Stacey Champagne

CMMC Level 2 Assessment Objective: Alternative Work Sites PRACTICE: Organizations must enforce safeguarding measures for containing controlled unclassified information (CUI) at alternative work sites. ASSESSMENT: Alternative work sites may include government facilities or the private residences of employees. Organizations must define and implement safeguards to account for protection of CUI beyond the enterprise perimeter. Safeguards may include physical protections, such as locked file drawers, as well as electronic protections such as encryption, audit logging, and proper access controls. Be prepared! Your assessor could ask to: 🔍 EXAMINE a list of safeguards required for alternative work sites 🗣 INTERVIEW personnel approving use of alternative work sites 📝 TEST organizational processes for security at alternative work sites (CMMC Assessment Guide: Level 2 Version 2.11, page 186) #CMMC #DoD #cybersecurity #NIST #InformationSecurity

47

ECS selected #Axonius to support DHS's CDM program. Axonius will provide comprehensive #Cybersecurity asset visibility and vulnerability management, enabling efficient risk management: https://dy.si/m5nFJ

2

I often hear the question "Where/What are our biggest security exposures?" Cyentia Institute recently had the opportunity to explore this question using data from hundreds of thousands of attack path assessments conducted through the XM Cyber Continuous Exposure Management (CEM) platform. The attached figure gives a categorical breakdown of what we observed based on all entities (digital assets), total security exposures, and exposures affecting critical assets. . The left-most chart represents the attack surface based on broad categories of digital entities discovered during attack path assessments. Active Directory constitutes just over half of entities identified across all environments. On-premises IT and network devices account for another 31% of entities and cloud environments house the remaining 17%. Not all entities, however, are exposed via attack paths. If we change the scope of the attack surface to include only vetted exposures (entities susceptible to attack techniques), things look different. The middle chart captures this perspective and Active Directory exposures dominate the attack surface. But not all of those exposures affect critical assets. To be truly effective, Exposure Management must encompass all environments and account for where critical assets are most at risk. If we once again rescope the attack surface to focus on exposures to critical assets, a very different picture emerges, which is captured in the rightmost chart. Cloud environments now encompass over half of all critical asset exposures, followed by AD at 33% and IT/Network devices at 11%. Does this sync with exposures across your attack surface? Which perspective/view/chart is your primary guide for managing exposures? The full report contains tons of additional insights on exposure management. Download here: https://lnkd.in/dPfqXG7y #cybersecurity #exposuremanagement #cyberrisk

48

8 Comments

It is easy to fall into the trap of confirmation bias, where investigators see something that aligns with what they expect while missing key context that might paint a different picture. Drawing conclusions about a subject’s intent from a single post or interaction can lead your team down the wrong path.

1

This is the kind of effort we need to really tackle vulnerability management with a proper effort around accurate prioritizations. This effort is aimed at bringing “Common Platform Enumeration, Common Vulnerability Scoring System, Common Weakness Enumeration, and Known Exploited Vulnerabilities to CVEs” together, including a pass through an SSVC decision tree. I am beyond excited to see such an effort and yet I remain concerned that without the required support and adoption by our vendors, this will merely represent another data point we cannot easily normalize with our tools. #VulnerabilityManagement #Security #BlueTeam

14

"(1) Affirming Official. The Affirming Official is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations. (2) Affirmation content. Each CMMC affirmation shall include the following information: (i) Name, title, and contact information for the Affirming Official; and (ii) Affirmation statement attesting that the OSA has implemented and will maintain implementation of all applicable CMMC security requirements to their CMMC Status for all information systems within the relevant CMMC Assessment Scope." #cmmc #dod #cybersecurity

25

One of the ways we can all fight back against human trafficking is knowing the signs. Follow The Exodus Road to learn more about their excellent online training that will teach you what to look for and practical steps to take.

39

1 Comment

A good friend Sumita Jonak asked me how you can prevent spam calls. I decided to collect and post some things people can do, they can’t be truly stopped entirely but maybe slowed? Obviously stopping spam calls can be very challenging, but there are some steps that can maybe reduce them. 🧡 Register on the National Do Not Call List. In the U.S., you can register your phone number with the National Do Not Call Registry at www.donotcall.gov. While this won’t stop all calls, it can reduce legitimate telemarketing calls. 🧡 Check your phone for Built-in Phone features • Most smartphones have an option to block calls from unknown numbers or numbers not in your contacts. • On iPhones, you can enable this feature in your phone settings, which sends unknown calls straight to voicemail. • Both iPhones and Androids allow you to block and report individual spam numbers directly from your call log. 🧡 Make sure you are careful about where you download the app from, make sure it’s legitimate but you can download a Call-Blocking App • Apps like Hiya, RoboKiller, Nomorobo, and Truecaller help detect and block spam and robocalls. These apps often use a database of known spam numbers and can automatically block or filter them 🧡 Cell Carrier Tools - note this is a pay per service • Many cell carriers offer their own spam blocking services, some free and others for a small fee: • AT&T: Call Protect • Verizon: Call Filter • T-Mobile: Scam Shield • Contact your carrier to see what options are available 🧡 Avoid Engaging with Spam Calls • If you accidentally answer a spam call, don’t engage with the caller or press any numbers (even if prompted to “remove yourself from the list”). This may confirm that your number is active, leading to more calls. I have heard this from many people and sources 🧡 If you want to help the greater good, you can report Spam Calls • Report spam calls to your carrier or to the Federal Trade Commission (FTC) at reportfraud.ftc.gov. Many carriers also allow you to forward spam texts to 7726 (SPAM) to help them block numbers 🧡 it’s always best to avoid sharing your number publicly although that is hard to do • Be cautious when sharing your phone number, especially online or in situations where it could be sold to marketers Using one or some of these methods can reduce at least some of the spam calls you receive. If you have any additional ideas please add! #donotcall #spam #cybersecuritryawarenesmonth #scd #spamcallers

9

1 Comment

I'm excited to share a recent milestone in my journey—passing the NACD (National Association of Corporate Directors) Directorship Certification. This achievement isn't just a personal milestone but a testament to the vital role of continuous learning in leadership and cybersecurity governance. Having been on both sides of the boardroom table, I've seen firsthand how navigating the complexities of modern enterprises requires more than deep expertise in a single domain—it demands a broad, strategic understanding across multiple disciplines. Here are a few key points for those aspiring to board roles or looking to deepen their C-level impact: Broaden Your Horizons: Understand your business beyond the technical details. For those seeking a board seat, look behind simply having cyber experience and to what else you can contribute. Commit to Excellence: Pursue excellence in all you do. Hold yourself to high standards, learn from setbacks, and continuously seek ways to improve—even when things go right! Stay Curious: Keep ahead of industry trends, challenges, and innovations. Staying informed and proactive is crucial for making strategic decisions and fulfilling a director's duty of care. The path to a board role can be challenging but it is also rewarding and can have significant impact. For CISOs looking to improve their board interactions, focus on translating technical details into business impact to enhance your role as a strategic partner. Keep learning. Keep growing.

98

12 Comments

Attention Police Officers and veterans: Looking to get a better career transition experience? Wanting to know if cybersecurity is for you? Are you searching for the right pathway and certifications to get into the industry? If so then this webinar is for you. ************ ♻️ Please repost this to your network if you found this post interesting or relevant, and follow Professor Neil Curtis for more content about military and police transition, cybersecurity career and personal branding. #CybersecurityCareers #VeteranTransition #KnowYourPath

17

2 Comments

Attention Police and Police Veterans... Last chance top register for this insightful webinar learning how to transition to a career in cybersecurity.

2

1 Comment

As you've probably heard by now, Verizon's 2024 Data Breach Investigations Report (DBIR) just dropped. I'm proud to say that Cyentia Institute was a contributor again this year. I should say "one of the many, many data contributors." I know most people focus on the findings from the DBIR - and they should. But to me, this is the most remarkable and important aspect of the DBIR. I can't think of any other report/project in the #cybersecurity field that can unite all these logos in a common effort of data sharing and analysis. And do it for 15 years! Yes - I know the DBIR first published more than 15 years ago (I was there). But 2010 was the first time we included non-Verizon data from the U.S. Secret Service. That initial step took quite a bit of effort, but then they introduced us to the Dutch High Tech Crime Unit, the Australian Federal Police, London Metropolitan Police...and the dominos kept going. I clearly remember when I got a "yes" from the first private sector IR service provider that was a competitor of Verizon at the time. The execs HATED the idea of sharing the spotlight, but they eventually conceded. And their participation paved the way for all the others you see here. And though I'm no longer leading the DBIR production effort, I'm honored to be one of those logos I started adding so long ago. Also - it's not easy managing all those contributors and datasets. As you review and apply all the insights from this year's DBIR, raise a toast of appreciation to the DBIR team that is dedicated to what they do for the community. Many thanks David Hylender Suzanne Widup Philippe Langlois Alex Pinto #databreaches #cyberrisk

259

15 Comments

CrowdStrike Responds to Delta's Legal Threats Over Software Update Outage 💥 Cybersecurity firm CrowdStrike is pushing back against Delta Air Lines' legal threats following a recent software update that disrupted Delta's operations. In a strongly worded letter, CrowdStrike claims Delta misrepresented the situation and that it was Delta's own IT decisions that worsened the outage. CrowdStrike also states that they repeatedly offered assistance to Delta, including a direct offer from their CEO to Delta's CEO, but received no response. This public exchange escalates the tension between the two companies. It remains to be seen whether Delta will pursue legal action or if the companies can find a way to resolve this dispute. #cybersecurity #aviation #software #Delta #CrowdStrike #dispute https://lnkd.in/ezRb24cJ

6

4 Comments

Key quotes from the new 48CFR Rule for #CMMC. This rule is the one that goes into new and renewing contracts and requires having a CMMC certificate or self-assessment upon contract award. They tightened up the language quite a bit. On quick scan, it looks well done. The first 40 pages give a lot of information about the DoD's thought process on CMMC, including some technical clarifications like whether joint ventures need to be individually certified, and whether talking about CUI over the phone is in scope.

31

Getting ready to lead discussions in Boston this week. Come join to talk about supply chain attacks - think about all your devices, not just software - and better security testing in your software development lifecycle.

4

I dislike using the term “crisis communications” when talking about security incidents because it gives people permission to accept chaos and panic. These are red flags that your decision-making process isn’t ready for prime time. Anyway, I’m always glad to see more security teams recognize that incident communications isn’t just what you say publicly, it’s also how you communicate internally so that you’re proud of how you show up for the people impacted.

24

While I might not have been as impactful as my good friends in the industry, I feel like it was a pretty successful 2024. Looking forward to an even more impactful 2025 of getting out the word of cybersecurity and auditing together to provide an even stronger layer of prevention to organizations programs! Here's my 2024 LinkedIn Rewind, by Coauthor.studio: In cybersecurity, the most powerful defense isn't just technical controls - it's the combination of governance, awareness, and human understanding. 2024 reinforced this truth in every presentation, assessment, and conversation. Leading cybersecurity assessments and training across healthcare, government, and education sectors showed me that organizations succeeding in cybersecurity focus on three elements: • Strong governance frameworks aligned with business objectives • Continuous security awareness training and testing • Practical implementation of controls that work for real people Key impact areas from 2024: • Led cybersecurity assessments helping organizations identify and address critical vulnerabilities • Presented at major conferences including Healthcare Conference Webcast, TCTC, and IIA San Antonio • Expanded board service with IIA Albany Chapter • Participated in charitable initiatives including Maurer Foundation Motorcycle Ride and Regional Food Bank support Three posts that resonated most with our community: "Healthcare Conference Webcast" Integrating cybersecurity and AI considerations requires both technical depth and practical implementation https://lnkd.in/e8i2fyRf "The Conference That Counts (TCTC)" Building connections with others passionate about cybersecurity creates stronger defensive networks https://lnkd.in/eBC5mvx9 "Maurer Foundation Motorcycle Ride" Professional expertise gains meaning through community engagement https://lnkd.in/e6XVZMTY Looking ahead: 2025 focuses on helping organizations build robust cybersecurity programs that combine technical excellence with practical implementation. The mission isn't just about protection - it's about enabling organizations to thrive securely. To every organization working to strengthen their cybersecurity posture: start with understanding your assets and risks, focus on practical controls that work for your people, and remember that security awareness is your strongest defense. hashtag #cybersecurity hashtag #informationsecurity hashtag #audit hashtag #riskmanagement hashtag #LinkedInRewind hashtag #2024wrapped hashtag #Coauthor

25

7 Comments