Protecting CUI and the DoD Supply Chain - Security Boulevard


Posted: 23 Feb 2021 02:05 PM PST

Interview with CMMC-AB Standards Chair
Regan Edens – Part 2

Part 1 of our interview with Regan Edens looked into steps to simplify and enable DFARS compliance.
 
Part 2 looks at how contractors are managing their encryption mandate, and at steps they can take to better secure their supply chain.
 

 
PreVeil: In the companies you're looking at, how are they handling encryption and how far off are they from where they need to be?
 
Regan Edens: According to CMMC, FIPS 140-2 validated algorithms are required when CUI has to be encrypted. That was inherited from NIST 800-171. However, most defense contractors we speak with don't even understand the FIPS 140-2 standard, or where they need to be. They don't realize the requirements for FIPS 140-2 encryption for data in transit and at rest.
 
One point around which there's a lot of confusion is that every place in NIST where CUI is required to be encrypted requires FIPS 140-2, but where encryption can be used to protect CUI but is not required, FIPS 140-2 is not required either.
 

When is FIPS 140-2 encryption required?

When is FIPS 140-2 required?
 
FIPS 140-2 validated encryption must be used wherever NIST 800-171R2 requires it inside the assessment boundary of the Covered Contractor Information System: CUI must be encrypted in transit on all devices, and at rest on mobile devices.
 
When is FIPS 140-2 not required?
 
CUI may be stored at rest, unencrypted, on any non-mobile device or in a data center, as long as it is protected by other approved logical or physical methods. For CUI at rest on non-mobile devices, encryption is an option rather than a requirement; NIST 800-171 notes that "organizations may employ different mechanisms to achieve confidentiality protection, including the use of cryptographic mechanisms and file share scanning." One caveat for practitioners: requirement 3.13.11 reads "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI," so where an organization does choose encryption for CUI, the cryptographic module it relies on still has to be FIPS-validated.
 
What is the definition of a mobile device?
 
NIST defines mobile devices as devices such as smartphones, tablets and e-readers.
 
Note: If the device only has storage capability and is not capable of processing or transmitting/receiving information, then it is considered a portable storage device, not a mobile device.

 
So, when we ask what encryption they are using to protect CUI, most of them don't know the answer. The implications of this are particularly serious for email where often messages are going back and forth on Commercial O365. On Drive, they may have some sort of FTP process for accessing or retrieving emails but that's a really bulky process and doesn't fit well into a company's workflow.
 
I tell them that as an interim methodology, PreVeil can get them started as they move off of O365 Commercial and into an encrypted platform.

PreVeil: The recent SolarWinds attack highlights supply chain vulnerabilities. What has DTC been doing to focus on this challenge?

Regan Edens: The supply chain is an important challenge that DTC has been focused on as well. In order to protect the supply chain, you need to protect the Primes and their subcontractors. What I am trying to do is revolutionize the coalition of the willing and create an ecosystem approach. The next major defense program will be won by the organization that secures their supply chain.
 
This ecosystem approach means I look at large primes and take their suppliers and essentially simplify the technology offerings to a common set of tools and licensing. And then create a cafeteria-style menu where there are technologies for small, medium and large defense contractors.
 
Some will see Microsoft's GCC High as their solution but that's probably only a very small percentage due to price and budget constraints. Additionally, there are only a dozen or so Microsoft integrators and there's no possible way for them to service the whole DIB.
 
Most organizations don't understand what they are doing, and they need to make the process affordable, so a menu-type option is ideal. If an organization needs to make a quick and easy choice, then PreVeil is a good choice.
 
PreVeil: Well thank you for talking to us, Regan.
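The interview above makes the point that most contractors cannot say which encryption protects their CUI in transit. The script below is an added example written for this page by the editor; it is not code from PreVeil, CMMC-AB or DTC. It audits the cipher suites a Python `ssl` context is willing to negotiate, flags suites built on algorithms outside the FIPS 140-2 approved set (ChaCha20, RC4, MD5, DES/3DES, Camellia and similar), and builds a restricted TLS 1.2+ context next to the permissive default. The token lists, the function names and the cipher string are the editor's assumptions, chosen for illustration. Two caveats: matching algorithm names is not FIPS validation, which requires a validated module (for example OpenSSL's FIPS provider) running in FIPS mode; and Python's `set_ciphers()` only governs TLS 1.2 suites, so a ChaCha20 TLS 1.3 suite can still be offered, which the audit reports separately.

```python
import ssl

# Editor's simplified token lists (an assumption, not an authoritative NIST
# table): substrings of OpenSSL suite names that indicate an algorithm that is
# not FIPS 140-2 approved. "DES" also catches 3DES (DES-CBC3), which 140-2
# tolerated but which is deprecated, so it is rejected here too.
NON_APPROVED_TOKENS = ("CHACHA20", "RC4", "MD5", "CAMELLIA", "ARIA", "SEED",
                       "IDEA", "NULL", "ADH", "AECDH", "EXP", "DES")
# AES is the only approved bulk cipher current TLS stacks negotiate.
APPROVED_CIPHER_TOKENS = ("AES128", "AES256", "AES_128", "AES_256")


def is_fips_approved_suite(name: str) -> bool:
    """True when a cipher-suite name uses only FIPS-approved algorithms.

    Name matching only: this says nothing about whether the crypto module
    itself is FIPS 140-2 validated or running in FIPS mode.
    """
    upper = name.upper()
    if any(tok in upper for tok in NON_APPROVED_TOKENS):
        return False
    return any(tok in upper for tok in APPROVED_CIPHER_TOKENS)


def classify_suites(names):
    """Split suite names into (approved, rejected) lists, preserving order."""
    approved = [n for n in names if is_fips_approved_suite(n)]
    rejected = [n for n in names if not is_fips_approved_suite(n)]
    return approved, rejected


def suite_names(ctx: ssl.SSLContext):
    """Cipher-suite names the context will offer, in OpenSSL's order."""
    return [c["name"] for c in ctx.get_ciphers()]


def make_default_context() -> ssl.SSLContext:
    """What most code does: accept whatever the OpenSSL build enables."""
    return ssl.create_default_context()


def make_fips_friendly_context() -> ssl.SSLContext:
    """TLS 1.2+ with AES-GCM suites and (EC)DHE key exchange only.

    set_ciphers() governs TLS 1.2 suites; the ssl module has no call to
    restrict TLS 1.3 suites, so TLS_CHACHA20_POLY1305_SHA256 may still be
    offered. audit_context() makes that visible instead of hiding it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which offered suites violate a 'FIPS algorithms only' policy.

    OpenSSL names TLS 1.3 suites with a 'TLS_' prefix, which separates what
    set_ciphers() controls (TLS 1.2) from what it does not (TLS 1.3).
    """
    names = suite_names(ctx)
    tls12 = [n for n in names if not n.startswith("TLS_")]
    tls13 = [n for n in names if n.startswith("TLS_")]
    _, bad12 = classify_suites(tls12)
    _, bad13 = classify_suites(tls13)
    return {
        "tls12_total": len(tls12),
        "tls12_rejected": bad12,
        "tls13_rejected": bad13,
        "policy_ok": not bad12 and not bad13,
    }


if __name__ == "__main__":
    for label, ctx in (("default", make_default_context()),
                       ("fips-friendly", make_fips_friendly_context())):
        report = audit_context(ctx)
        print(f"{label}: {report['tls12_total']} TLS 1.2 suites offered; "
              f"rejected TLS 1.2: {report['tls12_rejected']}; "
              f"rejected TLS 1.3: {report['tls13_rejected']}; "
              f"policy_ok={report['policy_ok']}")
```

Run it against the interpreter that actually serves your application: the report for the default context shows what "we just use O365 / the defaults" means in concrete cipher suites, and the restricted context shows how far a cipher string alone gets you before the remaining gap (TLS 1.3 suites, and module validation) has to be closed at the OpenSSL or platform level.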
 

Learn more about how PreVeil protects the DoD supply chain. Download our whitepaper.

The post Protecting CUI and the DoD Supply Chain appeared first on PreVeil.

*** This is a Security Bloggers Network syndicated blog from Blog – PreVeil authored by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/protecting-cui-and-the-dod-supply-chain/

LastPass free tier is about to change: What to do and alternatives to consider - Gearbrain

Posted: 18 Feb 2021 08:27 AM PST

LastPass is a popular password managing application that works across smartphones, smartwatches and computers. But, from March 16, its free tier will become less useful for many customers.

As it currently stands, users of the free tier can access and edit their secure password collection on all of their devices, including phones, computers, watches and tablets. However, starting March 16 the free tier will restrict users so they can only access LastPass either from a computer or a mobile device — but not both.


If you log into LastPass on or after March 16 from your smartphone, then you will only get access to your passwords on that device going forward, as well as any other smartwatches and phones (iOS and Android). But you won't be able to access your passwords from a computer at that point. This means you can use LastPass on a personal iPhone and a work-issued Android, for example, and also from an Apple Watch, but not on a laptop or computer.

Alternatively, if you log into LastPass on or after March 16 on a computer, you won't be able to access LastPass on your phone or smartwatch. This means you can get to your passwords on all of your personal and work computers — and any computer you log into your LastPass account with – but not from any mobile device or wearable.

Users of the free tier will be able to switch between a mobile device and computer three times after March 16 — but after those three times are used, they'll be forced to stick with one access point, or the other.

To access passwords on every device, LastPass customers will need to sign up to the Premium tier, which is currently being offered at the reduced price of $27 per year. That works out at $2.25 per month, a savings of $11 a year on the normal price.

A useful tip for Mac and iPhone users

Before we look at alternatives, Apple's Universal Clipboard (part of its Handoff and Continuity features) offers a quick way to get a LastPass password onto a Mac once you have chosen mobile as your LastPass device type. Open the app on your iPhone, tap the password you want to use, then tap copy. On a Mac signed in to the same Apple ID, with Bluetooth and Wi-Fi on and Handoff enabled, you can paste that password wherever it is needed. Bear in mind that the password then sits on the clipboard of both devices, where any app can read it, until you copy something else over it.

What else does LastPass Premium include?

[Image: LastPass Premium costs $27 a year (LastPass)]

As well as granting access to your passwords from any device, the Premium tier includes 1GB of encrypted file storage to save files in the cloud. It also includes a feature called one-to-many sharing, where you can share a single saved password with select other people – handy for sharing passwords to online services, like streaming sites, that you share with your family.

Premium also includes access to the LastPass security dashboard, which acts as a place to store and change your passwords, as well as showing your security score and alerting you to any weak or vulnerable passwords. Additionally, dark web monitoring keeps an eye out and alerts you if any of your passwords are spotted in stolen data troves dumped onto the dark web.

Lastly, Premium has the option to grant someone emergency access to your passwords. That way, if you can't access LastPass for whatever reason and need a password in an emergency, a friend can log in to help you out.

Free alternatives to LastPass

If you don't want to pay for password storage and would rather move away from LastPass, there are plenty of alternatives to consider: options that, unlike LastPass, let you view your passwords from computers and mobile devices at the same time, without a fee.

First, web browsers like Chrome and Safari have integrated password management systems. These aren't as comprehensive as a dedicated app like LastPass, but have the convenience of serving up a password when it's needed as you browse the web, and offering to create secure new ones when needed. They also flag up any of your passwords that have been caught in a data breach and are now considered vulnerable.

Apple and Google also offer system-level password management on their respective iOS and Android mobile operating systems.

[Image: Bitwarden's free tier includes access across Mac, PC and mobile (Bitwarden)]

If you would rather use a dedicated password manager, Bitwarden is a good alternative to LastPass. Options are available for personal and business users, with the free personal account tier giving access to an unlimited number of passwords across multiple devices. Bitwarden can also create secure new passwords for you, and it is available on iOS, Android, Windows, Mac and Linux, plus via web browser plugins for Chrome, Firefox, Opera and Microsoft Edge.

Bitwarden also offers a $10-a-year Premium option that adds 1GB of encrypted file storage and extra two-step login methods, such as hardware security keys, on top of the authenticator-app two-step login already included in the free tier.

[Image: Myki stores passwords on your devices instead of in the cloud (Myki)]

A lot of password managers work in a very similar way to LastPass, but Myki is different because it doesn't store your passwords online. In theory, this should help protect you from hackers, as there is no online database full of passwords with a big target on its back. Instead, passwords are stored inside the Myki smartphone app and can be synchronized directly between devices running the app. The trade-off is that there is no vendor-held copy to fall back on, so a second synchronized device or a backup is your only protection against losing the phone.

The free Myki app is available for Windows, Mac, Linux, iOS and Android, and there are browser extensions for Chrome, Firefox, Safari, Opera and Microsoft Edge. The apps can be secured with a PIN or passcode, or by using biometric security like a fingerprint or face scan.

Myki also offers paid-for enterprise options, starting at just under $50 per user annually.

[Image: NordPass allows the storage of notes and credit cards as well as passwords (NordPass)]

NordPass is a password manager that offers a free tier for saving an unlimited number of passwords and keeping them in sync across all of your devices. You can also use NordPass to store notes and credit card details online.

The only real negative of the free tier is how only one device can be logged into NordPass at a time. So, while you can access your passwords from any device you own, you can only view passwords and other saved information on one device at a time.

Whichever service you choose, we strongly advise readers to up their password game and start using a password manager – just look at our data breach tracker, updated every week, to see how common the theft of usernames, passwords and other personal details can be. With a password manager, you are taking the first steps to keeping yourself and your identity protected online.
