
Netizen Cybersecurity Bulletin (October 24th, 2024)

Overview:

  • Phish Tale of the Week
  • SEC Fines Four Companies for Misleading Disclosures in SolarWinds Hack
  • CMMC 2.0 Program: Key Timeline for Defense Contractors
  • How can Netizen help?

Phish Tale of the Week

Oftentimes, phishing campaigns created by malicious actors target users through social engineering. In this email, for example, the actors pose as a university professor, Professor Johan H Enslin. The message tells us that they are seeking a research assistant to support their project and that no previous experience is required. It seems both urgent and genuine, so why shouldn’t we send them our information? Luckily, there are plenty of reasons that point to this being a scam.

Here’s how we can tell not to fall for this phish:

  1. The first warning sign for this email is the sender’s email address. While the messaging tells you they are a professor, the sender tells a different story: “profjohanhenslin@gmail.com” is very clearly not a professor from a university like they want you to believe. Professors sending email in this way will almost always use their .edu email address.
  2. The second warning sign in this email is the messaging. The email seems almost too good to be true: remote work, a healthy weekly stipend, flexibility, everything a college student could want. If an email seems too good to be true, it probably is. Scams like this that target college students will commonly ask for your cell phone number or other personal information in an attempt to harvest PII from you.
  3. The final warning we have, and probably the easiest way to clock this as 100% a phishing email, is the signature. If we weren’t already convinced that the sender isn’t Professor Henslin, the signature tells us itself. Uygar Abaci, also without a .edu email, is now the one sending this to us. Perhaps the cybercriminal thought that adding two professors in the email would add credibility. In all seriousness, inconsistencies like this are by far the easiest way to detect a phishing email, and this final clue puts the nail in the coffin for this poor phishing attempt.
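As an added illustration (not part of the bulletin), the three checks above expressed as a small Python triage script run over a constructed message modelled on the lure; the sample addresses, body text and the institutional-domain list are assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample resembling the "research assistant" lure (not the real message).
SAMPLE_EMAIL = """\
From: Professor Johan H Enslin <profjohanhenslin@gmail.com>
To: student@example.edu
Subject: Research Assistant Position - No Experience Required

I am seeking a research assistant to support our project.
No previous experience is required. Reply with your cell phone number.

Regards,
Uygar Abaci
"""

# Constructed benign message for comparison.
LEGIT_EMAIL = """\
From: Jane Doe <jdoe@example.edu>
To: student@example.edu
Subject: Syllabus

Please see the attached syllabus for next week.

Best,
Jane Doe
"""

INSTITUTIONAL_TLDS = (".edu", ".ac.uk")          # assumed list of academic domains
ROLE_WORDS = re.compile(r"\b(professor|prof|dr)\b", re.IGNORECASE)

def signature_name(body):
    """Return the last non-empty body line, which is usually the sign-off name."""
    lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
    return lines[-1] if lines else ""

def phish_indicators(raw):
    """Return (indicator, detail) tuples for the three warning signs discussed above."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    findings = []
    # 1. Claims an academic role but sends from a non-institutional (webmail) domain.
    if ROLE_WORDS.search(display) and not domain.endswith(INSTITUTIONAL_TLDS):
        findings.append(("role_domain_mismatch", f"{display!r} sent from {domain}"))
    # 2. Too-good-to-be-true offer combined with a request for personal details.
    if re.search(r"no (previous )?experience", body, re.I) and re.search(r"phone number|ssn|bank", body, re.I):
        findings.append(("pii_lure", "no-experience offer asks for personal information"))
    # 3. Signature name does not match the sender's display name.
    sig = signature_name(body)
    sender_surname = display.split()[-1].lower() if display else ""
    if sig and sender_surname and sender_surname not in sig.lower():
        findings.append(("signature_mismatch", f"signed {sig!r} but From is {display!r}"))
    return findings
```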


General Recommendations:

A phishing attack will typically direct the user to click a link and then prompt them to update personal information, such as a password, credit card, social security, or bank account details. A legitimate company already has this sensitive information and would not ask for it again, especially via text message.

  1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  2. Verify that the sender is actually from the company sending the message.
  3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or your social security number? A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet.
  5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing messages convey a sense of urgency or even aggressiveness to intimidate the recipient. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that try to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


Cybersecurity Brief

In this month’s Cybersecurity Brief:

SEC Fines Four Companies for Misleading Disclosures in SolarWinds Hack

The U.S. Securities and Exchange Commission (SEC) has imposed hefty fines on four major companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited—for failing to accurately disclose the impact of breaches linked to the notorious SolarWinds Orion cyberattack. The SEC’s actions highlight the growing regulatory scrutiny over how organizations handle cybersecurity disclosures, particularly in incidents involving widespread and damaging cyberattacks like SolarWinds.

The SolarWinds hack, first revealed in late 2020, was a large-scale supply chain attack that compromised the networks of numerous government agencies and private companies worldwide. A vulnerability in SolarWinds’ Orion software allowed sophisticated hackers—widely attributed to Russian state-sponsored groups—to infiltrate systems and steal sensitive data. The ramifications of the breach rippled through the technology and security industries, raising concerns about the effectiveness of supply chain security and organizational transparency in reporting cybersecurity incidents.

In this case, the SEC determined that Unisys, Avaya, Check Point, and Mimecast had downplayed the true extent of the breaches they experienced. According to the SEC, these companies misled shareholders and the public by minimizing the severity of the incidents, even though they knew attackers had accessed their systems via the SolarWinds vulnerability.

Unisys, for example, suffered two breaches involving the exfiltration of gigabytes of data, yet continued to describe its cybersecurity risks as purely theoretical. This lack of transparency violated SEC regulations that require companies to provide accurate, timely disclosures about material events that could affect their business operations. As a result, Unisys faces the largest fine of $4 million.

The SEC’s findings also revealed that Avaya misrepresented the scope of the breach it experienced, initially reporting that hackers had accessed only a limited number of email messages. In reality, the attackers had also accessed a much larger set of files stored in Avaya’s cloud environment.

Check Point and Mimecast similarly issued vague and incomplete disclosures. Check Point was aware of the intrusion but did not clearly explain the nature or scope of the breach in its public statements. Mimecast, which had encrypted credentials stolen by the attackers, failed to disclose the full extent of the stolen data.

The penalties issued by the SEC were as follows:

  • Unisys Corp.: $4 million
  • Avaya Holdings Corp.: $1 million
  • Check Point Software Technologies Ltd.: $995,000
  • Mimecast Limited: $990,000

These fines reflect the SEC’s broader push to hold companies accountable for how they report cybersecurity incidents. As cyberattacks become more frequent and damaging, regulators are increasing pressure on businesses to ensure they are transparent about the risks and incidents they face. The SolarWinds hack, one of the most significant breaches in recent history, serves as a case study of how critical accurate and timely cybersecurity disclosures have become. The SEC’s actions in this case emphasize the importance of cybersecurity governance and the need for companies to maintain strong internal controls for managing and reporting cyber risks.



CMMC 2.0 Program: Key Timeline for Defense Contractors

On October 15, 2024, the U.S. Department of Defense (DOD) unveiled the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program. This pivotal update sets forth the guidelines for establishing cybersecurity standards aimed at safeguarding federal contract information (FCI) and controlled unclassified information (CUI). As the DOD prepares to implement this framework, understanding the timeline is crucial for defense contractors looking to remain competitive.

The CMMC implementation will unfold in four distinct phases, starting after the related DFARS Acquisition rule takes effect. Each phase builds on the previous one, establishing escalating requirements for contractors:

  • Phase 1 (1 Year): This initial phase commences after the DFARS Acquisition rule takes effect. The DOD plans to require CMMC Status Level 1 (Self) or Level 2 (Self) in all applicable DOD solicitations and contracts as a condition of award. Contracting officers will also have the discretion to require CMMC Status Level 2 (C3PAO) for specific contracts. This phase provides contractors with a year to prepare for the initial compliance requirements.
  • Phase 2 (1 Year): Following Phase 1, the second phase will also last one year. During this period, the DOD will extend the CMMC requirements to include Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO) in relevant solicitations and contracts. Contracting officers may choose to delay the requirement for CMMC Status Level 2 (C3PAO) to an option period. This allows additional time for contractors to adapt to the growing security expectations.
  • Phase 3 (1 Year): The third phase will mirror the previous two, lasting one year. In this phase, the DOD will mandate CMMC Status Level 1 and Level 2 (Self and C3PAO) for all applicable solicitations and contracts. Additionally, CMMC Status Level 3 (DIBCAC) may also be included as a requirement for certain contracts. As contractors prepare for this stage, they must ensure their cybersecurity practices align with the elevated standards.
  • Phase 4 (Full Implementation): Beginning three years from the effective date of the CMMC Acquisition rule, CMMC 2.0 will be fully implemented. At this point, all DOD contracts will require adherence to the appropriate CMMC levels, effectively reinforcing a culture of cybersecurity across the defense industrial base.

The structured timeline allows contractors to progressively align their cybersecurity practices with the DOD’s requirements, emphasizing the necessity of preparation and compliance. As the phased approach unfolds, contractors will need to actively assess their cybersecurity measures, ensuring they meet the specified CMMC levels to be eligible for contract awards.



How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


Copyright © Netizen Corporation. All Rights Reserved.