Category: Cyber Security

CMMC Series: Preparing for your assessment
This is our fifth article on this topic and as we bring it to a close, I’d like to first look back at what we’ve covered so far.

We started the series looking at what’s ahead for the Cybersecurity Maturity Model Certification (CMMC) program in 2022. Then we covered tiers one, two and three as they exist in the current 1.0 model of the program. We’re anticipating that tiers two and three will be merged going forward as version 2.0 rolls out (placing a larger burden on defense contractors looking to scale past the beginner controls in tier one and become more competitive in the marketplace).

So, if you’re reading this you’ve hopefully begun the process of implementing the controls within your business and are thinking it’s time to begin the process of obtaining your certification. There are several steps that come before actually obtaining your certification (although it should be noted that the CMMC Accreditation Body is currently in the process of hiring and waiting lists for certification could be lengthy at this time). The sooner you begin implementing the CMMC controls within your business, the sooner you can attempt to get on the waiting list to receive your certification.

The assessment process will follow these steps:
1. You will need to begin implementing a plan for CMMC within your business, and conduct a self-assessment against the NIST 800-171 (or partner with a provider like Valley Techlogic to assist you with this).
2. As you improve your processes you can submit your score to the Department of Defenses’ (DoD) Supplier Performance Risk System (SPRS).
3. From there you will need to identify the scope you wish to obtain for your business (it’s our opinion maturity level 3 will be required for most defense contractors in the future).
4. Obtain a third-party gap assessment, this will show you where your business is and where it needs to be to achieve your goals.
5. After addressing the gaps found in the assessment, you can look to the CMMC Accreditation Marketplace and choose a CMMC Third-Party Assessment Organization (C3PAO) to conduct your CMMC assessment.
6. The CMMC Accreditation Body will review the assessment submitted by your C3PAO and award you your CMMC certification.
Of course, this is boiling down many months (or even years) of preparation into what looks like 6 easy steps. The process will be time consuming and potentially costly, but for those who wish to continue doing business with the DoD it’s a necessary investment in the future.

As we’ve mentioned in past articles on the topic, defense contractors who refuse to comply with the CMMC process will no longer be eligible for defense contracts in the future. Beyond that, if you reach a higher level of certification, you will be in a better position to receive more contracts as it will be used as a comparative tool going forward.

If you’re like assistance with the CMMC self-assessment process or preparing for your CMMC AB assessment, Valley Techlogic has experience in this area. We have helped businesses begin the process of becoming CMMC ready, if you’d like to learn more schedule a consultation with our experts today.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
February 4, 2022
Cyber Insurance – What you can do to ensure your business will be covered in 2022
Last month we released our new cyber insurance report which is an in depth look into this topic, but we wanted to touch on what we’re specifically seeing so far in 2022 in today’s article because from what we’re seeing in from our clients and in the industry – cyber insurance requirements are on the rise.

If you’re new to cyber insurance or aren’t sure what’s covered under this sort of policy, for most insurance providers cyber insurance offers coverage for technology related disasters. This could include a cybersecurity event such as ransomware or a data breach but depending on your level of policy it might also include IT related downtime not related to cybersecurity such as internet outages. You may even see coverage for specific device issues, such as the loss of an office server that’s critical for day-to-day operations.

When it comes to the cybersecurity related coverage what many people don’t realize is it’s not only meant for covering your own losses, but also the potential loss incurred by your customers. If you have a data breach, your cyber insurance coverage will cover the cost of any litigation brought by your customers and it may also cover items such as on-going credit monitoring if their PII (personal identifying information) was exposed in the data breach your company suffered.

It can be easy to feel detached from a loss you haven’t suffered yet. To put some perspective to, it during the Anthem data breach in 2015 when involved 80 million patient records, their costs to notify their customers (which HIPAA regulations stipulate must be done by snail mail) exceeded $40 million in just postage. That’s not even taking into consideration all of the other costs associated with that breach.

They’re a major corporation, so again it may be difficult to imagine yourself in those shoes, but even for small companies the average costs are as high as $200,000 per breach. Also, if you’re hit with a ransom and think you can just pay it and get out intact, think again. Many times, even if you receive the de-encryption key from the hackers your data may still be lost.

It’s not surprising that insurance providers are looking at this and wondering how they can alleviate some of the risk they’re taking providing insurance to customers going forward. The requirements are increasing, even for us as a technology provider for businesses we’re seeing longer forms that we’re assisting our customers with when they go to acquire a new cyber insurance policy.

These longer forms are featuring more difficult questions as well. We have made cybersecurity a staple feature of our plans so our customers are in a good place for obtaining a cyber insurance policy, but the truth is if cybersecurity has been on the back burner for your business, you may have a difficult time in 2022 and beyond finding an insurer that’s willing to cover you.

As an idea of where to start before you go to obtain a cyber insurance policy, we’ve created this checklist of items you can begin to work on to put your business in a better position this year.

Click to grab the full size version.

Many of the items listed are easy for even someone who’s not very tech savvy to tackle, but if you’d really like to protect your business from hackers this year, we suggest teaming up with a tech provider like Valley Techlogic.

Cybersecurity is a core focus for our business, we will match your business with a cybersecurity framework that makes sense – for example CMMC for defense contractors, HIPAA for healthcare providers, NIST or CIS for small and medium sizes businesses of any industry – and use that framework to have a concrete game plan for making sure your networks and devices are impenetrable to bad actors. Learn more today with a quick consultation

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
February 3, 2022
CMMC Series: Tier Three Overview
We’ve covered tier one and tier two of the Cybersecurity Maturity Model Certification (CMMC) program, and this week we’ll be tackling tier three.

Before we dive in, we want to mention that we’re covering tier three as it exists currently (in 2022), version 1.0 has five tiers but once version 2.0 of the program releases it will be reduced to three tiers.

What is currently tiers two and three will just be tier two version 2.0 of CMMC in the future, so it’s still worthwhile to pursue up to tier three in the existing model.

Tiers four and five in the existing model (or tier three in the future in version 2.0 of CMMC) feature the highest level of protection and may not be necessary for most businesses pursuing Department of Defense (DoD) contracts. It’s estimated less than 1% of businesses will need to pursue beyond tier three.

If you were to give the first three tiers’ labels, tier one would be considered “basic hygiene”, tier two would be “progressive hygiene” and in tier three you reach “good cyber hygiene”. By tier three your business will be well protected from cyber-attacks.

Tier one had 17 controls, tier two added 55 more for 72 total, and tier three almost doubles the controls adding another 58 for 130 total.

Level three expands on Access Control, which adds 8 more controls that focus on encryption and preventing unauthorized access to sensitive systems.

Next, we see a new control in Asset Management that requests that you develop plans and procedures for handling CUI data.

Audit and Accountability has 7 new controls that ask you to expand on your logging efforts as well as restrict access to those logs to only authorized users.

Awareness and Training has one new control and it’s solely around providing and maintaining cyber training for your employees.

Configuration Management adds three new controls, the CMMC controls in this category are looking for you to tighten up the configurations on your business’s devices, such as preventing downloads of unauthorized software and disallowing users to make security changes on their own.

In Identification and Authentication we see four controls aimed at tightening up your user security, such as not allowing passwords to be reused and requiring MFA (multi-factor authentication).

The two controls found in Incident Response ask you to track any incidents that occur and regularly test your organization incident response capabilities.

Tier three Maintenance adds two new controls, one that asks you to sanitize any equipment of CUI data before it’s removed for maintenance and another that asks you monitor any media meant for testing or diagnostic purposes for malicious code before installing it on your devices.

Media Protection adds four new controls, they all involve properly marking and restricting access to CUI data.

Physical Protection in tier three of CMMC adds one control and it asks you to continue expanding on your efforts to prevent physical outside threats to the CUI data your business holds.

Recovery also adds just one control and it’s aimed at having a schedule for your businesses backups that is strictly maintained and that proper storage capacity for your backups is provided and prioritized.

Risk Management adds three controls, two are about maintaining risk assessments and developing plans to mitigate any identified risks. The third asks you to manage products not supported by vendors separately, including enforcing access and use restrictions on them. What they mean by this is if your business utilizes an older piece of software you’re not able to discontinue yet – you need to quarantine it to be in compliance with CMMC. Any piece of software not updated is a potential threat vector for your business.

Security Assessment adds two new controls, they want you to monitor your security controls for ongoing efficacy and also have an independent security assessment conducted to identify any areas of risk that may be missed in your internal efforts.

Not seen in tiers one or two, tier three introduces the first Situational Awareness control, and it asks that you begin to share cyberthreat intelligence found from reputable sources with your stakeholders. An example would be if there’s been an announcement of a breach occurring with a software your business uses, you would be obligated to share your knowledge of that breach as it becomes available to you.

System and Communications in tier three adds the most new controls of any category with 15 controls in total. Controls in this category cover items such as ensuring proper information security across your in-house efforts in software engineering and system development to maintaining cryptographic keys for all the cryptography used on your systems. All of the controls are aimed at completing finishing touches when it comes to tightening up the security on your systems.

Finally, System and Information Integrity adds three new controls. One asks that you beef up your efforts to block spam at all entry points, the second asks that you utilize all available efforts to prevent and detect document forgery and the third asks that you implement “sandboxing” to filter and block potentially malicious emails.

As you can see, tier three greatly expands on the active role your business will need to take when it comes to cybersecurity measures. Implementing tier three will be made easier though as your business conducts the cumulative process of preparing better cyber readiness.

For example, in tier two we saw monitoring efforts increase substantially, in tier three you can use the records that have been obtained to fill in the gaps that were uncovered in that process.

Because such a small portion of businesses will need to obtain tiers four and five, we are not planning to have an in-depth article on those tiers. If you would like to have a consultation with Valley Techlogic on the CMMC process and the maturity level you will need to obtain for your business, you can schedule one here. In next weeks article we’ll talk about the CMMC auditing process and what you’ll need to do to prepare as your audit approaches.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
January 28, 2022
CMMC Series: Tier Two Overview
This is the third week of our Cybersecurity Maturity Model Certification (CMMC) Series. You can find week one, which was a look at what’s happening with CMMC in 2022 here. Last week, we gave you an overview of tier one which you can review here.

Tier one in CMMC really covers the basic foundational steps you must take to move on to tier two and tier three. For some contractors, tier one will be enough to keep and maintain compliance with their Department of Defense (DoD) contracts. Every situation is unique, but broadly speaking if you don’t handle Controlled Unclassified Information (CUI) in your business – tier one will probably be the extent that you need to reach.

If you do handle any CUI data, then we recommend you strive towards tier two or tier three. Many of the protections that come in the later tiers specifically cover how to safeguard this data and it’s in your businesses best interest to meet the requirements. While there are no direct financial penalties at the time of writing for not doing so, the DoD is considering a system of rewarding businesses who achieve greater CMMC maturity levels.

If you and another business are exactly the same in what you do and, in your pricing, – or even if their pricing is a bit higher than yours – if they have achieved tier three cybersecurity maturity model certification and your business is tier one or not certified at all yet, it’s likely your competitor will win the bid.

So, what goes into reaching tier two in CMMC?

Tier two is the next milestone within CMMC, and the difficulty does scale considerably with each level. While tier one had 17 provisions, tier two introduces 55 more for a total of 72 practices you’ll need to cover to meet the requirements (the practices are cumulative).

In addition to more practices tier two also introduces new domains.

First there is Access Control, tier two access control looks to limit access to who can log into your organizations systems (and how much they can access when they do).

Next is Awareness and Training, in tier two you will need to make sure your managers, administrators and anyone else you who would have access to sensitive systems is attending regular cybersecurity training.

In Audit and Accountability, we look to maintain logs of user activity for review.

Security Assessment is where we really begin to see accountability being held on organizations, you will need to conduct regular assessments as you work towards your cybersecurity goals and develop cybersecurity plans based on the assessment results.

Configuration Management covers the need to manage the configurations of your office devices and equipment with cybersecurity best practices in mind.

Identification and Authentication is similar to access control, but it specifically looks to limit sensitive systems to only those who should have authorization to access them.

While tier one in CMMC only covered the basics and didn’t address what happens when you have a cyber incident, tier two starts to cover that with the Incident Response control.

The Maintenance control in tier two actually refers to your devices and how you maintain them, and what you will need to do in case of their failure.

Media Protection in tier two covers specific provisions around the handling and destruction of removable media, such as flash drives.

We started looking at Physical Protection in tier one by keeping visitor logs, but tier two asks that you actually begin to escort guests through your facilities and screening personnel.

Tier one surprisingly doesn’t ask that you backup your data (even though we would always recommend that) – in tier two Recovery you must have a plan for backing up your data.

In tier two Risk Management, CMMC asks that you begin to conduct risk assessments and fix any vulnerabilities that are uncovered during the process.

Systems and Communications Protection in tier two includes controlling communications within your organization, not just monitoring them.

Finally, the System and Information Integrity domain covers actively monitoring your systems for breaches and quickly resolving any that come up.

As you can see, CMMC maturity tier two dives into the deep end of cybersecurity, but the provisions it covers will make a discernible impact in your cyber readiness throughout your entire business.

Does your business need to meet the requirements for being certified with CMMC? Valley Techlogic can help, we have experience helping DoD contracted businesses reach their cybersecurity and CMMC goals, as well as helping with the certification process itself. Learn more today in a free consultation.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
January 21, 2022
CMMC Series: Tier One Overview
Last week we covered a general overview of what the Cybersecurity Maturity Model Certification (CMMC) program is and what’s been announced for 2022 so far. Presently, there are five maturity tiers found in program, although if (or when) version 2.0 is released it’s been announced that the program will be simplified down to just three tiers.

The changes that will be happening with version 2.0 however don’t affect tier one very much. Tier one covers basic cybersecurity hygiene in both versions of the program. It sets the groundwork for the later tiers and while the topics covered are “basic”, the foundational coverage they provide is imperative for any business – not just those required to adhere to CMMC for contractual or compliance reasons.

The Cybersecurity Maturity Model Certification (CMMC) program includes 17 controls at the moment with 171 practices. Thirty of those practices are only found within CMMC and not in the framework which formed the basis for it (NIST) and are anticipated to be removed in version 2.0. However, in both version 1.0 and 2.0 there are 17 practices that must be adhered to for tier one.

It’s important to note as well this process is not one and done, you must actively maintain your cybersecurity compliance to continue being certified within CMMC. Failure to do so could result in losing your certification, losing contracts that require CMMC compliance, and or even being fined for violating the False Claims Act (FCA) which will talk about in more detail in a future article.

It’s beneficial to maintain your compliance to both adhere to the program and protect your business from cyber threats.

In tier one the program begins with “Access Control” and there are five components. These components cover topics such as user privileges and controlling remote access and access to internal systems.

The next control is “Identification and Authentication” which aligns well with Access Control, the two practices found within that control involve documenting those that access your systems and maintaining reports for those logins.

Then we have “Media Protection” which has just one practice and it’s aimed at maintaining sanitation of your devices (such as removing sensitive data from hard drives).

Next, we have “Physical Protection” and in tier one of CMMC this topic covers improving the way you surprise visitors to your office location (a lot of cyber threats stem from an attack known as “spear phishing”). There are four practices found under “Physical Protection”.

“System and Communication Protection” has two practices and they’re both aimed at securing the private communication you and your employees have (that may include CUI – Controlled Unclassified Information – data).

Finally, we have “System and Information Integrity” which has five practices that cover better securing your businesses systems, including performing needed updates, and monitoring for malicious code.

As you can see, these basic practices set a good baseline for activities found in higher maturity tiers. In tier one “System and Information Integrity” you’re monitoring for malicious code – in tier two and three there are practices that stipulate how to actually deal with it.

We will be continuing to provide more information on CMMC in this series, next week we will take an in depth look at tier two. If your business needs to meet the requirements for being CMMC certified, Valley Techlogic can help. We have experiences helping businesses achieve greater cybersecurity compliance and assisting them with the certification process. Learn more today.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
January 14, 2022
Norton’s Antivirus Software Comes with a Crypto Miner, and They’re Not Alone
Last week a claim unfolded on Twitter that Norton was installing crypto mining software without authorization on PC’s which then rose to the level of outrage amongst some Norton antivirus software customers.

The truth on the subject is a mixed bag, while it’s true they are installing a crypto miner on customer machines it’s not active on every machine, customers must authorize the process before the device will begin mining crypto (in this case Ethereum). If you authorize Norton to begin mining cryptocurrency on your device they will setup a wallet for you and after a small cut, and then deposit your earnings there when you meet a certain threshold.

Norton did make an announcement that they were planning on including a crypto miner within their software before rolling it out to a small number of users last summer, however at the time of writing we’re uncertain any announcement was made when they decided to make it a component for every user.

Their goal was to provide a “safer alternative” to other sketchy mining programs a user may find on the web. Although we suspect that the cut (15% at the time of writing) they’re receiving from users who opt in is an added bonus.

Even with the news that you must activate the crypto mining intentionally before Norton will crypto mine on your behalf, many aren’t happy that the application is a default addition to their antivirus services and there Isn’t a clear-cut way to remove it.

We do have instructions for removing it, you must temporarily turn off Norton’s anti-tamper feature (instructions on how to do so here) and then you’re able to remove the NCrypt.exe from your PC. If you do decide to instead use the crypto miner, it works as others do where it will only begin mining when your computer is idle.

Norton aren’t the only antivirus software providers including a crypto miner built in either, Avira antivirus (which for transparencies sake has been recently purchased by Norton 360) has also announced Avira Crypto.

Although the details on Avira Crypto are even more sparse than with Norton Crypto, they don’t currently specify what they’re cut is from the currency you mine for instance.

It’s also worth noting that the inclusion of crypto mining into these antivirus software has caused other unrelated antivirus software to flag them as potentially malicious. Users currently annoyed by the inclusion believe Norton should be on the same page, that they should be flagging and removing unauthorized crypto miners – not installing their own.

Also, the fees taken by Norton or Avira stack up with the fees associated with moving the Ethereum out of the wallet they create into one where you can actually use it, which means it can take a while before a user accrues a usable balance (while at the same time increasing wear and tear on their machine and adding to their power bills).

All and all it’s a pretty mixed bag and for users who are not yet savvy in the crypto mining space, maybe not the best additive to a software meant to protect their machines from destructive intrusions.

Speaking of destructive inclusions, we have created this chart with some tell-tale signs your computer may have a virus or malware. It’s in a format meant for printing and can even be printed as a poster.

Click to grab the full (poster) sized format.

If you’ve ever experienced a malware attack in your office, Valley Techlogic can help. We have assisted businesses in their recovery, or if you’ve been lucky enough to avoid it so far, we can help make sure things stay that way. Cybersecurity coverage is included in all of our plans. Learn more today in a quick consultation.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
January 12, 2022
LastPass say they didn’t leak your password, however some users still received alarming alerts
Yesterday, a number of LastPass users received alarming alerts in their email inbox that their passwords – including their master password – had been compromised. The news quickly spread across the internet, starting with forums, and then making its way to Twitter where it was picked up by larger news outlets.

LastPass immediately denied that a breach had occurred within their organization and at first indicated that the alerts were happening to users who were the victims of “credential shuffling”. That means these users had reused their passwords on other websites who may have had a breach in the past, and now bots trolling the internet for compromised accounts have stumbled upon their password vault credentials.

This didn’t end up being the case either, but it is a good reminder NOT to password shuffle, especially with the master password for your password vault (if any password should be unique – it should be that one).

As of this morning LastPass determined that the alerts were sent in error by systems that were set up to be too stringent. They’ve indicated they now adjusted the alerts systems so inaccurate alerts will not be sent again. They also clarified that they don’t store user passwords on their own servers, and that they work on a “zero knowledge” security model which means they are not able to see your master password at all.

The fact that this news took off in a flash may be indicative of the heightened awareness users have around the security of their data, especially those who currently use a password manager as part of their security repertoire. Even if the alerts occurred in error that may be cold comfort to the scare those users experienced.

To us, it’s a reminder that the best cybersecurity efforts are multi-layered. We believe it’s equal parts implementation of security measures, monitoring of those measures, and behavioral changes on the part of the users.

Even if the alerts that occurred yesterday were the result of a system issue not a security issue, we think the users that responded had the right idea when they chose to investigate. It’s also a good idea to change your password if you get a security alert, even if it turns out to be a false alarm. It won’t hurt anything to take that extra step to protect yourself, the old adage “Better Safe Than Sorry” rings especially true when it comes to cybersecurity threats.

We created this resource on the topic of good password hygiene that you can keep to review, or even pass along to your co-workers/employees.

Click to view the full size.

Finally, even if the unthinkable occurs and your passwords are leaked, again a multi-layered approach will protect you. You should enable 2-factor/multi-factor authentication when and where you can. So if someone does get your password somehow, they still will be blocked from logging in.

If the security measures in your workplace aren’t up to snuff or you’re interested in cybersecurity training for your employees, Valley Techlogic can help. Boosting the security measures for your business and providing a digestible cybersecurity training program for your employees is included as part of our technology service plans. Schedule a free consultation with us today to learn more.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
December 29, 2021
If you’ve never heard of the Log4J vulnerability, you’re probably at risk
News is moving fast on the Log4J vulnerability, also known as “Log4shell”. It was first discovered in the video game Minecraft, developers realized hackers could exploit the vulnerability to gain access to the targeted computer and take it over. They quickly released a patch but also made a disclosure that brought the exploit to the public’s view.

The Cybersecurity & Infrastructure Security Agency (CISA) has now made a running repository that lists all of the software and devices vulnerable to this exploit. There you will find guidance on patching the effected products.

So, what is the Log4J vulnerability and what does it do?

It all stems from the building blocks that are used when a programmer is creating their code. Programmers will take bits of code that commonly available and used to act as a foundation for the program they’re trying to write, and in this case one of those foundational bits of code was Log4J. Log4J is used by Java to create a log of activity for the device it’s running on. It copies everything that happens as the program runs, and it makes sense that the vulnerability was initially discovered in Minecraft (a Java based game).

This communicative bit of code is found in many different programs, which is why it could be devastating if it was widely exploited. Hackers would be able to send a message to the “Log4J” effected product giving it commands. This would essentially allow them to take over the device and have full access.

Minecraft Isn’t the only thing based in Java either, Java is an extremely popular programming language and bits of it can be found in almost everything. Created in 1995, Java can be found on everything from your own personal laptop to the supercomputers used to solve complex scientific equations. 9937 companies openly report including Java in their tech stack, including Google, Airbnb, Amazon and more.

Java is also the preferred language for mobile applications, such as Android. Any business interested in having a mobile facing application (which they absolutely should considering mobile devices command the highest percentage of the worldwide web traffic at 54.8%) will need to utilize Java to accomplish it.

This is so much to say, Java is in nearly everything which makes an exploit that targets a common component of it a recipe for disaster.

All is not lost however, now that the exploit has been discovered many businesses are working furiously on patches and notifying their customers. You can check the CISA link found at the beginning of this article to keep track of what’s being done by specific businesses.

Click to open the full size version.

This ordeal is a good reminder to stay up to date on patches that are offered by the software you utilize, but if you’re running a business, orchestrating patching across many different devices company wide can be much more difficult.

Valley Techlogic offers preventative maintenance in all of our service plans, as well as disaster recovery services if the unthinkable does occur. Learn more today by scheduling a short consultation with us.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
December 16, 2021
Hackers and the holidays, US government warns ransomware doesn’t take days off
As you prepare to take some time off to enjoy with your families (especially if a certain health crisis kept the festivities to a minimum in 2020) it’s important to take some steps to make sure your business is still protected in your absence.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory yesterday to businesses and consumers alike, warning that hackers often take advantages of holidays and other times people may let their guard down to wreak more havoc.

The advisory included a warning of a possible increase on the following cyber threat events:
1. Phishing attacks: That email from your Aunt Beth seeing if you’re going to bring the green bean casserole with a “Google Form” to check it off may not be what it seems to be.
2. Fraudulent site spoofing: Especially for sites that may be seeing increased traffic due to holiday shopping (Black Friday anyone?).
3. Unencrypted financial transactions: An easy way to check, is to look for the S in HTTPS, don’t enter your financial data into unencrypted websites.
Beyond attacks aimed at individuals, attacks aimed at businesses also tend to rise during the holidays and on weekends.

Such was the case for the attack on Kaseya, which occurred over Fourth of July weekend in 2021, and the Colonial Pipeline hack happened during Mother’s Day weekend the same year. Hackers realize there is less coverage on the weekend and during Holidays and they have taken advantage of it to great success.

It’s not just large businesses that are a target either, many wannabe hackers have day jobs too and more time on their hands during the holidays to target businesses that could be local to them. That includes yours.

So, here’s a list of things to check off before you leave the office this week to enjoy some well deserved time off.

Click to view the full size version.

As you can see, our number one recommendation is knowing who is going to cover your business if a cyber event does happen while everyone is home for the holidays. If you try to think of who that person is and you either come up empty or maybe it’s you, that’s a problem.

Another problem is if your normal IT coverage is on a one time or break fix solution basis. The service you normally use could either be too swamped themselves to help you during the holidays, or maybe they’re taking time off too and are simply unavailable to help you.

This is where having a contract with a technology service provider could really save the day during a crisis. When you have a contract with a business to provide your technology services, they’re bound by the service level agreement (SLA) you sign at the start of service. They will be better equipped to help your business if there’s a crisis – even during the holidays.

If you’re in the Fresno, Modesto, Sacramento or anywhere else in the Central Valley and aren’t really sure who you would turn to if a technology crisis occurred during the holidays, Valley Techlogic is here for you. Learn more today.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
November 24, 2021
Cybersecurity Maturity Model Certification 2.0 has been announced, what it means for you and your business
If you’re a contractor or subcontractor for the Department of Defense (DoD) you probably at least have an awareness of the evolving situation surrounding the CMMC (Cybersecurity Maturity Model Certification) program, or maybe you’ve even begun the self-assessment process.

Announced summer of 2019, version 1.0 was released January 31^st, 2020, and a 5 year roll out was planned to get DoD contractors and subcontractors compliant with the framework. The framework is based on the security controls found in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, with many of the security controls found in CMMC having a direct correlation to a control found in NIST 800-171.

While the initial CMMC framework was aimed at bringing defense contractors up to speed in their cybersecurity efforts to protect critical Controlled Unclassified Information (CUI), the use of the broad term CUI instead of the defense specific Covered Defense Information (CDI) phrase may indicate that this framework will extend beyond just defense contractors in the future.

The controls found in NIST are applicable to businesses of all sizes and in all sectors so following the CMMC or NIST frameworks whether or not you’re defense contractor/subcontractor will mean your business will be well protected and compliant with rules and regulations set by your vendors, clients, and services for your business such as cybersecurity insurance.

In it’s original iteration there were 5 maturity levels found in CMMC, with levels 1-3 really closely following NIST and 4-5 going beyond the scope of what NIST covers. They were described as “maturity levels” as they were meant to measure the maturity of the cybersecurity practices found within your organization.

For most defense contractors, reaching level 3 of CMMC would be an ideal goal. Levels 4 and 5 covered practices outside the scope of most business’s and would require more specialized (and expensive) security practices. Even in version one of CMMC contractors were allowed to self-certify for maturity level 1, but beyond that would require outside certification. The waiting list to receive that certification is long, so planning to implement the required cybersecurity measures and getting on the waiting list to be certified ASAP is a good idea.

Now, as of November 4^th the DoD has announced an update to CMMC. Version 2 may be removing two of the levels and some of the security measures that were unique to CMMC framework, making the framework match NIST even more closely. Below is the chart we have created with the outlined changes as we know them and as of this posting.

Click to view the full size.

This is an evolving situation and as the rollout progresses it’s imperative that businesses that receive DoD contracts begin or continue to increase their efforts in becoming CMMC certified, which may mean drastically increasing your cybersecurity efforts across the board.

Valley Techlogic has experience in helping businesses meet the goals found within the CMMC framework and we’re ready to help your business meet your certification and cybersecurity goals today. Click here to schedule a quick consultation to find out more.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley TechLogic, adns, n IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
November 17, 2021