RegDOX Solutions

The Secure Data Room solution provider for Corporate, EAR, HIPAA, DFARS and ITAR compliance in the cloud.


Cybersecurity Maturity Model Certification (CMMC) Version 0.6 Arrives

November 15, 2019 By RegDOX Marketing

The Cybersecurity Maturity Model Certification (CMMC) Draft Version 0.6 is live and available here.

Draft version 0.6 includes CMMC Levels 1 – 3. Of note, “CMMC Levels 4-5 are not included in this release because public comments are still being addressed.” The updates to CMMC Levels 4 – 5 are expected to be provided in the next public release.

This draft is one step closer to the final version — CMMC 1.0.

The CMMC will be a new contractual requirement for all DoD contractors. The new certification requirement is intended to push defense contractors to strengthen their cybersecurity programs and standards. It will not be a self-attestation model, but rather a third-party certification and compliance model.

More in-depth analysis will follow!

Timeline

Draft version 0.4 was released for public comment in September 2019.

Draft Version 0.6 was released on Friday, November 8, 2019.

According to the CMMC website, “Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.”

More Information

For more information on the Cybersecurity Maturity Model Certification program and the upcoming November 19, 2019 CMMC Accreditation Body Kickoff Meeting in Arlington, Virginia, visit the CMMC website.


CREDIT: Colleen H. Johnson, Sera-Brynn


2019 – Cyber Security Summit: New York

September 30, 2019 By RegDOX Marketing

RegDOX Solutions Inc. is proud to be a silver sponsor at New York’s Cyber Security Summit USA on Oct 3rd 2019. Don’t miss the chance to check out a demo of our technology platform RegDOX, a patented online storage and collaboration solution that has redefined how export control documents and electronic files can be handled within regulatory requirements.

Join us at the summit, booth #7, to learn more about RegDOX Solutions.


EVENT : Cyber Security Summit: New York 2019

WHEN: Thursday, Oct 3rd 2019 from 7:45 AM – 6:00 PM EDT

WHERE: New York, NY

Registration Link : https://bit.ly/2oyfRM5


About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions. RegDOX’s first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Controls (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.

www.RegDOX.com


RegDOX Solutions Inc. Granted a US Patent for Its Cloud-based System To Secure and Exchange Export-controlled Data

September 5, 2019 By RegDOX Marketing

NASHUA, NH, Sept 04, 2019–(BUSINESS WIRE)–RegDOX Solutions Inc., the leading company for securing and exchanging documents and files in the cloud while complying with Federal regulations governing exports (ITAR/EAR), as well as those incorporated in NIST publication 800-171, today announced that the US Patent and Trademark Office had issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud (Patent No. 10,389,716).

RegDOX’s patented technology for permission-based storage of US export-controlled technical data confirms its ground-breaking and leading role in bringing the efficiency and flexibility of a cloud solution to solve the problem of allowing multiple members and locations to collaborate using controlled data while complying with the strict regulatory and licensing requirements of US export laws.

“I want to congratulate the RegDOX team for this effort,” stated William O’Brien, Chief Operating Officer of RegDOX Solutions and the named inventor on the patent.

He further said, “Following on the US State Department Directorate of Defense Trade Controls (DDTC) having issued a formal compliance opinion for this now patented solution, RegDOX is well-positioned to provide this off-the-shelf, unique, highly efficient and cost-effective solution to companies who want to ensure they are compliant while using the latest technology.”


About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® products and services include storage and data management services, as well as DFARS assessment services. Click here for a free trial and product demo today.

Contacts

Aarti Khurana
RegDOX.Sales@RegDOX.com
www.RegDOX.com
+1 603.651.0633


Secure Messaging 101: Use of Email for Regulatory Communications

August 28, 2019 By RegDOX Marketing

When it comes to industry regulations like ITAR and DFARS, the need for Secure Messaging is at the forefront of reaching and maintaining compliance. For the layman, Secure Messaging relies on a server-based approach that utilizes encryption standards. When a file or email is encrypted, it can only be read by someone who has the cryptographic key.

With end-to-end protection, the sender should also be equipped with a certificate that ensures the public key used belongs to the sender. This not only keeps e-mails safe from hackers, cyber-spies, and internal threats, but also provides proof of identity for those sending the e-mails.

Part of ITAR compliance entails that all phases of data transfer must be secure, including sending, routing, and receiving. Under ITAR, end-to-end encryption requires “uninterrupted cryptographic protection of data between an originator and an intended recipient, including between an individual and himself or herself.” Also, the “means to access the data in unencrypted form is not given to any third party, including to any Internet service provider, application service provider or cloud service provider.” Through Secure Messaging features, the cloud data is never decrypted or re-encrypted before the recipient accesses the data.

With the RegDOX Secure Data Room Solution, Secure Messaging is built within the data room platform to keep users compliant through an X.509 certificate, which includes:

  • Version – which X.509 version applies to the certificate (which indicates what data the certificate must include)
  • Serial number – the identity creating the certificate must assign it a serial number that distinguishes it from other certificates
  • Algorithm information – the algorithm used by the issuer to sign the certificate
  • Issuer distinguished name – the name of the entity issuing the certificate (usually a certificate authority)
  • Validity period of the certificate – start/end date and time
  • Subject distinguished name – the name of the identity the certificate is issued to
  • Subject public key information – the public key associated with the identity

These features sufficiently provide proof of authentication. Through utilizing end-to-end encryption as well as the X.509 certificate within the Data Room, users of the data room can maintain compliance through a fully customizable interface and ease-of-use.
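The seven fields listed above, read back from a certificate and then used for the proof-of-identity check this post describes, as an added example that is not RegDOX's code: it uses Go's standard crypto/x509 package, builds a constructed self-signed sender certificate with a hypothetical subject name so it runs offline, and verifies it against a trust anchor at a given time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary carries the seven X.509 fields the post lists.
type CertSummary struct {
	Version      int
	SerialNumber string
	SigAlgorithm string
	Issuer       string
	NotBefore    time.Time
	NotAfter     time.Time
	Subject      string
	PublicKeyAlg string
}

// makeSenderCert builds a constructed, self-signed sender certificate so the
// example runs offline; the subject is hypothetical (a real CA would sign it).
func makeSenderCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2019, 8, 28, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4201), // constructed serial number
		Subject: pkix.Name{
			CommonName:   "sender@example.com", // hypothetical sender identity
			Organization: []string{"Example Data Room Tenant"},
		},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(1, 0, 0), // one-year validity
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own issuer
	}
	// Template doubles as parent, so issuer == subject and the key signs itself.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// summarize parses DER and pulls out the fields named in the post.
func summarize(der []byte) (CertSummary, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	return CertSummary{
		Version:      cert.Version,
		SerialNumber: cert.SerialNumber.String(),
		SigAlgorithm: cert.SignatureAlgorithm.String(),
		Issuer:       cert.Issuer.String(),
		NotBefore:    cert.NotBefore,
		NotAfter:     cert.NotAfter,
		Subject:      cert.Subject.String(),
		PublicKeyAlg: cert.PublicKeyAlgorithm.String(),
	}, nil
}

// verifyIdentity is the check a recipient relies on for proof of identity: the
// certificate must be inside its validity period at time `at`, allow e-mail
// protection, and chain to trustedDER, the anchor the recipient already trusts.
func verifyIdentity(der, trustedDER []byte, at time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	trusted, err := x509.ParseCertificate(trustedDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

func main() {
	der, err := makeSenderCert()
	if err != nil {
		panic(err)
	}
	s, _ := summarize(der)
	fmt.Printf("%+v\n", s)
	fmt.Println("valid on 2019-09-01:", verifyIdentity(der, der, time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC)))
}
```

Note that an expired certificate fails the same check even though its signature is still mathematically valid; the validity period is part of the identity proof, not decoration.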

Here is a screenshot of what users receive in their inbox – they won’t receive the content of the message itself but a note saying “A message is awaiting you in a Secure Data Room”.

[Screenshot: Secure msg notification]

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

www.RegDOX.com


Uncle Sam Wants You — and Your DFARS Compliance

August 7, 2019 By RegDOX Marketing

Following rules of engagement is a common concept, but knowing the rules — and whether they really apply to one’s own business — is not always a common condition. The federal market can be especially confusing for smaller companies that may be delivering similar products or services to both civilian and military/defense/aerospace agencies.

If you know enough to ask about DFARS 252.204-7012 compliance, hold grants or contract awards subject to the provisions, or are contemplating entering the Department of Defense (DoD) market, you should at least be on the path to Defense Federal Acquisition Regulation Supplement (DFARS) compliance. By September 2020, meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration of an offeror’s cost, schedule, and performance qualifications.

Announced changes to federal procurement practices, particularly for DoD-related contracts, put into play provisions for supply chain security and resiliency based, in part, on the 2018 “Deliver Uncompromised” study from MITRE Corporation. Widely publicized leaks of government-funded intellectual property and other proprietary information have intensified concerns about the vulnerability of the defense industrial base (DIB), one of the 16 industry sectors defined by the Department of Homeland Security (DHS) as “critical infrastructure.” The Office of the Under Secretary of Defense for Acquisition & Sustainment notes on its website that DoD is “planning a series of engagements across the United States in order to solicit inputs and feedback from the [DIB] sector.”

Starting this year, the compliance model will begin to move from self-attestation (i.e., the current NIST SP 800-171 compliance model) to third-party validation in accordance with the new, five-level Cybersecurity Maturity Model Certification (CMMC). Presentations and discussions of the CMMC process and expectations are scheduled in 12 cities around the U.S. The intention is to release the Defense 5000 acquisitions document with updated RFP Sections L and M this summer, allow some costs related to compliance, and build out a CMMC center for cybersecurity education and training. Meanwhile, NIST SP 800-171 Revision 2 has also been published in draft form.

So how does a manufacturer navigate Uncle Sam’s growing emphasis on DFARS compliance? Here are questions existing and prospective manufacturers involved in DoD supply chains often ask, along with some actionable answers.

My organization is a federal vendor. Do I need to worry about cybersecurity?

Yes. The federal acquisition regulation (FAR) governs all federal government acquisitions and contracting procedures; DFARS is the special supplement for DoD-related contracts. The FAR Final Rule 52.204-21 on “Basic Safeguarding of Contractor Information Systems,” which became effective 15 June 2016, contains 15 controls that are considered the minimal baseline for federal contractors. These controls resonate with basic security objectives contained in NIST SP 800-171 Revision 2.

My organization is a Tier 3 supplier to the DoD, and the prime contractor is compliant with NIST SP 800-171. Does that mean my organization is covered?

No. NIST SP 800-171 requires that prime contractors “flow down” security control objectives to organizations within their supply chains. Primes must clearly mark information identified as Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) that is passed through their supply chain, and may provide secure project or work order communications platforms as well as training for their vendors. At present, organizations can self-attest to compliance.

How will compliance be verified?

DoD will develop an automated tool to assist in gathering data, simplify reporting requirements, and deploy DoD-accredited third-party auditors to verify a vendor’s appropriate security based on the data it handles. Cybersecurity will become an allowable expense in DoD contracts, meaning that the DoD may pay for cybersecurity in some instances.

What are the consequences of being out of compliance with DFARS?

Misrepresenting compliance with DFARS may result in work order termination, liability under the False Claims Act, and/or a contract action report (CAR) against your organization or the upstream prime.

Where can my organization go for additional information?

The NIST MEP Cybersecurity Self-Assessment Handbook explains the current NIST SP 800-171 security requirements. You can also use the MEP National Network online Cybersecurity Self-Assessment tool. Plus, your local MEP Center can offer further assistance in navigating the FAR and DFARS requirements and compliance process.

Rather than characterize the FAR and DFARS rules of engagement as unwelcome costs of doing federal business, organizations should consider them proactive measures to guard against a much broader range of risks that businesses face regardless of customer market. Such risks include the loss (or unintentional sharing) of intellectual property, vulnerability to ransomware, exposure of confidential employee information, and financial issues associated with business email compromise (e.g., fake invoices and fraudulent wire transfer requests). Cybersecurity simply helps control business risk!

CREDIT: Jennifer Kurtz, IndustryWeek


Will Defense Contractors Be Ready For CMMC?

August 5, 2019 By RegDOX Marketing

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June. It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020. By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020. That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

“Any timeline would seem ambitious. One that looks to have this in operation by 2020, it’s going to be difficult,” said Robert Metzger, a lawyer specializing in government contracts and commercial litigation and a consultant for MITRE focusing on supply chain security issues. “Naturally industry has a lot of questions about the mechanics…. Companies are understandably uncertain as to how these changes will affect what they’re doing, how they will demonstrate eligibility for contracts and what the costs might be upon their operations.”

High costs, confusing guidance and low return on investment have all been cited as reasons for compliance challenges among defense contractors. Traditionally, DOD has declined to cover the costs associated with implementing acquisition regulations related to cybersecurity for CUI, but that has slowly changed over the past 12 months as military contractors have faced unprecedented attacks from foreign-sponsored hackers.

Last year, then-Deputy Secretary of Defense Patrick Shanahan expressed reluctance on the part of DOD to help contractors cover added costs for cybersecurity, saying security should be a baseline expectation in contracts. However, at a Professional Services Council event earlier this month, Katie Arrington, special assistant to the assistant secretary of defense for acquisition, announced that the department would allow contractors to write off a portion of their cybersecurity spending for government contracts, including implementing NIST guidance.

Alan Chvotkin, executive vice president and counsel for the Professional Services Council, welcomed the shift, telling FCW that it would be contradictory for DOD to refuse to provide financial incentives around cybersecurity at the same time it has expressed a desire to expand the number of businesses that make up the defense industrial base.

Allowing contractors to write off a portion of their cybersecurity compliance activity is “an acknowledgement by the department that cybersecurity is not free,” he said.

“To be a smart businessman, let alone a contractor, you ought to undertake this [level of security], because our adversaries are stealing everything,” Chvotkin said. “On the other hand, [DOD] is trying to entice nontraditional companies and small companies who otherwise … might not see the need to incur such significant costs to reach the level that is expected as a contractor or subcontractor.”

Still, it’s not clear how DOD’s reimbursement policy will work, which contracts it would apply to or what percentage of a company’s costs would be covered. DOD is using the summer to conduct “roadshow” outreach sessions, sending officials across the country to meet with contractors, explain the new maturity model and take feedback from industry on the best way to structure the framework.

James Goepel, CEO and general counsel for the cybersecurity consulting firm Fathom Cyber, told FCW he has serious doubts as to whether many defense contractors will be ready by September 2020. For most companies, the associated costs are less about assets and technology and more about human resources, training employees and allocating the personnel to map out and formalize internal IT policies. Still, the potential for an initial shock to the federal contracting system is real.

“I do think that it’s going to hurt us in the short term from a product-availability perspective,” said Goepel, who also teaches cybersecurity at Drexel University’s Law and Business schools. “The government is going to miss out on stuff, and there are going to be companies that go out of business because of this. But in the end, I think that it may actually be a better thing for country, unfortunately.”

Metzger doesn’t go that far, but said he does believe one short-term effect of the framework could be that a certain percentage of companies end up exiting the federal contracting space. In particular, the impact might be hardest on small and medium-sized businesses — both subcontractors and primes — with fewer financial resources that have traditionally evaded the same level of scrutiny directed towards prime contractors. Still, Metzger said he expects most companies will shoot for a middle ground that balances cost with business opportunity.

“I think the short-term impact is that companies of all sizes are going to be looking at affordable, effective ways to improve their cybersecurity. Nobody knows exactly today what you will need to do to get a security rating score of [1-5],” Metzger said. “Very few companies are going to strive for a 5 … but very few are going to want to have only a 1. I’m thinking that many companies will be targeting their investments and actions to be sure that when the scoring method comes into place that they will get at least a 3.”

CREDIT: Derek B. Johnson, FCW


SMBs: How to Make Your Workforce Your Cybersecurity Protectors

July 25, 2019 By RegDOX Marketing

It’s tough for small-to-medium businesses (SMBs) to feel cyber-secure when there are newsworthy breaches that have hit major, household-name companies, affecting millions of customer records. Equifax (148 million customer records), JPMorgan Chase (83 million), Marriott International (500 million), Target (110 million), and Yahoo (3 billion) are just a few examples. The situation for SMBs is even worse: they are inherently limited, by comparison, in the amount of money, the number of employees and the kind of technology they can devote to cybersecurity. But that doesn’t mean SMBs are helpless.

When it comes to seeking protection from emerging cybersecurity threats, there are four key challenges that SMBs often run into:

  1. SMBs are very concerned about security but face constraints ranging from a lack of funds to in-house expertise.
  2. Because most SMBs lack sufficient cybersecurity staff, they need to rely on simple, but effective, security solutions.
  3. Attacks on SMBs continue to escalate, particularly phishing attacks, which often result in malware infecting their networks.
  4. Adding to the complexity of cybersecurity is the increased reliance by SMBs on new IT architecture with new services such as cloud computing and software-defined networks.

We dove into this particular topic further with our 2018 SMB IT Security Report. We found that as many as 80 percent of SMB operators we surveyed rank security as a top business concern for them. However, 52 percent of them share cybersecurity responsibilities across several people in their workforce. Only 27 percent have a dedicated security professional on staff, and only 17 percent of them contract with an outside vendor for cybersecurity.

Thankfully, there are several steps SMBs can take now to mitigate future problems and educate their employees on how they can be more cybersecurity aware when it comes to issues such as hacking, malware, phishing, and other threats. As it’s often said, employee training is the best first line of defense to protect the organization against breaches.

To focus your SMB’s attention on cybersecurity, here are five key steps to secure your organization’s network and future.

Email security

Though email is a critical system for you to communicate with your colleagues, customers, vendors and others, it’s also a key tool of cybercriminals. “Phishing” emails are designed to look legitimate but often contain malicious links or attachments designed to trick you into clicking them. Once you do, the attacker can gain access to your device to obtain your credentials, personal information or other critical information about your business. Further, the hacker can also gain access to any other devices on the same network, causing further damage. A high-profile example of this is the Target breach in 2013 that involved hackers getting into the retailer’s network via a trusted third-party vendor called Fazio Mechanical Services, which, once infiltrated, gave them access to Target’s servers. The hackers targeted the third-party vendor knowing they had a better chance of accessing their systems than Target’s directly.

Companies need to train employees — and others with access to the network — to be on the lookout for suspicious emails and to avoid being tricked into opening them.

Virtual Private Networks (VPN)

VPNs are designed to provide a safe and secure connection when people are communicating with the corporate network from remote locations. While VPNs ensure a secure connection between bilateral traffic on a corporate network, not all employers offer them. When employees use their own or work-provisioned devices over a public Wi-Fi network, such as at a coffee shop or an airport terminal, without a VPN, they can be vulnerable to a range of issues such as packet sniffing or man-in-the-middle attacks. Your employees need to be trained to avoid using public Wi-Fi without a VPN, particularly when it involves sharing sensitive company or personal information. Better yet, seek out VPN solutions to provide a secure connection to a safe network anywhere the device may roam.

Bring Your Own Device (BYOD)

When smartphones and tablets became popular, employees started using devices they bought for personal use in the workplace, causing employers to scramble to protect the network against promiscuous devices that could carry malware payloads.

To accommodate BYOD and secure your network, SMBs should adopt an Acceptable Use Policy (AUP) — just as enterprises do — that provides rules for what individuals can access when connecting to the network. Companies can also create a Captive Portal page, forcing users to agree to certain terms before accessing the network. Once accepted, the IT administrator can enforce rules and have visibility over what those devices are doing.

SMBs should also force all guest devices, and personally owned devices, to connect to a separate network that does not have access to the company’s critical data. This limits the impact in the event one of those devices is breached, protecting company data and minimizing the reach the hacker could have on other devices.

Antivirus and Anti-malware Solutions

It’s critical for your SMB to deploy technology on your network that protects against spam, malware and computer viruses. But this is not a set-it-and-forget-it solution. Cybercriminals are constantly changing their plan of attack and revising their formulae to outsmart security solutions. You may have heard the term “zero-day attacks,” which are cyberattacks that don’t match existing signatures. To keep up with these constant attacks, your malware or antivirus solution must be constantly monitored and upgraded as the threats change.

General Security Awareness

Besides all the specific policies and strategies we’ve mentioned so far, it’s important for your SMB to adopt cybersecurity as a core function of your organization just like sales, marketing, finance, product development and the like. You should consider conducting cybersecurity training and continuous testing to keep employees aware of the evolving tactics hackers are using. Adding basic cybersecurity hygiene and awareness training will pay dividends.

No organization is too small to risk being a target for cybercriminals. When it comes to cybersecurity, an ounce of prevention is worth a pound of cure. Start conversations early and often about what you can do to protect your business-critical systems and data. Otherwise, you risk losing not only time and money, but also the trust of your customers.

CREDIT: Dirk Morris, Smallbizdaily


The U.S. Loses Over $1.5 Trillion in a Decade of Data Breaches

July 3, 2019 By RegDOX Marketing

A decade’s collection of data breaches paints a bleak picture, with billions of records exposed in these incidents and financial damages of more than $1.6 trillion.

Data collected from public sources reveal that since 2008 there were close to 9,700 breach events in the U.S., involving more than 10.7 billion records, with an average cost calculated in 2018 at $148 per record.

Open-source info outlines sad situation

The information relies only on details made public by state-based sources and in media reports. The figures are likely conservative, as breach disclosure laws differ from state to state; in some cases, even notifying the individuals whose data was exposed is not required.

“Disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.” – New Jersey security breach disclosure act.

The details were compiled by researchers at Comparitech, who broke it down per state to determine the regions that were affected the most by data breach incidents. The data includes both a tally of the events and of the records exposed.

According to the report, California is the state with the most publicly documented breaches, and also one where consumer privacy is taken seriously. 1,493 incidents affected 5.59 billion personal records.

It is worth noting that California law requires a sample copy of the breach notice to be submitted to the Attorney General if more than 500 California residents are affected.

Taking second place is the state of New York. Comparitech found 729 data breach incidents that were publicly documented over the past decade. The records exposed this way amounted to 293 million.

Close behind is Texas, with 661 events and 288 million records exposed. Most of the personal information came from unauthorized access in 2011 to up to 250 million email addresses and names managed by the marketing company Epsilon. The firm acknowledged the intrusion.

As one may observe, the number of breaches and the number of records exposed do not always track each other. Data Comparitech collected for Oregon shows that the state suffered at least 157 data security incidents that exposed 1.37 billion records.

Most of the exposed records came from a faulty backup event in 2017 at River City Media (RCM), a spam operation posing as a marketing company. Researchers at MacKeeper said at the time that RCM was a spam factory “responsible for up to a billion daily email sends.”

As we mentioned before, the figures presented in Comparitech’s report are only a minimum. The researchers agree that the real numbers are higher as some breach reports do not disclose the number of records exposed; furthermore, the information “might be unknown or below the threshold imposed by the state,” or new details may emerge at a later date.

For instance, it was revealed this week that a phishing attack in January at the Department of Human Services (DHS) in Oregon impacted data belonging to 645,000 individuals. Although the attack was reported in March, the complete number of people impacted could only be roughly estimated at that time.

Comparitech makes available in an online document a complete list with publicly reported data breaches they found for each state.

CREDIT: Ionut Ilascu, Bleeping Computer

Filed Under: Blog Tagged With: breach, compliance, compliance regulations, control export, CUI, cyber security, data privacy, data security, ddtc, DFARS, DFARS compliance, DOD, dod contracts, ear compliance, export, export administration regulations, export control, export controls, export guidelines, federal government contracts, itar, itar compliance, itar compliant, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, microsoft azure, Nist, Phishing, RegDOX, regulated compliance, regulations, survey

Data Encryption 101: Keeping Your Files Secure In The Cloud

June 26, 2019 By RegDOX Marketing

When it comes to Controlled Unclassified Information (CUI) compliance, data encryption is always at the forefront of the conversation. Information must be protected both in transit and at rest.

Let’s begin with a little history. In 2001, the National Institute of Standards and Technology (NIST) published the Advanced Encryption Standard (AES) as FIPS 197. It is the symmetric cipher standard used across the US Government. AES works with 128-, 192- or 256-bit keys; “256-bit encryption” refers to the length of the key used to protect a data stream or file, and the key length sets the size of the search space an attacker with no other way in must explore.

If you are not aware of the dangers you are up against, how can you plan to defend against them? Saying you have an IT guy is not the solution. As the business owner, you must learn how to arm yourself properly. At RegDOX Solutions, we concentrate on technological solutions that reflect how electronic storage and collaboration can best be used by a company, and the cyber-security risks of any such use. Customer data is protected with 256-bit Advanced Encryption Standard (AES) encryption. But what exactly does that mean?

What this means is that an attacker who tries to brute-force the key faces 2^256 possible keys, which is infeasible even for the world’s fastest computers. Note that encryption keeps unauthorized users, including IT service providers and administrators, away from the data only when they cannot reach the key as well; key management is what makes that guarantee hold, and it is what makes the system compliant. All data transmission between the client and the server (document upload and download, viewing of content) is likewise protected with 256-bit encryption. So, while your data at rest on the server is protected with 256-bit AES, RegDOX Solutions also protects your data in transit using TLS (Transport Layer Security, the successor to SSL, Secure Sockets Layer, and still commonly called by that name) with a 256-bit cipher. TLS encrypts data as it crosses the connection, keeping sensitive data unintelligible to anyone observing the traffic.

Secure links to documents can be sent to licensed users of the platform as well as to external users, i.e. third parties who are not part of a client’s group of authorized, full-function users. When a document is sent to an external user via the RegDOX Secure Data Room, a time-limited link to the item is sent; after the link expires, the external party can no longer access the document. Secure, traceable delivery of documents is achieved and recorded in a tamper-proof audit trail. Not only are all user actions and all events involving documents and other files kept in a non-editable, permanent record, but RegDOX clients can also choose the events for which they want immediate notification. These alerts help identify a possible breach promptly so that remedial action can be taken quickly. For more information, get in touch with RegDOX Solutions and schedule a demo today.

About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.

www.RegDOX.com

 

Filed Under: Blog Tagged With: #AES, #encryption, compliance, compliance regulations, control export, CUI, cyber security, data privacy, data security, ddtc, DFARS, DFARS compliance, DOD, dod contracts, ear compliance, encryption at rest, encryption in transit, export, export administration regulations, export control, export controls, export guidelines, federal government contracts, itar, itar compliance, itar compliant, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, Nist, RegDOX, regulated compliance, regulations

Six Cybersecurity Tips Every Business Owner Should Know In 2019

June 19, 2019 By RegDOX Marketing

For large organizations with deep pockets, an information security breach is an expensive and embarrassing debacle whose ramifications can last years. But for small and medium-sized businesses (SMBs), a severe incident could mean the end of their business entirely. Centered around people, processes and technology, there are steps organizations of any size can and should take to protect themselves and their clients.

According to Global Market Insights (registration required), the cybersecurity industry was worth over $120 billion at the start of 2017, and it grows by the minute as more frequent and more sophisticated attacks are reported. With data breaches in large corporations and government agencies getting the most attention in the press, it would be easy to think that a smaller company doesn’t have much to worry about. Unfortunately for many SMBs, the growing number of security attacks says something very different.

In 2018, SMBs were the target of 43% of cyber attacks, according to the small business mentor group SCORE. Often, hackers use smaller, more vulnerable companies as a way into larger targets that they do business with. This can ruin the smaller organization’s reputation and its ability to partner with other businesses in the future.

It’s not all bad news, though. Most attempted security breaches can be thwarted with some planning, vigilance and basic precautions. Here are some tips that you can follow as a business owner to get the most out of your information security efforts:

1. Bake security into your systems and software.

Security shouldn’t be an add-on or an afterthought, but rather a fundamental part of your organization’s information assets from the outset. It should be part of the foundation of both end-user product design and internal system architecture. Whenever feasible, your systems should be secure by design, following (among other practices) the “principle of least privilege,” where system users only have the access rights needed to do their jobs. It’s never too late, though, to beef up your existing systems. From minor tweaks to total redesigns, it’s worth the effort to protect your company’s assets and reputation.

2. Embed cybersecurity in your company’s culture.

Unfortunately, even the most secure systems in the world have one Achilles’ heel: people. People are almost always the weak link in the chain when it comes to cybersecurity. Whether due to a lack of awareness or an unwillingness to follow security practices, one non-compliant employee can potentially render all of your security efforts useless. For SMBs without the capital to recover from a major incident, everyone’s jobs are on the line. Training and frequent refreshers are critical, but you should also strive to embed good cybersecurity into the culture of your organization by setting a good example at the management level, as well as emphasizing best practices in all aspects of your operations. Employees should not only be trained on what to do but also why they are doing it. It’s important to remind them of the consequences of a data breach.

3. Plan your incident and disaster response.

Part of being proactive is being ready in the unfortunate event of a cybersecurity incident, or a disaster (natural or man-made) that compromises your systems. No organization’s information security strategy is complete without formal, in-depth incident management and response plans, as well as a disaster recovery plan (DRP). Although your IT department is not typically your cybersecurity team, it is closest to your systems and often at the tip of the spear in the event of an incident. They should be prepared, both through training and through involvement in response planning, to work closely with cybersecurity experts during response and recovery. Consider including other departments as well in your response and recovery procedures — and hold mock incidents or drills to prepare everyone for their role.

4. Monitor and patch your security.

Hackers can, and do, strike from anywhere at any time. Constant network monitoring is critical for not only detecting and potentially thwarting attacks but also for fast and effective recovery from a breach. Network monitoring software produces event logs that help your security team identify where and how hackers are focusing their efforts. Part of this constant vigilance is to consistently update and maintain the latest versions and security patches of all software on your systems. Software patches shore up known vulnerabilities — servers with out-of-date software become easy prey for opportunistic hackers who are always on the lookout for such an opportunity.

5. Think like a bad guy.

Securely designed systems can still have vulnerabilities. Hackers always seem to be a step ahead of both law enforcement and information security professionals, but they also prefer to take the path of least resistance. They are constantly probing their targets for weaknesses and waiting for their moment to strike. You don’t want cybercriminals to be the first to discover a vulnerability that compromises your business, partners or customers. By taking a proactive security approach — with thorough penetration testing — you can use the same tools as malicious hackers, beating them to the punch by finding and closing security gaps in your systems.

6. Get an external view of your current security posture.

Large, prominent companies can afford to throw substantial amounts of money at cybersecurity, often employing a Chief Information Security Officer (CISO) and other support personnel to handle all aspects of cybersecurity. Despite recognizing the importance of information security, not all organizations can afford or even need to have the expertise in-house. Consider getting a third party to assess your cybersecurity needs and help you determine what threats and vulnerabilities your SMB faces or could face as you grow. With this information, you’ll be best equipped to make decisions regarding how to proceed in protecting yourself.

The bottom line is that smaller organizations can no longer afford to put information security on the back burner — the risks are too real and the stakes are too high.

CREDIT: Jaime Manteiga, Forbes

Filed Under: Blog Tagged With: compliance, compliance regulations, control export, CUI, cyber security, data privacy, data security, ddtc, DFARS, DFARS compliance, DOD, dod contracts, ear compliance, export, export administration regulations, export control, export controls, export guidelines, federal government contracts, itar, itar compliance, itar compliant, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, microsoft azure, Nist, Phishing, RegDOX, regulated compliance, regulations, scammers

What is ITAR and Why is it Important?

June 12, 2019 By RegDOX Marketing

The International Traffic in Arms Regulations (ITAR) are a mandatory set of rules administered by the State Department’s Directorate of Defense Trade Controls (DDTC). They govern defense articles, defense services and related technical data on the United States Munitions List, and bear most heavily on companies that export such products or information outside the United States.

The rules can be complicated, and getting them wrong can expose your company to varying degrees of civil and criminal penalties. Compliance is not a one-time exercise: your business must also stay current with amendments and updates to the ITAR. Keep in mind that ITAR controls are not limited to the shipment of physical goods; they also cover technical data, sensitive files and CUI documents, and releasing such data to a foreign person, even inside the United States, counts as an export.

With each ITAR violation comes a risk for heavy penalties and fines. The DDTC expects all exporters of defense commodities to be organizationally sound and resourceful enough to ensure all the standards that the ITAR requires.

What are the penalties?

Because of the nuances of export compliance, small and medium-sized enterprises (SMEs) are most at risk. Companies handling ITAR-controlled data are monitored by the State Department, which partners with other government agencies to enforce export control laws. The State Department takes ITAR violations very seriously, with criminal violations reaching $1 million in fines and 10 years’ imprisonment. Civil penalties, which are much more common, can reach millions of dollars. Even large companies that can absorb such fines may also face debarment, which bars the company from government contracts and from working with companies that hold them.

What if you fail to comply?

Communication is key when it comes to avoiding fines from the DDTC. Willful failure to comply with the ITAR draws the highest fines and penalties. Being prepared also goes a long way: if your company becomes aware of an ITAR compliance issue, there should be a process in place that lets your company report it to the DDTC.

What if you make a mistake?

When working with ITAR-controlled material, mistakes can happen through simple human error; given the scope of the regulations, this can affect companies of any size. The DDTC may consider leniency under the right circumstances. The ITAR provides for voluntary disclosure: by being forthcoming about mistakes and presenting a solid corrective action plan, fines and penalties may be reduced or eliminated.

Why honesty is important to compliance.

Given the nature of the ITAR, it is in your company’s best interest to be fully honest. Misrepresenting or withholding pertinent information can draw the same penalties as the underlying non-compliance. You can prevent this by taking a thorough approach to compliance and ensuring that all relevant information is disclosed.

What can you do to avoid a violation?

Regulations will continue to grow more complex in response both to attacks on cloud-based storage by bad actors and to lax security practices by those using and providing cloud services. But if you value your export business and the thought of heavy penalties scares you (it should), don’t gamble on ITAR non-compliance. Intentionally or not, there is a lot to lose by violating export regulations (ITAR/DFARS). A single avoidable infraction can put you and your business in real trouble.

Take the step to secure your business and prevent future dilemmas by partnering with an ITAR-compliant secure data room solution provider like RegDOX, so you can focus on what’s important: your business! We at RegDOX have been innovative in responding to new and revised cyber-security regulations and have provided our customers with solutions inventive enough to warrant patent protection, meeting and exceeding entirely justifiable regulatory requirements. Configurable, affordable, and backed by a “DDTC-reviewed” advisory opinion for ITAR compliance: what’s not to love? Get started now – https://www.regdox.com/contact/

 


Filed Under: Blog Tagged With: compliance regulations, control export, CUI, cyber security, data privacy, data security, ddtc, DFARS, DFARS compliance, dod contracts, export administration regulations, export control, export guidelines, federal government contracts, itar, itar compliance, itar compliant, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, Nist compliance, operator shielding, protocol, regulations, What is ITAR

N.S.A. Denies Its Cyberweapon Was Used in Baltimore Attack, Congressman Says

June 5, 2019 By RegDOX Marketing

BALTIMORE — A Maryland congressman said on Friday that the National Security Agency had denied that one of its hacking tools, stolen in 2017, was used in a ransomware attack on Baltimore’s government that had disrupted city services for more than three weeks.

The statement, made by Representative C.A. Dutch Ruppersberger, came in response to an article in The New York Times last weekend. The Times was told by people directly involved in the investigation in Baltimore that the N.S.A. tool, EternalBlue, was found in the city’s network by all four contractors hired to study the attack and restore computer services.

Investigators are still trying to determine the exact chronology of the attack. The leading theory is that hackers broke in through an open server in Baltimore’s network, installed a back door and then used EternalBlue to move across the city’s computers searching for valuable servers to infect, said the people involved in the investigation.

This week, the contractors discovered an additional software tool, called a web shell, on Baltimore’s networks. They believe the web shell may have been used in conjunction with EternalBlue and another hacking technique known as “pass-the-hash,” which uses stolen credentials, to spread the ransomware.

The people involved in the investigation spoke to The Times on the condition of anonymity because they were not authorized to discuss it on the record.

N.S.A. officials are naturally sensitive to reports of continuing damage done by their hacking tools, stolen and released on the internet in 2017 by a still-unidentified group calling itself the Shadow Brokers. EternalBlue and other N.S.A. tools were used in attacks by North Korea and Russia later that year that caused billions of dollars in damage to corporations and governments around the world.

More recently, according to cybersecurity experts, EternalBlue has turned up in attacks on local governments in the United States, which often use aging equipment and fail to keep their software up to date. A patch issued by Microsoft in March 2017 (MS17-010), but apparently never installed in Baltimore, should have made Windows secure against EternalBlue.

An N.S.A. spokesman declined to comment on the congressman’s statement or the Times article, which was published online on Saturday. A spokesman for Baltimore’s mayor’s office also said he could not comment on the continuing investigation.

Mr. Ruppersberger, a Democrat whose district includes the N.S.A.’s Fort Meade campus south of Baltimore, said in his statement that he had been briefed by “senior leaders” of the N.S.A. They told him that “there is no evidence at this time that EternalBlue played a role in the ransomware attack affecting Baltimore City.”

He added: “I’m told it was not used to gain access nor to propagate further activity within the network.”

The statement did not explain how N.S.A. learned the details of the forensic investigation in Baltimore, which is being carried out by the private contractors. The Federal Bureau of Investigation has also opened an inquiry but has not commented publicly on any findings.

The N.S.A. routinely hunts for security flaws in widely used software and uses them to penetrate foreign computer networks and gather intelligence. It used EternalBlue for such spying for at least five years before the Shadow Brokers stole the tool and posted it on the web to be grabbed and used by foreign states and criminal hackers.

“Our country needs cybertools to counter our enemies, including terrorists, but we also have to protect these tools from leaks,” Mr. Ruppersberger said. “We can’t ignore the damage that past breaches have done to American companies and, possibly, American cities. Now our focus should be on Baltimore’s recovery.”

Some former N.S.A. officials have suggested that Baltimore bears some responsibility for the attack, because it evidently had not installed updates to Windows that might have kept its system safe. But Mr. Ruppersberger said “the reality is that patching can be hard and requires resources that many municipalities don’t have.”

He said he thought the federal government “needs to do more to help municipalities better protect their networks.”

CREDIT: Scott Shane and Nicole Perlroth, The New York Times

Filed Under: Blog Tagged With: compliance, compliance regulations, control export, CUI, cyber security, data privacy, data security, ddtc, DFARS, DFARS compliance, DOD, dod contracts, ear compliance, export, export administration regulations, export control, export controls, export guidelines, federal government contracts, itar, itar compliance, itar compliant, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, microsoft azure, Nist, Phishing, RegDOX, regulated compliance, regulations, scammers

Microsoft Tech Support Scams Invade Azure Cloud Services

May 29, 2019 By RegDOX Marketing

(Screenshot: Azure tech support scam)

Tech support scams have always been a problem, but they typically were located on small web hosting services throughout the world. Researchers have now observed these scams increasingly moving towards the Microsoft Azure cloud platform for ease of deployment and inexpensive web hosting.

Microsoft Azure has a feature called App Services that allows you to quickly and easily mass-deploy web sites to the cloud. When a web site is deployed in Azure this way, it is hosted under the azurewebsites.net domain with a name like my-app-name.azurewebsites.net.

(Screenshot: App Services in the Azure Portal)

As an example of bad actors utilizing Azure services, since May 10th, security researchers MalwareHunterTeam and JayTHL have discovered close to 200 web sites hosted on the Azure App Services platform that were displaying tech support scams.

(Embedded tweet from MalwareHunterTeam)

When these sites were found, JayTHL has been reporting them to Microsoft using their abuse API. Unfortunately, due to the overwhelming amount of abuse reports Microsoft receives, these links can stay active for 4-5 days before Microsoft shuts them down.

This gives the scammers plenty of time to create new Azure accounts and mass deploy another batch of web sites to display tech support scams.

Mostly Apple and Microsoft tech support scams

When BleepingComputer examined some of the URLs shared by MalwareHunterTeam with us, we saw that all of these scams were pretending to be support sites for Microsoft and Apple.

When users visit these sites, JavaScript checks whether the browser is running on Windows or macOS based on the browser’s user agent string. If the user agent contains the string ‘Mac’ it redirects the user to a Mac tech support scam; otherwise it displays a Windows one.

(Screenshot: tech support scam source code)

Below are various tech support scams being pushed by these sites. All of them pretend to be an alert from Microsoft or Apple that states your computer is infected with spyware or a virus.

(Screenshot: Microsoft tech support scam 1)
(Screenshot: Microsoft tech support scam 2)
(Screenshot: Microsoft tech support scam 3)
(Screenshot: Mac tech support scam)

One consequence of hosting on Azure is that every site is served over HTTPS with a certificate issued by Microsoft for the azurewebsites.net domain. The padlock can make some users believe they are on a legitimate site owned and operated by Microsoft, when in fact the certificate only proves that the connection to that hostname is encrypted and terminates on Microsoft’s platform; the content belongs to whichever tenant registered the subdomain.

(Screenshot: Microsoft certificate)

Many of these scam sites also utilize techniques to lock up the browser or prevent you from leaving the site. Therefore, to close these scams you typically have to close the tab, and if not possible, the browser process itself.

Phishing too

In addition to tech support scams, phishing sites are moving to Azure cloud services as well. As you can see below, a fake Microsoft account login screen is being hosted on azurewebsites.net.

(Screenshot: phishing site on azurewebsites.net)

Azure App Services is not the only Azure service being used to host phishing scams. Scammers are also utilizing Azure Blob Storage to store their phishing scams.

(Screenshot: Azure Blob Storage scam)

Sites hosted on Blob Storage use the hostname <storage-account>.blob.core.windows.net and likewise benefit from a Microsoft-issued certificate.
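The practical lesson of the two paragraphs above (a Microsoft certificate on azurewebsites.net or blob.core.windows.net vouches for the connection, not for the operator) can be turned into a small triage check. The following is an added example, not code from the article or from BleepingComputer; the suffix list, the brand-word list and the sample URLs are assumptions chosen for illustration.

```python
"""Triage helper for links that sit on a cloud provider's tenant subdomain.
Added example; the suffix list and brand words are assumed, not from the article.
The point it encodes: a valid certificate for *.azurewebsites.net proves the
connection is encrypted and terminates at Microsoft's platform; it says
nothing about who deployed the content behind the tenant label."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Parent domains under which any tenant can claim a label (assumed, illustrative list).
TENANT_SUFFIXES = (
    "azurewebsites.net",       # Azure App Service
    "blob.core.windows.net",   # Azure Blob Storage
)
# Words in the tenant label that suggest brand or support impersonation (assumed list).
BRAND_WORDS = ("microsoft", "apple", "support", "login", "security", "alert")


def tenant_host(url: str) -> Optional[Tuple[str, str]]:
    """Return (tenant_label, provider_suffix) when the URL's host is a tenant
    subdomain of a listed provider domain, otherwise None.

    urlsplit().hostname strips userinfo, port and case, so a trick such as
    https://microsoft.com@evil.azurewebsites.net/ resolves to the real host.
    The bare provider domain itself (no tenant label) is not flagged."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = (parts.hostname or "").rstrip(".")
    for suffix in TENANT_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -(len(suffix) + 1)], suffix
    return None


def triage(url: str) -> str:
    """Classify a link for a phishing-triage queue."""
    info = tenant_host(url)
    if info is None:
        return "not-tenant-hosted"
    label, suffix = info
    if any(word in label for word in BRAND_WORDS):
        return f"tenant-hosted-brand-lookalike:{label}.{suffix}"
    return f"tenant-hosted:{label}.{suffix}"


if __name__ == "__main__":
    # Constructed sample links, not URLs from the article.
    for sample in (
        "https://my-app-name.azurewebsites.net/",
        "https://microsoft.com@Evil.AzureWebsites.NET:443/login",
        "https://microsoft-support-alert.azurewebsites.net/",
        "https://acct.blob.core.windows.net/$web/index.html",
        "https://www.microsoft.com/",
    ):
        print(f"{sample:60} -> {triage(sample)}")
```

The check deliberately keys on the hostname rather than on the certificate: the certificate will always be valid for these hosts, so it carries no signal. A lookalike label is a hint, not proof; a clean label such as my-app-name is still tenant-hosted and should be treated as untrusted content.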

CREDIT: Lawrence Abrams, Bleeping Computer

 

Filed Under: Blog Tagged With: azure, compliance, compliance regulations, control export, CUI, cyber security, data privacy, data security, ddtc, DFARS, DFARS compliance, DOD, dod contracts, ear compliance, export, export administration regulations, export control, export controls, export guidelines, federal government contracts, itar, itar compliance, itar compliant, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, microsoft azure, Nist, Phishing, RegDOX, regulated compliance, regulations, scammers

How Operator Shielding Keeps Your CUI and ITAR Data Safe

May 16, 2019 By RegDOX Marketing

When evaluating a secure data room cloud vendor, trust is a crucial prerequisite, beyond the obvious need for a company’s data to be in safe hands. Any organization moving its CUI to secure cloud-based storage wants a vendor that maintains a culture of risk-based security innovation, keeps up with emerging cyber threats and leaves the customer in control of its workload.

Operator shielding is meant to provide that trust. It is a next-generation feature that keeps clients’ data out of reach of attackers and insiders alike: it protects confidential documents from being accessed by either internal or external IT administrators through a complete separation of application and systems administration duties.

Coupled with an integrated two-person approval process for all security-related administration functions, the data becomes far better insulated against malicious action. No single administrator can act alone, which provides a natural defense against breaches, reverse engineering and tampering and keeps your confidential files accessible only to you.

RegDOX is always looking for new ways to enhance security and provide the best possible platform for clients. The RegDOX Secure Data Room implements operator shielding in a specific way. At the base level, it relies on the cloud provider (AWS) to control the traffic that reaches the operator’s servers. The operator’s own software is then built so that the contents of a Data Room are inaccessible to anyone but the customer’s authorized users, the operator included.

Under operator shielding, the provider (operator) retains only these functions:

  • System monitoring
  • Configuration & application monitoring
  • Data room backup / restore
  • NO Access to data rooms

At the other end, the customer’s own administrators manage all security settings, licenses and storage.

With this consistent separation between operator and user-end IT admins, you are in complete control of who sees your documents, regardless of who they are. This is just one of the many core features that the RegDOX Secure Data Room offers to keep you ahead of the curve and compliant.
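The two-person approval rule mentioned above is a separation-of-duties pattern that is easy to get subtly wrong (self-approval, re-execution, stale requests). Below is an added illustration of the pattern, not RegDOX’s implementation; the administrator names, the action strings and the 15-minute expiry are assumptions.

```python
"""Two-person approval for security-sensitive admin actions (separation of duties).
Added illustration of the pattern the article names; not RegDOX's own code. The
admin names, action strings and the 15-minute expiry are assumptions."""
import itertools
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


class ApprovalError(Exception):
    """Raised when a request is denied; the reason is also written to the audit log."""


@dataclass
class Request:
    id: int
    action: str
    requested_by: str
    created_at: float
    approved_by: Optional[str] = None
    executed: bool = False


class TwoPersonGate:
    def __init__(self, admins: Set[str], ttl_seconds: float = 900.0,
                 clock: Callable[[], float] = time.time):
        self.admins = set(admins)
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._ids = itertools.count(1)
        self.requests: Dict[int, Request] = {}
        self.audit: List[Tuple] = []  # append-only record of every decision, denials included

    def _require_admin(self, who: str) -> None:
        if who not in self.admins:
            self.audit.append(("denied-not-admin", who))
            raise ApprovalError(f"{who} is not a security administrator")

    def request(self, actor: str, action: str) -> int:
        """Stage an action; nothing runs until a different admin approves it."""
        self._require_admin(actor)
        rid = next(self._ids)
        self.requests[rid] = Request(rid, action, actor, self.clock())
        self.audit.append(("requested", rid, actor, action))
        return rid

    def approve(self, approver: str, rid: int, execute: Callable[[str], None]) -> None:
        """Approve and execute; fails closed on self-approval, re-execution and expiry."""
        self._require_admin(approver)
        req = self.requests.get(rid)
        if req is None:
            raise ApprovalError("unknown request")
        if req.executed:
            self.audit.append(("denied-already-executed", rid, approver))
            raise ApprovalError("request already executed")
        if self.clock() - req.created_at > self.ttl:
            self.audit.append(("denied-expired", rid, approver))
            raise ApprovalError("request expired")
        if approver == req.requested_by:
            self.audit.append(("denied-self-approval", rid, approver))
            raise ApprovalError("requester cannot approve their own request")
        req.approved_by, req.executed = approver, True
        self.audit.append(("approved", rid, approver))
        execute(req.action)   # only reachable with two distinct admins on record


def demo() -> List[str]:
    """Drive the gate with a fake clock; returns the actions that actually ran."""
    now = [1_000.0]
    gate = TwoPersonGate({"alice", "bob"}, ttl_seconds=900, clock=lambda: now[0])
    ran: List[str] = []
    rid = gate.request("alice", "disable-mfa-for:carol")
    try:
        gate.approve("alice", rid, ran.append)      # self-approval: denied
    except ApprovalError:
        pass
    gate.approve("bob", rid, ran.append)            # second person: executes
    rid2 = gate.request("bob", "export-audit-log")
    now[0] += 901                                   # let the second request expire
    try:
        gate.approve("alice", rid2, ran.append)     # expired: denied
    except ApprovalError:
        pass
    return ran


if __name__ == "__main__":
    print(demo())
```

The important design choices are that the privileged operation is only reachable from inside approve(), after every check has passed, and that every denial is logged with its reason; a gate that silently drops a self-approval hides exactly the insider activity the audit trail exists to surface.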

 


Filed Under: Blog Tagged With: compliance regulations, control export, CUI, cyber security, data privacy, data security, ddtc, DFARS, DFARS compliance, dod contracts, export administration regulations, export control, export guidelines, federal government contracts, itar, itar compliance, itar compliant, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, Nist compliance, operator shielding, protocol, regulations, shielding, zero knowledge encryption, zero knowledge proof, zero knowledge protocol

Why You Should be Using a Multi-Factored Authentication Process

March 27, 2019 By RegDOX Marketing

One of the biggest challenges IT professionals face today is the ever more urgent need for tight security. Services struggle to keep up with an increasingly globalized network of clients, customers and stakeholders, and with this challenge comes the risk of a data breach. After several very high-profile data breaches in recent years, the public at large has legitimate concerns over how safe its information is online.

Hackers and data thieves now target not only large corporations but also private individuals and small businesses. In fact, 31 percent of all targeted attacks are aimed at small businesses, which are not as well insured as larger firms. It is wise, then, to take a good hard look at how to approach security when running a website.

You may have noticed in the past year that web services such as Google and Facebook now rely on more than a simple password login. Increasingly, websites are turning to Multi-Factor Authentication (MFA) to ensure their customers' data is well protected.

Here are a few reasons why.

Stronger Security

MFA combines at least two independent types of factor: something you know (a password), something you have (a mobile device or hardware token that produces or receives a one-time code), and something you are (a biometric such as voice or fingerprint recognition). It boils down to one basic premise: an attacker who has stolen the password still cannot log in without also holding the second factor, which only the legitimate user can provide.

“In the past, users have traditionally relied on passwords alone,” writes Benjamin D Stephenson, author at Academized and Revieweal. “But increasingly, as data becomes more widespread and hackers use more advanced AI, these passwords can be decrypted quite rapidly. Often this has left users wide open to attack, without ever even seeing it coming.”

To counter this, the data security industry has used emerging technology to add further steps to the login process. With widespread access to mobile devices, an integrated approach to logging in has taken hold. In addition, as voice, facial and fingerprint recognition has advanced, so too has the ability of web technologies to identify the unique traits of a user.

Protection against malicious software

It is important to recognize not just your own website's need for a multi-factor approach to logging in, but also to actively promote it in the wider world. Much as with biological viruses, a user who takes a laid-back approach to their own cyber-security runs the risk of becoming a danger to the data they interact with.

“When a breach takes place and malicious software is installed, web security in general is compromised,” writes Carl Higginson, security content writer at Boomessays and UKWritings. “Anti-virus software and firewalls are very good at combatting malicious attacks, but when encryption is breached, this provides a backdoor for such attacks. Promoting good data practice carries the benefit of ‘herd immunity’ against virus software.”

Greater trust in websites providing MFA

Knowing the above, many web users are increasingly wary of web services that do not use up-to-date security measures. Showing your users that you provide multi-factor authentication lends credibility to your security practices and presents your business as a hard target for malware and data attacks.

The internet as a whole has become susceptible to destructive cybercriminals, who not only steal data but manipulate or destroy it, some even using it to promote hostile ideologies. For this reason, users look to authentication to validate trust in secure web services.

Ease of Use

Finally, for many users, passwords have been a bit of a pain. Remembering or refreshing passwords in ever more inventive ways leaves a trail of passwords which, if discovered by cybercriminals, can open a user up to attacks.

A multi-factor authentication process, using mobile devices and recognition technology, simplifies logging in and gives users access without tempting them to write their passwords down.

 

CREDIT: Chloe Bennet, PaymentsJournal

Filed Under: Blog Tagged With: authentication, compliance, compliance regulations, control export, ear compliance, export, export control, export controls, export guidelines, itar, itar compliance, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, MFA, Multi-factor authentication, regulations

ITAR Technical Data – Infographic

March 20, 2019 By RegDOX Marketing

RegDOX’s ITAR solution is dedicated to U.S.-incorporated and U.S.-based customers seeking to achieve ITAR compliance. This infographic provides a guide to assessing your security needs and shows how RegDOX can help you stay compliant. Bring your ITAR technical data safely into the cloud with our first-to-market certified ITAR-compliant data room solution. For more information, contact us today.

[Infographic: ITAR Technical Data]

Filed Under: Blog Tagged With: compliance, compliance regulations, control export, ear compliance, export, export control, export controls, export guidelines, itar, itar compliance, itar compliant, itar export, itar export control, itar policy, itar procedure, itar program, itar regulations, regulations, What is ITAR

CONTACT US
+1.603.589.4830
RegDOX.Sales@RegDOX.com
One Tara Blvd. Suite 300
Nashua, NH 03062 USA

Copyright © 2019 - RegDOX Solutions Inc. - All Rights Reserved