Cyber Compliance & Beyond

Author: Kratos
© Kratos Defense & Security Solutions
Description
Welcome to “Cyber Compliance and Beyond,” a Kratos podcast that will bring clarity to compliance, helping put you in control of cybersecurity compliance in your organization.
Kratos is a leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors including defense, space, satellite, financial services, and health care. Through "Cyber Compliance and Beyond," our cyber team of experts will share their insights on the latest compliance issues.
We want to hear from you! What unanswered question would you like us to tackle? Is there a topic you’d like us to discuss? Or do you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com.
17 Episodes
Email remains the most common form of written communication in organizations worldwide. It’s where our professional and personal lives often collide, making it a prime target for malicious actors. While the junk mail of the digital age, spam, has mostly faded into the background, the threats haven’t gone away. In fact, they’ve grown far more sophisticated. Our experts explore how email threats evolved from basic spam to today’s complex phishing campaigns, spear phishing, whaling, and business email compromise. These attacks target people first, exploiting human behavior, namely our desire to trust, to be helpful, and to be someone who comes through in a time of need.
You will learn about:
· The history of email threats
· How phishing attacks weaknesses in human psychology
· Real-world examples of phishing and spear phishing
· Best practices organizations can adopt to reduce risk
The cyber workforce is as diverse as the challenges it faces. From process designers and behavioral analysts to business strategists and communicators, cybersecurity thrives on a diversity of skill sets. It’s important to understand what it takes to join the field, especially given the current shortage of cybersecurity professionals. In today’s episode, we’re breaking down the misconception that cybersecurity is only for hackers and codebreakers. We’ll dive into why soft skills like communication and organizational collaboration are just as essential as technical skills. We’ll talk about how to break into the field. Spoiler alert: it’s not as hard as you might think.
On this episode, we discuss:
· Why the cyber workforce is broader than you might think
· How non-technical skills are critical in a technical field
· The importance of soft skills
· Why cybersecurity needs process thinkers, analysts, and business minds, too
Today’s guest is Mike Thompson. Mike brings a unique perspective to the table: his experience spans recruitment, compliance sales, and cybersecurity assessments. His journey through the field offers great insight into the many ways professionals can contribute to cybersecurity without fitting the traditional mold.
Links:
· FedRAMP’s R311 Requirements
· CMMC: Ecosystem Professionals > Assessing and Certification
Managing identities may be the most difficult and complex task facing any organization today. Often treated as an afterthought in system development, mishandled identity management can lead to serious consequences. Identities aren’t just people; they’re also systems and facilities, and managing them effectively requires more than just technology. From powerful service accounts to poorly defined access controls, identity management is the front line of doing security right.
On this episode, we break down the following:
· Why identity is the most important security function
· The unique risks posed by non-human identities (service accounts)
· How to define and prioritize assets using a risk-based approach
· Practical strategies for managing identities and their privileges
· Why perfection isn’t required
Today’s guest is Terry McGraw. Terry is a retired Lieutenant Colonel from the United States Army and now serves as CEO of Cape Endeavors, Inc., with over 20 years of expertise in cyber security threat analysis, security architectural design, network operations and incident response across both commercial and government sectors.
Links:
· FIDO Alliance (FIDO2)
· Kerberoasting Attack
· Microsoft’s Enterprise Access Model
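The Kerberoasting link above is the concrete reason service accounts deserve a risk-based review: any authenticated domain user can request a service ticket for an account that has a servicePrincipalName, and that ticket is encrypted under the account’s own key, so it can be cracked offline. The following is an added example, not code from the podcast or from Kratos. It scores an export of account objects using the real Active Directory attributes servicePrincipalName, pwdLastSet, msDS-SupportedEncryptionTypes and memberOf; the privileged group names, the password-age threshold, the scoring weights and the sample accounts are assumptions to adapt to your own forest.

```python
"""Score AD service accounts for Kerberoasting exposure.

Added example, not code from the podcast or from Kratos. Attribute names and
the msDS-SupportedEncryptionTypes bit values are real; group names, the
password-age threshold, the weights and the sample accounts are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Bit flags of msDS-SupportedEncryptionTypes (real values).
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1 = 0x8
AES256_CTS_HMAC_SHA1 = 0x10
AES_ANY = AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1

# Assumed Tier-0 groups; extend with your own (e.g. roles that can DCSync).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
MAX_PASSWORD_AGE_DAYS = 365   # assumed policy threshold for service accounts


@dataclass
class Account:
    sam_account_name: str
    enabled: bool
    service_principal_names: List[str]
    pwd_last_set: datetime
    supported_enc_types: int          # 0 = attribute unset, which means RC4 is accepted
    member_of: List[str]


@dataclass
class Finding:
    sam_account_name: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def assess(acct: Account, now: datetime) -> Optional[Finding]:
    # Only enabled accounts with an SPN are roastable: the KDC issues a service
    # ticket encrypted with the account's key to any authenticated user.
    if not acct.enabled or not acct.service_principal_names:
        return None
    f = Finding(acct.sam_account_name)
    f.score += 1
    f.reasons.append("SPN set: any domain user can obtain a ticket encrypted under this account's key")

    enc = acct.supported_enc_types
    if enc == 0 or (enc & RC4_HMAC and not enc & AES_ANY):
        f.score += 3
        f.reasons.append("RC4-HMAC only (or attribute unset): ticket key is the NT hash and cracks cheaply")
    elif enc & RC4_HMAC:
        f.score += 2
        f.reasons.append("RC4-HMAC still enabled next to AES: an attacker can request an RC4 ticket")

    age = now - acct.pwd_last_set
    if age > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        f.score += 2
        f.reasons.append(f"password unchanged for {age.days} days: more time for offline cracking")

    privileged = PRIVILEGED_GROUPS.intersection(acct.member_of)
    if privileged:
        f.score += 4
        f.reasons.append("member of " + ", ".join(sorted(privileged)) + ": a cracked key is Tier-0 access")
    return f


def audit(accounts: List[Account], now: datetime) -> List[Finding]:
    """Return findings for roastable accounts, highest exposure first."""
    findings = [f for f in (assess(a, now) for a in accounts) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample export (not real accounts).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Account("svc_sql", True, ["MSSQLSvc/db01.corp.example:1433"], NOW - timedelta(days=900), 0, ["Domain Admins"]),
    Account("svc_web", True, ["HTTP/app01.corp.example"], NOW - timedelta(days=30), AES256_CTS_HMAC_SHA1, []),
    Account("svc_old", False, ["HOST/legacy01"], NOW - timedelta(days=2000), RC4_HMAC, ["Domain Admins"]),
    Account("jdoe", True, [], NOW - timedelta(days=10), AES_ANY, []),
]

if __name__ == "__main__":
    for f in audit(SAMPLE, NOW):
        print(f"{f.sam_account_name:10} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

The ranking puts svc_sql first: it has an SPN, accepts RC4, has a 900-day-old password and sits in Domain Admins. The usual fixes, in order of payoff, are to strip privileged group membership from service accounts, move them to group Managed Service Accounts (or at least long random passwords that rotate), and set msDS-SupportedEncryptionTypes to AES only. Disabled accounts are skipped because the KDC will not issue tickets for them, which is why svc_old does not appear even though it would otherwise score highest.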
What are the real costs of cybersecurity implementation? Spoiler alert: it’s far more complex than it appears on the surface. Cybersecurity is a people and process problem, not a technology problem. Most implementation costs come in the form of time, effort and coordination throughout the organization. In this episode, we reach back to the classroom for a refresher on how to conduct effective risk analyses. Risk analyses, or risk assessments, are critical tools for guiding smart cybersecurity investments and decisions. They’re the best tool for successfully navigating the intersection of business and cybersecurity. Whether you’re a compliance professional, a business leader or just curious about how cybersecurity aligns with real-world business needs, this episode is full of insights to help you think more strategically.
A few highlights:
· Why the cost of cybersecurity is hard to measure, and why measuring it is necessary
· Why many organizations struggle to properly conduct risk analyses
· How risk analyses help bridge the gap between business goals and cybersecurity priorities
· The importance of gaining executive buy-in for cybersecurity initiatives
· How to conduct a risk analysis
Today’s guests are Dr. T. Selwyn Ellis and Dr. Jae Ung (Jake) Lee. Dr. Ellis is the Balsley-Whitmore Endowed Professor in the College of Business at Louisiana Tech University. He is the Chair of the Department of Computer Information Systems and the Director of the Center for Information Assurance. He earned a Bachelor of Science with a double major in Mathematics and Computer Science, as well as an MBA from Mississippi College, and a DBA in Quantitative Analysis and Management Information Systems from Louisiana Tech University. He has published over forty articles in academic journals including Communications of the ACM, IEEE Transactions on Professional Communication, and the European Journal of Information Systems. His research is mainly in data analytics and behavioral aspects of information technology. Dr. Lee is an Associate Professor of Computer Information Systems in the College of Business, Louisiana Tech University. He earned a Ph.D. in Management Science and Systems from the State University of New York at Buffalo. His research interests include information security and privacy, emergency response, cloud computing, and telework. His research has appeared in the European Journal of Information Systems, Information Systems Frontiers, and the International Journal of Information Management, among others.
Nothing introduces more complexity to an organization than access control, because with access come privileges. Privileges are needed for many activities within an organization. Couple the need for privileges with the complexity of organizational structures and the usual personnel churn, and an already complex problem becomes nearly unmanageable. Attackers target credentials for this very reason. Compromising an end user with no privileges may seem trivial and unlikely to cause harm. However, as we discuss in this episode, if a privileged user has logged in on that end user’s machine, their privileged credentials are now compromised as well, allowing the attackers to move into other parts of the organization’s network. While the problem can reach a point of being unmanageable, there are methods and solutions available to tackle it.
Links:
· Enterprise Access Model
· Credential Harvesting and Mitigations (PDF)
· Point of Entry: Why Hackers Target Stolen Credentials for Initial Access
· The Growing Threat from Infostealers
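The scenario above (a privileged account logging on to an end user’s workstation) is exactly what the Enterprise Access Model’s tiering forbids, and it is detectable: an interactive, RDP, service or batch logon leaves reusable secrets (NT hash, Kerberos keys, a TGT) in the target host’s LSASS, while a plain network logon does not. The following is an added example, not code from the podcast or from Kratos. It runs a tier check over Windows Security event 4624 records that have been flattened to key=value lines; the tier maps, the flattened field layout and the log lines are constructed, so map them to whatever schema your SIEM normalizes events into.

```python
"""Detect privileged logons onto lower-tier hosts from Windows 4624 events.

Added example, not code from the podcast or from Kratos. Logon-type
numbers are the real event 4624 values; tier assignments, the flattened
event format and the sample lines are constructed for illustration.
"""
import re
from typing import List, NamedTuple, Optional

# Logon types from event 4624 that cache credential material on the host
# that logged the event. Type 3 (Network) is absent on purpose: it does not
# leave reusable secrets behind unless delegation is involved.
CACHING_LOGON_TYPES = {
    2: "Interactive", 4: "Batch", 5: "Service", 7: "Unlock",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Assumed classification. Lower number = more trusted (Tier 0 = identity
# systems, Tier 1 = servers, Tier 2 = user workstations).
ACCOUNT_TIER = {"adm_alice": 0, "srvadm_bob": 1, "carol": 2}
HOST_TIER = {"DC01": 0, "APP01": 1, "WS-1234": 2}


class Violation(NamedTuple):
    user: str
    host: str
    logon_type: str
    detail: str


FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value' event line into a dict."""
    return dict(FIELD.findall(line))


def check_event(line: str) -> Optional[Violation]:
    f = parse_event(line)
    if f.get("EventID") != "4624":
        return None
    # Computer is the host that logged the event, i.e. the logon target.
    # (WorkstationName in 4624 is the source machine, not the target.)
    user, host = f["TargetUserName"], f["Computer"]
    logon_type = int(f["LogonType"])
    acct_tier = ACCOUNT_TIER.get(user, 2)   # unknown accounts: assume least trusted
    host_tier = HOST_TIER.get(host, 2)      # unknown hosts: assume a user workstation
    if acct_tier >= host_tier:
        return None   # account is no more trusted than the host; nothing new is exposed
    if logon_type not in CACHING_LOGON_TYPES:
        return None   # network logon: no reusable secrets left on the host
    return Violation(user, host, CACHING_LOGON_TYPES[logon_type],
                     f"Tier {acct_tier} credentials cached on Tier {host_tier} host")


def scan(lines: List[str]) -> List[Violation]:
    return [v for v in map(check_event, lines) if v is not None]


# Constructed sample events (flattened from the 4624 XML; not real logs).
SAMPLE_LOG = [
    "EventID=4624 Computer=WS-1234 TargetUserName=adm_alice LogonType=10 IpAddress=10.1.1.50",
    "EventID=4624 Computer=WS-1234 TargetUserName=adm_alice LogonType=3 IpAddress=10.1.1.50",
    "EventID=4624 Computer=DC01 TargetUserName=adm_alice LogonType=2 IpAddress=-",
    "EventID=4624 Computer=WS-1234 TargetUserName=srvadm_bob LogonType=2 IpAddress=-",
    "EventID=4624 Computer=WS-1234 TargetUserName=carol LogonType=2 IpAddress=-",
    "EventID=4672 Computer=DC01 SubjectUserName=adm_alice",
]

if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"{v.user} -> {v.host} ({v.logon_type}): {v.detail}")
```

Only two of the six events are violations: the Tier 0 admin RDP-ing to a workstation and the server admin logging on interactively to the same workstation. The same admin reaching the workstation with a network logon (type 3) is not flagged, because nothing reusable lands on the host, and an admin logging on to a domain controller is normal. The check is deliberately one-directional: it is about where privileged secrets get cached, not about whether a workstation user is allowed on a server, which is a separate rule.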
Mobile devices have become an extension of ourselves, seamlessly integrated into our daily lives like never before. But as we prioritize convenience, wanting our devices to “just work”, we often overlook security. This episode dives into the growing cybersecurity challenges that come with mobile adoption and what individuals and organizations can do to stay protected.
We’ll go over:
· Why reliance on convenience creates security vulnerabilities (hint: it isn’t primarily vulnerabilities in the technical sense, more in the human sense)
· Key technical and compliance components driving mobile device security
· Technologies organizations can leverage to balance security and usability
Links:
· https://www.hypori.com/use-cases
Rolling out a new program always comes with challenges and CMMC has been no exception. Fortunately, we’ve moved into the implementation phase, with assessments now underway. This milestone not only helps organizations see the real value of the program but also gives us the chance to address lingering questions and clarify uncertainties that could only be resolved through full implementation. With this progress, we’re encountering fresh challenges and questions we hadn’t anticipated — while still fielding many of the same inquiries we’ve heard from the beginning. The good news? Full implementation means we can now provide more concrete, experience-backed answers to both new and long-standing concerns.
The CMMC training and certification ecosystem is ambitious, as it aims to support training material development and certification of both instructors and assessors. It is currently on a path to providing a strong foundation for CMMC as a whole. In this episode our cybersecurity experts dive into the details and nuances of the training and certification requirements in the CMMC ecosystem. Hear them define the terms, discuss the requirements, contrast CMMC training and certification with other compliance frameworks, grapple with challenges and finally address what lies ahead. Joining host Cole French is Joe Lissenden, CEO of Precision Execution, a provider of CMMC training and certification services. Joe has more than 25 years of consulting, training, and auditing experience over a wide range of systems and standards.
Reference material:
Acronyms:
· APP: Approved Publishing Partner (formerly Licensed Publishing Partner)
· ATP: Approved Training Provider (formerly Licensed Training Provider)
· CCI: CMMC Certified Instructor (formerly Provisional Instructor)
· CAICO: Cybersecurity Assessor & Instructor Certification Organization
· CAP: CMMC Assessment Process
· CATM: CAICO Approved Training Material
· CCP: CMMC Certified Professional
· CCA: CMMC Certified Assessor
· OSC: Organization Seeking Certification
· RPO: Registered Provider Organization
Links:
· Cybersecurity Assessor & Instructor Certification Organization (CAICO)
· CMMC Assessment Process (CAP)
The news about cybercrime is overwhelming to those who fight to secure our organizations. Cybercrime organizations are sophisticated and constantly changing. But there’s a hidden truth in cybercrime attacks: cybercriminals exploit the same weaknesses they’ve been exploiting for years. This should give us some hope; we know where our organizations are weakest, which gives us a good place to start. But these weaknesses are often hard to address. They require not just technical solutions, but a lot of thought, coordination, planning, and continual re-evaluation. Compliance frameworks, most often thought of as technical checklists, provide a solid starting point for properly framing the thought, coordination, planning, and continual re-evaluation that is necessary. Our guest, Terry McGraw, will walk us through these solutions and the support that compliance frameworks provide to ensure continued success. Terry is a retired Lieutenant Colonel from the United States Army and now serves as CEO of Cape Endeavors, Inc., with over 20 years of expertise in cyber security threat analysis, security architectural design, network operations and incident response for both commercial and government sectors.
Links:
· Ransomware Stages of Grief
· 2024 State of the Threat – A Year in Review
· Detecting Top Initial Attack Vectors in 2024
· 3 Common Initial Attack Vectors Account for Most Ransomware Campaigns
· Meeting a Greater Demand for Cybersecurity
CMMC’s security requirements are not new. What is new about CMMC is the level of rigor. With the recent publication of the CMMC rule, DoD is ever closer to requiring contractors to comply with CMMC security requirements and back them up with an assessment. The CMMC Rule, like any new regulation, is packed with details. Details that have been rumored, speculated about, and drafted. Now that they’re known and final, we’re here to help you see clearer. In today’s episode, our host, Cole French, becomes the expert guest. As Director of Cybersecurity Services and CMMC Capability Lead at Kratos, Cole answers the questions you might still have about CMMC and its impact on your organization:
· When will assessments start?
· What can my organization do now?
· When will CMMC be required in DoD contracts?
· How does the rule impact my use of external service providers?
· Can I qualify for a self-assessment or must I go through a C3PAO assessment?
And more!
Links:
· The Rule
· Kratos’ CMMC Services Data Sheet
· DoD’s CMMC Overview
· CMMC’s New Rule Has Finally Arrived: 7 Key Takeaways to Help You Move Forward
AI is bringing speed and velocity never seen before. Some studies show that its output is the equivalent of what 35-40 humans can produce. This speed and velocity is being applied to countless use cases across just about every economic sector. Cybersecurity compliance is laden with repetitive, redundant, and time-consuming manual tasks. While humans bring nuanced ingenuity and problem-solving capabilities, we are prone to errors, especially across such repetitive, redundant, and time-consuming tasks. Worse, cybersecurity compliance requirements are far from standardized, though there is a tremendous amount of overlap. In these circumstances, humans take shortcuts. It’s not a matter of whether shortcuts result in errors, only how many errors. The real power of AI in the world of cybersecurity compliance is the ability to bridge all the gaps in compliance documentation with minimal to no errors. Furthermore, AI can then be trained to leverage compliance documentation to write code and perform actual tasks within a system. In the world of cybersecurity, AI opens the door to a world in which security truly is baked in from the beginning. Today’s guest is Nic Chaillan, technology entrepreneur, software developer, cyber expert and inventor. He has over 23 years of domestic and international experience with strong technical and subject matter expertise in cybersecurity, software development, product innovation, governance, risk management and compliance. Specifically, these fields include cloud computing, cybersecurity, DevSecOps, big data, multi-touch, mobile, IoT, mixed reality, VR, and wearables.
Resources:
· AskSage Training Materials: https://chat.asksage.ai
Supply chain security is not new, though it certainly feels as though it is. Thanks to globalization, supply chains are ever growing in their depth, complexity, and interconnectedness. Unfortunately, like so many other systems, the security of supply chains hasn’t been at the top of the list of things to consider when evaluating them. Understandably, economics led the way. A supply chain exists to foster economic growth and profit-making. None of this is bad, but there’s a painful irony: the less security is considered, the greater the costs, which drives down growth and profit-making. Costs aren’t just financial, either. The cost of losing a competitive edge is significant but almost impossible to quantify in dollars. It runs much deeper. As data theft has proliferated on an unprecedented scale, the need for securing supply chains has begun its rise to the top of our consciousness. The intriguing thing about supply chain security is that it isn’t all that different from traditional risk management activities. Today’s guest is John Santore, Director of Cybersecurity Services here at Kratos. Together, we’ll dive into supply chain security. We’ll outline what a supply chain is, what to consider when evaluating your supply chain, and some of the challenges you might encounter along the way, and we’ll outline a basic supply chain risk management approach.
Resources:
The core tenets of a supply chain risk management approach:
· Inventory your supply chain
· Ensure strong relationships are in place with those in your supply chain
· Develop criteria for evaluating the risk of suppliers within your organization
· Work with your suppliers to obtain the information necessary to perform the evaluation
· Develop a process for scrutinizing suppliers that are identified as high-risk
· Repeat the process on a defined frequency
· Ensure that it is applied as part of any supplier intake
Links:
· NIST SP 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
· C-SCRM Factsheet
· NIST SP 800-218: Secure Software Development Framework
· Executive Order 14028
· OMB M-22-18
· OMB M-23-16
IT support is tricky for most businesses, especially for those not in the IT business. IT is thus a cost of doing business, and a high cost at that. High costs drive down profits. Less profit makes it harder for businesses to invest in the products or services that they’re making and selling. Retaining IT staff is even more difficult. This is due to the extremely low unemployment rate and the higher-than-average annual salary. These two factors almost guarantee that IT staff hired by non-IT businesses will eventually get a better offer somewhere else. To mitigate the problem with IT staff, businesses have turned to outsourcing to managed service providers or external service providers. By doing so, businesses give up the information necessary to make well-informed choices, instead choosing to trust the IT service providers they’re buying from. This asymmetry of information creates a market phenomenon called a market for lemons. A market for lemons exists when sellers hold more knowledge than buyers. Because buyers are price-sensitive and are only willing to pay a certain price, the market becomes distorted such that high-quality sellers are gobbled up quickly and the market is left with lemons. In sum, the market for lemons works to drive quality out of the market. Today’s guest is Andy Paul. Andy is an engineer, data privacy professional and Certified CMMC Assessor from Gray Analytics with more than 15 years of experience helping firms design, implement and secure everything from globally spanning networks to small boutique, highly specified and regulated networks. During our conversation, we discuss the current situation in the IT services market, the market for lemons phenomenon, how the CMMC ecosystem is set up to alleviate the problems that markets for lemons introduce, and how you can outsource confidently.
Resources:
Links:
· George Akerlof – The Quarterly Journal of Economics, Vol. 84, No. 3 (Aug. 1970), pp. 488-500
· Cyber AB Marketplace
Vulnerabilities are everywhere, on every IT asset within an organization. This makes vulnerability management one of the most important, if not the most important, risk mitigation activities an organization undertakes. But the complexities inherent in many organizations, combined with the sheer number of vulnerabilities, leave many not knowing where to even begin when it comes to vulnerability management. On today’s episode, we’ll demystify vulnerability management by defining some context, outlining an effective vulnerability management program, discussing potential challenges, tying it all to compliance, and decoupling vulnerability management from the inherent complexities. Today’s guest is Andrew Overmyer, Security Assessor, subject matter expert, and general cybersecurity jack-of-all-trades at Kratos. During our conversation, we distill this often-nebulous concept into the concrete tenets necessary to build an effective program to drive vulnerability remediation efforts.
Resources:
· The Core Tenets of Vulnerability Management
o Asset Management: a tool or set of tools accompanied by a process that builds and maintains an accurate asset inventory; an asset inventory must include, but is not limited to, network segments and IT assets of all types
o Patch Management: a tool or set of tools accompanied by a process that supports identifying and applying patches
o Vulnerability Scanning: a tool or set of tools accompanied by a process that supports identifying vulnerabilities on IT assets; vulnerability scans must be run with credentials, to the greatest extent possible, to fully identify the vulnerabilities present
o Compliance Scanning: a tool or set of tools accompanied by a process that supports identifying misconfigurations on IT assets; misconfigurations are deviations from a defined baseline (e.g., Center for Internet Security benchmarks)
· Vulnerability Scanning Schedule
o Daily: Asset scans to identify assets on the network; these are not vulnerability scans, but rather simple scans to identify assets on the network
o Weekly: Vulnerability scans of all assets on the network
o Monthly: Compliance scans of all applicable assets on the network
· CVSS: Common Vulnerability Scoring System Version 4.0
· EPSS: Exploit Prediction Scoring System
· SSVC: Stakeholder-Specific Vulnerability Categorization
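The tenets above fit together as a pipeline: the daily asset scan exists to catch hosts the inventory does not know (those hosts get neither credentialed scans nor patches), and CVSS, EPSS and asset criticality are combined to decide what to remediate first rather than working down a CVSS-sorted list. The following is an added example, not code from the podcast or from Kratos, showing both steps over constructed data. The decision function is a simplified, SSVC-style tree built from the three inputs the episode names; it is not CISA’s published SSVC decision tree, and the 0.1 EPSS threshold, the two-level criticality scale, the known-exploited (KEV) flag and the placeholder CVE identifiers are assumptions.

```python
"""Reconcile discovery scans with the asset inventory and prioritise findings.

Added example, not code from the podcast or from Kratos. The decision tree
is a simplified SSVC-style reading of CVSS, EPSS, KEV status and asset
criticality/exposure, not CISA's published tree; thresholds and sample
data are assumptions.
"""
from typing import Dict, List, NamedTuple, Set, Tuple


class Asset(NamedTuple):
    criticality: str       # "high" or "low" (assumed two-level scale)
    internet_facing: bool


class Finding(NamedTuple):
    host: str
    cve: str
    cvss: float            # CVSS base score (v3.1 or v4.0)
    epss: float            # EPSS probability of exploitation within 30 days, 0..1
    kev: bool              # listed in a known-exploited-vulnerabilities catalogue


DECISION_ORDER = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}
EPSS_LIKELY = 0.1          # assumed threshold; tune against your own history


def reconcile(inventory: Dict[str, Asset], discovered: Set[str]) -> Set[str]:
    """Hosts seen by the daily discovery scan that the inventory does not know.

    Such hosts are never credential-scanned or patched, so they are a
    finding in their own right, regardless of any CVE.
    """
    return discovered - set(inventory)


def decide(f: Finding, inventory: Dict[str, Asset]) -> str:
    asset = inventory.get(f.host, Asset("low", False))
    if f.kev:
        exploitation = "active"
    elif f.epss >= EPSS_LIKELY:
        exploitation = "likely"
    else:
        exploitation = "none"
    if exploitation == "active" and (asset.internet_facing or asset.criticality == "high"):
        return "Act"          # fix now, outside the normal patch window
    if exploitation == "active" or (exploitation == "likely" and asset.internet_facing):
        return "Attend"       # fix within the current patch cycle
    if exploitation == "likely" or (f.cvss >= 9.0 and asset.criticality == "high"):
        return "Track*"       # watch closely; escalate if EPSS or KEV status changes
    return "Track"            # routine patching cadence


def prioritise(findings: List[Finding], inventory: Dict[str, Asset]) -> List[Tuple[str, Finding]]:
    """Order findings by decision, then by EPSS and CVSS within a decision."""
    ranked = [(decide(f, inventory), f) for f in findings]
    ranked.sort(key=lambda d: (DECISION_ORDER[d[0]], -d[1].epss, -d[1].cvss))
    return ranked


# Constructed sample data; the CVE identifiers are placeholders, not real CVEs.
INVENTORY = {
    "web01": Asset("high", True),
    "db01": Asset("high", False),
    "ws-17": Asset("low", False),
}
DISCOVERED = {"web01", "db01", "ws-17", "10.1.5.77"}
FINDINGS = [
    Finding("web01", "CVE-0000-0001", 9.8, 0.92, True),
    Finding("db01", "CVE-0000-0002", 9.8, 0.02, False),
    Finding("ws-17", "CVE-0000-0003", 7.5, 0.45, False),
    Finding("ws-17", "CVE-0000-0004", 5.3, 0.01, False),
    Finding("db01", "CVE-0000-0005", 8.8, 0.30, True),
]

if __name__ == "__main__":
    for host in sorted(reconcile(INVENTORY, DISCOVERED)):
        print(f"UNMANAGED {host}: discovered but not in inventory")
    for decision, f in prioritise(FINDINGS, INVENTORY):
        print(f"{decision:7} {f.host:6} {f.cve} cvss={f.cvss} epss={f.epss:.2f}")
```

Two things fall out that a CVSS-only sort hides: the 8.8 on db01 outranks the 9.8 on the same host because it is actively exploited, and the 7.5 on a low-value workstation outranks that 9.8 because its EPSS says exploitation is likely. The unknown host 10.1.5.77 is reported before any CVE, since nothing below it in the pipeline can see it. Findings from uncredentialed scans deserve an extra flag in practice; the page’s point that scans must run with credentials is about exactly that confidence gap.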
The number of compliance frameworks is seemingly endless. The lack of standards is problematic enough. Even more problematic, however, is how the compliance frameworks overlap with one another. When it comes to International Trade and Export Compliance, the problem of overlap is accentuated by the fact that there is no definitive “framework” for export compliance. Nearly everything is determined on a case-by-case basis. Today’s guest is Sara Hougland, Director of Trade Compliance here at Kratos. During our conversation, we cover export compliance at a high level, discuss the concept of “due diligence”, distinguish ITAR from EAR (and vice versa), and talk about the specifics of export compliance. As mentioned above, ITAR compliance is not a one-size-fits-all approach. Sara brings her extensive knowledge and experience in the field to provide great information on what, exactly, “ITAR compliant” means and how it benefits an organization.
Some recent estimates have postulated that data is now the world’s most valuable asset. Unlike other assets, oil for example, data proliferates on a staggering scale. In other words, it doesn’t seem to be finite, subject to the law of scarcity. This hammers home the importance of answering the question that each of you is wrestling with: how do I protect all this data? A simple answer to this question is encryption. But any simple answer has you immediately asking more questions: what encryption should I use? How should I configure it? How can I be sure it is adequate? And, perhaps most interestingly, is it possible to future-proof my data protection techniques? Today’s guest is Evgeny Gervis, CEO of SafeLogic. SafeLogic, founded in 2012, is a leading cryptographic solutions provider. Their validated, holistic, and interoperable cryptographic solutions enable enduring privacy and trust in the ever-changing digital world. Used by many of the world’s top technology firms, SafeLogic expedites and streamlines the adoption of FIPS 140-validated classical and post-quantum cryptography. Beyond simply using encryption to protect data, we dive into the intersection of compliance and encryption, specifically the role of the FIPS 140 standard. While Evgeny provides technical expertise, I share some important compliance guidance and nuance we’ve learned from years of supporting our clients in evaluating FIPS 140 implementations. To close, Evgeny and I discuss the future of encryption, standards, and the likely effect of quantum computing.
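The questions in the paragraph above (which encryption, how configured, how to know it is adequate) are really two separate checks that assessments tend to conflate: whether the algorithm and key size are FIPS-approved, and whether the module that implements them holds a CMVP validation for the version and platform actually deployed. An approved algorithm running in an unvalidated library does not satisfy a FIPS 140 requirement. The following is an added example, not code from the podcast, from Kratos or from SafeLogic, that runs both checks over a crypto inventory. The algorithm table is a simplified reading of NIST SP 800-131A Rev. 2 plus FIPS 203 (ML-KEM) and must be confirmed against the current revision; the module list, the component names and the usage records are constructed.

```python
"""Check a cryptographic inventory against FIPS 140 expectations.

Added example, not code from the podcast, Kratos or SafeLogic. The
algorithm table is a simplified reading of NIST SP 800-131A Rev. 2 and
FIPS 203; the module list and usage records are constructed. Verify every
entry against the current CMVP listing and SP 800-131A before relying on it.
"""
from typing import Dict, List, NamedTuple

# Approved algorithm -> minimum key size in bits (0 = no key-size condition).
# For ML-KEM the value is the parameter set (512/768/1024).
APPROVED_MIN_BITS: Dict[str, int] = {
    "AES": 128,
    "SHA-256": 0, "SHA-384": 0, "SHA-512": 0, "SHA3-256": 0,
    "HMAC-SHA-256": 112,       # HMAC keys must be at least 112 bits
    "RSA": 2048,               # signature generation / key transport
    "ECDSA-P256": 256, "ECDSA-P384": 384,
    "ML-KEM": 512,             # FIPS 203
}

# Disallowed (simplified; see SP 800-131A Rev. 2 for the exact conditions).
DISALLOWED: Dict[str, str] = {
    "MD5": "never FIPS-approved",
    "RC4": "never FIPS-approved",
    "DES": "withdrawn",
    "3DES": "encryption disallowed after 2023 (decryption is legacy use only)",
}

# Assumed module inventory: name -> has an active CMVP validation certificate.
# In practice this comes from the CMVP listing for the exact version and
# operating environment, plus confirmation the module runs in approved mode.
MODULE_VALIDATED: Dict[str, bool] = {
    "acme-cryptolib-fips 3.1": True,
    "acme-cryptolib 3.1": False,
    "homegrown-crypto": False,
}


class Usage(NamedTuple):
    component: str
    algorithm: str
    key_bits: int
    module: str


def evaluate(u: Usage) -> List[str]:
    """Return the reasons this usage is not FIPS 140 compliant (empty list = ok)."""
    issues: List[str] = []
    if u.algorithm in DISALLOWED:
        issues.append(f"{u.algorithm}: {DISALLOWED[u.algorithm]}")
    elif u.algorithm not in APPROVED_MIN_BITS:
        issues.append(f"{u.algorithm}: not an approved algorithm")
    elif u.key_bits < APPROVED_MIN_BITS[u.algorithm]:
        issues.append(f"{u.algorithm}-{u.key_bits}: below the {APPROVED_MIN_BITS[u.algorithm]}-bit minimum")

    validated = MODULE_VALIDATED.get(u.module)
    if validated is None:
        issues.append(f"module {u.module!r}: not in the module inventory, validation unknown")
    elif not validated:
        # The nuance assessors look for: an approved algorithm is not enough;
        # it has to run inside a validated module operating in its approved mode.
        issues.append(f"module {u.module!r}: no CMVP validation, so even approved algorithms do not count")
    return issues


def report(usages: List[Usage]) -> Dict[str, List[str]]:
    return {u.component: evaluate(u) for u in usages}


# Constructed usage records, as a crypto inventory exercise would collect them.
USAGES = [
    Usage("tls-frontend", "AES", 256, "acme-cryptolib-fips 3.1"),
    Usage("db-at-rest", "AES", 256, "acme-cryptolib 3.1"),
    Usage("legacy-vpn", "3DES", 168, "acme-cryptolib-fips 3.1"),
    Usage("api-signing", "RSA", 1024, "acme-cryptolib-fips 3.1"),
    Usage("password-hash", "MD5", 0, "homegrown-crypto"),
    Usage("kem-pilot", "ML-KEM", 768, "acme-cryptolib-fips 3.1"),
    Usage("tls-legacy", "ChaCha20-Poly1305", 256, "acme-cryptolib-fips 3.1"),
]

if __name__ == "__main__":
    for component, issues in report(USAGES).items():
        print(("OK   " if not issues else "FAIL ") + component)
        for i in issues:
            print("      -", i)
```

The db-at-rest entry is the instructive one: AES-256 is as approved as it gets, yet the component fails because the non-FIPS build of the library has no validation certificate. The inventory of modules and where each is used is also what makes the future-proofing question tractable: a crypto-agile design keeps that table short, so swapping RSA key transport for ML-KEM (as the kem-pilot entry does) is a configuration change in a validated module rather than a rewrite.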
One of the greatest challenges to security compliance is exception cases. What are exception cases? They are the cases in which a particular compliance objective cannot be achieved as required. The reasons are myriad: cost, environmental constraints, vendor dependency, and technical limitations. Building an exception case is key to achieving compliance objectives, such as an authorization to operate. The prerequisite for exception cases is transparency. An organization must transparently articulate the need for an exception. Understanding exceptions is important for fully understanding the risk present within an environment or system. Today’s guest is John Santore, Director of the FedRAMP Capability at Kratos. John and I dive deep into the specifics of exception cases, including justification, compensating controls, and fallback plans, and the important role each plays in determining the viability and permissibility of exceptions. Using exception cases as a launching point, we also discuss the need to move beyond compliance as an exercise and toward maturity built into cybersecurity practices. Finally, we veer left a bit for a discussion of the recently released DoD FedRAMP Equivalency Memo.