Cybersecurity Saturday

Inside Cybersecurity provides useful legal perspectives on the Defense Department’s recent changes to its Cybersecurity Maturity Model Certification program for defense contractors.

The evolution of DOD’s Cybersecurity Maturity Model Certification program reflects a response to concerns from the defense industrial base, according to attorneys, who said recent major changes show the Pentagon is taking into account pre-existing mechanisms for contractor compliance with cyber standards and is considering how the program can be implemented effectively.

CMMC 2.0 consolidates DOD’s cyber certification effort into three levels and relies heavily on NIST publications 800-171 and 800-172. The extra 20 controls in level two (formerly level three) are removed from the new model along with maturity processes.

Attorneys surveyed by Inside Cybersecurity questioned whether the Pentagon’s decision to walk back the CMMC model to align with the 110 controls in NIST 800-171 for level two is an effective approach and where things stand with assessment organizations who have been preparing to conduct assessments since the first version of the maturity model debuted in early 2020.

Check it out.

In Security Week, cybersecurity consultant Torsten George reflects on the recent Cybersecurity Awareness Month.

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment. Ultimately, hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials.

The reality is that many breaches can be prevented using some basic cyber hygiene tactics, coupled with a Zero Trust approach. Yet most organizations continue investing the largest percentage of their security budget on protecting their network perimeter rather than focusing on security controls which can actually effect positive change to protect against the leading attack vectors: credential abuse and endpoints serving as main access points to an enterprise network.

And, as usual, Bleeping Computer's The Week in Ransomware is chock full of news:

This week, law enforcement struck a massive blow against the REvil ransomware operation, with multiple arrests announced and the seizure of cryptocurrency.

On Monday, the US Department of Justice, Europol, and Interpol announced arrests of REvil affiliates and members in Kuwait and Romania. The FBI also announced the arrest of the REvil affiliate behind the July Kaseya attack that encrypted over 1,500 organizations.

In addition, the US announced that $6 million in ransom payments was seized from the REvil ransomware operation.

This week, the other big news is a massive attack on the European electronics retailer MediaMarkt by the Hive Ransomware operation.

What's more, Krebs on Security reports that

The Federal Bureau of Investigation (FBI) confirmed today [November 13] that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.