RegDOX Solutions

The Secure Data Room solution provider for Corporate, EAR, DFARS and ITAR compliance in the cloud.

CALL US NOW: +1.800.517.3171
ADDRESS: 1 Elm Street, Suite 201, Nashua, NH 03060

The Catalog of Cyber Vulnerabilities Grows

By

As it promised two weeks ago when it first announced the publication of a federal government’s Catalog of Known Exploited Vulnerabilities, CISA (Cybersecurity & Infrastructure Security Agency) has just updated the catalog by adding four new vulnerabilities. All of them represent significant risks.

The CISA catalog is directed to non-military agencies and their contractors so they can identify open and new cybersecurity vulnerabilities. It also allows CISA to announce remediation deadlines. This bimonthly updating process should prove to be a valued resource to agencies, their contractors, and all of us in staying up-to-date in maintaining cybersecurity hygiene.

Three of the four newly added vulnerabilities involve Microsoft products. In one, a security feature bypass in Excel could allow for an attacker to perform arbitrary code execution. Another allows an attacker to use an improper validation in a cmdlet (a small script that performs a specific function) argument to perform remote code execution in Microsoft Exchange servers. The third identifies a vulnerability in Windows OS that could allow for an authorized user to escalate privileges.

The fourth newly listed vulnerability is in the Perl ExifTool. In this second listing in as many weeks, a vulnerability in ExifTool, a set of Perl modules that read and write metadata in a variety of formats, has been identified. This most recently described vulnerability could allow improper neutralizing of user data and arbitrary code execution.

December 1, 2021, is the remediation deadline for all four of these vulnerabilities, which are now being actively exploited by threat actors. And as with all the rest, the remediation action for these vulnerabilities is to apply updates per vendor instructions.

So What Is In This New CISA Cybersecurity Directive?

By

Well, the reports were right. On November 3rd the federal government’s Cybersecurity and Infrastructure Agency (CISA) issued a directive prioritizing vulnerability management by federal civilian agencies and establishing remediation deadlines.

This new directive is referenced as Binding Operational Directive 22-01 (BOD 22-01) and has a very straightforward title: Reducing the Significant Risk of Known Exploited Vulnerabilities. It establishes a CISA-managed catalog of known and exploited vulnerabilities that must be targeted for remediation by federal agencies. The directive can be accessed here and the catalog here.

The catalog lists the vulnerabilities by name, reference software vendor, description, remediation action, and remediation due date, most of which so far are two weeks from the listing. In all instances for the initially listed vulnerabilities, remediation action is simply to “Apply updates per vendor instructions.”

The catalog will be updated on an ongoing basis. CISA allows for a subscription to catalog updates through simply submitting an email address and choosing a password here. Doing that also provides an opportunity to subscribe to a long list of other CISA updates, many of which are industry-specific.

While the directive and catalog are addressed to a civilian federal agency audience, CISA does point out that the targeted federal information systems included those operated or used by any entity “on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.” This broad statement of applicability really seems to put required compliance on some federal contractors despite CISA merely recommending that private business and local jurisdictions review and monitor the catalog, and remediate accordingly.

CISA noted in its fact sheet accompanying the directive that in 2020 alone, 18,358 new cybersecurity vulnerabilities were identified and 10,342 of those – 28 a day – were considered “critical” or “high severity.” Equally concerning is that as recently as 2015 it took federal agencies between 200 to 300 days to remediate vulnerabilities.

Just as with industry, there have been improvements by federal agencies over the last several years, but much remains to be done. This newly issued BOD 22-01 is requiring federal civilian agencies to continue improvements in their remediation efforts from this dismal record. Many contractors need to acknowledge that they also need improvement and accept CISA’s invitation to use the CISA catalog.

Standby: New, Far-Reaching Executive Order on Cybersecurity Expected

By

Reports are that on Wednesday, November 3, 2021, Jen Easterly, who is the director of Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security, will issue a directive imposing new federal government cybersecurity mandates. Here’s what we know about it:

  • The directive, which is intended to move forward some agencies that have been slower in addressing cyber-vulnerabilities, will require federal agencies to patch up to 300 known cybersecurity risks that could result in damaging hacks.
  • These risks will be listed in a new federal catalog that will be updated periodically.
  • Security flaws listed already in 2021 will require fixes in two weeks with those listed from now on requiring even quicker fixes. Older flaws will have to be fixed in six months.
  • The directive will apply to all federal agencies except DoD, the CIA, and the Office of the Director of National Intelligence.
  • The directive will also apply to all federal information systems, including those hosted by third parties and federal contractors, and including not just those that are considered critical or high risk.

We will post an update when the directive is published.

A New Potentially Significant EAR Rule Has Been Proposed by BIS

By

The Department of Commerce’s Bureau of Industry and Security (BIS) today issued an interim rule on revised export controls pertaining to certain cybersecurity items and implementation of those controls. BIS requested comments addressing the impact of these controls on industry and the cybersecurity community. Those comments are to be received by December 6, 2021, and can be submitted through the Federal Rulemaking Portal. The new rule is to become effective on Monday, January 19, 2022*.

The rule will establish a new export control over certain items along with a new exception for Authorized Cybersecurity Exports (ACE). The ACE allows exports of the controlled items except in circumstances described in the rule.

Everything covered by this new interim rule, and the final rule in January, require a conscientious review of the proposed controls. It began with earlier attempts to define and control “intrusion software”, the technology of “development”, “production” or “use”, and “command and control” software. It led to a May 20, 2015, interim rule that was not finalized in favor of further negotiations of controls and outreach to industry. This interim rule is the result of further negotiation and is described by BIS as “limited scope” and, it believes, minimal impact. Given the nature of the changes, it’s important to look over the changes and submit comments to ensure that belief applies to your organization.

*Of course, these changes do not affect items subject to the ITAR. As the BIS interim rule notes, “[i]tems and services described on the U.S. Munitions List (USML) at ITAR § 121.1, including military training, technical data directly related to a defense article, and certain hardware and software specially designed for intelligence purposes, remain subject to the ITAR.”

Quick Take: DHS is Implementing the President’s Cybersecurity Memorandum

By

Following up on the July 28, 2021 cybersecurity memorandum by the President, the Department of Homeland Security (DHS) announced this week the results of a review of resources and practices by DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). This review led CISA and NIST to identify nine categories of cybersecurity practices and to use those categories as the preliminary basis of related cybersecurity performance controls.

The following are the nine identified categories and related high-level goals listed by the DHS, each of which has a familiar ring for all of us who have been involved over the years in implementing ITAR, DFARS, and NIST 800-171 controls and best practices:

  1. Risk Management and Cybersecurity Governance
  2. Architecture and Design
  3. Configuration and Change Management
  4. Physical Security
  5. System and Data Integrity, Availability, and Confidentiality
  6. Continuous Monitoring and Vulnerability Management
  7. Training and Awareness
  8. Incident Response and Recovery
  9. Supply Chain Risk Management

In its written announcement, DHS provided a brief explanation of the goals, rationale, and baseline objectives for each category.

Each of us involved in trade compliance or federal contracting, or providing support for those who are, should become very familiar with what the DHS has announced as it will no doubt form the basis for what is coming.

UPDATED: Get Ready for More CMMC Changes

By

The DoD weighed in yesterday with a promise of additional changes, and soon, to the Cybersecurity Maturity Model Certification (CMMC) program.

We are told these changes will reflect industry feedback plus “internal government activities”. It appears they are a result of ongoing and wide-ranging reviews of the CMMC program that started this past spring.

All aspects of the CMMC program are under consideration in this review. This includes all levels of cybersecurity compliance as well as the role of the independent, third-party CMMC “Accreditation Body” of industry representatives overseeing auditors to review DIB companies’ cybersecurity practices.

The CMMC Accreditation Body has been criticized both generally and in comments considered in this review as being opaque and characterized by a lack of clarity in results and direction. This criticism perhaps led to the statement by Christine Michienzi, CTO of Defense, at a recent conference in Maryland that even the process of independent auditors versus DOD certification versus self-certification are all being reviewed as the best mechanism to use. Choosing the latter two would constitute a departure from the CMMC as it has been rolled out over the last few years, perhaps making the efforts of the accreditation body superfluous.

The best advice we can give right now is this:
Stay tuned because there is one thing we know for sure. There will be changes to the CMMC and those will change as well.

UPDATE 09/20/2021:

We told you there would be changes. According to InsideCybersecurity.com, the Department of Defense is not planning to release the final rule cementing CMMC until the end of 2021, due to ongoing internal reviews. As is tradition, that could also change at any minute. We’ll be sure to keep you updated with any additional changes.

Statement on Issuance of U.S. Patent no. 11,115,413

By

RegDOX Solutions Inc. is pleased to announce that as an additional expansion on its August 20, 2019, U.S. patent for an online secure storage system on September 7, 2021, the U.S. Patent and Trademark Office granted RegDOX an additional patent recognizing the system covers not just data regulated under U.S. export laws, but also more generally any regulatory controlled data.

Together with the prior four patents in this family starting with patent no. 10,389,716, patent, this most recent patent (no. 11,115,413) establishes the unique advantage provided to customers and users of the RegDOX® secure file storage, management, and collaboration system. The RegDOX system enables compliance with all federal regulatory schemes such as the ITAR, EAR, NIST 800-171/2, the DFARs, and the CMMC.

As William O’Brien, President and Chief Operating Officer of RegDOX Solutions has noted,

“Through this latest patent grant, the U.S. Patent and Trademark Office has recognized the achievement of a milestone in the development of RegDOX’s solution for companies needing to comply with federal regulations for storing and collaborating with controlled data, such as the federal government’s Controlled Unclassified Information (CUI). It is a clear demonstration that RegDOX’s customers are at the leading edge of technology and efficiency in achieving the protections and efficiencies of a cloud solution for cybersecurity compliance. The RegDOX system cannot be matched by any other.”

Quick Take: Zoom’s $85 Million Lawsuit Settlement

By

As the provider of a compliant storage and collaboration platform for ITAR technical data and other forms of federal Controlled Unclassified Information, we often look on with amazement when some companies claim compliance with ITAR, NIST SP(s)800-171/172, and the CMMC for products and services that clearly don’t meet those standards. We assume that those companies just don’t understand what it takes to be compliant but suspect at times that there may be intentional misrepresentations.

It seems from Zoom’s $85 million lawsuit settlement for lying about end-to-end encryption and sharing confidential information with Facebook and Google that our suspicions often are justified. Trust but verify.

Are Browser Plugins a Necessary Evil?

By

This weekend, we did a little ‘housekeeping’ and went through an old machine. We took a look at the Google Chrome browser and pulled up all the plugins. What to our surprise did we see on a VPN plug-in: A red triangle with an exclamation point and the words, “This extension contains malware.” (Yes, the irony is strong with this one).

Our minds immediately thought several things at the same time:

  1. Who does quality/screening for plugins in the store? What does this process look like?
  2. How can you know enough about my browser to feed me this warning (I am pretty sure I would not have downloaded this if the warning had been there previously)?
  3. What else do you know about my plugins? My browsing history?
  4. Why didn’t Elton John go with ‘John Elton’?

So, after reviewing a few other plugins, we saw something that we found ‘concerning’. Many plugins required a LOT of permissions when installing, so they could ‘function properly’.

What exactly is ‘a lot’? Well, take a look at a VPN Chrome extension:

  1. Read and change all your data on the websites you visit
  2. Display notifications
  3. Manage your apps, extensions, and themes

WHY would you ever give a plugin the ability to read and CHANGE data on the sites you visit?! Or manage other apps, extensions, and themes (keep in mind that this particular plugin was supposed to keep communications private and secure)?

The answer is: Because apparently, we don’t get a choice. Any extension that interacts with websites will almost always require “Read and change all your data on the websites you visit” permission.

Our good friends over at howtogeek.com also explained that Chrome is one of the few browsers that asks for your permission, instead of just blindly installing it. So, that’s something?

Chrome has a permission system for its extensions, while Firefox and Internet Explorer do not. Every Firefox and Internet Explorer extension has full access to the entire browser and can do anything it wants.

OK…so Explorer/Edge and Firefox, are just installing extensions without even asking me for my permission or telling me what they are able to do. Huh, good to know. Time to go dig out the Netscape 3.0 floppy disk.

What should you do when faced with this scary warning? Theoretically, do not worry. Any ‘store’ that offers browser extensions should have a screening process monitored by the company, and the ability to remove bad extensions. Obviously, the reality is different.

The ‘best practice’ is the usual when installing any type of software.

  • Ask if you really need it
  • Is there an alternative?
  • Is it worth the risk?

You may want to run some anti-virus/malware scans on your device after installing it – just to be safe. Something to think about when you’re not freaking out about all the other things happening.

Stay Safe!

Cybersecurity Nightmares

By

A nightmare is usually defined as,” a frightening or unpleasant dream”, and while we tell children that there are no such things as ghosts or bogeymen, there are real cyber nightmares that have happened and could happen. Some of the most significant events in recent years that have caused many people to cower in fear are discussed below.

2020 Election

If there is one thing that has been in the news for literally years now, is that the 2020 US election was a major target for foreign entities across the globe. Casting doubt on the validity of the election was intended to sow dissent and cause chaos-it has succeeded. Allegations of missing votes, improper counting of ballots, miscounting, or even stealing and destroying votes have all been put forth as reality by several groups. Using social media platforms, these agents caused immeasurable damage and chaos amongst US citizens.

Microsoft detected cyberattacks targeting people and organizations in the presidential election predominantly from groups operating in Russia, China, and Iran -although accurate attribution is a very difficult thing to prove with 100% accuracy. Both candidates’ campaigns were targeted, including social engineering/Phishing attacks on campaign staff, vendors, and consultants.

Vulnerable Children’s Devices

As a parent, we worry about our children and go to great lengths to protect them. Sometimes the tools we use to protect them make them even more vulnerable. Researchers at the Münster University of Applied Sciences in Germany found vulnerabilities in several different children’s smartwatches, allowing for the tracking, listening to voice messages, and reading text messages. These weaknesses could allow for exploitation of the communication channels to such an extent, that a malicious individual could send voice and text messages purported to be coming from parents. The potential for abuse is beyond scary, and despite responsible disclosure, some of the manufacturers have still not addressed all the concerns.

Bluetooth Vulnerability

Do you have a cellular phone? Of course, you do. You may even be reading this on your phone now. Phones have become ubiquitous around the world, and nearly every phone has the ability to connect to other devices (headphones, speakers, etc.) through a wireless technology commonly called “Bluetooth”. Bluetooth is generally limited to a range of fewer than 10 meters or 30 feet, but for most users, this is plenty of range. For example, you wear headphones on your head, and your phone is in your pocket. Bluetooth is extremely popular and has been a target for abuse for many years.

In September of 2009, the Bluetooth SIG organization announced a vulnerability that could affect hundreds of millions of devices around the globe. The flaw could allow an attacker to connect to a device without any authentication. While you may not care if some criminal listens to your favorite Swedish Death-Metal band, this vulnerability could allow someone to access data on your cell phone. Most people have a lot of information and personal items on their phones, including passwords and photographs of family and friends – some of which you may not want to be published on the internet. Additionally, many laptops have a Bluetooth device that you may or not even be aware of.

Technology and the tools we use can be an incredible thing, bringing music, information, and instant communication to our lives. But that same technology can also expose us to more risks, dangers, and cause nightmares for people around the world.

For more information on these nightmares:

Share this page.