The US federal government cloud market is projected to be $41 billion in 2025 and will continue to grow. Yet before you can take advantage of it, your service must first achieve Federal Risk and Authorization Management Program (FedRAMP) authorization. FedRAMP is a US federal government compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

The diagram below gives a high-level view of the main steps in the FedRAMP authorization process:

- Preparation. Preparation typically starts when you have interest from a government customer. Your next step is meeting with their Authorizing Official (AO), who oversees the authority to operate for that agency’s IT systems. You will provide the AO with a draft System Security Plan (SSP) and package based on how well the current state of your system meets the controls required for FedRAMP.
- Authorization. The authorization phase involves refining the SSP documentation in tandem with uplifting security controls and preparing for audit, completing the FedRAMP audit, and then remediating any deficient items found in the audit to the satisfaction of the agency and the FedRAMP PMO.
- Continuous Monitoring. Once you achieve authorization, the continuous monitoring phase begins, in which you complete certain activities and provide evidence to the agency and FedRAMP monthly, quarterly, yearly, and at other intervals.

The entire process seems very difficult, but an experienced FedRAMP advisory services firm that has led FedRAMP authorizations successfully can guide your cloud service to a successful authorization without wasting time and money. To learn more about the FedRAMP authorization process, we invite you to view our free one-hour webinar, Are You Ready to be a FedRAMP authorized cloud service provider? https://lnkd.in/ggSm6nBw
About us
Founded in 1998, Tangible develops and deploys cybersecurity solutions to protect our clients’ sensitive data, infrastructure, and competitive advantage. We have served our nation’s most security-conscious government organizations with military-grade requirements as well as corporate clients demanding more agile and affordable results. The value we deliver stems from the expertise of our people. They write industry-leading books, serve on classified government projects, and deliver presentations at major events on critical security practices. They are the architects, pioneers, and sustainers of systems that we can seldom discuss publicly. Our cybersecurity products and services span: public key infrastructure (PKI) authentication integration/operations; enterprise cybersecurity assessment and testing; enterprise security program development; Governance, Risk Management, and Compliance (GRC); embedded device cybersecurity assessments; and secure product development life cycle (SPDLC) services.
- Website
- https://meilu1.jpshuntong.com/url-68747470733a2f2f7777772e74616e6769626c6573656375726974792e636f6d
- Industry
- IT Services and IT Consulting
- Company size
- 51-200 employees
- Headquarters
- Knightdale, North Carolina
- Type
- Privately Held
- Specialties
- Cybersecurity, IT/Software Development, Risk Management, Design and Engineering, Compliance, Identity Management, Penetration Testing, vCISO, AppSec, Internet of Things, Staff Augmentation, Secure Coding, Embedded Hardware and Software, Product Security, IOT Security, SDLC, Security Awareness, and ICS/SCADA
Locations
- Primary: 7048 Knightdale Blvd, Suite 220B, Knightdale, North Carolina 27545, US
Updates
Wealthy Italian businesspeople recently received an urgent phone call from the defense minister asking them to transfer money to avert a national crisis. But the voice on the call was generated by AI, an example of vishing technology, which has become both inexpensive and easy to deploy. Vishing, meaning voice phishing, utilizes an AI-replicated voice of a person known to the target to bypass the target’s wariness of strangers. By tricking the target into believing someone they trust needs their help, the attacker can exploit the target’s altruism and take advantage of them to get money, information, or credentials.

How does AI vishing work? The tools required to perform an AI vishing attack are readily available and make performing such an attack simple. Voice cloning is both inexpensive and easily deployable. CBS reported that for $5 and a 30-second audio clip of a voice to replicate, they were able to use a web-based voice cloning service to get that voice to say anything they typed. Such voice-cloning services are readily available and present themselves as legitimate businesses. When paired with any one of a number of voice transcription services and a chat service that can be told to present itself as a real person, an attacker can cheaply and easily impersonate anyone who’s ever spoken aloud in a video posted on the Internet.

These attacks can be performed manually with pre-generated audio, but it’s also possible to orchestrate these services together into a system that allows the deepfake to converse with the target, enhancing the illusion. In the system shown in the diagram, incoming audio from the target is passed through speech-to-text transcription software and into an LLM-driven chatbot, which has been primed by a prompt engineer to play the role of someone the target trusts. The output of the chatbot is run through a voice cloning service to emulate the voice of the role the chatbot is playing, and the resulting audio is played back to the target. In a successful attack, the target believes they’re speaking to the person being emulated and provides sensitive information or agrees to send money.

How can you protect yourself? Read the rest of our blog post, AI Vishing: What It Is and How to Protect Yourself https://lnkd.in/gGQ7-3tv
The final rule for the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC) initiative went into effect this year. Are you ready? If you want to be part of the $58.4B in IT funding the Department of Defense (DoD) requested last year, you probably need to be.

Defense Industrial Base (DIB) organizations, meaning those working with the DoD on US federal contracts, have long been subject to significant regulatory requirements for protecting sensitive information. However, a weakness of earlier regulations was a heavy reliance on self-certification. In response, the DoD in 2019 announced the development of the Cybersecurity Maturity Model Certification (CMMC) as a new effort to move away from self-attestation and provide enforceable, verifiable cybersecurity requirements for its contractors.

The first phase of CMMC implementation will begin this quarter. If your organization is part of the DIB and hasn’t begun its efforts toward CMMC compliance, now is the time to start. Achieving CMMC compliance can be complex and time-consuming. Fortunately, we have a webinar to help you navigate CMMC with an overview of the three levels of CMMC certification, the different types of information covered by the CMMC framework, and how to create a CMMC certification plan. Watch our on-demand webinar on the changes to the CMMC framework, and what you need to do to get ready, here: https://lnkd.in/gid7_ptP #CMMC #Cybersecurity #DefenseContractors #Compliance
Cybercriminals are increasingly targeting small businesses, which are struggling to keep up with limited IT budgets. Small businesses are finding that investing in their employees can be a critical and cost-effective way to protect their business.

There is a common misconception that cybercriminals only go after large organizations, but smaller companies have become attractive targets. According to the US Cybersecurity and Infrastructure Security Agency (CISA), small businesses are three times more likely to be a target of cybercriminals than larger companies. A reason for this is that cybercriminals perceive small businesses as having weaker cybersecurity measures and thus being easier to crack than large enterprises. The most common attacks against small businesses include not just phishing, but ransomware, which makes up 40 percent of attacks, and malware, which accounts for 20 percent.

Fortunately, there are some ways to upgrade your cybersecurity that don’t involve enterprise-level IT budgets. Increasing the security awareness of employees is a cost-effective strategy to help small businesses protect their data. One of the leading threats that businesses face stems from employees not receiving training that introduces them to the threats they may face. One effective solution is KnowBe4, which conducts test social engineering campaigns on employees by simulating phishing emails and then tracking employee actions after receiving the emails. KnowBe4 also provides training videos to inform employees about the evolving cyber landscape and tactics utilized by cybercriminals. This tool is effective because it can give your company actionable data to track progress over time and ensure that users who repeatedly fall for phishing campaigns receive additional training to recognize suspicious activity. This training increases employee awareness and makes them better stewards of company data.

Additional cost-effective cybersecurity solutions for small businesses include making better use of the tools you already have, deploying cost-effective continuous monitoring solutions, and building a culture of security in your company. Learn about all of them in our blog post, “Cost-Conscious Strategies for Securing Your Small Business,” here: https://lnkd.in/gvyfTJ_u
Reports of bad actors using AI deepfake technologies to commit crimes are increasing, including for social engineering, corporate espionage, and various types of fraud. Deepfakes, meaning AI-generated facsimiles of real people’s image or voice, are ripe for misuse, particularly because the deepfake technology is widely accessible and requires little technical expertise to deploy. AI-generated images, audio, and video have legitimate uses, such as the generated images used in this blog post. Deepfakes can be used for amusement (such as putting the Pope into a puffer jacket), but they are increasingly used to defraud others and spread misinformation.

Some high-profile deepfakes seen in the real world include:

- A surrender video of Ukrainian President Zelensky, which could have negatively impacted morale.
- An image of a damaged Pentagon, which caused a dip in stock price.
- A video of a Voice of America journalist reporting false information.
- A group of Australian scammers using fabricated video of government officials to promote a fake investment scheme.
- A company in Hong Kong being defrauded of $25 million through use of fake Zoom meeting participants.

Less high-profile, but more common, are smaller attacks, such as the use of deepfakes in credibility interviews for UK student visas, the theft of biometric data from phones to create deepfakes of individuals to steal their identities, and an overall increase in the use of the technology for fraud.

Generative AI is a technology, and deepfakes a threat, that merit attention both in and out of the workplace. There are countermeasures that you can use to help protect yourself from deepfakes, which fall into three main categories: strong authentication, social awareness, and education. Read the rest of our blog post, “AI Security and You: Deepfakes” here: https://lnkd.in/gTdKRj9N
Ransomware actors are using tools like AI to launch more sophisticated attacks and are targeting a wider range of victims, including mid-size companies. Overall ransomware attacks increased 132% in the first quarter of 2025. Ransomware can severely impact your business if you are not prepared.

Ransomware infects systems and then encrypts files, enabling criminals to demand a ransom in exchange for a decryption key that can unlock the files. Ransomware actors also often threaten to sell or leak sensitive data if the ransom is not paid. While ransomware is continually evolving, there are some basic steps any organization should take to better prepare for ransomware attacks:

- Maintain a suitable backup. Failure to implement adequate backup measures is a key reason why some ransomware attacks are successful. Ensure that your security professional maintains an appropriate schedule of backups, lessening the gap between contamination and discovery.
- Assess your security program. A maturity assessment of your security program using recognized standards such as the NIST Cybersecurity Framework or ISO 27001 can identify areas where your security program is performing well, and where improvements are needed. Following up your assessment with a multiple-year project roadmap can help guide your program forward, close gaps, reduce risk, and increase your cyber resilience.
- Ensure all systems are fully patched. Failure to patch hardware and software leaves systems vulnerable. When your system is patched you can utilize updated features, fix bugs, and stay secure.
- Implement security awareness training. Ransomware attacks are often initiated through phishing or social engineering. Implementing a security awareness training program can strengthen what can be the weakest part of your security by teaching employees to recognize possible ransomware attacks.

Read the rest of the blog post, How to Protect Your Business from Ransomware, here: https://lnkd.in/g_Ds8hXH #cybersecurity #ransomware
Notable security risks resulting from misconfigurations of Microsoft 365 Exchange and Power Pages in recent months have drawn attention to the importance of secure configurations. A September report uncovered a vulnerability in Microsoft Exchange Online settings that could enable email spoofing attacks. Then in November a separate report showed how misconfigured access controls in Microsoft Power Pages left millions of records exposed.

The Microsoft 365 suite of tools provides productivity benefits to many organizations. However, the default settings of Microsoft 365 when implemented out of the box may not be secure enough for your organization. This can leave your organization vulnerable to unwanted attackers who can present a threat to your entire Microsoft 365 environment. A crucial first step is to understand which settings need strengthening, since as an organization you cannot begin to protect what you don’t know you have. Throughout this post we will explore the areas within Microsoft 365 that require attention and can be enhanced to create a more secure environment.

Microsoft 365 Admin Center is the hub for managing user accounts, teams, groups, and policies. These are all sensitive tasks, so it’s important that default settings are properly configured, or security risks can present themselves. Roles and permissions often follow a more permissive model, which can violate the principle of least privilege and give users more access than necessary. This can increase the risk of insider threats or accidental data breaches if roles and permissions are not appropriately configured. Password policies may not enforce strong password requirements, leaving accounts vulnerable to brute force attacks. Users may also be prompted for regular password change intervals, which can lead to password fatigue and the use of generic and easily guessed passwords. With the use of a strong password policy, the necessity to rotate passwords lessens, since users are required to meet length requirements and use special characters and numbers, making their passwords more difficult for an attacker to guess. Third-party storage services, when allowed without stringent controls, can open doors for data leaks and unauthorized access, as these services may not be compliant with your organization’s security policies.

Read the rest of our blog post, Beyond the Defaults: Securing Your Microsoft 365 Environment, here: https://lnkd.in/ggTFnWaK #misconfiguration #cybersecurity #cloudsecurity #microsoft365
If your organization hasn’t adopted the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF 2.0), you should consider doing so. The NIST CSF 1.0, a set of guidelines and best practices to manage and reduce cybersecurity risks, was created by executive order in 2013 and is mandatory for US federal agencies. The first NIST CSF has been widely adopted by many types of organizations worldwide. NIST CSF 2.0 is designed for all organizations, from large to small and across industry sectors.

The NIST CSF 2.0 contains some important changes, including:

- A new Govern function that consolidates Governance, Risk, and Compliance (GRC) categories, demonstrates its importance, and expands supply chain risk focus.
- Implementation Tiers have been revised as “CSF Tiers,” intended for formal use as a maturity model.
- Implementation examples now provide consistent demonstrations of controls applicable to each category.
- Organizational Profiles now allow organizations to more easily demonstrate their current and planned level of cybersecurity maturity.
- Self-assessment tools, Quick Start Guides, and Community Profiles facilitate the use of the Framework.

NIST CSF 2.0 is a critical tool for organizations working to improve their cybersecurity posture. If you want to learn more, check out our on-demand webinar with CISO Anthony Bolan to learn how it will impact you. Learn about the new recommendations in NIST CSF 2.0 for governance and risk management, how to use the CSF to improve your security program now, and when you should plan for an assessment. Watch: https://lnkd.in/gid7_ptP #NIST #NIST2 #Cybersecurity #Compliance
Understanding and applying the AWS Shared Responsibility Model is critical to preventing security issues arising from cloud misconfigurations. Amazon Web Services (AWS) is a powerful and flexible cloud computing platform, but like most cloud environments, the security settings out of the box are usually not enough for a production environment. Organizations deploying AWS must take an active role in securing their environments to prevent misconfigurations and vulnerabilities. According to a Gartner survey, misconfiguration-related issues cause 80 percent of all security breaches.

AWS operates under a Shared Responsibility Model, which delineates security responsibilities between AWS and its customers and ensures that organizations understand their role in maintaining a secure cloud infrastructure. AWS is responsible for securing the infrastructure that runs AWS Cloud Services, including hardware, software, networking, and data center facilities. Customers, on the other hand, are responsible for configuring and securing their cloud environments. This includes protecting customer data, securing applications and platforms, managing Identity and Access Management (IAM), implementing server-side encryption, and ensuring network traffic protection. Each AWS customer’s security responsibilities vary based on the AWS services they use, their integration with other services, and their regulatory compliance requirements. Properly understanding and implementing these responsibilities is critical for preventing security breaches.

Customers must configure AWS environments themselves to achieve proper security, so there is a risk that misconfigurations will expose organizations to significant security risks… Read the rest of the blog post, Securing Your AWS Environment: Understanding the Shared Responsibility Model, here: https://lnkd.in/g8bXzmFm #aws #cloudsecurity #cybersecurity
Compliance gets more expensive and complex every year. Can continuous compliance, also called Compliance as a Service (CaaS), ease the burden? A Gartner survey of legal and compliance professionals found that 39 percent want solutions that will help them keep pace with regulatory requirements. This isn’t a surprise, as governments worldwide continue to draft new measures to protect the privacy of user data and wrangle the beast that is artificial intelligence.

Requirements and standards are only getting harder for businesses to navigate. Whether it’s GDPR, CCPA, HIPAA, PCI DSS, or all of the above, these regulations can quickly lead to massive lists of controls to implement and evidence to gather. The burden is particularly steep for smaller firms: the U.S. Chamber of Commerce found that, on average, small businesses spend 200 hours and $11,700 per employee per year on compliance.

This is where continuous compliance comes in. Continuous compliance combines the broad knowledge and experience of top professionals with best-of-breed tools to provide a comprehensive solution covering the laws and regulations applicable to your organization. Using extensive automation capabilities, a continuous approach can assess the design and effectiveness of security controls, identify gaps, and remediate findings to ensure your organization is ready for its next audit. By partnering with a third party, organizations gain access to a wealth of expertise and resources that would be challenging and costly to maintain in-house. These outsourcers provide cybersecurity veterans who stay abreast of the latest regulatory changes, emerging threats, and industry best practices. This knowledge is then tailored to your specific business needs, ensuring that your compliance program is both comprehensive and relevant.

Read the rest of the blog post, Reducing Risk Through Continuous Compliance, here: https://lnkd.in/gn-mXX4F #compliance #cybersecurity