CMMC | Defense Compliance

Win more DoD contracts through achieving the correct CMMC (Cybersecurity Maturity Model Certification) qualification.
As of June 2020, many companies that work with the US DoD will need to meet CMMC requirements to bid on contracts. Companies will receive a level rating between 1 and 5, based on their cyber behaviour, controls and practices, which will determine their eligibility to bid on certain contracts. Getvisibility is offering FREE CMMC ASSESSMENTS to relevant organisations so that you can take informed actions and reach the maturity level needed to qualify for your desired DoD contract.

CMMC will come into effect from June 2020 for all DoD contractors


How CMMC Affects Your Organization
CMMC will be replacing the existing self-certification model under the Defense Federal Acquisition Regulation Supplement (DFARS) – more specifically NIST 800-171. It is a unified standard for implementing cybersecurity across the defense industrial base, which is estimated to include over 300,000 companies in the supply chain. Put simply, if you currently comply with the existing DFARS and NIST 800-171 requirements you have taken the first step, but the new CMMC guidelines establish new expectations and security controls that you must now comply with.

The CMMC is designed to improve protection of controlled unclassified
information (CUI) and Covered Defense Information (CDI) within the supply
chain.

Previously, contractors were responsible for implementing, monitoring and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems. Contractors will remain responsible for implementing critical cybersecurity requirements, but the CMMC changes this pattern by requiring third-party assessments of contractors’ compliance with certain mandatory capabilities, practices and procedures that can adapt to new and evolving cyber threats from adversaries. CMMC requirements will be included in sections L and M of DoD requests for information as of June 2020, and in requests for proposals as of Sept. 2020.


Organisations need to start identifying their gaps against their target CMMC
maturity level to lower their risk of being disqualified when contract bids are
released.

Getvisibility’s FREE CMMC Assessment
As basic cyber and data hygiene is required from even a level 1 contractor, an understanding of your data landscape is essential for all DoD contractors. Most organizations have enormous quantities of documents scattered across file servers, cloud infrastructure and personal devices, and almost every DoD contractor will have files on their network that are considered sensitive under the CMMC.

Unfortunately, most organizations have no idea what this data is and they’re creating significantly more data on a daily basis. Getvisibility’s approach is to help companies understand their data footprint with the highest accuracy possible and control this data. Without this, unstructured data security simply cannot work.


What to expect from your assessment
Getvisibility’s team of experts will work closely with your organisation to understand your specific requirements and carry out a targeted scan for CUI/FOUO relevant to CMMC. The Getvisibility solution uses artificial intelligence and machine learning to quickly and accurately classify unstructured data across large data landscapes. Through market-leading machine learning models, Getvisibility gives customers an unparalleled understanding of their posture in relation to:


• Governance and Compliance
• Redundant, Obsolete and Trivial Data
• Data Security
• Intellectual Property Protection
• Risk Analysis
• Permission Management

Key Highlights

Affected Organizations
• All companies who wish to successfully apply for a contract with the DoD
(estimated at 300,000 companies).

Key Points
• Contract success dependent on CMMC maturity level.
• Maturity level certification assessed by independent body.

Impact
• Organisations need to fully understand their security posture in relation to data.


How to protect against COVID-19 email scams with IRONSCALES

Last week the U.S. Federal Trade Commission reported that approximately $12 million was lost to coronavirus-related scams, according to consumer reports reviewed this year. With over 20,000 cyberattacks per day in April 2020, it is obvious that attackers are taking advantage of the pandemic to lure consumers using various attack vectors, including social media, phone calls, text messages and phishing emails.

Security telemetry shows a surge since March in the number of coronavirus-related phishing emails, and, from the beginning of February 2020, a sudden spike in the registration of domains associated with fraudulent COVID-19-themed extortion and financial scams, for example around the purchase of medical supplies such as face masks and PPE.

How do cybercriminals work?

Cybercriminals send emails claiming to be from legitimate organizations with information about the coronavirus. The email messages might ask you to open an attachment to see the latest statistics. If you click on the attachment or embedded link, you’re likely to download malicious software onto your device. The malicious software — malware, for short — could allow cybercriminals to take control of your computer, log your keystrokes, or access your personal information and financial data, which could lead to identity theft. The coronavirus — or COVID-19, the name of the respiratory disease it causes — has affected the lives of millions of people around the world.

It’s impossible to predict its long-term impact. But it is possible to use anti-phishing tools that help your organization protect itself against coronavirus-related scams.

How do I spot a coronavirus phishing email? Examples

Coronavirus-themed phishing emails can take different forms, including these.

CDC alerts. Cybercriminals have sent phishing emails designed to look like they’re from the U.S. Centers for Disease Control. The email might falsely claim to link to a list of coronavirus cases in your area. “You are immediately advised to go through the cases above for safety hazard,” the text of one phishing email reads.

What do the emails look like? Here’s an example of a fake CDC email. (All examples below come from the U.S. Health and Human Services website.)

Money request emails. Phishers have sent emails that offer purported medical advice to help protect you against the coronavirus. The emails might claim to be from medical experts near Wuhan, China, where the coronavirus outbreak began. “This little measure can save you,” one phishing email says. “Use the link below to download Safety Measures.”

Here’s what a fake money request email will look like.

Workplace policy emails. Cybercriminals have targeted employees’ workplace email accounts. One phishing email begins, “All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.” If you click on the fake company policy, you’ll download malicious software.

Here’s an example.
 

How do I avoid scammers and fake ads?

Scammers have posted ads that claim to offer treatment or cures for the coronavirus. The ads often try to create a sense of urgency — for instance, “Buy now, limited supply.”

At least two bad things could happen if you respond to the ads.

One, you might click on an ad and download malware onto your device or endpoint.

Two, you might buy the product and receive something useless, or nothing at all. Meanwhile, you may have shared personal information such as your name, address, and credit card number.

Bottom line? It’s smart to avoid any ads seeking to capitalize on the coronavirus.

How IRONSCALES helps you recognize and avoid phishing emails

Here are some ways the IRONSCALES platform can help you recognize and remove COVID-19-themed phishing emails.

Like other types of phishing emails, the email messages usually try to lure you into clicking on a link or providing personal information that can be used to commit fraud or identity theft. Here are some ways IRONSCALES will prevent your organization from getting tricked.

  • Alerting on unusual online requests for personal information. A coronavirus-themed email that seeks personal information like your Social Security number or login information is a phishing scam. Legitimate government agencies won’t ask for that information. Never respond to the email with your personal data.
  • Automated URL and email address scanning. IRONSCALES inspects your links by continuously scanning the URL to see where it leads and whether the link has changed. Sometimes it’s obvious the web address is not legitimate. But keep in mind phishers can create links that closely resemble legitimate addresses.
  • Identifying spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email. IRONSCALES will create an alert inside your inbox.
  • Federation. Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate. IRONSCALES will automatically identify and block these fraudulent emails.
  • Admins will remove emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information — right now.
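As an added example (not IRONSCALES code), the rule-based scorer below applies the indicators listed above to two constructed sample emails: a generic greeting, urgency language, a request for login or personal information, link text that shows one address while pointing at another, and a sender claiming to be the WHO or CDC whose links lead outside the official domain. The greeting, urgency and credential keyword lists and the organisation-to-domain map are assumptions.

```python
"""Rule-based scorer for the coronavirus phishing indicators described above.
Added example, not IRONSCALES code; the keyword lists, official-domain map and
sample emails are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETING_RE = re.compile(r"\bdear (sir or madam|customer|user)\b")
URGENCY_PHRASES = ("immediately", "act now", "right now", "urgent", "limited supply")
CREDENTIAL_REQUESTS = ("social security number", "password", "login information",
                       "credit card number")
# Organisations a sender may claim to be, mapped to the only domain they link to
# (the WHO states it never asks you to visit a link outside www.who.int).
CLAIMED_ORG_DOMAINS = {"world health organization": "who.int",
                       "centers for disease control": "cdc.gov", "cdc": "cdc.gov"}
URL_LIKE_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
SUSPICIOUS_THRESHOLD = 3


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(body_html):
    parser = _LinkParser()
    parser.feed(body_html)
    return parser.links


def host_of(url):
    """Hostname of a URL; bare text like 'www.cdc.gov/x' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def score_email(sender, subject, body_html):
    """Return (score, reasons); score >= SUSPICIOUS_THRESHOLD warrants review."""
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    header = f"{sender} {subject}".lower()
    score, reasons = 0, []
    if GENERIC_GREETING_RE.search(text):
        score += 1
        reasons.append("generic greeting instead of your name")
    if any(p in text for p in URGENCY_PHRASES):
        score += 1
        reasons.append("pressure to act immediately")
    if any(p in text for p in CREDENTIAL_REQUESTS):
        score += 2
        reasons.append("asks for personal or login information")
    # Domains the sender implicitly commits to by naming an organisation.
    claimed = {d for org, d in CLAIMED_ORG_DOMAINS.items() if org in header}
    for href, visible in extract_links(body_html):
        dest = host_of(href)
        # Link text that looks like an address but actually leads elsewhere.
        if URL_LIKE_RE.match(visible) and host_of(visible) != dest:
            score += 2
            reasons.append(f"link shows {host_of(visible)} but points to {dest}")
        for domain in claimed:
            if not in_domain(dest, domain):
                score += 2
                reasons.append(f"sender claims {domain} but links to {dest}")
    return score, reasons


# Constructed samples: one modelled on the fake CDC alert quoted above, one benign.
PHISHING_SAMPLE = dict(
    sender="CDC Health Alert <alert@cdc-gov.example>",
    subject="COVID-19 cases in your area",
    body_html='<p>Dear sir or madam,</p><p>You are immediately advised to go through '
              'the cases above for safety hazard.</p><p><a href="http://cdc-gov.example/'
              'login">www.cdc.gov/coronavirus/cases</a></p><p>Confirm your login '
              'information to continue.</p>')
LEGIT_SAMPLE = dict(
    sender="World Health Organization <info@who.int>",
    subject="COVID-19 travel advice",
    body_html='<p>Hello,</p><p>Read our travel advice at <a href="https://www.who.int/'
              'travel-advice">www.who.int/travel-advice</a>.</p>')
```

Running `score_email(**PHISHING_SAMPLE)` trips all five rules (score 8), while the benign WHO sample scores 0; the threshold and weights are illustrative and would be tuned against real mail flow.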

Where can I find legitimate information about the coronavirus?

It’s smart to go directly to reliable sources for information about the coronavirus. That includes government offices and health care agencies.

Here are a few of the best places to find answers to your questions about the coronavirus.

Centers for Disease Control and Prevention. The CDC website includes the most current information about the coronavirus. Here’s a partial list of topics covered.

  • How the coronavirus spreads
  • Symptoms
  • Prevention and treatment
  • Cases in the U.S.
  • Global locations with COVID-19
  • Information for communities, schools, and businesses
  • Travel restrictions

World Health Organization. WHO provides a range of information, including how to protect yourself, travel advice, and answers to common questions.

The World Health Organization will:

  • Never ask for your username or password to access safety information
  • Never email attachments you didn’t ask for
  • Never ask you to visit a link outside of www.who.int 
  • Never charge money to apply for a job, register for a conference, or reserve a hotel
  • Never conduct lotteries or offer prizes, grants, certificates or funding through email.

National Institutes of Health. NIH provides updated information and guidance about the coronavirus. It includes information from other government organizations.

Cyber threats are evolving, and so are we. Stop Tomorrow’s Phishing Attacks, Today.

The best time to stop phishing emails is before they hit the mailbox, yet 25% of attacks get past existing defenses. With 82 seconds on average until the first click is lured, the second best time is now.

Herman Technologies is a proud partner of IRONSCALES, a comprehensive pre- and post-delivery anti-phishing platform designed to quickly detect malicious emails that slip through the prevention layer and respond to them automatically in seconds, blocking them for good.

It leverages both AI and real-time human intelligence, with the speed and simplicity to stay ahead of new threats.

Info@herman-technologies.com | IRONSCALES

Why people struggle to identify visual similarities in phishing websites

Original article posted at IRONSCALES: Phishing websites, also known as spoofed websites, are a very common deception tactic that attackers now rely on to obtain a person’s login credentials to a legitimate website. The operation, commonly known as credential theft, is simple: send unsuspecting recipients an email spoofing a trusted brand and persuade them to click on a link that subsequently takes them to a login page where they will be asked to enter their username and password. Once completed, attackers have the information they need to log in to a real account and commence with illegal activity, such as credit card fraud, data extraction, wire transfers and more.

While such fraudulent URLs aren’t new, the prevalence and sophistication have increased exponentially. In fact, a recent report by Webroot Security identified nearly a 400% increase in new phishing websites, equating to ~1.5 million coming online per month. This is an incredible number when considering phishing websites only stay active for 4-8 hours on average. 

Attackers have turned to phishing websites, most commonly as a means to impersonate the world’s most popular brands, as gateway-level email security and anti-phishing tools have become smarter and more efficient at detecting emails with traditional malicious payloads, such as links that deliver automated malware downloads and malicious attachments. Phishing websites are especially problematic for companies that rely on rules-based email security such as secure email gateways (SEGs), multi-AV scanners and sandboxing solutions, as such tools lack the visual anomaly detection capabilities required to distinguish a fake login page from a legitimate one in real time.

Analyzing 25,000 emails for links to phishing websites 

To learn more about the prevalence of phishing websites, IRONSCALES analysts reviewed 25,000 emails in Q3 with verified malicious links and attachments. Since IRONSCALES sits in the mailbox and not at the gateway, the 25,000 emails studied had either bypassed a secure email gateway or cloud email security tool, such as Office 365 Advanced Threat Protection (ATP). 

In total, we found that 23% (5,750) of the 25,000 malicious emails included links to active phishing websites. This represents a 5% increase when compared to the previous 90-day period. Of that, the top five most spoofed websites we discovered were:

  • Microsoft (37%)
  • PayPal (25%)
  • HSBC Holdings (8%)
  • Adobe (5%)
  • Wells Fargo (3%)
  • Other (22%)

Why people struggle to identify visual similarities in phishing websites

The success of phishing websites can best be explained by the psychological phenomenon, first discovered in the early 1990s, known as inattentional blindness. Defined as an individual failing to perceive an unexpected change in plain sight, inattentional blindness became an internet sensation in 2012 when a video was posted asking viewers how many times white-shirted players passed a ball. Intently focused on the task at hand, more than 50% of viewers failed to notice a woman in a gorilla suit in the middle of the picture.

Recognizing the perils of inattentional blindness, adversaries have begun to see the importance of creating attacks that deceive the human brain in addition to defeating technological controls. Yet there are often clear indicators within phishing websites that can help people identify fake URLs, should they know what to look for.

Of the 5,750 phishing websites we identified last quarter, each had a visual or verbal anomaly or flaw that wasn’t recognized by technology, such as blurred or resized images or an undue sense of urgency. This is because the closer a page looks to the real one, the more easily advanced anti-phishing technology can detect that it’s a fake. Thus, attackers are constantly trying to make phishing websites different enough to defeat technical email controls but similar enough that a human would think they are legitimate.

Specifically, we identified five categories into which each phishing website fell:

  • Blurred (45%) – When an image appears blurry and out of focus.
  • Resized (25%) – When an image appears stretched or elongated.
  • Creative (15%) – When an attacker tries to make a connection through design.
  • Retro (10%) – When an image or copy uses outdated branding and messaging.
  • Sense of Urgency (5%) – When copy contains uncommon immediacy and calls to action.

Thanks to inattentional blindness, most people do not immediately see these visual similarity clues, wrongly assuming the spoofed login page is legitimate and entering their credentials, which, unbeknown to them, are about to be used in a cyberattack.

Preventing phishing website links from laying idle in an inbox

Traditional signature-based email gateway security solutions struggle to stop these types of attacks, as they were designed to scan the source code that lies behind the HTML page in order to match the signatures of previously known attacks. Consequently, savvy criminal groups must strike the right balance between creating spoofed landing pages that look similar enough to legitimate pages to dupe their intended victims, but not identical enough to be snared by anti-phishing technologies. By taking a polymorphic approach, attackers can automate and refine the process of deploying pages that do not surpass predefined detection thresholds. By comparing the visual similarity of legitimate landing pages to spoofed ones, computer-vision-enabled solutions provide a critical additional layer of defense, since they do not rely on simple pattern matching.

About IRONSCALES

IRONSCALES is the future of phishing protection, incubated inside the world’s top venture program for cybersecurity and founded by alumni of the Israel Defense Forces’ elite Intelligence Technology unit. We offer security professionals and end users an AI-driven, self-learning email security platform that provides a comprehensive solution to stop tomorrow’s phishing attacks today. Using the world’s most decentralized threat protection network, our platform accelerates the prevention, detection and remediation of phishing attacks already inside your email with threat removal times in seconds, not minutes or hours. We give organizations of all sizes complete anti-phishing protection against any type of phishing attack, right now. Visit www.ironscales.com to learn more about The Power of Now.

To learn more about how we use computer vision to protect against fake login pages, read IRONSCALES blog Fight Phishing & Credential Theft with AI

Some examples of fake Office 365 login pages captured by IRONSCALES’ visual similarity detection.

Resize:

Users are expecting the login box and they are focused on it, not noticing the background – this is exactly what the attacker is relying on since they can change it slightly to evade visual similarity detection.

The future of product management

In late 2015 Nokia acquired Alcatel-Lucent. The two giants behind this $16 billion deal are not citing “synergy from cost reduction” or similar phrases that often accompany large corporate mergers. In this case, improving the speed at which they innovate was cited as the catalyst.

Neither brand is really known for innovation these days. That fact has been a major problem for both as they try to excite their customers and grow market share. Quite simply, they have failed to produce products that customers love. This is true for both their consumers and enterprises.

“Nokia’s acquisition of smaller rival Alcatel-Lucent may avoid the pitfalls that befell earlier telecom network equipment marriages, thanks to a revolution over the past decade in how products are launched and developed,” Reuters declared in its report on the merger.


The rationale behind Nokia’s acquisition invites a broader question: how will both brands increase their speed of innovation? And who will be responsible for this acceleration?

Most likely, that will fall on the shoulders of product development teams. Those teams will be led by product managers – who will, in turn, be tasked with prioritizing features, gathering new ideas from customers, and driving innovation through cross-functional releases.

Over the past decade, technology companies – and product managers – have become more mainstream. Tech leaders like Marissa Mayer have made it to the c-suite through product management roles. Steve Jobs became beloved for his deep, holistic product approach when he said, “it’s in Apple’s DNA that technology alone is not enough — that it’s technology married with liberal arts, married with the humanities, that yields us the result that makes our hearts sing.”

Leaders like Jobs and Mayer have helped usher in a new era of product management. But there is still much work to be done.

Product managers make the most crucial decisions in any tech company today. Yet despite all the advances in software innovation, the product management discipline is still immature. Without the right tools, education, and guidance, product managers are flying blind.

Outdated Methodology

In the 1990s, a series of new methods meant to combat ‘heavyweight’ and ‘gate-to-gate’ software development emerged. These methods ranged from SCRUM methodology to feature-driven development. At a meeting in Utah in 2001, a group of developers coined the term “Agile” to represent these methods. Their manifesto proclaimed, “We are uncovering better ways of developing software by doing it and helping others do it.”

But Agile was defined and often adopted with a specific point of view. It was developed to accelerate how quickly engineers could get their work done and be happy doing it.


To research his book, Look Beyond the Product, Steve Johnson of Under10 Consulting interviewed more than 100 product managers. He is convinced that, in many cases, following strict methodologies like Agile has “broken product management.”

“For too many teams, product managers and product owners are now providing development and operational support rather than gathering and sharing market insights. Contrary to what the Agile movement envisioned, the product manager or product owner is no longer able to provide up-to-date market information and strategic vision because they’re immersed in development activities.”

Rich Mironov, author of The Art of Product Management, agrees that rigid frameworks have alienated product managers from their end users. “In 2008, Agile was just beginning to hit mass adoption, and the current generation of Lean Startup/LeanUX hadn’t happened yet,” Mironov reflects. “Now, both are mainstream, but from opposite sides.

“Ever larger Agile and Scrum development organizations are pulling product managers into heads-down product owner roles, crowding out our time to understand complex markets and determine what our customer segments really want. As product managers, we have to avoid orthodoxy and choose the right mix of tools and methodologies for our unique situations.”

So while product management was taking off, methodologies emerged to streamline product development. Unfortunately, product teams remained in need of a better way to work.

The Software Revolution

We have entered an era where large-scale change is improving how teams build products – software, in particular. These changes are having a deep impact on tech companies like Nokia and Alcatel-Lucent, which depend on software innovation. At Aha! we believe that the years between 1980 — 2050 will be recognized as the Software Revolution era.

This era will be defined by the augmentation of intelligence and experience by computers. Similar to the Industrial Revolution, a period of major industrialization is taking place right now. Although the Software Revolution began in the United States, it is spreading throughout the world and will continue to do so.


This time period has seen the computerization of business and personal life, which has had a massive effect on economic, social, and cultural conditions. If you work in technology, you likely agree that this time period is unique and being driven by several powerful factors. These include the democratization of software development; widespread broadband access; and the emergence of mobile devices.

Software has been commercialized at a dizzying pace. And yet, paradoxically, efficient idea development and execution remains in its infancy — just like product management. It’s why new approaches to product management have emerged during the Software Revolution.

Product management is evolving from an art to a science. The best products of the next several years will be driven by data based on direct user feedback — but it is taking time and the right tools to drive this meaningful change.

To bring the world’s best future products to life, mature product teams use the following techniques. Over the next several years, you can expect these to become the norm.

Goal-First Planning

The most successful products share the same initial attribute: a goal-first product vision that is informed by customer conversations. Too many products are born without a goal in mind; without knowing where you want to go, you cannot expect to get there.


Goal-first planning starts with product vision. This vision captures the essence of what the product aims to achieve, opportunities available, and potential threats. Over the next several years, product managers’ visions will become more business focused. They will tie these visions back to business objectives – and clearly communicate how users and business alike will benefit.

Daniel Elizalde, an enterprise software product manager who blogs at Tech Product Management, says his four pillars of product management start with soft skills for a reason. Like Johnson and Mironov, Elizalde worries that today’s product managers are too disconnected from their products’ end users. He argues that product leaders must understand their customers and share their product’s vision with its stakeholders.

“Product managers spend most of their days communicating ideas, product direction, roadmaps, delays, etc.,” explains Elizalde. “Having the ability to communicate efficiently and with empathy is a must for the role. No amount of technical, business, or domain knowledge can make up for poor communication skills.”

“The popularity of Eric Ries’ Lean Startup is an indication that product teams want more strategic leadership,” adds Johnson. “In addition to customer discovery, teams want to know more about the market, the product buyers and users, and the competitive landscape. These are the business aspects of product management that have gotten lost in recent years.”

Crowdsourced Ideas

Great product managers know the value of shipping features that delight users. It’s one of several reasons why Slack is riding its unicorn over the proverbial rainbow.

Better ideas lead to innovation, and innovation leads to market leadership. But the first step in successful ideation is to understand how innovative your product truly is. Shardul Mehta, VP of Products at Diamond Mind, says most of today’s product management practices are designed to optimize strategy for a proven product. But when it comes to innovation, these practices fall woefully short.


“…As such, most product management practices today are designed to optimize the execution of an existing product strategy. However, when it comes to new product innovation, be it in a startup or an existing company, it involves a search for a repeatable and scalable product strategy and business model. There are many unknowns – both with products built by startups and established corporations.”

As product management becomes a more tightly defined role within organizations, more solutions will allow product managers to collect product ideas from colleagues and customers alike. Innovation is about iteration.

Data Driven Feature Prioritization

Prioritizing roadmaps based on feature requests is far from easy – but it is possible if you keep empathetic focus on your users. Prabhakar Gopalan – also known as the Craftsman PM – champions this idea through his Whole Product approach. Whole Product envisions customers and corresponding product features as you move along a product timeline.

The first step in this process is qualitative: it involves writing your product’s story.


“I think product managers should take a step back from the requirements process and look at the system as a whole – all the way through from the customer pain you are trying to solve, to asking which brand positioning your company has or is developing, and which story you would like your customers to say. Then, work backwards to build that kind of product.”

To make data-driven decisions about feature prioritization, you must know what is meant by “data” in the first place. To begin, evaluate where your product is in its lifecycle. This will help you determine whether data refers to customer interviews, internal feedback requests, surveys, etc.

Once you’ve confirmed your product’s lifecycle stage and which data you need, there are several ways to prioritize features. Let’s review some of them:

  • Value – In more flexible systems, product managers should rank features against their key business drivers. Each product should have a unique scorecard comprised of metrics that reflect strategy and also make sense at a feature level. Product managers can customize the metrics, scale, weighting, and complexity used to quantify these features.
  • Opportunity – Since Sales and Support teams work with product users every day, they should not be excluded from product management. Feature prioritization based on revenue potential offers holistic views of users by using data from software systems such as Salesforce. Sales data empowers product teams to invest in the ideas that matter most to users by connecting product features to sales opportunities.
  • Feedback – Once you’ve begun to practice ideation, you need a strong way to manage the ideas that you collect from colleagues and customers. The most advanced systems allow product managers to see a high level of all submitted ideas. They also capture key information about an idea, including its submitter, title, and description.

Cloud-Based Tools

Cloud-based tools – and their mass adoption – matter deeply to product managers. These tools allow teams to build better products, delight their users, and grow their business for less time and money than was used in the past.

If you are working with a dynamic team, it’s important that you have one place to manage and view all things related to your product. This enables cross-functional teams to collaborate in real time. It also allows product nuances to be shared beyond the product team – which empowers anyone at an organization to consistently describe a particular product.

Building great products is a collaborative process that works best if everyone is on the same page. This has led to the emergence of software built specifically for product teams, including Aha! (for product roadmaps), JIRA (for engineering), and Zapier (for task automation). These tools help streamline cross-functional workflows.


All of these factors will drive new innovation – and more lovable products. The availability of product management software makes it easier than ever to build products that users will love via shorter release cycles, crowdsourced ideas, and data driven feature prioritization.

The Way Forward

How should Nokia innovate more quickly? That answer is obvious. Product managers will help Nokia – and tech companies at large – speed up everything they do. They will accelerate the pace of innovation and delight customers at the same time. In contrast to the past, they will not get caught up in the development methodology of the day. Instead, they will lead product teams with a flexible approach.

“I think avoiding frameworks and thinking of the product as a whole is the kind of work one needs to stand out,” says Gopalan. “It’s not easy, but it can be rewarding. The most delightful products we see tend to be built that way!”

It is not easy to build lovable products. But with a goal-first approach, deep customer connections, and a rigorous way to tie features to business value, it can be achieved. This approach will help product managers accelerate innovation — and define the future of product management.

As seen on: The Next Web