Follow the CUI for CMMC Compliance

2022-01-12T20:27:39+00:00

By Greg Kent

“Follow the CUI.” That is the standard practice that DoD contractors follow to determine exactly what system components and networks are within the scope boundary for Level 3 Cybersecurity Maturity Model Certification (CMMC) compliance. Any system, network, or component that is used to store, process, transmit, or secure CUI should be included [...]


Enterprise Security for the Remote Workplace – 3 Remote Access Settings Worth Reviewing

2022-02-04T14:19:54+00:00

By Tobias McCurry

Although remote access into corporate networks isn’t new, such widespread, continuous use of remote access is. Organizations very early on identified capacity issues, but some legacy security risks in remote access solutions may be exacerbated by the extensive use of remote access under a widespread work from home scenario. Accordingly, it may [...]


VDI for CUI

2022-02-04T18:53:42+00:00

By Josh Griswell

One approach that contractors can take in approaching CMMC is including all of their infrastructure within the scope boundary for a CMMC certification. This means that all of the company’s components and devices would have to follow the processes and practices required by CMMC. The larger the company’s environment, the more complex [...]


Enhancing Laptop Security for the Remote Workplace

2022-02-04T13:55:42+00:00

By Greg Kent

Many organizations leverage control points specifically architected into their on-premise infrastructure to enforce security policies. When employees work from home, their computers may not access the corporate IT infrastructure, which bypasses these on-prem controls. Consider, for example, an organization that controls the websites that employee laptops can access by routing outbound web [...]


5 Free Burp Tutorials and Cheat-Sheets for Penetration Testing

2022-02-04T14:15:37+00:00

By Tobias McCurry

As part of our penetration testing and vulnerability assessment services, SecureIT uses an application security testing (AST) tool called Burp by PortSwigger. (No, I don’t know why they’ve selected that name!) We regularly use Burp to scan web applications, identify vulnerabilities and misconfigurations, and actively exploit to penetrate and escalate privileges. Burp’s [...]


Get Smart on FIPS 140-2 Validation for FedRAMP

2022-02-04T19:06:42+00:00

By Corey Clements

As a certified third-party assessment organization (3PAO), SecureIT has wide-ranging experience with the issues and challenges that cloud service providers (CSPs) encounter as they prepare for FedRAMP assessments. One area that generates lots of questions is FIPS 140-2 validated encryption. FIPS 140-2 stands for Federal Information Processing Standard 140-2, a security standard [...]


The Difference Between a Vulnerability Scan and a Pen Test

2022-02-04T14:02:16+00:00

Because vulnerability scanning and penetration testing (pen testing) sound like two phrases for the same activity, we often take time to demystify the confusion surrounding these two information security activities. Unfortunately, some companies often receive a pen testing report from a third-party security firm that is little more than a glorified vulnerability scanning report. Understanding [...]
