Harnessing the Power of NIST Cybersecurity Framework for SMEs

Today, I am excited to delve into a topic that continues to be of paramount importance to our clients and partners — cybersecurity. Specifically, I would like to shine a light on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and why it’s the best fit for companies with fewer than 1,000 employees.

In a rapidly evolving digital landscape, cybersecurity is not a luxury; it’s a necessity. As SMEs, we may not have the vast resources that larger corporations possess, but that does not mean our cybersecurity efforts should be any less robust. That’s where the NIST Cybersecurity Framework comes into play.

The NIST Cybersecurity Framework is an adaptable, voluntary set of guidelines developed to help organizations of all sizes manage and reduce cybersecurity risk. It’s not an all-or-nothing package; it provides an array of options that companies can select and customize according to their specific needs and capacities.

So, why is it particularly beneficial for businesses with under 1,000 employees?

  1. Scalability: Unlike rigid security standards, the NIST Cybersecurity Framework is scalable. Regardless of your company’s size, you can adapt the framework to suit your cybersecurity needs, ensuring you don’t needlessly expend resources on inapplicable security measures.
  2. User-friendly: The Framework was designed to be understood by everyone in your organization, from your IT department to your executive suite. This makes it easier to integrate across all levels and fosters a more cohesive cybersecurity culture.
  3. Prioritization: It helps companies prioritize their security efforts. Smaller companies often lack extensive cybersecurity budgets, so understanding what areas to prioritize is crucial. The NIST Framework assists in identifying the most pressing risks and allocating resources effectively.
  4. Improved Vendor Management: Many SMEs outsource IT services, and having a standard framework can help manage and evaluate these vendors’ security postures. This enhances the overall security chain and promotes a shared responsibility approach.
  5. Reputation and Trust: Compliance with the NIST Framework signifies to stakeholders – customers, partners, regulators, and the public – that your company takes cybersecurity seriously. This builds trust and enhances reputation, critical aspects of business success in today’s digital age.

The NIST Cybersecurity Framework offers a highly flexible, user-friendly, and practical approach to managing cybersecurity risks, especially for companies with fewer than 1,000 employees. It’s not a silver bullet but offers a pathway towards a robust and resilient cybersecurity posture.

Until next time, stay safe and secure in the digital world.

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.

Contact us at info@columbiaadvisory.com.

Securing Texas’ Defense Industry: Why CMMC 2.0 Compliance Matters for Manufacturers

Texas-based Defense Industrial Base manufacturers (DIB) are crucial in supporting national security initiatives. However, these companies must navigate the increasingly complex landscape of cybersecurity regulations to maintain their competitive edge. In this blog post, we’ll discuss the importance of compliance with CMMC 2.0, a cybersecurity standard set by the U.S. Department of Defense (DoD), and how Texas-based DIB manufacturers can achieve and maintain compliance.

The Importance of CMMC 2.0 Compliance (source: CISA.gov) CMMC 2.0 is designed to ensure the security of sensitive government information on contractors’ networks (CISA, n.d.). Companies must demonstrate robust cyber protections against malicious actors and properly store and manage classified information. Failing to comply with CMMC 2.0 could result in losing lucrative government contracts and putting customers’ data and intellectual property at risk.

The Impact on Texas’ Defense Industry (source: raytheon.com) According to DTC Global Research and Raytheon Technologies Corp., federal contracts account for more than 40% of total economic activity in Texas’s defense industry sector (Raytheon Technologies, n.d.). Therefore, compliance with CMMC 2.0 is critical for Texas-based DIB companies to remain competitive, especially those involved in national security initiatives such as missile defense and space exploration.

Achieving CMMC 2.0 Compliance: Five Steps for Texas Manufacturers To achieve full CMMC 2.0 compliance, Texas manufacturers can take the following steps:

  1. Update Internal Policies: Ensure your internal policies align with current regulations and best practices (CISA, n.d.).
  2. Conduct Regular Assessments: Regularly assess your existing cybersecurity infrastructure to identify vulnerabilities and areas for improvement.
  3. Implement New Controls or Upgrade Existing Ones: Actively work to enhance your cybersecurity measures by implementing new controls or upgrading existing ones (CISA, n.d.).
  4. Establish Employee Training Programs: Develop a training program focused on cybersecurity awareness to help employees understand and mitigate potential threats (CISA, n.d.).
  5. Hire a Certified Third-Party Auditor: Engage a certified auditor who can independently assess your systems and guide how best to comply with CMMC 2.0 requirements (CISA, n.d.).

For Texas-based defense manufacturers, complying with CMMC 2.0 standards is essential to remain competitive in the government contracting market. By taking proactive steps to enhance cybersecurity and following best practices, these companies can protect their networks from potential threats and secure high-value contracts from the DoD in the coming years.

 

References: Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). Cybersecurity Maturity Model Certification (CMMC). Retrieved from https://www.cisa.gov/cybersecurity-maturity-model-certification-cmmc

Raytheon Technologies. (n.d.). Texas Defense Industry. Retrieved from https://www.raytheon.com/texas-defense-industry

 

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.

Contact us at info@columbiaadvisory.com.

Strengthening Cybersecurity: The Imperative of Testing Controls against PRC State-Sponsored Cyber Attacks in Texas Mid-Market Manufacturing Firms

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory (AA23-144A), underscoring the persistent threat posed by PRC state-sponsored cyber actors. This advisory detailed how these actors employ the Living off the Land technique, exploiting commonly used software, tools, and protocols, and blending their malicious activities within regular network traffic. Consequently, the threat is difficult to detect and can linger undetected within networks for extended durations.

Faced with such sophisticated threats, firms must proactively test their cyber controls. The importance of identifying system vulnerabilities susceptible to exploitation using the Living off the Land technique cannot be overstated. Testing controls also presents the opportunity to understand the modus operandi of these cyber actors, enabling firms to adopt proactive measures to counter these threats.

The mid-market manufacturing firms in the Defense Industrial Base (DIB) in Texas operate in a world of unprecedented cyber threats, with the People’s Republic of China (PRC) state-sponsored cyber actors being of notable concern. These malicious actors use a technique referred to as “Living off the Land,” leveraging legitimate processes and services within a system to infiltrate and evade detection. Understanding why these firms should robustly test their cyber controls in this context is crucial for national security and industrial resilience.

Today’s globalized marketplace has created interdependencies that significantly threaten national security. For example, Texas, a significant contributor to the U.S. DIB, has experienced the strategic focus of PRC’s cyber actors on mid-market manufacturing firms. These organizations, often less equipped to withstand sophisticated cyber threats than larger counterparts, are considered soft targets, and their compromise can negatively impact U.S. defense capabilities.

One primary reason to test cyber controls is the proliferation of the Living off the Land technique. This strategy sees PRC state-sponsored cyber actors exploit commonly used software, tools, and protocols, effectively masking their activities amidst regular network traffic. It’s an alarming prospect, given that these attacks are hard to detect and can persist in networks undetected for extended periods.

Thoroughly testing controls provides an opportunity to identify vulnerabilities within the system that may be exploited using the Living off the Land technique. It also allows organizations to understand how these actors operate, enabling them to take proactive measures to mitigate the risk of infiltration.

Moreover, the constant evolution of cyber threats necessitates the frequent testing of controls. The PRC’s cyber capabilities are evolving, continuously seeking new ways to exploit vulnerabilities in their targets. Staying ahead of these threats requires constant vigilance, regular review, and updating of cyber controls. The ability to anticipate and swiftly respond to these ever-changing threats hinges on a keen understanding of the landscape, which is only achievable through regular testing.

Additionally, the potential economic impact of a successful cyber-attack on mid-market manufacturing firms cannot be overstated. From production disruptions to the leakage of sensitive information, the financial repercussions can be crippling. Such firms play a significant role in the Texas economy, and the broader U.S. DIB, and their compromise could have a cascading effect on the economic and security landscape.

The regulatory environment necessitates robust testing of cyber controls. For example, regulations such as the Cybersecurity Maturity Model Certification (CMMC) require that DIB contractors demonstrate a level of cybersecurity maturity that matches the sensitivity of their work. Regular testing of controls helps meet these regulatory requirements but also helps create a cybersecurity culture within the organization.

All in all, testing cyber controls in mid-market manufacturing firms in Texas within the DIB is not a choice but a necessity. To remain resilient, these firms must adopt robust and frequently tested controls amid sophisticated PRC state-sponsored cyber threats. By understanding and preempting the techniques used by malicious actors, these firms can maintain the integrity of their networks and continue to contribute safely and securely to U.S. defense capabilities.

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.

Contact us at info@columbiaadvisory.com.

A Deep Dive into the Updated GLBA Safeguards Rule

On December 9, 2021, the Federal Trade Commission (FTC) introduced final regulations amending the Standards for Safeguarding Customer Information, a critical component of the Gramm-Leach-Bliley Act (GLBA) mandates on customer privacy protection. The alterations, effective from June 9, 2023, impact postsecondary institutions and highlight changes in the Department of Education’s (Department) enforcement of GLBA stipulations. Consequently, institutions are urged to update their practices to meet the requirements of the revised rule.

Under the previous GLBA Safeguards Rule, postsecondary institutions and third-party servicers agreed to shield student financial aid information related to the administration of Federal student financial aid programs. This obligation extended to include all Federal Student Aid applicant information and any data obtained from the Department’s systems for administering Title III and Title IV programs.

The Department has consistently encouraged these institutions to adhere to GLBA requirements and adopt security standards, such as NIST 800-171, to fulfill ongoing obligations under GLBA. As a result, institutions have been subject to periodic audits to ensure compliance with GLBA requirements.

The newly revised GLBA Safeguards Rule brings a refreshed understanding of customer definition and new requirements for safeguarding information. Customer information, as defined by the rule, refers to data procured while providing a financial service to a current or former student. The main objective of the GLBA standards is to ensure student information’s security, protect against threats, and prevent unauthorized access.

Institutions must develop, implement, and maintain a comprehensive written information security program featuring nine critical elements to achieve these objectives. These include designating a qualified individual for implementing and overseeing the program, basing it on a risk assessment, implementing safeguards to control identified risks, and regularly testing and monitoring its effectiveness, among other things. Institutions with fewer than 5,000 consumers must address only the first seven elements.

In April 2022, the FTC released a publication titled “FTC Safeguards Rule: What Your Business Needs to Know,” which serves as a compliance guide for entities. It provides in-depth information about the nine required elements and outlines what a good security program should look like.

Failure to comply with the Safeguards Rule after June 9, 2023, the effective date, may affect an institution’s participation in the Title III and Title IV programs. The Department plans to resolve GLBA findings from a compliance audit or other means by evaluating the institution’s information security safeguards to determine its administrative capability.

In cases where an institution or servicer is found not to comply with the Safeguards Rule, they will need to revise their information security program and provide the Department with a Corrective Action Plan (CAP). Repeated non-compliance may result in administrative action by the Department, affecting the institution’s or servicer’s participation in Title III and Title IV programs.

The Department intends to issue further guidance on NIST 800-171 compliance. However, it reiterates that meeting GLBA requirements differs from complying with NIST 800-171 and encourages institutions to integrate information security controls required under NIST 800-171 as soon as possible.

Where can I find more information? For additional information, see FSA’s electronic announcement: Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements. If you have questions regarding the Department of Education’s enforcement of GLBA, please get in touch with FSA_IHECyberCompliance@ed.gov. More information is also available on the Federal Trade Commission’s website. Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements | Knowledge Center

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.

Contact us at info@columbiaadvisory.com.

Columbia Advisory Group Selected to Continue Providing Texas A&M University System Best-in-Class Technology Services

"We selected CAG for this Agreement because of our previous experience with the company. They are fully committed to TAMUS success. We can always count on them to respond quickly when we need them."

DALLAS, TEXAS, UNITED STATES, April 18, 2023/EINPresswire.com/ — Columbia Advisory Group (CAG) has been selected by Texas A&M University System (TAMUS) to significantly lower the operating cost of delivering Student Information Services while providing enhanced support of audit and compliance functions.

“We selected CAG for this Agreement because of our previous experience with the company and its consultants. They are fully committed to TAMUS success. We can always count on them to respond quickly when we need them, do an outstanding job with some of the toughest issues, and help keep costs under control,” said Mark Stone, Chief Information Officer, Texas A&M University System. “We look forward to continuing to work with CAG across many technology challenges.”

“Our substantial experience with student information and related systems at several TAMUS campuses and many other higher education clients, and our ability to operate systems across many platforms efficiently and securely, has helped us again win the opportunity to provide these and other expanded services to all members,” said David McLaughlin, President and CEO of CAG. “Our team excels technically but also cares about the outcomes for our clients and students. Our trusted consultants have led us to become the first call to address key issues that arise.”

CAG will continue to provide Ellucian Banner support to Texas A&M University System and its members under this agreement, helping to integrate, update, patch, and maintain this critical business system. As Banner and other systems migrate to cloud environments, CAG can provide support to advise and manage those migrations. In addition, TAMUS has selected CAG to provide ancillary IT support for cybersecurity, infrastructure, application support, and IT project management as needs arise across the state.

About Columbia Advisory Group
Columbia Advisory Group (CAG) is a dynamic Information Technology (IT) consulting firm. An established and proven company with 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful, and practical solutions combined with straight­ forward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. The industries representative of their clients includes higher education, healthcare and pharmacy, private equity and venture capital, manufacturing, financial services, real estate, media and publishing. CAG offers a deep understanding of IT, and its solutions are software and hardware agnostic. Whether a client is a high growth or economically challenged, CAG can adapt to the complexities and nuances of that organization. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit www.columbiaadvisory.com.

About The Texas A&M University System
The Texas A&M University System is one of the largest systems of higher education in the nation, with a budget of $7.2 billion. Through a statewide network of 11 universities, a comprehensive health science center, eight state agencies, and the RELLIS Campus, the Texas A&M System educates more than 152,000 students and makes more than 24 million additional educational contacts through service and outreach programs each year. System-wide, research and development expenditures exceed $1 billion and help drive the state’s economy.

Haley Rose, CMO
Columbia Advisory Group
hrose@columbiaadvisory.com

Why are Compliance and Related Controls so important in IT?

Policies and industry standards help to ensure the confidentiality, integrity, and availability of sensitive information. For example, higher education institutions must protect student data and financial information through FERPA and other regulations, healthcare organizations must comply with HIPAA regulations to protect patient information, and financial institutions must comply with PCI-DSS to protect credit card information. Compliance with these regulations helps prevent data breaches and other security incidents that could significantly harm individuals or organizations.

Maintaining compliance helps to protect organizations from financial and reputational damage. Failing to comply with regulations can result in significant fines and penalties and damage to the organization’s reputation. For example, organizations that fail to comply with GDPR can be fined up to 4% of their annual revenue or $20 million, whichever is greater.

Maintaining regulatory compliance also helps to ensure the proper functioning of IT systems and processes. For example, IT general controls such as change management and incident management help to ensure that changes to systems and processes are made, controlled, and authorized and that incidents are quickly identified and resolved. One of the biggest causes of a data breach is the failure to patch software systems, so many companies and institutions have policies and compliance controls to ensure this is done. This helps minimize the risk of system failures and other issues that disrupt business operations.

In summary, compliance and related IT controls are critical for protecting sensitive information, preventing financial and reputational damage, and ensuring the proper functioning of IT systems and processes.

Gartner and EDUCAUSE recognize this importance and have published several reports, papers, and studies on the topic. Gartner, for example, has published reports on IT risk management and compliance, as well as studies on developing a successful compliance program. EDUCAUSE has published several papers and guides on various compliance-related topics, such as data security and HIPAA compliance for higher education institutions. Both organizations offer a wealth of information, guidance, and best practices for organizations looking to improve their compliance and control practices.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

Picture of David McLaughlin

David McLaughlin

CEO

Phishing: How The Monster Is Changing Its Shape and Size – Phishing Protection in a Post-COVID World

Cyber scams during COVID-19 have shaped a new term – scamdemic: a global epidemic of frauds and scams. There was an unprecedented rise in cybersecurity scams during the pandemic. Phishing emerged as the most frequent attack type. Read on to learn how malicious actors changed their tactics in 2022 and how you can protect yourself.

The COVID-19 pandemic changed how people live, including how all conduct business and social interactions and how work lives function. Regarding the latter, enforcement of social distancing and lockdowns resulted in an increasing number of people experiencing changed work habits. Some employees adapted – often even abruptly – to using messaging apps, digital platforms, and other communication channels for everyday activities. Thus, there was a worldwide shift from office to remote (home) work. The overlooked consequence of the change was the increase in cyber risks, which resulted in a rapid escalation of cyber-attacks.

The State of Phishing Report for 2022 by SlashNext highlights that traditional security strategies, including proxy servers, secure email gateways, and firewalls, no longer prevent phishing threats, especially as attackers increasingly launch these attacks from personal and messaging apps and trusted servers. Thus, phishing attacks are a rising concern, as the following statistics show.

Key Statistics

Here is a look at the key statistics which signify the rising phishing problem:

  • SlashNext analyzed numerous link-based URLs, messages, and attachments in email, browser, and mobile channels in 2022 and found over 255 million attacks – a 61% rise in phishing attack rates compared to 2021.
  • A Check Point Research (CPR) report found emerging social engineering scam trends shifting away from tech giants and shipping establishments toward social networking sites. In Q1 2022, social networks became the most targeted category, followed by shipping.
  • Zscaler pointed out that, from January to March 2020, COVID-19-themed phishing attacks increased by 30,000%.
  • APWG’s Phishing Activity Trends Report says that phishing attacks hit an all-time high in 2021. December 2021 recorded an unprecedented 300,000 attacks, signifying these incidents became over three times more common than they were two years before.
  • UK’s Cyber Security Breaches Survey 2022 signifies that phishing is the most common cyber threat that targets UK businesses and charities. 83% of them suffered a phishing scam.
  • 2022’s first quarter saw a dramatic rise in phishing attacks. CheckPoint revealed in its 2022 Q1 Brand Phishing Report that malicious actors planned phishing attacks impersonating professional social networking websites. Attacks related to LinkedIn alone comprised over half (52%) of all phishing attempts globally. 

Post-COVID Threat Landscape Isn’t Reducing – Threat Actors Are One Step Ahead

Once authorities lifted the COVID-19 restrictions, employees started moving back to their offices, and malicious actors adapted to the change again. While remote workers were their primary targets for 18 months, new phishing campaigns targeted those who were returning to the physical workplace. The following are some prominent examples:

  • Cofense observed an email-based campaign that targeted employees with emails impersonating their CIO and welcoming them back to the office. The emails appeared legitimate and contained the organization’s official logo and the CIO’s signature. The message outlined the organization’s new precautions and business operation changes connected with the pandemic.
  • India saw a surge in new phishing techniques after the government launched electric vehicle (EV) incentives.
  • Some phishing attempts preyed upon financial fear. For example, In a  scam,  bank customers were informed that their accounts were on hold due to suspicious logins or transactions. Users became victims when they attempted to resolve the issue by clicking on the embedded link.
  • The BazarBackdoor attackers send malware-free mail, bypassing email security and directing users to a website contact form. Once a user submits the form, the perpetrators send malware through a purported response file through a file-transfer service to avoid email security.
  • Some latest phishing attacks send malware links through QR codes embedded in emails or stickers in restaurants or public locations. The QR codes directly execute malware or redirect the users to credential-stealing websites.
  • Microsoft recently discovered a multi-stage phishing attack on businesses that don’t use multi-factor authentication. The first stage steals an employee’s email credentials, and the second stage creates a new Office 365 account in their name on a rogue device. After getting established on the new computer, the threat actors use the victim’s account to send internal phishing attacks to the organization or clients using legitimate email accounts.

Top 2022 Phishing Tactics Used By Malicious Actors

In 2022, phishing attacks exploited vulnerabilities unheard of earlier. Here are the year’s top tactics:

  • Typosquatting: Threat actors register domains that users can enter by accident. For example, instead of typing www.phishingexample.com, a user can type www.phishingexanple.com (hitting the ‘n’ key next to the intended ‘m’ key by mistake). If an attacker registers the www.phishingexanple.com domain, the user enters the attacker’s website instead of the legitimate www.phishingexample.com website. If the imposter website looks the same as the legitimate one, the user can easily get tricked into sharing their credentials.
  • Lookalike Domain Attacks: While typosquatting depends on the victim making a typo, lookalike domains exploit the difficulty of differentiating between words or similar characters. For example, an attacker can craft a phishing email with an uppercase “I” instead of the lowercase “l,” making www.iurethevictim.com look like Iurethevictim.com. Having end users targeted by what they think is a legitimate website opens various challenges, like loss of user confidence, theft, fraud, and reduced traffic (and business) to your website. Thus, if you can quickly discover and avoid scam sites, you can mitigate the risks linked to fraud and loss of brand reputation.
  • Executive Impersonation: Executive impersonation is an effective tactic. If malicious actors can spoof or compromise an executive’s email account, they can craft phishing emails to lure unsuspecting users to legitimate-looking phishing. If the user who suspects the fake email to be from their boss enters their credentials into the spoofed website, the attackers steal them and gain unauthorized access.
  • Credential Reuse Attacks: Unfortunately, credential reuse (using the same password, etc., across different platforms) is common among end users because it is inconvenient to create new credentials for every application. If a phishing attack retrieves a credential set successfully, the attackers can access other applications with the same information. Because of credential reuse, such attacks grant attackers access to multiple accounts across various platforms.
  • High-Level Employee Targeting: High-level employees can access sensitive, confidential, and proprietary information that other employees cannot. If attackers obtain their login credentials, they can access sensitive corporate data in the cloud (which organizations store within their network perimeter). Thus, these credentials are the keys to the domain, and stealing them makes threat actors capable of planning large-scale data breaches traditionally mitigated by network perimeter solutions.
  • Financial Scams: Sophisticated phishing campaigns target login credentials and aim to steal financial information from end users. In a financial scam-type phishing attack, the threat actors trick the user into visiting a phishing site, making them share personal or financial information and conduct financial transfers or transactions with it. For example, threat actors may design a site pretending to be a charity platform raising money for the pandemic victims. The unsuspecting users might get fooled into donating cash through it.
  • Business Email Compromise: In BEC, malicious actors spoof the email credentials of top officials of an organization, like the CEO. They then send orders to subordinates to make money transfers of massive amounts. The assistants follow the instructions thinking it to be their boss’s command. Business email compromise (BEC) is rising, and attackers exploit it to make money from fake wire transfer requests.
  • Spear Phishing on Small Businesses: In today’s growing threat landscape, there is nothing too small to become a phishing attack target. Small businesses get targeted frequently with cyberattacks because they often have less IT security than large organizations. Spear phishing is more dangerous than phishing because it is targeted and not generic. Threat actors deploy it in an attack using BEC.
  • Using Initial Access Brokers to Make Phishing Attacks More Effective: One-way threat actors make more money is by taking help from specialists called Initial Access. They are malicious actors who only focus on initially breaching the network or organizational accounts. The rising use of these experts in the field makes phishing attacks more threatening and difficult for end users to detect.

How To Redefine Cybersecurity in a Post-COVID World

Organizations’ strategies to counter the threats mentioned above will vary according to each organization’s cyber security maturity level. Generally, they must focus more on new cybersecurity models, including ‘zero trust.’ Following are ways individuals and organizations can remain protected:

  • Antivirus Protection: Employees must have an antivirus software license for their information systems. A good antivirus solution can eliminate many attacks.
  • Cybersecurity Awareness: Organizations must brief their staff on best procedures and practices to regulate sending emails or sensitive content to other parties or cloud storage.
  • Phishing Awareness: Employees must remain vigilant when receiving emails and check the sender’s addresses’ authenticity.
  • Home Network Security: Employees must ensure that their home Wi-Fi remains protected by a strong password.
  • Using VPN: Virtual private networks offer an additional protection layer to home internet use. They can remain a stringent barrier against cyberattacks.
  • Identifying Vulnerable Spots: Each IT system has vulnerabilities. Organizations must run tests to identify and patch them quickly. It can take the form of vulnerability scanning or penetration testing. Furthermore, businesses must perform hardening of technical infrastructure components.
  • Frequent Reviews: Organizations must evaluate cybersecurity risk exposure regularly and determine whether the existing controls are robust. The IT teams must consider new cyberattack forms during these reviews.
  • Renewing Business Crisis and Continuity Plans: Top managers must update their business continuity plans considering various cyberattack.

More advanced measures that users can take are:

  • Applying New Tools and Technology: IT teams can use advanced tools like host checking (which checks the endpoint’s security posture before authorizing access) to reinforce remote work security.
  • Intelligence Techniques: Businesses must encourage proactive cyber threat intelligence to identify indicators of attacks (IOC) and address them.
  • Risk Management: Organizations can apply GRC (governance, risk, and compliance) solutions to improve risk management. GRC solutions offer a detailed view of the organization’s risk exposure and help link various risk disciplines (cybersecurity, business continuity, and operational risks).
  • Prepare for Attacks: In today’s high-risk times, businesses must carry out frequent cyber crisis simulation exercises and prepare their response to a phishing attack.
  • Zero Trust Infrastructure: CIOs and CISOs must consider implementing the zero-trust framework for cybersecurity. It is a security model where only authorized and authenticated devices and users get access to applications and data.

The COVID-19 pandemic taught people that preparation is critical to limit the risks linked to cyberattacks. Malicious actors have been clever in changing their tactics to adapt to changing situations and executing sophisticated phishing attacks. The ability of a user to quickly react to unforeseen events helps lower the impact of a cyberattack. Today, organizations that benefit from secure remote work capabilities are better prepared to face the growing risk of phishing attacks. Consequently, businesses fearing risks must quickly assess their exposure to phishing attacks and prioritize initiatives to address cybersecurity gaps.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

References

  1. Al-Qahtani, A. F., & Cresci, S. (2022). The COVID-19 scamdemic: A survey of phishing attacks and their countermeasures during COVID-19. IET Information Security, 16(5), 324–345. doi:10.1049/ise2.12073
  2. Damcova, K. (2022, May 6). Phishing attack trends to beware of in 2022. Retrieved January 4, 2023, from IQ in IT website: https://iqinit.uk/news/phishing-attack-trends-to-beware-of-in-2022/
  3. Nabe, C. (n.d.). Impact of COVID-19 on cybersecurity. Retrieved January 4, 2023, from Deloitte Switzerland website: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
  4. Ideal Integrations (2022, March 14). New phishing techniques to watch for in 2022. Retrieved January 4, 2023, from Ideal Integrations® website: https://www.idealintegrations.net/beware-these-new-phishing-techniques/
  5. McCurdy, R. (2022, November 8). The Biggest Phishing Breaches of 2022 and how to avoid them for 2023. Retrieved January 4, 2023, from Security Boulevard website: https://securityboulevard.com/2022/11/the-biggest-phishing-breaches-of-2022-and-how-to-avoid-them-for-2023/
  6. Over 255m phishing attacks in 2022 so far. (2022, October 26). Retrieved January 4, 2023, from Security Magazine website: https://www.securitymagazine.com/articles/98536-over-255m-phishing-attacks-in-2022-so-far
  7. Page, C. (2021, June 1). Hackers are targeting employees returning to the post-COVID office. TechCrunch. Retrieved from https://techcrunch.com/2021/06/01/hackers-phishing-post-covid-office/
  8. (2022, September 28). Webinar wrap-up: Cyber security in a post-COVID world: New challenges & opportunities. Retrieved January 4, 2023, from Simplilearn.com website: https://www.simplilearn.com/cyber-security-challenges-and-opportunities-post-covid-article

 

Picture of Brad Hudson

Brad Hudson

VP of Cyber Security | vCISO - CISSP, CCSP, CCNP, MCSA, MCITP:EA,SA

Unlocking the Benefits of Cloud Migration in Higher Education

Cloud migration modernizes an organization’s data, applications, and infrastructure from on-premises systems to the cloud. The initial process can be complex and time-consuming. Still, it can bring significant long-term benefits to universities and other educational institutions that allow them to focus on their core aims of providing quality education. One of the main benefits of cloud migration for universities is cost savings. On-premises systems require expensive investments in hardware, software licenses, and expensive skillsets to support the many diverse environments, as well as ongoing patching, maintenance, and support costs. In contrast, cloud-based solutions are typically subscription-based, which means that universities can pay for only the resources they use rather than upfront costs for hardware and software. This can result in significant cost savings for universities, especially those with large and complex IT systems.

Another benefit of cloud migration for universities is increased flexibility and scalability. The majority of CAG (Columbia Advisory Group) higher education customers only need their full compute performance a few weeks a year while the rest of the year their hardware runs at less than 20% of its capability. Cloud-based solutions can be easily scaled up or down on demand to meet these changing needs, which can be particularly useful for universities that only experience performance fluctuations during enrollment. Additionally, cloud-based solutions can be accessed from anywhere with an internet connection, which is beneficial for students, faculty, and staff to access University resources and collaborate remotely. The Covid pandemic magnified the significance of educational institutions needing to support this capability.

Cloud migration can also improve the security and reliability of IT systems for universities. Cloud providers have robust security measures in place, such as multi-factor authentication and data encryption, which can help to protect against cyber threats and data breaches. In addition, cloud-based systems can be more reliable than on-premises systems, as they are typically backed by the redundant infrastructure and 24/7 support and can also scale to full parity, dependent on the criticality of the replicated system.

Finally, cloud migration can enable universities to take advantage of the latest technologies, such as artificial intelligence and machine learning. These technologies can improve a range of educational and research activities, from grading assignments and analyzing student data to conducting research and developing modern technologies.

In conclusion, cloud migration is an important consideration for universities looking to improve the efficiency, cost-effectiveness, and flexibility of their IT systems. By moving to the cloud, universities can realize significant benefits, including cost savings, increased scalability, improved security and reliability, and access to the latest technologies.  With tailored support from Columbia Advisory’s cloud experts, universities can ensure that their transition is smooth and secure. By leveraging the latest cloud technology, universities can equip themselves for a digital future and unlock all the benefits that come with it.

Picture of Ernest Bricker

Ernest Bricker

Director of Infrastructure Practice, Columbia Advisory Group

Why is it a good idea for Higher Education to outsource its Cybersecurity Framework Assessments and consider hiring a fractional vCISO

There are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments (NIST Cybersecurity Framework, HIPAA, GDPR, etc.) and hiring a fractional virtual Chief Information Security Officer (vCISO).

First and foremost, outsourcing Cybersecurity Framework Assessments can provide higher education institutions with access to a greater level of expertise and experience. Cybersecurity Framework Assessments, such as NIST Cybersecurity Framework, HIPAA, GDPR, etc., are a comprehensive set of security and privacy controls used by many organizations, including higher education institutions, to ensure the confidentiality, integrity, and availability of their systems and data. However, conducting these assessments can be a complex and time-consuming process that requires specialized knowledge and skills. By outsourcing these assessments to a qualified third party, higher education institutions can leverage the expertise and experience of professionals who have a deep understanding of numerous Cybersecurity Frameworks and how to implement their controls effectively.

Another reason to outsource Cybersecurity Framework Assessments is to ensure that the evaluation is conducted unbiasedly and objectively. In organizations that perform internal assessments, the risk of bias or subjectivity creeps into the process. Unfortunately, this can lead to an incomplete or inaccurate measurement of the organization’s security posture; in turn, this can increase the chances of an incident, such as a breach or intrusion, that may result in the loss, damage, or disclosure of assets. By outsourcing the assessment to a third party, higher education institutions can ensure that the evaluation is performed unbiasedly and objectively, providing a more accurate picture of their security posture.

After a cybersecurity framework assessment has been conducted, it’s paramount that a Governance, Risk, and Compliance Program is put in place to manage risk moving forward. In addition, a security program and plan need to be developed to track and remediate deficiencies identified during the assessment. Therefore, CAG recommends hiring a fractional vCISO to guide higher education institutions through the Governance, Risk, and Compliance minefields. A fractional vCISO is a professional who works remotely part-time or on a contract basis, providing expert guidance and support to the organization’s security efforts. In addition, a fractional vCISO can offer a range of services, including conducting risk assessments, developing, and implementing security policies and procedures, and providing guidance on compliance with regulatory requirements such as NIST, GDPR, HIPAA, and FERPA.

In conclusion, there are several reasons why higher education institutions should consider outsourcing their Cybersecurity Framework Assessments and hiring a fractional vCISO. These approaches can provide higher education institutions access to greater expertise and experience, ensure that assessments are conducted unbiased and objectively, and build a robust Governance, Risk, and Compliance program through a fractional vCISO. In addition, by leveraging these resources, higher education institutions can strengthen their security posture and better protect their systems and data.

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

Picture of Brad Hudson

Brad Hudson

VP of Cyber Security | vCISO - CISSP, CCSP, CCNP, MCSA, MCITP:EA,SA

Microsoft Patch Tuesday: Two zero-day flaws in Windows need immediate attention

Microsoft’s December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-focused update (TCP/IP and RDP) that will require significant testing with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote).   Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues. 

Known issues

  • ODBC: After installing the December update, applications that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect. You might receive the following error messages: “The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server”.
  • RDP and Remote Access: After you install this or later updates on Windows desktop systems, you might be unable to reconnect to (Microsoft) Direct Access after temporarily losing network connectivity or transitioning between Wi-Fi networks or access points.
  • Hyper-V: After installing this update on Hyper-V hosts managed by SDN-configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM).
  • Active Directory: Due to additional security requirements in addressing the security vulnerabilities in CVE-2022-38042, new security checks are implemented on domain net join requests. These extra checks may generate the following error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Re-using the account was blocked by a security policy.”

About Columbia Advisory Group:
Columbia Advisory Group (CAG) is a leading Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many higher education institutions, state agencies, and Fortune 50 customers. Practice specialty areas include Infrastructure, IT Service Management, Cybersecurity, and A/V Services. CAG improves business outcomes with IT insights and expert technical support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. Contact us at .

Picture of Brad Hudson

Brad Hudson

VP of Cyber Security | vCISO
CISSP,CCSP,CCNP,MCSA,MCITP:EA,SA