Welcome back to part three of “What You Need to Know About CMMC”. I’m Bob Hanley from Sabre Systems. Today we will continue our discussion on CMMC domains. We have completed two already – during this series we’re going to go through each of the 17 domains. If you remember, we discussed configuration management last week, or CM. Today, we’re going to discuss identification and authentication domain, or better known as IA. Remember, CMMC is about protecting controlled unclassified information, commonly referred to as CUI. Historically, that includes lim-dis or limited distribution, or FOUO (For Official Use Only).

So, as a reminder, CMMC has five levels of maturity, with five being the most stringent. Contractors, as well as subcontractors, will all need to have a minimum of level one to compete on contracts. However, prime contractors will need to obtain a minimum of level three or higher. Today, under IA, we have three levels of requirements – at level one, two and three, but IA does not have level four and level five requirements. So, level one remember, is about performing. Level two is about documenting and level three is about managing practices. So, it gets more costly to comply as you go from level one to two, three, four and five. You perform practices at level one, but you are not assessed for process maturity at level one so that’s important to remember and that’s why the costs go up as you go higher because there are more expectations for the contractor or the subcontractors.

So today the key focus of IA is to grant access to authenticated entities, pretty simple and straightforward, but we’ll see how this progresses as we go through each of the levels. So, level one for IA – level one has two practices or controls. The first one is about how you identify information system users and their access processes acting on behalf of users or devices. So, what do I mean when I say access? Access is granted to organizational information systems defined as either a local or network access. So, you may require unique identification for individuals in group accounts, commonly referred to as shared privileged accounts, or for detailed accountability of an individual user. Now, when you set up your system, you want to make sure that your team has access to the information they need to do their jobs. So, if you remember the last two vlogs that we did, we talked about some of the least privilege and things like that – so as you look at the 17 domains, there is a lot of interconnectivity between those and we’ll talk about that more on the subsequent discussion item here coming up.

So, you will need to have typical solutions that include employing passwords, tokens, sometimes biometrics to authenticate user identities or multi-factor authentication or some combination thereof Login security is a good way of making sure that the user gains the appropriate access to the information that they’re allowed to have access to. So, what we’re talking about today is, is not unique and it’s not unique to just conventional IT, or information technology. So, even tactical aircraft today used within the DoD – Army, Navy and Air Force used some sort of login credential for pilots, maintainers, etc. when they work on or operate these aircraft. And there’s even been talk about using biometrics or tokens in some of these aircraft to provide a further level of security, uh for the systems.

So, the second practice at level one is about authenticating, or verifying, the identities of those users or processes or devices as a prerequisite to allowing access to an organizational information system –basically your network. This domain directly relates to access control, which we’re going to talk about in a future vlog. So, how do you do this? Well, there’s a lot of devices used by organizations. If you look across your organization, you’ve got laptops and servers and smartphones and smart TVs and wireless security systems and wireless cameras, etc. So, both AC and IA employee controls, such as least privilege, that allow only authorized access for users, which are necessary to accomplish assigned tasks in accordance with your mission and your business functions. It doesn’t matter if your government, industry, etc. – same basic principles apply.

So, one thing you can do now is to establish password rules. Not a big surprise, right? Everybody deals with passwords every single day in their lives, uh so, we’re all used to using that, but we’re all also used to, in our personal lives, sometimes trying to use the easy-to-remember type password – never a good thing, even in your personal life, but definitely not in the business environment either. Everyone should use a combination of different types of characters for all new or changed passwords. You should have a minimum number of characters for each of the passwords. Definitely not one, obviously, and nobody should have a single letter, or number, or special character password. Characters include numbers, lowercase, uppercase, symbols, etc. These rules help to create hard-to-guess passwords, which help to secure your network.

So, how many of us here listening to this, including me, have defaulted to family names, or pet names, or streets that you live on, etc.? You know, we all try to do that, but that is not really good cyber hygiene or cyber practice and we should all steer away from that. However, not surprisingly, would you be able to guess what the most popular passwords used in 2020 are? Well I can tell you, not that I know this off the top of my head, I’ve, I’ve looked it up myself, but the most popular passwords currently being used in 2020 are “123456”; for more complicated ones, “123456789”, because nobody would guess to add on those additional three numbers; “qwerty”, “q-w-e-r-t-y” from your keyboard; and simply, “password”. Don’t allow your people to default to any of these easy-to-guess passwords and discourage them from using any type of family name, street name, things that people could get off of social media.

Okay, let’s move on to level two. So, level two has five practices and we’re going to take a look at each of them. The first one is to enforce a minimum password complexity and change of characters when new passwords are created. So, you’ve set up a policy under level one, now you need to enforce it, but how far do you go? So, the best password protection requires no dictionary words, requires random numbers, random letters, caps, small letters, special characters. Very few of us listening to this probably follow that in our own, personal lives, but we should. But, definitely in a business environment, DoD environment, federal government environment – we should adhere to this.

So, there are some password systems that are set up that if you type in a name or word that’s actually in the dictionary it will kick it back and not allow you to use that. So, that’s a good practice, you know? And you can consider using that in your particular work environment. Most companies don’t like to do that – a little too hard, a little too complicated – but consider it anyway. Don’t fall into the trap, though, of creating easy to remember passwords. That is definitely something you do not want to do and again because many hackers can go on to social media, possibly your Facebook page if it’s open, and just look at you and based on what they see on social media, they can probably figure out what your most likely password is going to be.

So, another thing to consider is almost everyone has had email and or passwords compromised and sold or available on the dark web. You may not realize it, but it has been. So, take that seriously. We find your compromise cap, we Sabre, find your compromise passwords on the dark web when we’re doing phishing exercises for companies. So, we go on to the dark web and we will look at individuals within companies and we can find people who’ve actually had their passwords compromised and we will target them in phishing expeditions. So, this can happen to you. And, in fact, hackers use that as a common phishing scam for ransomware.

So, about a year/two years ago, a very large-scale hacking/phishing scam went out on using ransomware, where hackers came in and said “Hey, Bob Hanley here’s a password you use”, and they would put up a password that actually I had used in years ago, “and we are going to take over control of your cell phone laptop, etc. unless you pay 970 dollars via bitcoin to this ransomware site”. True story, really happened to people and, in fact, in the case where it actually did get an email that I got, it did actually have a password that I’d used previously that somehow got compromised, it was on the dark web. Know that that’s out there, know that you could be a victim – change your passwords, make it hard for hackers to be able to take control of your life.

So, second practice at level two is to prohibit password reuse for a specified number of generations, as CMMC would call it, or resets, as most people would commonly refer to it. So, this is the most common problem with people and passwords. Again, how many of you use family names, pet names, “123456”, “password1234”, your birthday, etc. as your password? Almost everyone tries to create an easy-to-remember password and when they change them sometimes, they’ll just make a very simple change. So, instead of being like “123456”, they’ll make it “123457”, like nobody would think you would ever increment that. Again, don’t do those kinds of things, protect yourself, require real password changes that can really protect the intellectual property your company, your business, etc.

So, third, you want to allow temporary passwords for system logons, uh, with an immediate change to a permanent password. So, you bring on a new employee, you have a temporary password – all of us, at one time or another, have been issued a temporary password – signing into a new app, signing into, uh, Avis rental car, something like that, you get a temporary password then you immediately have to change it. So, you should have this employed in your business, your organization, etc. So, new employees frequently get issued that “temp” password and then you recreate a new one, but for many companies they will let you use the temporary password for an extended period of time until your company rolls a “cycle change” on your password, typically four to six weeks. You shouldn’t do that. Make an immediate change for that temporary password the first time they log in. And remember when you purchase IT: laptops, wi-fi, etc., temporary passwords are also included there – change those as soon as you, uh, log into them or use them for the first time.

So, did you know as an example, that many “out-of-the-box” router, like Netgear, come with a default password and every model of Netgear has the same default password? So, there could be 10,000 of these routers out there all using the same default password. Make sure you go and change those router passwords and all those other IT as well, because somebody (hacker) could come by your house looking for a Netgear router of a particular model, knows what the default password is, is able to access your house with the default password and make compromises. Same thing could happen in a business as well.

So, fourth, you want to be able to store and transfer/transmit only cryptographically protected graph passwords. So, do not keep your personal or corporate passwords in an open, unprotected, unencrypted file. Don’t use a Post-It in your home or your office for your password – and people do that and some of you listening to this may have done that as well: written down your password on a Post-It and posted it to your, your laptop, or your computer screen, or to the wall behind your computer, don’t do that and don’t text your password to anybody. Protect all your passwords with one-way transformation, or hashing, before storing or transmitting them. Protect them. And speaking of vulnerabilities on your info and passwords, did you know as an example, of how easy it can be sometimes to compromise your system? So, I’m going to give you a real world example that actually happened to an individual, probably has happened to numerous individuals. So, you get an e-ticket for an airline flight. Your e-ticket has a barcode on it. Sometimes people, and I’ve seen people do this, will throw away their e-ticket after they de-board an airplane into the trash. So, an individual actually had that e-ticket taken out of the trashcan by a hacker, who then used just a standard barcode scanner that you can have on your cell phone, read the information off of the e-ticket on that individual, which included their frequent flyer account, their name and their address. Then they went on to social media and they found out information about the person that could help them log into the account. So, what they did was they went to the airline account, they had the frequent flyer number, they use the frequent flyer number and didn’t have the password so they hit password reset, they used the challenge questions instead of the email for the, the password reset and based upon what they learned on social media they were able to answer the challenge questions and get into the person’s account and be able to book a flight, uh, off of the information they got on an e-ticket. So, your information is out there in numerous places and hackers are very smart at using disparate pieces of information, like an e-ticket and social media, to piece together how to hack into your business, your company and your home and your personal life. Be protected.

So, last, uh, practice here at level two is to obscure feedback on the authentication information. How many of you have started to put in password, uh, information and immediately it turns to an asterisk? That’s what we’re talking about here. So, for your mobile devices, password characters are briefly displayed to the user, but then are quickly obscured. You should have that system to protect putting in your passwords. How many of you have gone to an ATM and typed in your number? People actually have stood with binoculars away and watch what numbers you put in. Hackers, thieves are very smart at being able to get your information. Protect it, make sure you have a password system in there that obscures your password.

All right let’s go on to level three here. So, level three has four practices. So, the first focuses on use of multi-factor authentication for local network access to privileged accounts and for network access to non-privileged accounts. So, what does that mean? All of you have probably used multi-factor authentication at some time or another. Many businesses, companies, applications, financial institutions now are starting to require multi-factor authentication. So, that means you just can’t use the password, there has to be a second authentication to ensure that it’s you. Why? Because passwords get stolen, information could get stolen. So, if you, uh, the frequent flyer account that I referenced on the previous example had two-level authentication that maybe the second level authentication was sending a six-digit code to your cell phone that you had to enter real time then the hacker wouldn’t have been able to have just gone to social media and been able to hack into that person’s account. So, that’s why it’s important and it does provide a second layer of protection.

So, your plan for IT infrastructure should be to enable multi-factor authentication. So, when a user initiates remote access, they should be prompted for an additional authentication factor and especially if you’re using a cloud-based application you enable MFA when staff access the application from your home or office or on travel. You may also want to enable a “remember this device”. So, for many of you out there you probably have seen this, you’ve gone in and you’ve logged into your work from a remote site from your laptop, but then you’re also able to remote in from your cell phone and the first time you do that you may have gotten a notification that says “remember this device?” and you, most of us, will click “yes”, obviously. So, that should be included, uh, in how you protect your systems as well. Most of you have already experienced this on bank accounts, colleges, universities they all use multi-level authentication – great thing to have, provides that additional second layer of protection, protects you against people losing passwords, protects you against people trying to log in from different sites, but they don’t have that second feature to be able to enable them to to access an account or business function.

Second, you need to employ replay resistant authentication mechanisms for network access to privileged and non-privileged accounts. What does that mean? Well, you want to protect your IT organization, you want authentication that cannot be easily copied and resent to your systems by an adversary. So, this one gets a little more complicated, so i’m going to use some, some buzzwords here that hopefully you understand as well, but certain protocols have replay resistance inherently designed into them.

So, your first step is to ensure something called “transport layer security” or TLS is enabled for access to relevant IT services. Coupled with the use of a secure protocol, you evaluate the use of multi-factor authentication using public key infrastructure, commonly referred to as PKI or a “one-time password token”, commonly referred to as OTP tokens are very frequently used in classified programs – that’s that second layer of multi-factor authentication. So, based on your requirements you may select OTP as a way to provide a time limited challenge for user authentication into your IT services. So, time limited means that you may enter a password but you only have a certain amount of time to put the second layer of authentication in and you’ll frequently see that when you’re working with banking institutions and things like that, but that should be a universal requirement as well that you put into place. Most companies, including the government, use CAC cards with PKI embedded in it.

So, third, you’re going to need to prevent the reuse of identifiers for a defined period of time.  So, as an IT administrator for your organization, you should be maintaining a central directory and domain that holds user accounts for the computers within the organization – pretty simple, pretty easy. We should all logically know that exists, but as part of the job you assign unique usernames: new employee comes on, you assign them an email “[email protected]”, okay pretty simple. All right that’s great, so that person may someday leave the company, all right so, you have to account for the fact or you may actually have a second bob come on with the company so you could have “[email protected]” and then Bob two comes along and it’s [email protected]. So, remember that as you increment to different employees you should be tracking those people with a very simple to follow, nomenclature and accountability for them within your system and if they leave you should ensure that that person and their account information is removed from the system so nobody is able to future access their information or into the company using previously used passwords, etc.

So, protect your company, protect your system, make sure you have unique identifiers, make sure you have unique identifiers for people with similar or the same name that come on board into your organization and lastly, at level three, you must disable identifiers after a defined period of activity. So, what does that mean? You need to enforce your company’s inactive account policy. You have somebody who’s working for the company, maybe they go away on a six-month leave of absence, maybe they’re out on maternity leave and maybe they don’t access the system for an extended period of time – you need to deactivate that account after a fixed number of days. Many companies use 45 days, some use 60 days, some use 90 days, but you need to enforce a policy that deactivates an account without a positive action to reactivate it once you ensure that that person requires access back into your system and make sure the authentication is updated once that happens. You decide to do this by writing a script that runs once a day to check the last login date for each account and generates a report of the accounts with no login records for whatever that specific specified period of time is that you’ve chosen. After reviewing the report, you then notify employee supervisor or, or the person responsible for the individual and let them know that you’re deactivating that account, maybe in some cases, deleting the account if the employee has left the company.

All good cyber hygiene practices here for IA, all of which should be intuitively obvious to everybody listening because most of it involves passwords, which are things we all do every single day. Most times we take it for granted at how much the password protection impacts the cyber security of your personal life, or of your company. So please pay due diligence to this – there are 11 practices at IA for levels one, two and three, none additional for four and five as we talked when we kicked this off.

Things you should do: fund your program – I’ve said this in our first couple of vlogs. Doesn’t do you any good to put in a good cyber hygiene program, meet CMMC requirements, if you don’t fund the program because eventually you will fall off the cliff and become non-compliant. Make sure you become familiar with CMMC, in general. And, as I always tell you, be aware of NIST SP 800-171 800-53.

In our next review, we’re going to discuss the CMMC practice for IR, or incident response, and I look forward to seeing you all then.

Please stay safe, be cyber hygienic, implement some of these policies and practices, be prepared for CMMC when it hits the street later this year and you’ll be required to comply to compete on contracts.

This is Bob Hanley from Sabre, signing off. Have a great day. Thank you.