October is Cybersecurity Awareness Month but We're "Aware" Year-round

Since our February 2021 article was published on the topic of Cyber Maturity Model Certification (CMMC) compliance, many high-profile cyber-attacks have taken place worldwide that have made the national headlines. While it certainly is a good thing to dedicate a whole month of the year to cybersecurity awareness, we don't want to let our guard down come November through September. After all, recent studies have found that cyberattacks take place every eleven seconds on average. Fortunately, the vast majority fail due to the preventative measures that are described below.

With our cloud-hosted SYMPAQ platform, a high level of trust is placed in us by our clients to keep their data as secure as possible. While it is very difficult if not impossible to guard against zero-day exploits, even these threats can be mitigated and the damage minimized if detected in time. For these reasons, we have partnered with Microsoft to host our solutions on Azure. Microsoft employs over 3,500 IT professionals in its 95+ data centers around the globe to provide 24x7 monitoring against potential breaches. However, that in itself is not enough.

We in turn use best practices to do our part that go beyond around-the-clock monitoring to further secure our cloud networks. These include, but are not limited to:

Multi-factor authentication: All of us have likely had experience with 2-factor authentication or what is commonly referred to as MFA, so we won't discuss the particulars. Simply put, MFA adds an extra layer of security over and above your User ID and password when logging into a secure website or virtual machine. MFA represents the most reliable method of preventing a breach by a threat actor using a brute force attack when your login credentials are compromised. 

Azure Sentinel®: Sentinel is a SIEM (Security Information and Event Management) product deployed on our Azure cloud platform to detect and respond to threats. We deploy this solution and monitor the analytics to ensure the security of our network.

Long Passwords: Enforcing long passwords is yet another deterrent to a successful brute force attack. A 7-character password can be cracked within one hour by a sophisticated threat actor, whereas a 12-character complex password would take about 77,000 years to break. Without being too specific here, we set our minimum password length and complexity high enough that, even with the best password-cracking tools at one's disposal, a threat actor's failed login attempts would span thousands of years before the right combination succeeded.

Vulnerability Scans: Vulnerability tests are pre-emptive cyber hygiene assessments that involve a weekly scan of a computer network to identify vulnerabilities by severity level - critical, high, medium, or low. Government contractors can take advantage of free resources offered by the Cyber & Infrastructure Security Agency. By identifying vulnerabilities before cyber-terrorists do, a company can be proactive in mitigating threats and eliminating potential intrusions. 

Security Updates: Microsoft releases updates to its Windows operating systems on the second Tuesday of every month. This is known as "Patch Tuesday". Together with assistance from the Azure team, we apply these updates each and every month at regularly scheduled intervals without exception and with a minimal amount of downtime.

Data Backups: Last but certainly not least, keeping nightly backups of databases and archiving the encrypted backups in a secure, third-party cloud data center is a cornerstone of any emergency recovery plan. This not only minimizes damages from a cyberattack involving ransomware, but also from the accidental deletion of data or from data corruption. 

As many government contractors know by now, cybersecurity clauses have made their way into the Federal Acquisition Regulations, DFARS and other regulations with respect to safeguarding, reporting and recovery. In addition, the DCMA has taken an expanded role in recent years in enforcing contractor compliance with the regulations.

Whether the calendar says it's October or any of the other eleven months in a year, we're on top of securing our cloud networks in a variety of ways. Cybersecurity awareness is our 24/7, 365.25 day per year focus.
