CMMC Level 3 Control – Email Sandboxing (SI.3.220)

In the CMMC process, one control that many organizations have trouble understanding or implementing is Email Sandboxing, SI.3.220.  The overview for this control states that an organization should use sandboxing to detect or block potentially malicious email.  Doing so can prevent malicious files from entering the network, and the control should be documented in the Configuration Management Policy.

An email sandbox provides an isolated environment to execute an attached file or linked URL.  Before allowing attachments or links to be opened on the production network, they are executed within the sandbox and their behavior is observed. By opening these files or links in a protected environment, the system detects malicious activity before it is introduced into the network.

Office 365 and its Advanced Threat Protection can provide these services through URL Detonation and Dynamic Delivery.  The Dynamic Delivery feature allows recipients to read and respond to emails while the attachment is being scanned.  Dynamic Delivery delivers the email to the recipient’s inbox along with a “placeholder” attachment notifying the user that the real attachment is being scanned, all with minimal lag time.  If a user clicks the placeholder attachment, they see a message showing the progress of the scan.  If the attachment is harmless, it is seamlessly re-attached to the email so the user can access it.  If it is malicious, Office 365 Advanced Threat Protection filters out the attachment.

URL Detonation can be enabled through the policy controls in the Safe Links admin window under settings. To enable URL Detonation, select the “On” radio button and then select the Use Safe Attachments to scan downloadable content checkbox.

Dynamic Delivery can be activated through the policy controls from the Safe Attachments admin control window under Settings. Simply select the Dynamic Delivery radio button.
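The same two settings can be audited and enforced from Exchange Online PowerShell, which also produces evidence an assessor can file with the Configuration Management Policy. This is an added example, not code from the original post; the policy names are assumptions, and the “Use Safe Attachments to scan downloadable content” checkbox is taken to map to the Safe Links `ScanUrls` setting.

```powershell
# Added example: verify and, if needed, enable Dynamic Delivery and URL Detonation.
# Requires the ExchangeOnlineManagement module and an account with Security Admin rights.
Connect-ExchangeOnline

$attachPolicy = "Default Safe Attachments"   # assumed policy name; use your tenant's
$linksPolicy  = "Default Safe Links"         # assumed policy name; use your tenant's

# --- Safe Attachments: attachments must be detonated with Dynamic Delivery ---
$sa = Get-SafeAttachmentPolicy -Identity $attachPolicy
if (-not $sa.Enable -or $sa.Action -ne "DynamicDelivery") {
    Write-Warning "Safe Attachments policy '$attachPolicy' is not using Dynamic Delivery; correcting"
    Set-SafeAttachmentPolicy -Identity $attachPolicy -Enable $true -Action DynamicDelivery
}

# --- Safe Links: linked downloadable content must be scanned by Safe Attachments ---
$sl = Get-SafeLinksPolicy -Identity $linksPolicy
if (-not $sl.ScanUrls) {
    Write-Warning "Safe Links policy '$linksPolicy' does not scan URLs; correcting"
    # DeliverMessageAfterScan holds the message until URL scanning completes
    Set-SafeLinksPolicy -Identity $linksPolicy -ScanUrls $true -DeliverMessageAfterScan $true
}

# --- Evidence snapshot for the CM policy / CMMC assessment ---
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action |
    Export-Csv -Path .\safe-attachments-evidence.csv -NoTypeInformation
Get-SafeLinksPolicy | Select-Object Name, ScanUrls, DeliverMessageAfterScan |
    Export-Csv -Path .\safe-links-evidence.csv -NoTypeInformation
```

Policies only take effect for recipients matched by a Safe Attachments or Safe Links rule, so confirm the rule scope covers every mailbox that handles CUI.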

Other email services provide sandboxing as well.  For example, this feature is available with G Suite Enterprise and G Suite Enterprise for Education.  If you are not sure, contact your email provider.

Password Security Question Recommendations

Can the answers to your security questions be found on your Facebook account or other social media accounts?  Questions like: what city did you grow up in?  What is your dog’s name?  What is your favorite book?  What was your first job?  What is your mother’s maiden name?

It is risky to post this information on social media because of security questions.  Security questions exist on pretty much every website that requires a username and password.  For instance, does a form like this look familiar?  It first asks you to enter your birthday, then it asks for your security questions, such as those just mentioned.

These are things that friends know, that family members know, and that anyone who is a social media connection can likely find out.  Typically, users are very honest when it comes to security questions.  Whenever a site asks for their pet’s name, they enter their pet’s name.  Malicious parties can use your social media account to find the answers to these questions, which then allows them to reset your password.

This is especially a concern when people’s Facebook, Twitter or other accounts are public.  Anyone can search the Internet, find your account, and then view the information on that account.  The best practice is not to be honest when filling out these questions.  Just treat the security questions as another password field.  If it asks you for your pet’s name, enter something completely unrelated.  If it asks for your mother’s maiden name, do the same thing: enter something completely unrelated.

Now you do not have the security concern of handing strangers the answers to these questions.  Also check out our best practices for creating passwords.

Let me know if you agree with this recommendation.

Zoom enacts security and privacy control to prevent Zoombombing

In our recent article, “What is Zoombombing and how to defend against it” we explained Zoombombing is when an unauthorized person or stranger joins a Zoom meeting/chat session and causes disorder by saying offensive things and even photobombing your meeting by sharing pornographic and hate images.

This has been occurring because most Zoom meetings have a public link that allows anyone who clicks it to join the meeting, even though they are not an invited participant.  Zoombombers have been collecting these links, sharing them in private chat groups, and conducting disruptions.

Fortunately, on April 5th, Zoom turned on the passwords and waiting room features for meetings by default aimed at users of their free version and those with a single license version to help prevent “Zoombombing”.

These changes came right on time, as Trent Lo, a cybersecurity researcher and a member of the Kansas City-based security meetup group SecKC, developed a program that can automatically scan for Zoom meeting IDs on the Internet.  The program, titled “zWarDial”, is able to identify approximately 100 Zoom meeting IDs in an hour and collect nearly 2,400 Zoom meeting IDs in a single day.

Another added benefit of the April 5th change is that previously scheduled Zoom meetings will also have Zoom passwords automatically enabled.  Some experts have gone as far as to categorize Zoom as malicious software, or malware, as described in a recent article by The Guardian titled “‘Zoom is malware’: why experts worry about the video conferencing platform”.  I personally would not go that far and describe it as malware, but I do fault Zoom for not following adequate SecSDLC procedures.  In addition, as in many applications, there are always deficiencies and bugs that will need to be remediated.

Hopefully these changes will provide the privacy protection needed to keep our events private and safe.

Please share your thoughts below.

WordPress 5.4 “Adderley” Released

WordPress 5.4 “Adderley” was released to the public on March 31, 2020.  See the WordPress 5.4 announcement blog post for more information on this release.

For version 5.4, the database version (db_version in wp_options) was updated to 47018, and the Trac revision was 47541.

You can find the full list of tickets included in 5.4 on Trac.

The WordPress 5.4 Field Guide has pertinent, in-depth information on the major technical changes for this release.

What is Zoombombing and how to defend against it

Before I define Zoombombing, let me explain what Zoom is.  Zoom is a very popular video conferencing service with a free option that allows many users to hold meetings and chat sessions with each other.  Its use has been on the rise as more people rely on it to stay in touch during the coronavirus restrictions.

Zoombombing is when an unauthorized person or stranger joins a Zoom meeting/chat session and causes disorder by saying offensive things and even photobombing your meeting by sharing pornographic and hate images.  Imagine your young kids participating in an online school meeting that is suddenly interrupted in that manner.  Unfortunately, it has happened numerous times.

Most Zoom meetings have a public link that allows anyone who clicks it to join.  Malicious individuals, or Zoombombers, have been collecting these links and sharing them in private chat groups, then signing on to other people’s conferences to cause disruption.

On Monday the FBI warned users of a nationwide rise in this issue as more people have turned to the Zoom video-teleconferencing service.  Zoom, the company, encouraged users hosting public group meetings to review their settings for safety and to report incidents to its support team so it could “take appropriate action.”

When using Zoom for online classrooms, meetings or events, the host is advised to make meetings private and require a password, or to use the waiting room feature to control the admittance of additional people.  The links to a teleconference or classroom should be sent directly to the individual participants and never be made publicly available in a social media post.  Finally, those managing a conference in Zoom should change the screen sharing option to “Host-Only.”

Experts in the field of information security and privacy have provided numerous suggestions for hosting a Zoom event.  Compiled below is a list of recommendations.  I have included implementation steps for a few of these security and privacy features.  For items not covered in this post, please check the Zoom web page for additional instructions.

Zoom Safety Checklist

Before Meeting:

  • Disable autosaving chats
  • Disable file transfer
  • Disable screen sharing for non-hosts
  • Disable remote control
  • Disable annotations
  • Use per-meeting ID, not personal ID
  • Disable “Join Before Host”
  • Enable “Waiting Room”

During Meeting:

  • Assign at least two co-hosts
  • Mute all participants
  • Lock the meeting, if all attendees are present

If you are Zoombombed:

  • Remove problematic users and disable their ability to rejoin when asked
  • Lock the meeting to prevent additional Zoombombers

If you schedule a meeting from the web interface, you will not see the option to disable screen sharing. Instead:

  • Click on “Settings” in the left-hand menu
  • Scroll down to “Screen sharing” and under “Who can share?” click “Host-Only”
  • Click on “Save”

On the Zoom Settings page, turn off participant controls:

  1. Sign in to Zoom
  2. Click on the Settings link on the upper right (it looks like a gear).
  3. On the right side of the page, turn off: Autosaving chats, file transfer, screen sharing, and remote control.

Assign a Co-Host

For larger meetings, identify a co-host or two ahead of time whose role is to be a virtual room monitor and manage order during the meeting by managing the participants. Co-hosts are assigned during a meeting and cannot start a meeting.

  1. Sign into Zoom.us.
  2. Click on the Settings link on the left of the screen.
  3. Scroll down to the Co-host option on the Meeting tab and verify that the setting is enabled.
  4. Turn on Co-Host. If a verification dialog displays, choose Turn On to verify the change.

Prevent Screen Sharing by non-hosts

To prevent participants from screen sharing during a call, use the host controls at the bottom of the window, click the arrow next to Share Screen and then choose Advanced Sharing Options.

  • Under “Who can share?” choose “Only Host” and close the window. You can also lock the Screen Share by default for all of your meetings in your web settings.

Enable the Waiting Room

Before you start your meeting, enable the Waiting Room for your meeting. You and your co-host will then play an active role in choosing who to allow into the room through the participants’ list.

Meeting hosts can customize Waiting Room settings for additional control, and can even personalize the message that people see when they enter the Waiting Room so they know they’re in the right spot. This is a great way to post rules and guidelines for your event, like your screen-sharing or muting policy.

Locking the Meeting to Prevent Re-Joining of Removed Participants

During the meeting, a host or co-host can use the More control at the bottom of the Participants list.

  1. When viewing the Participants List, click Lock Meeting (under More) to prevent other participants from joining the meeting in progress.

Muting All Participants

During the meeting, a host or co-host can click on the More and Mute All Controls at the bottom of the Participants list.

  1. On the Participants List, click Mute All to mute all meeting attendees.

I hope this information was helpful. More importantly, I hope it lets you know that you do not have to sit back and be a victim, and that you have options that can protect your events.  Please share this information with your peers and colleagues.

Good luck and be safe during these trying times…

The CMMC Accreditation Body signs MOU with the U.S. Department of Defense

The CMMC-AB is pleased to announce that it has signed the Memorandum of Understanding (MOU) with the Department of Defense.  We are working to make additional information available to the public in conjunction with our DoD partners, who are necessarily focused on the COVID-19 public crisis.

The CMMC-AB continues its collaboration with DoD and industry across multiple lines of effort related to implementing CMMC in support of current milestones.

We are grateful for the opportunity to establish and implement CMMC assessment, certification, training, and accreditation processes to help the Department achieve the goals of improving cybersecurity in the Defense Supply Chain.

-The Cybersecurity Maturity Model Certification Body