How to create a system security plan, and some of our lessons learned.

We run a cyber security company, and we are a CMMC-AB RPO providing security services to the DIB community. Security in our internal operation is paramount, directly translating into our ability to protect our clients. Most of what's required in NIST 800-171 and CMMC are things we've done since day one. Building security into every process is a normal course of business for us.

Until about two months ago, we tracked ourselves against the CISv8 and ISO27001 frameworks. We used the combination of the two as our checklist but have yet to undergo the final certification audit. It seemed like the perfect time to take on CMMC. 

We eat our own dog food. We only sell what we use or do. We handle cybersecurity for several defense contractors, so we decided to prepare for and undergo our own C3PAO CMMC Level 2 audit. We do not do government contracting work, but we do offer cybersecurity services for those who do. It seemed a natural, common-sense approach. Here are three lessons learned in going through the process. I'll post along the way. Follow us for more lessons learned as we discover them.

  • There is a template. Use the template.

  • Be as detailed as possible in building out your SSP. Auditors may use your SSP to figure out how much it will cost you for your audit.

  • Use a tool to track your progress.

There is a template. Use the template: As mentioned, we tracked our security against CISv8 (a WONDERFUL framework) and ISO27001. When we decided to move to NIST 800-171, we figured (assumed?) that using the SPRS spreadsheet with good details would serve as our SSP. Not so. NIST published a CUI SSP template (docx; see its Planning Note). It looks like a standard, boring government document, and it is, but when we asked three C3PAOs what they would charge us, they asked for our SSP, and they did not want our SPRS worksheet (which we had used both as a tracking tool and as our plan of action (POAM)). Your SSP should start with a page that looks like ours.

Be as detailed as possible in building out your SSP. Auditors may use your SSP to figure out how much it will cost you for your audit.

  • Your SSP should be as detailed as possible and 100% factual. Plan the work and work the plan: document as much detail as possible. One C3PAO told me that if he were auditing a subject and found a missed control, they would fail the audit at that first sign, close their laptops immediately, and leave. You would then be required to redo your work and schedule a new audit. Be prepared. The SSP is not just a document but a tool to help you document and plan your cybersecurity implementation.

  • Your SSP will be used to determine what your audit will cost. We contacted three C3PAOs for price comparisons. Our 30-person company operates primarily out of Iron Mountain data centers, taking advantage of their physical security, uptime guarantees, and facility certifications. We don't handle any CUI and retain no data from our clients other than the log data we use to monitor security. Our process is led by a retired Air Force communications officer who'd written these documents and ATO (authority to operate) documentation for years. It is second nature to him, and it documents everything we do.

Use a tool to track your progress. We don't know yet which C3PAO we will choose for our audit. We know from the documentation and experience that every control must show the policy, process, and evidence of that process in use following NIST 800-171A. This document shows exactly what will be needed for every control to prove your compliance. The easier you make it for your auditor to view each of these requirements, the less time the audit will (should) take for every control. Using a good tool to organize your thoughts, works, and documentation will go a long way toward keeping your efforts and audit as efficient as possible.

Which tool do we use? We've tried several of them: simple spreadsheeting, Apptiga, and Cynomi. We settled on Cynomi. All three are fine, but we wanted something that would offer explicit work tracking, pull all of our documents and evidence/links into one location, and export reasonably professional-looking reports on demand.

We use Cynomi primarily to consolidate everything needed for the audit, but as shown below, it also tracks our tasks and clearly presents everything. 

We offered subscriptions for another similar service until a few months ago but never really cared for the feature set. Unfortunately, very few options were available when we first started that partnership. We use Cynomi internally. It doesn't offer the standard SPRS scoring, but you can dump out the full spreadsheet of controls and transpose it over with no additional translation. For our clients, we offer a DIY package: a Cynomi subscription with Virtual CISO™ support available for help if and when needed. Work your plan on our infrastructure and get help when needed, billed by the hour.

Preparing for your C3PAO audit takes time, attention to detail, and effort, like any other. The better your SSP, the easier the path to a successful audit. 

Need help? More information? Contact your Virtual CISO™ or email us at staysafeonline@trustedinternet.io.

Unveiling the Digital Shadows: The Importance of DNS Anomaly Analysis

Five times in the last 24 hours, Trusted Internet identified domain name queries to recently registered domains by a home automation and security system controller. This is not unusual, but it can show how the analysis of Domain Name System (DNS) queries can be used to find anomalies that security tools or the untrained eye might not otherwise see.  

What is DNS? DNS, or Domain Name System, is like the internet's address book. It translates user-friendly domain names (like www.example.com) into the numeric IP addresses that computers use to identify each other on the network. DNS helps you find websites by converting human-readable names into machine-readable addresses. DNS logging plays a crucial role in network security monitoring because analysis of the logs can detect DNS attacks in real time, enabling proactive blocking to mitigate potential threats to your systems. And by analyzing DNS queries, an analyst can find hints that might not have been seen elsewhere.

Trusted Internet's Threat Intelligence team examines tens of thousands of Domain Name System (DNS) logs daily, seeking out potentially malicious domains not otherwise flagged by available threat intelligence sources.  

Like the Internet, the Domain Name System was not built for security. Today, however, malicious actors exploit DNS for various nefarious activities such as data theft, denial-of-service attacks, command-and-control operations (Back Door), and other malicious behaviors. 

What specifically are we looking for? Anything that appears abnormal. For example: 

  • Communications with newly registered domains might show that a domain was built for nefarious purposes.

  • The spelling of a domain name could be meant to trick a user.

  • Dashes in the domain name, e.g., bad-domain.com

  • Misspelled brand names, e.g., trastedinternet.io

  • A mixture of miscellaneous characters, e.g., asdfye.com

  • A brand name used as the sub-domain, e.g., google.domain.com

  • Domains with a label starting with the characters xn-- (this means the domain name includes non-ASCII characters, for example, ä)

  • Domain names that include service-related words, e.g., support, login, and account.

The problem? DNS generates a LOT of activity, making it nearly impossible to analyze without filtering or good machines, especially considering a single customer might generate 700,000 log entries in 24 hours (Figure 1). 

 Figure 1 – Raw Unfiltered log 

How do we fix that? Manually and by Machine Learning 

Manually, we implement filters to exclude legitimate domains like google.com, and you'll find that the remaining data becomes significantly more manageable and actionable with only 500 entries to review (Figure 2). 

And by using Machine Learning and AI (Artificial Intelligence) in a secondary analysis setting. While the Threat Intelligence team uses our internal analytic stack, we also rely on ML/AI in an Open Expanded Detection and Response (XDR) system to watch flows of communication for size, spelling, volume, and other variables that might offer a glimpse into anomalies that the SOC (Security Operations Center) can then follow up on.

 Figure 2 – Filtered Log 
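As an added example (not Trusted Internet's tooling), the manual allowlist filter and the domain-name heuristics listed above, applied to a few constructed DNS log lines. The key=value log format, the allowlist, the brand list and the registration dates are all assumed; a real deployment would take registration dates from WHOIS/RDAP.

```python
import re
from datetime import date

# Constructed sample of one day's DNS query log (the key=value format is assumed, not a vendor's).
SAMPLE_LOG = """\
2024-01-10T08:00:01Z client=10.0.0.5 query=www.google.com type=A
2024-01-10T08:00:02Z client=10.0.0.5 query=login.microsoft.com type=A
2024-01-10T08:00:03Z client=10.0.0.9 query=trastedinternet.io type=A
2024-01-10T08:00:04Z client=10.0.0.9 query=google.domain.com type=A
2024-01-10T08:00:05Z client=10.0.0.7 query=bad-domain.com type=A
2024-01-10T08:00:06Z client=10.0.0.7 query=asdfye.com type=A
2024-01-10T08:00:07Z client=10.0.0.7 query=xn--bcher-kva.com type=A
2024-01-10T08:00:08Z client=10.0.0.7 query=account-support-login.net type=A
"""
ALLOWLIST = {"google.com", "microsoft.com", "example.org"}   # manual filter: known-legitimate domains
BRANDS = {"google", "microsoft", "trustedinternet"}          # brands to watch for look-alikes
SERVICE_WORDS = {"support", "login", "account"}
# Constructed stand-in for a registration-date lookup; a real deployment would query WHOIS/RDAP.
REGISTERED = {"bad-domain.com": date(2024, 1, 8), "asdfye.com": date(2023, 12, 30)}
TODAY, NEW_DOMAIN_DAYS = date(2024, 1, 10), 30
QUERY_RE = re.compile(r"query=(\S+)")

def registrable(fqdn):
    # Last two labels; fine for .com/.io, but multi-part suffixes (co.uk) need a public-suffix list.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, used to catch one- or two-character brand misspellings.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(label):
    # Few vowels or a run of four consonants: "asdfye"-style junk. Punycode is judged separately.
    if label.startswith("xn--") or len(label) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return vowel_ratio < 0.3 or re.search(r"[b-df-hj-np-tv-z]{4,}", label) is not None

def anomaly_reasons(fqdn):
    """Apply the domain-name heuristics to one query name; returns the list of matched reasons."""
    fqdn = fqdn.lower().rstrip(".")
    labels = fqdn.split(".")
    reg = registrable(fqdn)
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # second-level label, e.g. "google"
    registered_on = REGISTERED.get(reg)
    checks = [
        (registered_on and (TODAY - registered_on).days <= NEW_DOMAIN_DAYS, "newly registered"),
        ("-" in reg and not sld.startswith("xn--"), "dash in domain"),
        (any(l.startswith("xn--") for l in labels), "punycode (xn--) label"),
        (sld not in BRANDS and any(edit_distance(sld, b) <= 2 for b in BRANDS), "misspelled brand"),
        (any(l in BRANDS for l in labels[:-2]), "brand as sub-domain"),
        (any(w in fqdn for w in SERVICE_WORDS), "service-related word"),
        (looks_random(sld), "random-looking label"),
    ]
    return [reason for hit, reason in checks if hit]

def triage(log_text):
    """Drop allowlisted domains first, then flag what remains. Returns {fqdn: [reasons]}."""
    flagged = {}
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match and registrable(match.group(1)) not in ALLOWLIST:
            reasons = anomaly_reasons(match.group(1))
            if reasons:
                flagged[match.group(1).lower()] = reasons
    return flagged
```

Note that login.microsoft.com is dropped by the allowlist before the "service-related word" rule can fire on it, which is the point of filtering known-good domains first.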

Trusted Internet Intelligence and 24/7 Security Operations Center (SOC) teams watch these activities closely, actively tracking ongoing cyber threats and swiftly executing necessary remedies to halt potential threats, staying one step ahead.  

Additionally, we have increased the number of seasoned Virtual Chief Information Security Officers and Threat Intelligence personnel to create a new Executive Cyber Security Support Team, which allows clients to call in, in real-time, for help. 

For more information, don't hesitate to contact Trusted Internet at staysafeonline@trustedinternet.io


Happy Holidays from the Trusted Internet!

As the year draws to a close, we find ourselves reflecting on the incredible journey we've had at Trusted Internet. It has been a year filled with challenges, triumphs, and most importantly, growth. We want to take a moment to express our deepest gratitude to you, our valued users, for being an integral part of our success.

This year, Trusted Internet achieved significant milestones that wouldn't have been possible without your trust and support. We launched innovative new features --Expanded Detection and Response (XDR), a new simpler to use VPN, and new iOS and Android security tools to better protect your mobile devices.

As the holiday season is upon us, we hope you find time to relax, unwind, and cherish moments with your loved ones. Whether you're celebrating Christmas, Hanukkah, Kwanzaa, or another festive occasion, may your days be filled with joy, laughter, and the warmth of shared moments.

Happy Holidays from the entire team at Trusted Internet!

What is a browser locker? Why should you care?

So, what is a browser locker, and why should you care? A browser locker, also known as a browser lock screen or browser locker scam, is a type of online scam that attempts to deceive users by displaying fake error messages or warnings in their web browsers. The goal of these scams is to trick users into taking certain actions, such as calling a fake tech support number or paying money to resolve a non-existent issue.

If you've ever experienced a ransomware attack, you know: it's the worst Christmas gift ever.

'Tis the season once again. The holiday period historically witnesses a surge in cyber-attacks targeting companies globally, and the current scenario aligns with this trend. This year has started out with a bang. Over the past few days, numerous significant ransomware incidents have surfaced in the news, affecting sectors such as banking, healthcare, and mortgage companies, and they will likely continue alongside countless other unreported cases, with owners suffering in silence. This is no way to spend the Holiday Season.

Approximately five years ago, we played a pivotal role in recovering a 7500-person engineering company facing near-extinction after halting trading on the NASDAQ. Since then, our efforts have extended to assisting predominantly small companies in bouncing back after ransomware incidents. More importantly, drawing from these experiences, we've developed a protective model applicable to companies across the board, shielding them from the catastrophic aftermath of ransomware. It’s not only how we protect our clients but also our own small business and our homes! 

Presently, more than 70% of our business revolves around cyber protection for small companies, typically those with fewer than 25 employees. Our proactive measures have thwarted hundreds of thousands of potential ransomware events in recent years. In a notable instance, a Boston-based company received a warning from the FBI about an impending ransom threat just before midnight. Swiftly responding to the call on our Incident Response line, we successfully defended the company, sparing them from significant pain, downtime, financial loss, and the possibility of extinction. 

Trusted Internet is poised to lend assistance through the Holiday period.  

  • We've secured holiday discounts from our FortiGate firewall supplier, offering a 50% reduction on firewall purchases until year-end. 

  • We're extending a complimentary 30-minute consultation with a senior Virtual Chief Information Security Officer. 

  • Our 24x7 Executive Cyber Support and Incident Response team is ready and available on our toll-free number for 24x7 immediate response and the next business day for non-critical needs or consultation.  

Need help through the holidays? 

Contact us 24x7: 

800-853-6431 

staysafeonline@trustedinternet.io 

Trusted Internet Announces Enhanced SOC Services, Spotlighting Key Team Members

CORPORATE ANNOUNCEMENT PRESS RELEASE

Release Date:

November 14, 2023

 

FOR IMMEDIATE RELEASE

Amherst, New Hampshire – Trusted Internet, an elite 24x7 managed cybersecurity service provider, today reaffirms its commitment to cybersecurity excellence with the advancement of its Cyber Security Operations Center (SOC) services. This central pillar of Trusted Internet's defense strategy provides continuous, real-time cybersecurity monitoring, detection, and response services, ensuring comprehensive protection for businesses and homes alike.

 

Central to Trusted Internet's suite of services is its cutting-edge Security Operations Center (SOC), which operates 24x7 and leverages state-of-the-art cybersecurity tools like FortiGate Next Generation Firewalls and Secure Endpoint Protection. To further enhance its capabilities, Trusted Internet has introduced an Open Expanded Detection and Response (OpenXDR) service. Alongside this technological advancement, the company has welcomed two seasoned professionals as Virtual Chief Information Security Officers. This commitment to advanced technology, continuous vigilance, and the addition of expert leadership positions Trusted Internet as a stronghold against the ever-evolving landscape of cyber threats.

 

Aligned with the strategic growth of our company and our commitment to delivering unparalleled hyper-responsive services across all regions, Trusted Internet is excited to announce the appointment of two new Virtual Chief Information Security Officers:

 

Lou Saviano will assume the role of Virtual Chief Information Security Officer, focusing on the New England and Eastern Seaboard markets. Mr. Saviano brings valuable experience, having served as the Chief Information Security Officer at Skillsoft and previously worked as a security and AI engineer at Textron.

 

Tom Siu will serve as the Virtual Chief Information Security Officer, with a focus on Midwestern markets. Mr. Siu, former Chief Information Security Officer at Michigan State University and Case Western Reserve University, joins our team to enhance our capabilities in this region.

 

Jeff Stutzman, CEO and Founder of Trusted Internet, expresses, "Our SOC serves as the nerve center of our security operations, leveraging advanced cybersecurity tools and the expertise of top security professionals. With the addition of Lou Saviano and Tom Siu to our team, we are expanding our reach and strengthening our commitment to providing comprehensive Virtual CISO™ and advisory services in the long term."

 

About Trusted Internet:

Trusted Internet stands at the forefront of the fight against cyber threats, offering robust cybersecurity solutions, including a 24x7 Cyber Security Operations Center (SOC) and compliance support for National Institute of Standards and Technology (NIST) Special Publication 800-171, the Supplier Performance Risk System (SPRS), and Cybersecurity Maturity Model Certification (CMMC). These standards are crucial for businesses handling sensitive information, as they guide how to protect that information from cyber threats. Trusted Internet is dedicated to protecting the digital integrity of businesses and individuals across the nation.

For more information about Trusted Internet, LLC and its services, please visit www.trustedinternet.io.

 

###

Iranian Hackers Launch Destructive Cyber Attacks on Israeli Tech and Education Sectors

The attacks orchestrated by this group typically pursue two main objectives. First, they aim to exfiltrate sensitive information, such as personally identifiable information (PII) and valuable intellectual property. Subsequently, the threat actors often publish this stolen data on social media platforms or Telegram channels, intending to instill fear and inflict reputational damage. Secondly, the group seeks to create chaos and inflict substantial harm by wiping out as many endpoints as possible.

Trusted Internet OpenXDR: Your Shield Against Advanced Cyber Threats 

In a recent incident on October 27th, Kaspersky uncovered a concerning cyber campaign orchestrated by the Lazarus group, a notorious North Korean threat actor. This campaign targeted organizations across the globe, even in the face of reported vulnerabilities and patches. Surprisingly, many organizations continued to use vulnerable software versions, unwittingly providing a gateway for attackers.  

At the heart of this threat campaign lies the LPEClient, a potent HTTP(S) downloader that operates with precision. It relies on an encrypted string containing two critical URLs, enabling communication with primary and secondary command and control servers. Additionally, LPEClient determines the victim's file system path for storing downloaded payloads. The Lazarus group employed sophisticated evasion techniques, deploying the notorious "SIGNBT" malware to control their victims. LPEClient, previously observed targeting high-value sectors like defense contractors, nuclear engineers, and the cryptocurrency industry, plays a pivotal role in this malicious operation. 

What sets LPEClient apart is its ability to gather comprehensive information about the victim's environment, including details such as computer specifications, installed software, and Windows version information. This meticulous data collection assists the attackers in making informed decisions, ensuring the success of their campaign. 

LPEClient's distinctive 32-bit values represent its execution state and the nature of HTTP requests to the command and control servers. These values serve as the building blocks for the malware's actions, allowing it to perform tasks like sending system information, requesting DLL payloads, and reporting the execution of these payloads. Finally, the malware seeks the export function "CloseEnv" and executes it, leaving no room for system security. 

In a landscape fraught with advanced threats like the one orchestrated by the Lazarus group, proactive defense is paramount. Trusted Internet’s OpenXDR is your ultimate solution for staying ahead of emerging threats, such as the one exposed by Kaspersky. With OpenXDR's advanced multi-threaded anomaly detection capabilities, you can shield your organization from malicious actors like Lazarus, ensuring that your systems and data remain secure. 

Please don't wait until it's too late. Embrace the power of Trusted Internet’s OpenXDR monitoring and protection system and fortify your defenses against the ever-evolving landscape of cyber threats. Your security is our priority. 

For more information about Trusted Internet’s OpenXDR Platform, stop by our booth at the SAME Small Business Conference in San Antonio this week or contact one of our Virtual CISOs™ for a consultation. staysafeonline@trustedinternet.io. 

Are we in An Insider Threat Perfect Storm?

I love some of the Ponemon research, and this 2022 piece on insider threat is no different.

Insider threat is something we’ve all dealt with. We’ve had it, and I’m certain every LinkedIn reader has had to deal with an insider threat, or knows someone who has.

In 2022, Ponemon did a survey on insider threat in which they benchmarked 278 organizations. The numbers are staggering. Of the 278 organizations:

  • They experienced 6,803 insider incidents

  • $15.4 million in average annual cost

  • 56% of the 6,803 were due to negligence (at a cost of $6.6 million, and $484,931 per incident!)

  • 26% were malicious/criminal (costing $4.1 million, $648,062 per incident)

  • 18% were related to user credential theft ($4.6 million)

Ponemon breaks out headcount in the companies, and while this is to be expected, I think they could have done a better job on the distribution of headcount for the survey. 84% of their sample is over 500 employees, but over 90% of the population of American companies have fewer than 20 employees. I'd be really interested in understanding what a 25-person company sees.

Trusted Internet runs, as part of our MSSP service, an internally hosted Veriato Cerebral server in a dedicated space, on its own network/circuit, operated outside of our normal SOC. We built it internally specifically for security and operate it in a segmented way, specifically to help companies who otherwise likely couldn't afford it or don't trust the cloud.

Insider threat is real. The numbers are massive. And now, with all of the tech layoffs, it will only get worse. Privileged users have access. Layoffs make people unhappy… This is the insider threat perfect storm.

Who is Hikvision. Should you care?

I attended GSX in Atlanta this year, and was not surprised to find that one of the largest booths on the exhibit floor belonged to Hikvision. This surprised me, because Hikvision had been banned for government use back in 2019. Trusted Internet has also seen a massive uptick in scanning for Hikvision cameras after it was reported that access to Hikvision cameras was being sold in Russian dark web forums.

I wanted to know more about Hikvision. Why were they banned?

Here’s what I found out.

For the FOURTH year in a row

MSSP Alert publishes its annual Top 250 MSSPs company list and research — tracking the world’s top managed security services providers, and for the fourth year in a row, Trusted Internet made the list!

Trusted Internet is happy to have been named to the Top 250 MSSP list for the fourth year in a row! Thank you to those who’ve supported us, and to one of the best small teams I’ve had the opportunity to work with!

Check out the entire list at MSSP Alert - https://www.msspalert.com/top250/

Victor Zhora, Ukraine's Cyber Chief, on Increased Cyber Threat

In my previous post, I shared some thoughts on how Russia-Ukraine geopolitical tensions are ushering in a new flavor of cyberwarfare. Along with our cybersecurity community peers, we continue to watch developments as they unfold. Last week, we heard that Zhora had met with Black Hat in Las Vegas, indicating the extent to which the situation is escalating.