Browsed by
Category: Cyber

10 Regulatory Actions to Take Immediately If You’re a Manufacturer in the Greater D.C. or Maryland Area

10 Regulatory Actions to Take Immediately If You’re a Manufacturer in the Greater D.C. or Maryland Area

If you’re a manufacturer within 50 miles of Washington D.C., your organization is probably working with the United States government in some way, shape or form. Whether you have a contract directly with the government or you provide products or materials to someone who does, your company is now responsible for ensuring that you are compliant with NIST 800-171 standards.

Are you interested in how a comprehensive IT solution could benefit your business? Click here to browse our Managed IT homepage!

WHAT IS NIST 800-171?

As of December 31st 2017, the National Institute of Standards and Technology (NIST) has published a document stating that all manufacturers that work with the US government (Department of Defense, General Services Administration, and NASA), are now responsible for maintaining compliance with their cybersecurity standards, outlined in document NIST 800-171. The document spells out the strict data management guidelines that manufacturers must meet in order to work with the government.  And take note– just because you do not have a direct contract with the government does not mean you are not affected. Even if your organization does something as removed as supplying parts to a subcontractor of the government, it is required that your organization become compliant as well.

This document outlines the standards to which all manufacturers must update their systems in order to maintain cybersecurity best practices. With hackers attempting to breach the infrastructure of government agencies and private organizations alike, this document strives to protect both Controlled Unclassified Information (CUI) and Covered Defensive Information (CDI). Even though this information is technically unclassified, it is still sensitive data. This document strives to control the dissemination of this information.

Failure to meet these standards could mean the loss of your contract altogether.

10 Data Security Actions Your Business Should Consider Today to Work towards Compliance with NIST 800-171

While the actual document lists over 100 points that your organization will need to address, we’ve outlined 10 impactful data security changes you can make to your infrastructure to get started immediately.

  1. Limit access to your internal systems to authorized users and devices
  2. Apply a limit to the number of unsuccessful log in attempts for each user
  3. Automatically log off of devices after a certain amount of inactivity
  4. Provide security-awareness training to employees
  5. Restrict employees from self-installing software on their devices
  6. Require users to sign in to all systems before accessing any internal systems
  7. Prohibit password reuse for a specified number of generations
  8. Enforce a minimum password complexity when creating new passwords
  9. Restrict the use of portable storage devices if they do not have an identifiable owner
  10. Only allow physical access to organizational systems and equipment to authorized individuals

How Can I Become Fully Compliant with NIST 800-171?

Clocking in at 110 standards that your organization must meet in order to maintain compliance, it is clear that you will need to seek the help of an expert to get these updates underway. Due to the complexity of some of the requirements and what is at risk you don’t comply, we recommend utilizing an internal IT team or partnering with a resource that you trust to apply these changes. Equally as important, is establishing a process or resource to ensure you remain compliant!

If you do not have the capacity or expertise to apply these updates internally, seek the help of a dedicated 3rd Party IT company that understands the complexities of maintaining compliance in the manufacturing industry. With a third-party resource, you can stick to running your business while your third party handles the rest.

Posted by
Olivia Bushong
Author Bio
As a business solutions provider, Advance helps organizations become more efficient and more effective through technology, processes and services backed by industry leading support. Whether it’s proactively managing a customer’s IT infrastructure, providing multifunctional devices or an electronic document management software solution, Advance provides solutions for productivity so organizations can focus on their core business. Celebrating over 50 years of serving Maryland businesses, Advance has deep roots throughout the state. As an independent, family owned business, Advance is proud to partner with organizations such as the Baltimore Ravens, Maryland Zoo, Maryland Athletics, and the National Aquarium for office efficiencies and to demonstrate its commitment to the local community.
We Digitized Our Lives, We Just Forgot to Secure Them

We Digitized Our Lives, We Just Forgot to Secure Them

We are a connected, digital society that depends heavily on networks, databases and other digital systems to operate. Almost every aspect of our lives, from the most basic tasks at the workplace to our personal communication and social interactions, to the way we shop and the tools we use to study and learn, depends on some form of electronic interaction or data exchange. These digital environments are practical, useful and fast, but in our excitement to use, leverage and widely deploy them, we have forgotten to secure them.

The spree continues

Last year, the national fast food restaurant chain, Arby’s, acknowledged that malware installed on payment systems inside specific corporate stores might have compromised more than 355,000 credit and debit card numbers. A few months later, personal information and the medical diagnoses of at least 7,000 patients at the Bronx Lebanon Hospital Center in New York had leaked. By the end of the summer, Kmart and Verizon had revealed malware infections and data leaks, all leading to the Equifax compromise, a breach potentially affecting up to 143 million customers. Even Uber suffered a data breach allegedly exposing personal information of 57 million users and drivers. Even companies in cybersecurity can be affected. Take Deloitte for example, a company once named by Gartner Research as the “best cybersecurity consultant in the world,” which had its email system hacked. The naive justification of all these compromises can be attributed to profit-driven “corporate irresponsibility”—companies and organizations minding their bottom lines rather than exercising care about securing their data.

Not my problem

Terms like breach, data leak, attack, hack, exploit and malware have become common in our vernacular, and they are immediately associated with malicious intent. For most individuals, cybersecurity incidents remain distant acts of socially awkward—but brilliant—teenagers or nefarious hackers in far-away countries. That’s until someone’s financial or health records become available on the Internet.

Companies on the other hand are aware of the impact of breaches, but for many, they are only identified as risks that are hedged against with the cost of actively protecting digital assets and that of inaction. For small businesses, a hacking attack may be detrimental, with 60 percent of small companies being unable to sustain more than six months after a compromise. For large organizations, cybersecurity insurance policies give a sense of safety from financial risk, yet there is no policy that could ever recover the reputational cost and loss of trust.

Cybersecurity compromises are not always the product of malicious intent and unauthorized access. Data breaches are also caused by unintentional omissions, software errors, poor maintenance of systems and software operator negligence or misplaced trust in careless third parties. In all cases and at all levels, dealing with cybersecurity incidents, whether malicious or inadvertent, will not be reduced until all stakeholders, from organizations to individuals, assume their share of responsibility.

The hunt for cybersecurity talent

The need for qualified cybersecurity staff has become a mainstay discussion. Cybersecurity professionals are expected to have specific, technical, specialized skills that match each organization’s technology mix. The result has been the springing up of an entire industry of cybersecurity certifications that existing information technology professionals flock to obtain. These are good options to meet current demand, but their value is often as short-lived as the product or technology they are based on.

Unlike other fields, specific technology skills are required in cybersecurity, but they are not sufficient to succeed. The field is highly technical and requires professionals to continuously cross the lines between computer science, information technology and mathematics. It also requires many important skills such as problem solving and critical thinking. These skills can’t be obtained by a weeklong vendor training or series or set of professional certifications. These are skills that are cultivated with formal education, enriched with technical training and further enhanced with on-the-job work experience.

For information on our cybersecurity program, click here.

Posted by
Written by:Dr George Dimitoglou, submitted by: Ivana Shuck
Author Bio
George Dimitoglou is an Associate Professor in the Department of Computer Science and Director of the Center for Computer Security and Information Assurance at Hood College, Frederick, MD. Before joining the faculty he spent time in the industry and government working in the areas of information systems, telecommunications, data archiving and space science. He holds a doctorate in Computer Science with concentration in Parallel and Distributed Systems from the School of Engineering & Applied Science of The George Washington University; a M.S. from the University of Maryland and a B.S. from Temple University. He is the recipient of a Mission Contribution Award from the European Space Agency, a NASA Goddard Space Flight Center National Resource Award, a Kobe City (Japan) Mayor's Award for Outstanding Performance (robotics competition) and a Faculty Advisor Award by the IEEE National Capital Area Section. He is a member of the the IEEE, the ACM, the Mathematical Association of America and the ϕKϕ Honor Society.
For Companies, Defense is Still the Best Defense

For Companies, Defense is Still the Best Defense

As a strategy, attacking one’s enemies as a way to protect oneself has been promoted  throughout history as the best kind of defense. This doctrine has been suggested by Machiavelli, Sun Tzu and even Abraham Lincoln when he referred to “…offensive operations, being the surest, if not the only means of defence…” [1].

The problem is this doctrine of counter-attack doesn’t work well in cyberspace. When a company’s assets are hacked, all a company can do is endure the reputation damage, attempt a quick recovery of compromised assets, address vulnerabilities, harden security and move forward.

Options such as attacking the hackers, “hacking back”, counter-hacking,  or the more eloquent “active defense” surely go through the minds of every person dealing with a compromise.

Doing so in the U.S. is illegal. The Computer Fraud and Abuse Act (CFAA) [2] makes most forms of counter-hacking unlawful. Also retaliation significantly increases the risk of putting the company in the cross-hairs of more hackers and becoming subject to more attacks.

The legal aspect and increased risk notwithstanding, the ability, effectiveness and value of hacking back is questionable.

A key factor is attribution, the ability to identify the attacker with a degree of confidence that doesn’t turn the victimized company into a reckless villain. Even during naive cyber attacks, hackers attempt to hide their tracks either by spoofing their IP addresses or using intermediate, often compromised systems of other organizations as staging platforms to launch their attacks. Counter-hacking the wrong network, IP or another innocent company’s systems would not accomplish anything.

The effectiveness of counter-hacking should be evaluated against the type and might of the adversary. Starting from the least to the most powerful, the first category are opportunistic hackers, individuals that hunt for technological vulnerabilities. Their motivations range from asserting bragging rights in subversive online forums to asking for ransom in bitcoin to return deleted data and restore defaced websites. Their methods are based on blunt attack instruments that scan thousands of networks and system for vulnerabilities, using code and instructions found on the internet. For a company attempting to retaliate against these hackers, it resembles an infinite game of whack-a-mole.  And typically the hackers have no assets to attack — launching a cyber attack doesn’t require more infrastructure than a computer and an internet connection.

The second category are professional hackers, or hired guns. These freelancers operate with surgical precision. Their targets are specific companies and their motivation can be industrial espionage or disrupting operations to reduce capability and provide competitive advantage for the hacker’s “employer”. Attribution in this case is very hard as a company attempting to retaliate must distinguish between the attack executioner and the party that paid them.

The third category is state-sponsored hackers. These are literal armies of hackers that deploy coordinated hacking campaigns on a variety of targets and may range from industrial espionage against a country’s entire business sector to the disruption of power plants and electrical grids. The asymmetry of power in this case is so pronounced that companies have little or no chance to accomplish anything by launching a counter-attack against a state ,other than becoming a prime target.

It is clear from the above that hacking back is a lost cause. Yet companies are becoming increasingly frustrated and continue to discuss options for retaliation. If not active counter attacks, perhaps baiting hackers and planting software that operates either as a timebomb or a beacon in fake but sensitive-looking documents. In the first case, the planted software “explodes” after being stolen, infecting the hacker’s files and network similar to dye packs planted in bags of money in banks. In the second case, a beacon software generates location signals, revealing the location of the perpetrator.

While these methods may make potential hackers think twice about conducting operations, they will do very little to thwart their activities.

It is safe to say that a state-to-state adversarial engagement in cyberspace is a completely different matter. The balance of power is different and its resemblance to military combat lends itself to applying more traditional engagement doctrines such as the strategic offensive principle of war. The number of stories of clandestine sabotage as a counter or preemptive attack are increasing.

The unconfirmed release from US and Israel of Stuxnet [3-5], a virus released to impede Iran’s nuclear plants by destroying centrifuges is a case of a preemptive attack.   Another, borderline funny, retaliation example is the outing of a hacker by the country of Georgia. Frustrated by continuous Russian cyber attacks, they baited a hacker with software that once stolen by the hacker, took photos of him using his webcam.

While these and many other similar stories are newsworthy and often have political implications, vigilantism has no place in industry. Companies should focus on excelling in their domains of operation.  Organizations in all sectors, manufacturing, banking, health and technology should act legally and maintain an ethical advantage against hacking attacks, while acting to harden their cyber defenses and make it as hard as possible for hackers to profile, attack and profit from their crimes.

REFERENCES

  1. “From George Washington to John Trumbull, 25 June 1799,” Founders Online, National Archives, last modified February 1, 2018, http://founders.archives.gov/documents/Washington/06-04-02-0120. [Original source: The Papers of George Washington, Retirement Series, vol. 4, 20 April 1799 – 13 December 1799, ed. W. W. Abbot. Charlottesville: University Press of Virginia, 1999, pp. 156–159.]
  2. Computer Fraud and Abuse Act of 1986, U.S. Code, Title 18, Part I, Chapter 47, § 1030
  3. Ellen Nakashima, Greg Miller, and Julie Tate; June 19, 2012; “U.S. Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say;” The Washington Post; http://www.washingtonpost.com/world/national-security/us-israeldeveloped-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html.
  4. David E. Sanger, June 1, 2012, “Obama Order Sped Up Wave of Cyber Attacks Against Iran,” New York Times, http://www.nytimes.com/2012/06/01/world/middleeast/ obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=0
  5. Joby Warrick; February 16, 2011; “Iran’s Nuclear Natanz Facility Recovered Quickly From Stuxnet Cyber Attack;” The Washington Post Online; http://www.washingtonpost.com/wp-dyn/content/article/2011/02/15/AR2011021505395.html
Posted by
George Dimitoglou
Author Bio
George Dimitoglou, Ph.D., is an associate professor of computer science at Hood College and director of the Cybersecurity master’s program at the Hood College Graduate School. He is also the director of the Center of Computer Security and Information Assurance. Professor Dimitoglou earned a bachelor's degree in computer science from Temple University and a Ph.D. in computer science from The George Washington University.
Big Announcements from Maryland Tech Council

Big Announcements from Maryland Tech Council

Please see important information below regarding our office move, guest blogs and member videos! Let me know if you have questions.  I’m looking forward to seeing you soon!

  • Big Move

    Maryland Tech Council is saying goodbye to our old digs on September 20, 2017.  Please make note, our communications will be down that day and we will resume full activity on September 21, 2017.  MTC’s new headquarters will be located at Launch Workplaces in Gaithersburg MD, 9841 Washingtonian Boulevard, Suite 200, Gaithersburg MD 20878.

  • Be a Guest Blogger

    Maryland Tech Council is launching the Member Point of View (POV) guest blogs.  We are inviting members to submit content for our blog page.  The content will be focused on your niche/industry where you can add a new POV for the MTC audience. Our goal is to position you as an authority and well-known name in the industry. And for us, we will have fresh new content for the page and get new readers to our blogger community.  It’s simple and a win-win.  We will have numerous categories that you can write articles for; those will be available in the next few weeks.  We are kicking off the Member POV blogs during Cyber Security Awareness month in October.  If you are interested in submitting a blog on that topic, please let me know and we will get you started.

  • Become a Familiar Face in the Community

    Maryland Tech Council is revitalizing the “member spotlight” that is featured in the VIBE E-newsletter. We now offer the opportunity to feature you, the member, through our new and exciting video blog or vlog.  The video will be 30-45 seconds, prerecorded at our offices, about your company. We will then feature the vlog in our monthly VIBE E-newsletter.  The vlogs allow us to distribute the member spotlight through other formats such as twitter, Facebook, etc. to get you more exposure.  I mean, we are the Tech Council, right?  

 

Remember, everyone in your company is a member of MTC. Please share this important information with your team.

Warm Wishes,
Michelle

Michelle Ferrone
EVP, Operations
Maryland Tech Council
240-243-4047