Georgia Tech Procurement Assistance Center

FBI: Reset your router or face Russian malware

By

It’s not every day that the Federal Bureau of Investigation gives you an order.

On May 25 the FBI asked members of the public to turn off and turn back on their routers because of the spread of malware called “VPNFilter” created and distributed by the Russian hacker network Sofacy.

Georgia Tech Senior Research Scientist Charles “Chaz” Lever explained the damage this malware can do:

“This malware will affect the average user by using one of the capabilities in the malware to passively collect traffic. This can be used to harvest banking credentials or other sensitive password information that is going over the home network. Additionally, your home network could be hijacked to be part of an attack on a remote entity, masking the identity of the original user and potentially putting you in the crosshairs of law enforcement.”

In addition to just a simple reboot, Lever recommended following the manufacturer’s instructions on resetting the software in the device, also known as “firmware.”

Source: http://www.news.gatech.edu/2018/06/06/fbi-reset-your-router-or-face-russian-malware

Learn more about cybersecurity research at Georgia Tech by visiting the Institute for Information Security and Privacy.

Watch a YouTube video on this subject by clicking on the image below:

Recently the Federal Bureau of Investigation (FBI) issued a critical warning for all Americans to reset their routers for homes and small businesses in an effort to disrupt a potential cyber attack. We sat down with Georgia Tech’s senior research scientist, Charles “Chaz” Lever, to find out just what this threat contains and how serious it can potentially be.

Scam Alert: Malicious e-mail spoofs being sent to vendors

By

The Defense Logistics Agency (DLA) is reporting that a fake solicitation is being sent to vendors in the form of a Request for Quotation (RFQ).

The fake email solicitation, purporting to be from DLA, has been targeting GSA STARS II vendors.

The emails are not from DLA.mil.  Instead, they are coming from a “Reply-To” address ending in @dla-mil.us, which is not a government address.

In some cases, “stars2@american consultants.com” has been identified to supposedly send messages on behalf of a DLA Contract Specialist — these are also fake.

Some of the bogus emails suggest that vendors use the “stars2” Google Group at https//groups.google.com/a/americanconsultants.com to obtain more information or to unsubscribe from the email communication.  Be advised that “stars2” is not a DLA affiliated group.

Always remain cautious of emails that arrive in your inbox that are not explicitly addressed to you.  Sometimes scammers attempt to hide their actions by addressing their targets in the “bcc” line.

Also, please be aware that the phone number in these recent bogus emails is not a DLA phone number.  In addition, the RFQ form in the email is not an official government form, nor is the signature block legitimate.

DLA’s notice about this matter can be seen here: Vendor Phishing Notice -DLA – 8 June 2018.  The notice shows copies of the bogus emails.

Bottom line: Vendors should always remain vigilant about suspicious emails, and be cautious about opening email attachments.  Questions or comments can be directed to DLA at CERTFusionCell@dla.mil.

In addition, if you ever have a question about the legitimacy of any emails having to do government contracting opportunities, especially those which solicit a fee, please feel free to contact the Georgia Tech Procurement Assistance Center (GTPAC) for advice.  GTPAC can be emailed at gtpacatl@innovate.gatech.edu.

To read previous articles about scams involving government contracting, visit http://gtpac.org/?s=scam

Draft DoD guidance reveals how cyber readiness will impact contract evaluations

By

Editor’s Note: This post was created by Jon Williams who is a partner with PilieroMazza and a member of the firm’s Government Contracts Group. 

We have been blogging and giving webinars since last year about the DoD requirements around cybersecurity for contractors that are subject to DFARS 252.204-7012. Please view our past blogs and webinars here and here to get more of the backstory.

In a nutshell, DoD contractors operating nonfederal IT systems and subject to DFARS 252.204-7012 were required to have a system security plan (“SSP”) in place by December 31, 2017, to demonstrate compliance with the recommended security controls in NIST SP 800-171. Although the DFARS requirements were black-and-white, there was a fair amount of uncertainty late last year and continuing into this year about what contractors needed to do to comply and if/how DoD would enforce the requirements.

DoD has taken some of the mystery out of these cyber requirements in a recently-released draft guidance.

Keep reading this blog post at: http://www.pilieromazza.com/the-protests-are-coming-draft-dod-guidance-reveals-how-cyber-readiness-will-impact-contract-evaluations

See GTPAC’s instructional video on achieving compliance with DFARS 252.204-7012 and NIST guidance at: http://gtpac.org/cybersecurity-training-video/

Georgia National Guard wants some help prepping for a big cyber test

By

The Georgia Army National Guard is gearing up for an inspection of its cyber posture and is looking for a contractor to provide technical assistance as it prepares.

The guard unit plans to upgrade its IT systems ahead of the review and needs assistance with “network configuration, server administration and information assurance,” according to a solicitation on the government contracting site FedBid.

“The objective of this contract is to provide skill and expertise in order to successfully pass the [Command Cyber Readiness Inspection],” according to the performance work statement. “This work will be performed to bring the [Georgia Army National Guard] into compliance with current DOD network security standards.”

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/05/georgias-national-guard-unit-wants-some-help-prepping-big-cyber-test/148190/

Security tips for choosing and using passwords

By

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should  consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it ­– don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)

How to protect your passwords

Now that you’ve chosen a password that’s easy for your to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center’s (NCCIC) – https://www.us-cert.gov/ncas

New cyber rule requires critical documents

By

Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must assure that any of their data systems that transmit, process or store controlled unclassified information are compliant with National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

It’s clear that meeting the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 mandate to comply to the special publication is a required priority for defense contractors, subcontractors and suppliers.

Making a system security plan and plan of actions and mitigations is crucial to winning new business and keeping existing contracts this year and moving forward. Here are some tips on how to approach creating and utilizing these complex compliance documents.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2018/3/30/new-cyber-rule-requires-critical-documents

The Georgia Tech Procurement Assistance Center (GTPAC) has developed an instructional video and a template to help contractors comply with DoD’s cybersecurity requirements.  You can view and download these resources at: http://gtpac.org/cybersecurity-training-video/

 

SAM.gov hackers used spearphishing, spoofing, credential theft

By

Cybercrooks who stole federal payments by hacking contractor accounts on a General Services Administration (GSA) website used sophisticated spearphishing techniques to steal login credentials and then diverted payments to bank accounts they controlled, an executive of a contractor targeted in the scam told FedScoop.

It’s unclear how much the scammers have netted through their scheme, which is being investigated by the GSA inspector general and federal law enforcement.

The inspector general’s office declined to comment, but sources familiar with the investigation told FedScoop that the cyberattacks that facilitated the fraud had been identified last year and were ongoing as
recently as last week.

Keep reading this article at: https://www.fedscoop.com/sam-gov-hackers-used-spearphishing-spoofing-credential-theft/

Also see Tips for Surviving Compromise of Government’s Vendor Database: http://gtpac.org/2018/03/26/tips-for-surviving-compromise-of-governments-vendor-database/

Why CDM vendors need more flexibility

By

The first two phases of the Department of Homeland Security’s Continuous Diagnostic and Mitigation (CDM) program have helped government agencies deploy foundational cybersecurity solutions for real-time visibility and continuous network monitoring to identify vulnerabilities, reduce risk, ensure compliance and respond to threats.

DHS and the General Services Administration (GSA) deserve tremendous credit for implementing a technical program of this size and complexity. However, the first two phases barely bring government to the starting line of the cybersecurity technology race. The private sector and U.S. adversaries are already well past that point.

The most important phase of the CDM program is yet to come, under which government tackles the data security problems of an increasingly mobile workforce and distributed cloud computing environment.

Keep reading this article at: https://fcw.com/articles/2018/03/19/cdm-vendor-flex-comment.aspx

GTPAC’s cybersecurity initiative recognized with national ‘Outstanding Project Award’

By

GTPAC received the Outstanding Project Award at APTAC’s annual training conference on Mar. 7, 2018.

The Georgia Tech Procurement Assistance Center (GTPAC) was honored this week by the Association of Procurement Assistance Centers (APTAC), the organization which represents 98 procurement technical assistance centers (PTACs) across the United States, Guam and Puerto Rico.

GTPAC was presented with APTAC’s Outstanding Project Award which annually recognizes an accomplishment that stands out from the day-to-day activities that all PTACs organize and undertake.

The project recognized by APTAC is GTPAC’s instructional video that provides step-by-step guidance to government contractors on how they can achieve compliance with Department of Defense (DoD) cybersecurity requirements  designed to safeguard DoD information and report on cyber incidents.

GTPAC’s video and accompanying resources – including a template which contractors may use – are made available free of charge on the GTPAC web site at: http://gtpac.org/cybersecurity-training-video.

The video and template have been heralded both by PTACs, who counsel businesses, and by businesses themselves as valuable one-stop resources for existing contractors and aspiring DoD contractors alike.  Since the launch of these training tools at the end of last year, 1,284 persons have viewed the video and downloaded the template 1,508 times.

Specifically, the video explains Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, including its key definitions and cyber obligations, including its primary requirement that defense contractors which process, store or transmit “covered defense information” must address 110 individual cybersecurity controls outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The 20-minute video not only provides information on these requirements, but also provides specific guidance on how government contractors can achieve compliance with the DFARS clause and the NIST standards.  The video guides government contractors on how they can perform a “self-assessment” of their information system using NIST’s Manufacturing Extension Partnership (MEP) Cybersecurity Self-Assessment Handbook.

One of the most creative and innovative aspects of the project is the 127-page cybersecurity template GTPAC created in conjunction with the video.  The template provides step-by-step instructions on how government contractors can create a “Systems Security Plan” and “Plan of Action” – documentation necessary to achieve compliance.

The resources GTPAC created are very timely in light of recent warnings from DoD that it plans to request and evaluate cyber plans from businesses as a part of the contract award decision-making process.   If the video is carefully reviewed and the template is fully completed and properly filled out, contractors will be in a position to document their compliance with the DFARS cybersecurity requirements.

Members of the GTPAC team proudly show off the national award they received.

GTPAC program manager Joe Beaulieu points out that “by providing the video and cybersecurity template, GTPAC’s objective is to make the process of achieving compliance much easier, especially for small defense contractors who may not have the resources necessary to develop such plans from scratch.”  Indeed, the template makes the process of drafting the required documentation easier, as contractors merely have to fill in the blanks and answer specific questions, rather than work from a blank slate.  While it is ultimately up to the contractor to meet the requirements and to provide accurate information, GTPAC’s video and template provide contractors with an excellent starting point for assessing, achieving and documenting compliance.

In honoring GTPAC with the Outstanding Project Award, APTAC encouraged other PTACs to make use of the video, template, and resource materials posted at http://gtpac.org/cybersecurity-training-video.  NIST recently provided similar encouragement to their nationwide network of MEPs in their work with U.S. manufacturers.  GTPAC coordinated the creation of the cybersecurity materials with the Georgia MEP (GaMEP) which, like GTPAC, is a part of the Georgia Institute of Technology’s Enterprise Innovation Institute (EI2).

EI2 is Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach.  EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.

GTPAC is a state-wide program operated by EI2 under a cooperative agreement with the Defense Logistics Agency (DLA).   In 2017, Georgia businesses won more than 5,000 government contracts – worth more than $1 billion – with GTPAC’s help.  All totalled, GTPAC provided counseling, instruction, and bid opportunities to 2,548 Georgia businesses during the past year.

Federal agencies more secure than contractors, study finds

By

Government contractors are typically less digitally secure than the federal agencies they’re contracting with, according to a study from the cybersecurity ratings firm BitSight.

Health care, defense and aerospace contractors demonstrated better security than other categories in the study, while engineering, technology and manufacturing contractors came in last.

The average scores for all those contractor categories underperformed the average score for federal agencies. The study, however, was based largely on public information and a type of internet scanning of 1,212 contractors and 122 agencies.

Contractors frequently manage sensitive data, including citizens’ personal information, on behalf of agencies. A 2014 breach of the contractor USIS, for example, compromised the security clearances of Homeland Security department employees.

Keep reading this article at: http://www.nextgov.com/cybersecurity/2018/02/federal-agencies-more-secure-contractors-study-finds/146003/

GTPAC has developed an instructional video and a template to help contractors comply with Defense Department cybersecurity rules.  Find these resources at: http://gtpac.org/cybersecurity-training-video/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More