its highest severity classification. Due to the widespread use of the open-source Log4J application by vendors from small software applications to large enterprise systems and cloud services, there is a high-likelihood most organizations will have some risk to mitigate.

While the risk associated with Log4J has concrete solutions, the next cyber exploit will present a danger to your university’s operations.