RegDOX Solutions

The Secure Data Room solution provider for Corporate, EAR, HIPAA, DFARS and ITAR compliance in the cloud.

CALL US NOW:
+1.603.589.4845
ADDRESS: One Tara Boulevard, Suite 300, Nashua, NH 03062

2019 – Cybersecurity Compliance for DoD Contractors / Conducting an Assessment to Ensure DFARS Compliance

By

Since December 31, 2017 DoD contractors have needed to be compliant with cybersecurity requirements or risk losing their contracts. Compliance with Defense Federal Acquisition Regulation Supplement (DFARS) section 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting is required of all DoD contractors dealing in Controlled Unclassified Information (CUI).  This DFARS Clause cites NIST Special Publication 800-171 containing minimum cybersecurity compliance standards.  It describes 14 areas of security requirements for protecting the confidentiality of (CUI).

RegDOX in collaboration with PTAC New Hampshire Office is hosting a free webinar on Cybersecurity Compliance for DoD Contractors on July 31, 2019 from 10:30 to 11:30am.  Mr. William L. O’Brien, President, COO of RegDOX Solutions, Inc. will discuss the DFARS’ requirements such as the gap analyses, and a plan of action and milestones so companies do not lose contracts or encounter penalties due to a lack of DFARS compliance.

TOPIC: Cybersecurity Compliance for DoD Contractors / Conducting an Assessment to Ensure DFARS Compliance

WHEN: July 31 2019 from 10:30 to 11:30am EST.

WHERE: https://nhptap.ecenterdirect.com/events/4942

Registration Link : https://zoom.us/meeting/register/6e74726dfc55e6bf34538d7d4481ef37

 

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

www.RegDOX.com

The U.S. Loses Over $1.5 Trillion in a Decade of Data Breaches

By

A decade’s collection of data breaches shows a bleak picture with billions of records exposed in this type of incidents and financial damages of more than $1.6 trillion.

Data collected from public sources reveal that since 2008 there were close to 9,700 breach events in the U.S., involving more than 10.7 billion records, with an average cost calculated in 2018 at $148 per record.

Open-source info outlines sad situation

The information relies only on details made public by state-based sources and in media reports. The figures are likely conservative as data breach disclosure laws differ from one state to another; in some cases, even notifying the individuals whose data was exposed is not a requirement.

“Disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.” – New Jersey security breach disclosure act.

The details were compiled by researchers at Comparitech, who broke it down per state to determine the regions that were affected the most by data breach incidents. The data includes both a tally of the events and of the records exposed.

According to the report, California is the state with the most publicly documented breaches, and also one where consumer privacy is taken seriously. 1,493 incidents affected 5.59 billion personal records.

It is worth noting that the state law requires that a sample copy of a breach notice to be submitted to the Attorney General if more than 500 California residents are affected.

Taking second place is the state of New York. Comparitech found 729 data breach incidents that were publicly documented over the past decade. The records exposed this way amounted to 293 million.

Close behind is Texas, with 661 events and 288 million records exposed. Most of the personal information came from unauthorized access in 2011 of up to 250 million email addresses and names managed by marketing company Epsilon. The firm acknowledged the intrusion.

As one may observe, there isn’t always a balance between the records exposed and the number of breaches. Data Comparitech collected for Oregon shows that the state suffered at least 157 data security incidents that exposed 1.37 billion records.

Most of the email info came from a faulty backup event in 2017 impacting a fake marketing company called River City Media (RVC). Researchers at MacKeeper said at the time that RVC was a spam factory “responsible for up to a billion daily email sends.”

As we mentioned before, the figures presented in Comparitech’s report are only a minimum. The researchers agree that the real numbers are higher as some breach reports do not disclose the number of records exposed; furthermore, the information “might be unknown or below the threshold imposed by the state,” or new details may emerge at a later date.

For instance, it was revealed this week that a phishing attack in January at the Department of Human Services (DHS) in Oregon impacted data belonging to 645,000 individuals. Although the attack was reported in March, the complete number of people impacted could only be roughly estimated at that time.

Comparitech makes available in an online document a complete list with publicly reported data breaches they found for each state.

CREDIT: Ionut Ilascu, Bleeping Computer

Data Encryption 101: Keeping Your Files Secure In The Cloud

By

When it comes to Controlled Unclassified Information (CUI) compliance, data encryption is always at the forefront of the conversation. Today, leading edge features require a high level of security when information is both in-transit and at rest.

Let’s begin with a little bit of history on the topic. In 2001, the National Institute of Standards and Technology (NIST) established Advanced Encryption Standard (AES) as an encryption specification. It is a standard within the US Government, because it offers the highest level of security when it comes to electronic data. Specifically, 256-bit encryption refers to the length of the encryption key used to protect data streams or files.

If you are not aware of the security dangers you are up against how do you plan on making that a reality? Saying you have an IT guy is not the solution. You as the business owner must learn what you are up against and how to arm yourself properly. At RegDOX Solutions, we concentrate on technological solutions that reflect the reality of how electronic storage and collaboration can be best used by a company and the cyber-security risks of any use. Customer data is protected with a 256-bit Advanced Encryption Standard (AES) encryption. But what exactly does it mean?

What this means is that an intruder would require 2256 different combinations to break an encrypted message. This is virtually impossible to do, even by the world’s fastest computers. This type of encryption prevents unauthorized users, including IT service providers and administrators from accessing the data as well, to ensure that your system is fully compliant. All data transmission between the client and the server (document upload and download, viewing of content) is also protected with 256-bit encryption. So, while your data is being protected at rest within a server with 256-bit AES encryption, RegDOX Solutions also protects your data in transit – this is done via another high-security capability feature: 256-bit SSL encryption. SSL stands for Secure Sockets Layer. SSL is type of data transfer that utilizes encryption to scrambles data in transit, keeping sensitive data unintelligible over the connection to unauthorized users.

Secure links to documents can be sent to licensed users of the technology, as well as to external users, i.e. third parties not brought in as a part of a client’s group of authorized, full functioned users. When a document is sent to an external user via RegDOX Secure Data Room, a time-limited link to the item is sent. After the link validity has expired, externals can no longer access the document. Secure, traceable delivery of documents is achieved and recorded in a tamper-proof audit-trail. Most importantly as well, not only are actions of users and all events involving documents and other files included in a non-editable, permanent record, but also RegDOX’s clients can identify events for which they want immediate notification. This is done via alerts which promptly helps identify any possible cyber-security breach so that rapid remedial action can be taken.  For more information, get in touch with RegDOX Solutions and schedule a demo today.

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

www.RegDOX.com

 

Six Cybersecurity Tips Every Business Owner Should Know In 2019

By

For large organizations with deep pockets, an information security breach is an expensive and embarrassing debacle whose ramifications can last years. But for small and medium-sized businesses (SMBs), a severe incident could mean the end of their business entirely. Centered around people, processes and technology, there are steps organizations of any size can and should take to protect themselves and their clients.

According to Global Market Insights (registration required), the cybersecurity industry was worth over $120 billion at the start of 2017, and it grows by the minute as more frequent and more sophisticated attacks are reported. With data breaches in large corporations and government agencies getting the most attention in the press, it would be easy to think that a smaller company doesn’t have much to worry about. Unfortunately for many SMBs, the growing number of security attacks says something very different.

In 2018, SMBs were the target of 43% of cyber attacks, according to the small business mentor group SCORE. Often, hackers use smaller, more vulnerable companies as a way into larger targets that they do business with. This can ruin the smaller organization’s reputation and its ability to partner with other businesses in the future.

It’s not all bad news, though. Most attempted security breaches can be thwarted with some planning, vigilance and basic precautions. Here are some tips that you can follow as a business owner to get the most out of your information security efforts:

1. Bake security into your systems and software.

Security shouldn’t be an add-on or an afterthought, but rather a fundamental part of your organization’s information assets from the outset. It should be part of the foundation of both end-user product design and internal system architecture. Whenever feasible, your systems should be secure by design, following (among other practices) the “principle of least privilege,” where system users only have the access rights needed to do their jobs. It’s never too late, though, to beef up your existing systems. From minor tweaks to total redesigns, it’s worth the effort to protect your company’s assets and reputation.

2. Embed cybersecurity in your company’s culture.

Unfortunately, even the most secure systems in the world have one Achilles’ heel: people. People are almost always the weak link in the chain when it comes to cybersecurity. Whether due to a lack of awareness or an unwillingness to follow security practices, one non-compliant employee can potentially render all of your security efforts useless. For SMBs without the capital to recover from a major incident, everyone’s jobs are on the line. Training and frequent refreshers are critical, but you should also strive to embed good cybersecurity into the culture of your organization by setting a good example at the management level, as well as emphasizing best practices in all aspects of your operations. Employees should not only be trained on what to do but also why they are doing it. It’s important to remind them of the consequences of a data breach.

3. Plan your incident and disaster response.

Part of being proactive is being ready in the unfortunate event of a cybersecurity incident, or a disaster (natural or man-made) that compromises your systems. No organization’s information security strategy is complete without formal, in-depth incident management and response plans, as well as a disaster recovery plan (DRP). Although your IT department is not typically your cybersecurity team, it is closest to your systems and often at the tip of the spear in the event of an incident. They should be prepared, both through training and through involvement in response planning, to work closely with cybersecurity experts during response and recovery. Consider including other departments as well in your response and recovery procedures — and hold mock incidents or drills to prepare everyone for their role.

4. Monitor and patch your security.

Hackers can, and do, strike from anywhere at any time. Constant network monitoring is critical for not only detecting and potentially thwarting attacks but also for fast and effective recovery from a breach. Network monitoring software produces event logs that help your security team identify where and how hackers are focusing their efforts. Part of this constant vigilance is to consistently update and maintain the latest versions and security patches of all software on your systems. Software patches shore up known vulnerabilities — servers with out-of-date software become easy prey for opportunistic hackers who are always on the lookout for such an opportunity.

5. Think like a bad guy.

Securely designed systems can still have vulnerabilities. Hackers always seem to be a step ahead of both law enforcement and information security professionals, but they also prefer to take the path of least resistance. They are constantly probing their targets for weaknesses and waiting for their moment to strike. You don’t want cybercriminals to be the first to discover a vulnerability that compromises your business, partners or customers. By taking a proactive security approach — with thorough penetration testing — you can use the same tools as malicious hackers, beating them to the punch by finding and closing security gaps in your systems.

6. Get an external view of your current security posture.

Large, prominent companies can afford to throw substantial amounts of money at cybersecurity, often employing a Chief Information Security Officer (CISO) and other support personnel to handle all aspects of cybersecurity. Despite recognizing the importance of information security, not all organizations can afford or even need to have the expertise in-house. Consider getting a third party to assess your cybersecurity needs and help you determine what threats and vulnerability your SMB faces or could face as you grow. With this information, you’ll be best equipped to make decisions regarding how to proceed in protecting yourself.

The bottom line is that smaller organizations can no longer afford to put information security on the back burner — the risks are too real and the stakes are too high.

CREDIT: Jaime Manteiga, Forbes

What is ITAR and Why is it Important?

By

The International Traffic in Arms Regulation (ITAR) is an established authoritative and mandatory list of compliance guidelines. These guidelines are set by the State Department’s Directorate of Defense Trade Controls “DDTC”. It is particularly stringent with companies that export products or information outside the United States.

These protocols that the DDTC provides can be complicated, which could leave your company vulnerable to varying degrees of both civil and criminal repercussions. ITAR compliance dictates that not only must your business be fully compliant, they must also be current with amendments and updates to ITAR regulations. Keep in mind that ITAR commodities are not just specific to the shipping of physical goods, but also virtual commodities such as technical data, sensitive files and CUI documents.

With each ITAR violation comes a risk for heavy penalties and fines. The DDTC expects all exporters of defense commodities to be organizationally sound and resourceful enough to ensure all the standards that the ITAR requires.

What are the penalties?

Due to the nature of ITAR regulations, Small and Medium Sized Enterprises (SMEs) are most at risk due to nuances of export compliance. Companies working with CUI are carefully monitored by The State Department, who partner with other government agencies to monitor businesses to ensure compliance to export control laws. The State Department takes ITAR violations very seriously, with criminal violations reaching $1 Million Dollars and 10 years imprisonment. Civil penalties, which are much more common can reach millions of dollars in fines. While large companies are financially insulated against such fines, they may also be subject to debarment, which blacklists the company from government contracts and working with companies who have government contracts.

What if you fail to comply?

Communication is key when it comes to preventing fines from the DDTC. Willful failure to comply with ITAR is subject to the highest degree of fines and penalties. Being prepared also goes a long way—if your company appears to have knowledge of an ITAR compliance issue, there should be a system in place that would allow your company to report the issue to officials.

What if you make a mistake?

When working with ITAR related materials, mistakes can happen simply due to human error. This is something that becomes possible given the scope of the regulations and can affect companies of any size. The DDTC might consider leniency on such occasions, under the right circumstances. ITAR provides the opportunity for voluntary disclosure. By being forthcoming about any mistakes and having a solid action plan to improve, fines and penalties may be reduced or eliminated.

Why honesty is important to compliance.

Given the nature of ITAR, it is in your company’s best interest to be fully honest. By misrepresenting or even not disclosing pertinent information, then the same penalties can apply as being noncompliant. You can prevent this by taking a thorough approach to compliance and ensuring that any and all information is disclosed.

What can you do to avoid a violation?

There will continue to be increasingly complex regulations in response to both attempts at cyber-hacking of cloud-based storage by bad actors as well as lax cyber-security practices by those using and providing cloud services. But if you love your export business and the thought of excessive penalties scares you (which they should), then don’t chance non-compliance of ITAR. Intentionally or not, there is a lot to lose violating regulatory compliance (ITAR/DFARs). Disaster can be pending on the horizon for you and your business from a single infraction that could have been avoided.

Take the step to secure your business and prevent future dilemmas by partnering with an ITAR compliant secure data room solution provider like RegDOX so you can focus on what’s important, your business! We at RegDOX have been innovative in responses to new and revised cyber-security regulations and provided our customers with solutions so inventive that they warrant patent protections for meeting and exceeding entirely justifiable regulatory requirements. Configurable, affordable, and coming with a “DDTC-reviewed” advisory opinion for ITAR compliance – what’s not to love? Get started now – https://www.regdox.com/contact/

 

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

www.RegDOX.com

N.S.A. Denies Its Cyberweapon Was Used in Baltimore Attack, Congressman Says

By

BALTIMORE — A Maryland congressman said on Friday that the National Security Agency had denied that one of its hacking tools, stolen in 2017, was used in a ransomware attack on Baltimore’s government that had disrupted city services for more than three weeks.

The statement, made by Representative C.A. Dutch Ruppersberger, came in response to an article in The New York Times last weekend. The Times was told by people directly involved in the investigation in Baltimore that the N.S.A. tool, EternalBlue, was found in the city’s network by all four contractors hired to study the attack and restore computer services.

Investigators are still trying to determine the exact chronology of the attack. The leading theory is that hackers broke in through an open server in Baltimore’s network, installed a back door and then used EternalBlue to move across the city’s computers searching for valuable servers to infect, said the people involved in the investigation.

This week, the contractors discovered an additional software tool, called a web shell, on Baltimore’s networks. They believe the web shell may have been used in conjunction with EternalBlue and another hacking technique known as “pass-the-hash,” which uses stolen credentials, to spread the ransomware.

The people involved in the investigation spoke to The Times on the condition of anonymity because they were not authorized to discuss it on the record.

N.S.A. officials are naturally sensitive to reports of continuing damage done by their hacking tools, stolen and released on the internet in 2017 by a still-unidentified group calling itself the Shadow Brokers. EternalBlue and other N.S.A. tools were used in attacks by North Korea and Russia later that year that caused billions of dollars in damage to corporations and governments around the world.

More recently, according to cybersecurity experts, EternalBlue has turned up in attacks on local governments in the United States, which often used aging equipment and fail to keep their software up to date. A patch issued by Microsoft in 2017, but apparently never installed in Baltimore, should have made Windows secure against EternalBlue.

An N.S.A. spokesman declined to comment on the congressman’s statement or the Times article, which was published online on Saturday. A spokesman for Baltimore’s mayor’s office also said he could not comment on the continuing investigation.

Mr. Ruppersberger, a Democrat whose district includes the N.S.A.’s Fort Meade campus south of Baltimore, said in his statement that he had been briefed by “senior leaders” of the N.S.A. They told him that “there is no evidence at this time that EternalBlue played a role in the ransomware attack affecting Baltimore City.”

He added: “I’m told it was not used to gain access nor to propagate further activity within the network.”

The statement did not explain how N.S.A. learned the details of the forensic investigation in Baltimore, which is being carried out by the private contractors. The Federal Bureau of Investigation has also opened an inquiry but has not commented publicly on any findings.

The N.S.A. routinely hunts for security flaws in widely used software and uses them to penetrate foreign computer networks and gather intelligence. It used EternalBlue for such spying for at least five years before the Shadow Brokers stole the tool and posted it on the web to be grabbed and used by foreign states and criminal hackers.

“Our country needs cybertools to counter our enemies, including terrorists, but we also have to protect these tools from leaks,” Mr. Ruppersberger said. “We can’t ignore the damage that past breaches have done to American companies and, possibly, American cities. Now, our focus now should be on Baltimore’s recovery.”

Some former N.S.A. officials have suggested that Baltimore bears some responsibility for the attack, because it evidently had not installed updates to Windows that might have kept its system safe. But Mr. Ruppersberger said “the reality is that patching can be hard and requires resources that many municipalities don’t have.”

He said he thought the federal government “needs to do more to help municipalities better protect their networks.”

CREDIT: Scott Shane and Nicole Perlroth, The New York Times

Microsoft Tech Support Scams Invade Azure Cloud Services

By

Azure Tech Support Scam

Tech support scams have always been a problem, but they typically were located on small web hosting services throughout the world. Researchers have now observed these scams increasingly moving towards the Microsoft Azure cloud platform for ease of deployment and inexpensive web hosting.

Microsoft Azure has a feature called App Services that allows you to quickly and easily mass deploy web sites to the cloud. When a web site is deployed in Azure, they will be hosted on the azurewebsites.netdomain using names like my-app-name.azurewebsites.net.

App Services in the Azure Portal

App Services in the Azure Portal

As an example of bad actors utilizing Azure services, since May 10th, security researchers MalwareHunterTeam and JayTHL have discovered close to 200 web sites hosted on the Azure App Services platform that were displaying tech support scams.

Tweet from MalwareHunterTeam

When these sites were found, JayTHL has been reporting them to Microsoft using their abuse API. Unfortunately, due to the overwhelming amount of abuse reports Microsoft receives, these links can stay active for 4-5 days before Microsoft shuts them down.

This gives the scammers plenty of time to create new Azure accounts and mass deploy another batch of web sites to display tech support scams.

Mostly Apple and Microsoft tech support scams

When BleepingComputer examined some of the URLs shared by MalwareHunterTeam with us, we saw that all of these scams were pretending to be support sites for Microsoft and Apple.

When users visit these sites, JavaScript will check if the browser is on Windows or a macOS based on the browser’s useragent string. If the browser’s useragent contains the string ‘Mac’ it will redirect the user to a Mac tech support scam, otherwise it will display a Windows one.

Tech Support Scam Source Code

Tech Support Scam Source Code

Below are various tech support scams being pushed by these sites. All of them pretend to be an alert from Microsoft or Apple that states your computer is infected with spyware or a virus.

Microsoft Tech Support Scam 1

Microsoft Tech Support Scam 1
Microsoft Tech Support Scam 2

Microsoft Tech Support Scam 2
Microsoft Tech Support Scam 3

Microsoft Tech Support Scam 3
Mac tech Support Scam

Mac tech Support Scam

One of the advantages of using Azure to host your site is that every web site is secured using a SSL certificate from Microsoft. This can make some users think that they are on a legitimate site owned and operated by Microsoft.

Microsoft Certificate

Microsoft Certificate

Many of these scam sites also utilize techniques to lock up the browser or prevent you from leaving the site. Therefore, to close these scams you typically have to close the tab, and if not possible, the browser process itself.

Phishing too

In addition to tech support scams, phishing sites are moving to Azure cloud services as well. As you can see below, a fake Microsoft account login screen is being hosted on azurewebsites.net.

Phishing site on azurewebsites.net

Phishing site on azurewebsites.net

Azure App Services is not the only Azure service being used to host phishing scams. Scammers are also utilizing Azure Blob Storage to store their phishing scams.

Azure Blob Storage Scam

Azure Blob Storage Scam

Sites hosted on blob storage will utilize the hostname.blob.core.windows.net and also take advantage of a Microsoft SSL certificate.

CREDIT: Lawrence Abrams, Bleeping Computer

 

HR and Security in the Era of Cyberattacks

By

Understanding the role of HR and security in protecting sensitive data

The human resources department is one of the crown jewels of any organization, housing some of the most sensitive and private information. Cybercriminals frequently target HR with the goal of collecting financial and personal identifiable information—think social security numbers, dates of birth, bank detail and home addresses, to name a few. However, when your primary resource for potential new employees and record-keeping also happens to be the most popular access point for cybercriminals, the margin for error in your security strategy is almost non-existent.

Recruiting agencies and HR departments are constantly bombarded with emails and attachments from aspiring talent, making them an ideal target for hackers and cybercriminals. Staff literally cannot avoid opening emails and attachments from people they do not know. This means the job description of a recruiter is no longer just finding quality candidates; now they also must be cyber-conscious, spotting security threats before their organization’s infrastructure is compromised.

Nowadays we’re seeing an action as simple as opening a resumé document having the potential to completely devastate an organization. A prime example was the variant of the Petya ransomware, GoldenEye, in a campaign in 2017 that distributed ransomware through malicious email attachments aimed at HR departments via fake job applications. This was a specific effort to abuse the fact that HR employees must open emails and attachments from unknown sources.

While many companies have room for improvement in their threat-prevention plans, they must also turn their focus to their employees’ awareness of the dangers associated with email correspondence. Here are some ways HR executives can keep their company safe from a cybercriminal’s go-to weapon, but still keep the wheels in their department turning.

The Basics

While it seems like one of the basics, ensuring that your HR team is properly vetted is one of the most important first steps that a company can do to secure its information. HR professionals should be of the highest character and integrity given that they will handle the most sensitive employee data and be involved in some of the most complex organizational issues such as hiring, promoting and even firing of staff. There should be extra scrutiny for those charged with working through and handling the data for the most intimate of situations in an organization.

Good Rapport With Information Security Team

While many HR employees don’t have a cybersecurity background, they do play a crucial role in thwarting cyberattacks. They need to be aware of and practice fundamental principles of information security such as being attentive of suspicious grammar, texts and URLs and not opening emails that raise concerns. They also need to be diligent about alerting their information security teams when correspondence is viewed as suspicious. In fact, it is critical that the HR and information security teams have well-established, open communication channels so that everyone is aware of their role and responsibility when an incident occurs. Not only is HR staff the last line of defense against attacks targeted through their department, but they also are empowered to train employees and implement cybersecurity policies in the company as a whole. Knowing how to spot suspicious activity and training and enforcing other employees to do the same will help immensely.

Understand Third-Party Risks

If an organization is using a recruiting or staffing agency, it’s imperative to do an assessment of the agency you’re working with. Just as the broader organization may evaluate its supply chain, partners and integrators, there needs to be some level of assessment with a recruiting or staffing agency. As with any third party, there is inherent risk to an agency operating on behalf of an organization and gaining access to sensitive information.

HR is considered to be one of the most vulnerable departments within any organizations, since one of its primary functions is to constantly receive and open files and documents from unknown senders. By understanding the inherent risks and implementing each of these best practices, HR departments can be better equipped to deal with malicious activity and help protect their organization and employees’ sensitive information.

Credit: Daniel V. Medina

How Operator Shielding Keeps Your CUI and ITAR Data Safe

By

When evaluating a secure data room cloud computing vendor, trust is a very important and crucial prerequisite apart from the evident need of a company’s data being in safe hands. Maintaining a culture of risk-based security innovations, keeping up with trends that emerge from new cyber threats and making sure you are in control of your workload is what any organization wants when looking to move their CUI to a secure cloud-based storage.

Operator shielding is meant to provide that trust. It is one of the next gen features that offers to keeps clients secure and protect against any kind of cyber-attacks by bad actors. This feature protects confidential documents from being accessed by both internal or external IT administrators due to the complete separation of application and systems administrative duties.

Coupled with integrated two-person approval process for all security-related administration functions, data becomes more insulated against malicious attacks. This provides a natural defense against breaches, reverse-engineering and tampering, keeping your confidential files accessible only by you as an added layer of security.

RegDOX is always looking for new ways to enhance security features and provide the best possible platform for clients to use. The RegDOX Secure Data Room implements the operator shielding technology in an intuitive and specific way. On the base level, operator shielding relies on the cloud provider (AWS) to control the traffic that reaches the operator’s servers. This technology then modifies the operator’s binary code to make the Data Room inaccessible to anyone but the operator.

Operator shielding (provider) has several functions:

  • System monitoring
  • Configuration & application monitoring
  • Data room backup / restore
  • NO Access to data rooms

On the other end, the end-user manages all security settings, licenses and storage.

With this consistent separation between operator and user-end IT admins, you are in complete control of who sees your documents, regardless of who they are. This is just one of the many core features that the RegDOX Secure Data Room offers to keep you ahead of the curve and compliant.

 

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

The How-To: Protect Your Business From A Data Breach

By

Running a business without adequate data security is a massive risk. Crippling data breaches are increasingly common and no business is immune. In 2018, Dubai’s fastest growing startup –Careem– was hit by a cyberattack affecting 14 million users. SMEs are especially vulnerable to attack. Without adequate information and network security you risk damaging your profits and reputation. The good news is you can greatly reduce the risk of attack with a few cost-effective security measures such as restricting data access and ensuring adequate monitoring.

Here are five ways to protect your data from getting into the wrong hands:

1. Role-based access 
Control who gets access to your data 
Employees are viewed by cybercriminals as the path of least resistance into a business, according to global cybersecurity company Kaspersky. To minimize the risk, you need to make sure that only authorized employees have access to your data and that you have adequate information and network security.

Role-based access control (RBAC) is a cost-effective method to determine who gets access to what data depending upon their role in the company. Benefits include low maintenance costs and increased efficiency. With RBAC, you can restrict data access to what’s necessary for an individual to do their job. This can help prevent information from being leaked– a significant threat to data security. To reduce complication and costs, it’s important to tailor RBAC to your company’s business model and security risk. Start by creating a list of every software, hardware and app with some sort of security, such as a password. Clarify every employee’s role and create a policy explaining how RBAC is to be used. Don’t forget to continually adapt it as your business evolves.

2. Employee education 
Tighten cyber security by training staff on security measures 
One of the top causes of data breaches is careless or uninformed employee actions. Cybercriminals know that, and they use it to their advantage. A human error is more likely to cause a security breach for companies in maturing economies. To counter the threat, approximately nine in 10 firms now employ security training to assess or improve knowledge among employees. One wrong click on a virus-infected email could endanger your entire business network. To reduce the risk of this happening, it’s important to train staff to identify “phishing emails” (fraudulent emails to gain access to sensitive information) and emails containing attachments sent from strangers. Employees should also be educated on safe internet navigation, effective passwords and the use of mobile devices. A well-trained workforce could protect your bottom line.

3. Remote monitoring 
Keep watch on cyber threat 24/7 
When Dubai-based ride-hailing app Careem was hit by a cyberattack in 2018, access was gained to a computer system that stored customer and driver account information. Attacks such as this highlight the need to monitor your company’s network at all times. Downtime can be extremely costly to a business. Remote monitoring provides 24/7 cover, allowing your IT team to stay on top of incidents at all times. Your servers will be on watch 24/7 so that the moment a potential problem arises it can either be resolved automatically or escalated and addressed remotely. A cost-effective option is to work with a managed IT services provider (MSP) to maintain continuous remote monitoring of your company’s network. This allows your IT staff to focus on core activities. Quality MSPs should be available at all times to receive immediate notifications of potential data security threats, and to respond in the appropriate way.

4. Data backup and recovery 
Protect against loss of data and what to do in an attack 
Data backup is a must if you want to protect your business against data loss but what happens in the event of a natural disaster, server crash, power outage or human error or deliberate attack? To ensure data continuity, it is vital to replicate and host your data on backup servers.
Your strategy should include:
• Planning and testing responses to different kinds of failures
• Configuring the database environment for backup and recovery
• Setting up a backup schedule
• Monitoring the backup and recovery environment
• Troubleshooting backup problems
• Recovering from a data loss
To save time and money, consider working with an IT specialist that provides regular, remote backup using an automated system. Remote data backup you can rest assured knowing that your data is protected, backed up, and up-to-date.

5. Endpoint and edge protection 
Invest in software to prevent accidental or deliberate data breaches 
The endpoint protection software prevents end-users from accidentally causing a data breach by blocking access to an unsecured web page. Endpoint security should protect all endpoints– servers, desktops, laptops, smartphones and other devices connected to your IT network. Edge protection blocks harmful websites or emails from entering your network though the use of firewalls, spam filters and web filters. If malicious data does get through to your system, end-point protection software should immediately disable it. Used together, endpoint and edge protection software are a relatively simple and low-cost way to provide efficient, effective and easier security management.

Protecting your business from data breaches and minimizing disruption in the event of a disaster should be a priority from the outset. However, implementing the right level of data protection for your business, and managing it effectively, isn’t always easy, especially for small companies. To ensure you have adequate protection, consider outsourcing all or part of your data security requirements to a proven managed service provider (MSP) which can represent a more cost-effective and hassle-free way to ensure that your data is protected, allowing you to focus on the smooth-running of your business.

Credit: George Hojeige, Entrepreneur

How To Do Digital Spring Cleaning For Your Business

By

Spring is here, which means it’s time for spring cleaning. This year, in addition to tidying up the office and sprucing up your operations, make sure you keep digital spring cleaning in mind. After all, a data breach can not only potentially harm your customers, but it can result in a severe loss of trust in your brand, one that your business may never recover from. That makes digital spring cleaning one of the most important preventive actions you can take.

Unfortunately, cybercrime is just as much a threat as ever. In September 2017, the Equifax breach revealed to hackers the personal information of 148 million Americans. Last year, the Meltdown and Spectre vulnerabilities could have allowed the exploitation of potentially every Intel processor made in the past decade — without leaving any evidence of the hack. Facebook, MyFitnessPal, and others have sustained breaches affecting tens of millions of users.

And cybercrime doesn’t just threaten corporate giants. The Better Business Bureau’s 2017 “State of Cybersecurity Among Small Businesses in North America” report estimated that cybercrime costs small businesses $80,000 per year on average.

Most businesses, large or small, have plenty of things they should clean up during a good cybersecurity spring cleaning. But often, it’s challenging to know where to begin and which actions will yield the most value. There are, however, some key steps you can take to reduce the chance that cybercrime will damage your business.

1. Polish your logins.

One way cybercriminals gain access to places they shouldn’t is through logins to various online accounts. Sometimes, it’s just a matter of employees using easily guessed passwords. Worse, gaining access to one account can often provide a hacker the username and password to other accounts, including ones relevant to your business. Therefore, it’s critical that you and your team members adopt best practices regarding all your online accounts.

As part of your digital spring cleaning efforts, start an awareness campaign at your company. Encourage all employees to delete unused accounts and “harden” the ones they do use by creating difficult-to-guess passwords through use of a password manager such as 1Password or LastPass. You should then go one step further and enable two-factor authentication, which will require a second code delivered to users’ mobile devices in addition to a password. This means that unless a hacker has an individual’s device in hand — hopefully an unlikely occurrence — he or she will be unable to hack the user’s account.

Finally, emphasize that hackers often get access through deceptive phishing emails that send seemingly legitimate login links for an actual service; then, show your team examples of what these phishing emails look like. By educating your team members on the telltale signs of a fake login, you can prevent them from giving away their login credentials.

2. Dust off your archives.

Not only can it be very useful to maintain and archive all company communication — from emails to texts to social media posts and responses — but it’s often a matter of regulatory compliance.

Protecting the personal information of those you employ and serve requires that these communications be locked down and safe from the prying eyes of hackers. Yet the “2017 Electronic Communications Compliance Survey Report” from Smarsh found that many companies are still struggling to achieve the proper oversight and protection of their communications.

If your company is finding digital archive compliance a challenge, consider seeking third-party help. For example, Anchor Pointe Wealth Management, a Missouri-based independent financial planner, used ZixArchive to automatically archive emails and other information according to specific retention policies and legal requirements. Your archived information could be vulnerable; change that situation when doing your digital spring cleaning this year.

3. Scrub your routers.

Most of us know to use malware removal and protection software on our computers and to apply the latest updates as they’re released. What we often overlook is that any web-connected device could be harboring malware. To be safe, assume all of yours are, and get to work rooting it out.

One of the first places to start is with your routers. Because they aren’t computers themselves, they tend to get ignored when considering security vulnerabilities, but routers are a prime way that hackers can get in to your systems, whether at work or at home. In 2017, for example, malware took control of 100,000 ZyXEL routers in Argentina.

To be safe, use newer routers, which have a better chance of including hardware that has patched previous security holes. Also, have your IT team check for and install firmware updates frequently. Finally, be sure to change the default username and password of all routers you and your team use. Routers often come with a default login that any savvy cybercriminal can exploit to access your systems.

A digital spring cleaning of these basic components of your electronic life at work can give you peace of mind all year. While the temptation is always to do it “later,” in a world where a cyber break-in can cripple a business overnight, you don’t have that luxury.

So don’t put your digital clean sweep off until the flowers bloom; implementing these basic changes can be a great way to start your spring off right. Knowing you’re as protected as you can be means you can focus on the actual work of your company instead of losing sleep over long-overdue cybersecurity maintenance.

CREDIT: Serenity Gibbons, Forbes

 

Multiple Enterprise VPN Apps Allow Attackers to Bypass Authentication

By

Enterprise VPN applications developed by Palo Alto Networks, Pulse Secure, Cisco, and F5 Networks are storing authentication and session cookies insecurely according to a DHS/CISA alert and a vulnerability note issued by CERT/CC, potentially allowing attackers to bypass authentication.

As detailed in the Common Weakness Enumeration database in CWE-311, the fact that an app fails to “encrypt sensitive or critical information before storage or transmission” could allow would-be attackers to intercept traffic data, read it and inject malicious code/data to perform a Man-in-the-Middle (MitM) attack.

The alert issued today by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also states that a potential “attacker could exploit this vulnerability to take control of an affected system.”

Also, the vulnerability note written by Carnegie Mellon University’s Madison Oliver says that “If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”

CERT/CC says:

The following products and versions store the cookie insecurely in log files:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in memory:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

In addition, according to CERT/CC’s note, “It is likely that this configuration is generic to additional VPN applications,” which means that hundreds of VPN apps from a total of 237 vendors can potentially be impacted by this information disclosure vulnerability reported by the National Defense ISAC Remote Access Working Group.

While VPN apps from Check Point Software Technologies and pfSense were found to not be vulnerable, Cisco and Pulse Secure haven’t yet issued any info regarding this vulnerability.

Palo Alto Networks published a security advisory with further information on this information disclosure vulnerability tracked as CVE-2019-1573, and published the GlobalProtect Agent 4.1.1 and later for Windows and GlobalProtect Agent 4.1.11 and later for macOS security updates.

F5 Networks on the other hand, while being “aware of the insecure memory storage since 2013” decided not to patch it and provides the following solution as a mitigation measure: “To mitigate this vulnerability, you can use a one-time password or two-factor authentication instead of password-based authentication.”

However, the insecure log storage issue has been patched in the F5 Networks BIG-IP app since versions 12.1.3 and 13.0.1, released in 2017.

Update April 15 07:09 EDT: PulseSecure also published an out-of-cycle security advisory regarding the improper handling of session cookies in some versions of the Pulse Desktop Client and Pulse Connect Secure (for Network Connect customers) apps. The vendor says that patched versions of Pulse Desktop Client or Pulse Connect Secure (for Network Connect customers) are available via the Pulse Secure Download Center.

CREDIT: Sergiu Gatlan, Bleeping Computer

 

How Dynamic Watermarking Can Help You Stay Compliant

By

Before we begin, let’s take a second to explore the world of ‘watermarking’. Most people are familiar with watermarks— they show up on banknotes, checks, stamps. Others are familiar with the ones that appear in pictures or music. These are the types that are obviously or invisibly embedded in photos, videos and music to prove the authenticity of the file. These are not the types of watermarks that we are talking about today when we discuss protecting digitally stored documents.

There are two types:

Static

  • Does not change regardless of user
  • Typically used to identify a document’s owner

Dynamic

  • Identifies user
  • Changes upon opening the document
  • Can display different types of documents depending on whether the document is viewed or printed

How does digital watermarking work? In the case of “Digital Rights Management” (DRM) Software, digital watermarking is a core feature that provides an extra layer of security and authorized access. In banknotes, watermarks are typically used to ensure that a document is authentic. In the case of a ‘static’ digital watermark, the effect is the same on an electronic document—the file cannot be reproduced without removing its proof of authenticity. However, in the case of digital dynamic watermarking, the software’s algorithm creates an added layer over the document with a unique ID and time stamp that identifies who accessed the document and when it happened.

Of course, this would all be useless without some type of feature that can ‘freeze’ the file which essentially means the modification of the file is impossible in that setting. The RegDOX™ Secure Data Room Solution offers such an approach as part of its robust set of features called Brainmark™. Brainmark management includes all functions that help users to simplify the secure distribution of Brainmark documents. These include security categories, secure document viewer and embedding of watermarks, as well as further functions that help centralize document conversions and manage them efficiently.

So, what exactly does this mean?

A Brainmark-secured download delivers an automatically generated and protected version of a document to the user. The sender can select from the following security options:

  • The document has a unique identifier using digital fingerprint technology
  • The document is delivered as a simple but clearly marked print version with all edits removed
  • The document is delivered with a personalized watermark
  • The user can only view the document, not forward or print

This feature protects sensitive user data by removing the capability for specific files to be downloaded, printed, or photographed by identifying when and how it happened. It is also integrated with an automatic tracking and alerting feature that will allow for real-time administrative notice of aberrant behavior. The overarching effect of this intuitive feature is that not only does it record crucial data about how the file was accessed that would also deter copying, but it is impossible to remove or tamper with the watermark in any form. This is one of the core ways that RegDOX helps you maintain ITAR and DFARS compliance. Want to learn more about our Brainmark™ feature and how it works? Contact Us Today!

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

FEMA Data Breach Impacting Disaster Survivors a Cause For Concern

By

In what the Federal Emergency Management Agency (FEMA) has acknowledged is a “major privacy incident,” nearly 2.5 million U.S. disaster survivors had their personal information shared with a third-party contractor responsible for setting up temporary housing. This data breach represents a violation of the Privacy Act of 1974 as well as official policy of the Department of Homeland Security (DHS). This means that U.S. government officials should be taking this FEMA data breach very seriously.

The details of the FEMA data breach

According to a report dated March 15 that was filed by the DHS Office of Inspector General (OIG), the data breach occurred when FEMA shared the information of disaster survivors who used the agency’s Transitional Sheltering Assistance Program. These disaster survivors included the victims of the California wildfires in 2017 as well as hurricanes Harvey, Irma and Maria. In order to get these victims into short-term housing, FEMA needed to collect information about all people signing up for the transitional housing program, and then ensure that they were properly taken care of by third-party contractors who were setting up the housing.

As FEMA press secretary Lizzie Litzow explains, this is where the data breach occurred. Instead of only sharing the very basic amount of information that would be expected of such a large-scale government program (e.g. name, date of birth, FEMA registration number), FEMA ended up “over-sharing” all possible information that it had collected on the disaster survivors – including full home address, bank name, bank account information, and the last four digits of each person’s Social Security Number).

Obviously, the potential for identity and theft would have been very high in this case. Using all the personal data collected on the disaster survivors, an unscrupulous hacker or cyber criminal might have been able to open up new bank accounts, drain away financial resources of very vulnerable disaster survivors, or commit other forms of online fraud. However, as FEMA press secretary Lizzie Litzow notes, a thorough review of the matter by the Office of Inspector General did not find any detrimental uses of this personal data. No information was released or compromised, so FEMA said it would not be individually contacting all of the disaster survivors impacted by the data breach.

FEMA cleans up the data breach

The good news is that FEMA has taken aggressive measures to correct the data breach. Once it discovered the problem in December 2018, it immediately put a data filter on all information being shared with its third-party contractor, thereby making sure that all extraneous information would no longer be shared. FEMA also sent out internal security experts two times to conduct on-site checks in order to correct this error. FEMA also worked directly with the contractor (who has thus far remained unnamed) to scrub all data that had been released as part of the data breach. At the same time, FEMA took further aggressive measures to ramp up privacy training for staff members.

Perhaps the best way to think about this data breach is that it was effectively discovered and then sanitized before it could ever develop into a much greater problem. FEMA continues to assure the public that no information was ever compromised in any detrimental way, and that sensitive personal data was no longer being shared with the contractor.

Privacy scenarios involving disaster survivors

The bigger picture issue, of course, is that cybercriminals are known to prey on victims of natural disasters. Whenever a natural disaster strikes – whether it is a hurricane, a flood, a tornado or wildfire – people are naturally in a very vulnerable state. Their homes may have just been destroyed, they may have lost loved ones in the tragedy, and they may be dealing with extreme financial duress. At the same time, disaster recovery staff simply may not have the necessary resources or bandwidth to keep an eye out for cyber threats. Instead of carefully monitoring potential cyber attack vectors, they may be more concerned with restoring different IT and tech resources.

Not surprisingly, cybercriminals have taken advantage of this opportunity to cause financial mayhem with disaster survivors. Until now, the favorite attack tactic was a variation on a “phishing” scheme, in which the cybercriminals would impersonate insurance companies, aid agencies, or disaster relief organizations in an effort to gain access to the personal information of disaster survivors. Given the popularity of crowdfunding relief efforts around natural disasters, they have also posed as online charities attempting to solicit funds from good-hearted people trying to help out disaster survivors.

So, you can immediately see how the FEMA data breach, by transferring disaster survivor information to a contractor, might have unwittingly aided and abetted such a scheme. Since the FEMA data breach involved 2.5 million disaster survivors (1.8 million of whom had their banking information and home address information shared), it would have been a very rich trove of data for any cybercriminal. In the past, the Federal Trade Commission has warned of such schemes, and FEMA itself has issued alerts about scams related to natural disasters.

How to avoid becoming a victim of a data breach

In the event of a natural disaster, say security experts, it’s best to be vigilant and use common sense. Never let your guard down, even for a moment. That means keeping a watchful eye out for fake URLs, fake Facebook pages, fake fundraising pages, and malicious links. If at all possible, type in the address of a website yourself, instead of just clicking on a link found in an email. While it might not be possible to prevent a U.S. agency from sharing data with a contractor, it is possible to take steps to safeguard your personal data. FEMA, for example, has no reason to ask for your personal banking information – so if an email arrives from an unknown source asking for personal banking information, that should be a red flag.

Given the millions of survivors who have used FEMA services in the past, it is incumbent upon all federal agencies to impose tighter rules and controls to prevent a data breach in the future. For its part, FEMA says it will have tighter controls in place by June 2020, hopefully ensuring that when the next natural disaster strikes, vulnerable disaster survivors will not have to worry about a data breach at the same time.

CREDIT: Nicole Lindsey, CPOMagazine

Audit Trails 101– What You Need To Know

By

What exactly is an audit trail? 

To be considered ITAR compliant, the US Government requires the implementation of a program that involves detailed tracking and monitoring of technical data. This is a particularly rigid aspect of ITAR because having a thorough log that shows how controlled data was accessed is crucial to the protection of any type of controlled document.

What is an audit trail used for?

Having an audit trail means that there is a secure and easily accessible reference point that the DDTC or external auditor can review in case of a data breach. Essentially, the point is to make sure that confidential information does not fall into the wrong hands by either deterring attacks or pointing authorized individuals in the right direction as to how the data had changed hands.

Why are audit trails important to data rooms?

If resources allow, it is typically recommended to periodically employ an outside auditor for an in-house solution or utilize software that is DDTC-reviewed. This is generally considered good practice to ensure that your platform is secure and avoid unnecessary fines. Audit trails within a data room should be able to recognize and record whether:

  • What users accessed the data room and/or a specific document
  • When and where a specific document was accessed
  • Identify any gaps or inconsistencies in how, when and why data was accessed

What are some things to look out for within an audit trail?

Within a data room, it is important to be able to set restrictions as to how and when certain data can be accessed. One thing to make note of is geographical access. When sensitive information is shared constantly, it is important to limit access to specific regions where that information will be used. If your data is staying within the country, make sure you restrict outside access.

The last most important aspect of having an audit trail is a back-up. Arm your IT departments with proper tools such as on demand reports and historical analytics to be able to regularly assess whether the data stays secure. By doing so, you will be able to mitigate risk should anything happen to the back-up and ensure your compliance foundation is rock-solid.

To satisfy ITAR specifications, RegDOX provides a robust and effective audit trail service within the platform which will ensure confidential documents stay protected. How does it work? All actions on the application, Data Room and object level can be time-stamped and recorded in our tamper-proof audit trail. These actions usually include configuration changes as well as document access, editing, and the addition of new documents to a Data Room. The display of individual pages in the Secure Document Viewer is also logged in the audit trail. Users are only able to see information for which they have viewing permissions. Further actions, such as downloading documents, can be recorded separately. You can also limit access to the audit trail itself and the application ensures that it cannot be Secure Document Viewer altered later. Want to Learn More? Contact Us Today!

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

www.RegDOX.com

Why You Should be Using a Multi-Factored Authentication Process

By

One of the biggest challenges that IT professionals face today is the ever more urgent need for tight security. Services struggle to keep up with an increasingly globalized network of clients, customers, and stakeholders, and with this challenge comes a risk of data breach. With some very high profile data breaches in recent years, the public at large have legitimate concerns over how safe their information is online.

Hackers and data pirates target now target not only large corporations or businesses but also private individuals and small businesses. In fact, 31 percent of all targeted attacks are aimed at small businesses, who are not as well insured as the larger businesses. It’s wise, then, to take a good hard look at how we can approach the challenge of security when running a website.

You may have noticed in the past year that web services such as Google and Facebook are now utilizing technologies other than the simple password login. Increasingly, websites are turning to Multi-Factor Authentication to ensure their consumer’s data is well protected.

Here are a few reasons why.

Stronger Security

MFA is made up of three basic elements: the password, authentication through a mobile device, or personal identification, such as voice recognition or fingerprint technology. It boils down to one basic premise – authentication based on something only the user can provide.

“In the past, users have traditionally relied on passwords alone,” writes Benjamin D Stephenson, author at Academized and Revieweal,”But increasingly, as data becomes more widespread and hackers use more advanced AI, these passwords can be decrypted quite rapidly. Often this has left users wide open to attack, without ever even seeing it coming.”

To combat this breach, the data security industry has harnessed emerging technology to implement further steps to the login process. With increasing access to mobile technology, an integrated approach to logging in has taken place. In addition, as voice, facial and fingerprint recognition technology has advanced, so too have web technologies ability to identify the unique traits of a user. 

Protection against malicious software

It is important to recognize not just your own websites need for a Multi-Factor approach to logging in, but also to actively promote it in the wider world. Much like organic viruses, a user who takes a laid back approach to their own cyber-security runs the risk of becoming a danger to the data they interact with.

“When a breach takes place and malicious software is installed, web security in general is compromised,” writes Carl Higginson, security content writer at Boomessays and UKWritings,  “Anti-virus software and firewalls are very good at combatting malicious attacks, but when encryption is breached, this provides a backdoor for such attacks. Promoting good data practice carries the benefit of ‘herd immunity’ against virus software.” 

Greater trust in websites providing MFA

Knowing the above, many web users are increasingly wary of web services that don’t utilize up-to-date security measures. Showing your users that you provide multi-factor authentication legitimizes your security protocols and promotes your business as a fortress against malware and data attacks.

The internet as a whole has become susceptible to destructive cybercriminals, who not only steal data but manipulate or destroy it, some even using it to promote hostile ideologies. For this reason, users look to authentication to validate trust in secure web services.

Ease of Use

Finally, for many users, passwords have been a bit of a pain. Remembering or refreshing passwords in ever more inventive ways has left a trail of passwords, which, if discovered by cybercriminals. can open up a user to attacks.

A Multi-Factor Authentication process, with the use of mobile and recognition technology, simplifies the process, allowing users access without tempting users to document their passwords.

 

CREDIT: Chloe Bennet, PaymentsJournal

ITAR Technical Data – Infographic

By

RegDOX’s ITAR solution is dedicated to U.S. incorporated and based customers seeking to achieve ITAR compliance. This infographic provides a definitive guide on how you can assess your security needs and how RegDOX can help you stay compliant. Bring your ITAR technical data safely into the cloud with our first-to-market certified ITAR-compliant data room solution. For more information, contact us today.

ITAR Technical Data (009)

Share this page.