Teleconferencing Guidance for Education


The Cybersecurity and Infrastructure Security Agency (CISA) has released teleconferencing guidance for education.  Remote classroom teleconferencing has continued to grow and, as a result, has become a tempting target for cybercrime.

Recommendations for K-12 Schools

School districts are increasingly using teleconferencing tools to deliver their services.  These tools have increased in availability and capability.  Their use, however, comes with risk, as the volume and sophistication of cybercrime continues to grow.  As a consequence, schools and school districts must assess risks to both school IT networks and individual users.

Threats to Teleconferencing

Cyber threats are posed by nation-states, criminal organizations, and insiders.  Common tactics include:

  • Exploiting unpatched software vulnerabilities.
  • Eavesdropping.
  • Hijacking video teleconferences to broadcast inappropriate content.
  • Using teleconferencing applications as a foothold to reach other applications.
  • Penetrating sensitive meetings through social engineering to deceive people into divulging private information.
  • Some products may share or sell customer information to third parties.  This data sharing can unintentionally expose student and school information.

Teleconferencing Guidance for Teachers and Students

CISA guidance for teachers and students includes:

For Teachers

  1. Only use organization-approved software and tools to host and schedule meetings.
  2. Consider the sensitivity of data before exposing it (via screen share or upload) in a video conference. Ensure that only the data that needs to be shared is visible.
    • Close or minimize all other windows and consider turning off alerts for incoming messages.
    • If displaying content from organizational intranet sites in public meetings, hide the address bar from participants before displaying the content.
    • Use common sense—do not discuss content you would not discuss over regular telephone lines.
    • When having sensitive discussions, use all available security measures.
    • Ensure all attendees of the meeting are intended participants.
  3. Do not attempt to install software not approved by your school.
  4. Do not make meetings public unless they are intended to be open to anybody.
  5. Have a plan for what circumstances constitute termination of a meeting, who has the authority to make that decision, and how the meeting will be terminated.
  6. Require passwords and use a waiting room to control admittance of guests.
  7. Provide links to meetings directly to specific people and share passwords in a separate email.
  8. Manage screen-sharing, recording, and file-sharing options. Limit who can share their screen to avoid any unwanted or unexpected images. Consider saving recordings locally rather than to the cloud, and change the default file names when saving them.  Consult your organization's or district's counsel about laws applicable to recording video conferences and sharing materials through them.

For Everybody

  1. Make certain that your audio and video surroundings are secure and do not reveal any unwanted information.
  2. Move, mute, or disable virtual assistants and home security cameras.  Do not conduct meetings in public places.  Consider using headphones.
  3. If using a personal device:
    • Require passwords to log in to device.
    • Only use elevated privileges when performing administrative functions on the device.
    • Close all non school related windows before and during school activities.
    • Keep operating systems and relevant applications up to date.
    • Turn on automatic patching and anti-virus software.
  4. Check and update your home network.  Change default settings and use complex passwords for your broadband router and Wi-Fi network and only share this information with people you trust. Choose a generic name for your home Wi-Fi network to avoid identifying who it belongs to or the equipment manufacturer. Update router software and ensure your Wi-Fi is encrypted with current protocols (such as WPA2 or WPA3), and confirm that legacy protocols such as WEP and WPA are disabled.
  5. Be wary of links sent from unfamiliar addresses, and never click on a link to a meeting sent by a suspicious sender. Verify that meeting links sent via email are valid.
  6. Do not share student credentials or meeting links with strangers, who may use them to disrupt classes or steal information. Do not share passwords with anyone.
  7. Carefully review meeting invitations sent for sessions. Check that the meeting originated from a known teacher or other school employee.  Verify that the link's hostname is the district's or school's own domain; the school's name appearing elsewhere in the URL (in the path, or as a subdomain of an unrelated domain) is not evidence that the link is genuine.
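The check in item 7 is easy to get wrong: "the district's name is in the URL" is a substring test that a lookalike link passes trivially. The following is an added example (not part of CISA's guidance or of this page) that contrasts that naive test with a check on the link's actual hostname against a district allowlist. The domains `springfield-k12.example` and `classroom.example`, and all sample links, are constructed for illustration.

```python
"""Validate teleconference invitation links against a district domain allowlist."""
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical district-owned domains; a real deployment would load these from policy.
ALLOWED_DOMAINS = {"springfield-k12.example", "classroom.example"}


def link_hostname(url: str) -> Optional[str]:
    """Return the hostname of an https link, or None if the link is not https or has no host.

    urlsplit() resolves userinfo tricks such as https://trusted.example@evil.example/
    to the real host (evil.example), which a substring test would miss.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def host_in_allowlist(host: str) -> bool:
    """True only if host is an allowed domain or a subdomain of one (match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def naive_check(url: str, district_name: str) -> bool:
    """The literal 'name appears in the URL' test; shown only to demonstrate why it is insufficient."""
    return district_name.lower() in url.lower()


def is_trusted_meeting_link(url: str) -> bool:
    """Accept a link only when it is https and its hostname belongs to the district."""
    host = link_hostname(url)
    return host is not None and host_in_allowlist(host)


if __name__ == "__main__":
    # Constructed sample invitations: one genuine, three lookalikes, one downgraded to http.
    samples = [
        "https://meet.springfield-k12.example/j/12345",
        "https://springfield-k12.example.evil-host.example/j/12345",
        "https://evil-host.example/springfield-k12/join",
        "https://springfield-k12.example@evil-host.example/j/12345",
        "http://meet.springfield-k12.example/j/12345",
    ]
    for link in samples:
        print(f"{link}\n  naive={naive_check(link, 'springfield')}  trusted={is_trusted_meeting_link(link)}")
```

Every lookalike above passes the naive test and fails the hostname check. The allowlist comparison uses a label boundary (`endswith("." + d)`) so that `springfield-k12.example.evil-host.example` does not match `springfield-k12.example`.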

Teleconferencing Guidance and Cybersecurity Practices for K-12 Organizations

CISA recommends the following Security Practices for K-12 Organizations:

  • Assess organizational needs and determine the appropriate products.
  • Establish organizational distance learning policies or guides to address physical and information security.  Based on these documents, develop easy to understand (e.g. one-page) summaries for teachers, students, and parents.
  • Limit and minimize the number of authorized collaboration tools to reduce the overall number of vulnerabilities.
  • Maintain the latest versions of software and remove all obsolete versions from managed devices.
  • Instruct users to join web (browser) based sessions that do not require installation of client software.
  • Prohibit end users from installing client software on school- or district-managed devices (including removing local administration rights).
  • Prevent system administrators from using collaboration tools on a system while logged on with administrative privileges.
  • Prohibit the use of collaboration tools and features that allow remote access and remote administration.
  • Clearly educate employees on the legal, privacy, and document retention implications of using teleconferencing tools.

CVG Strategy

We all have family and friends who are teachers, students, or education administrators, and we acknowledge the difficulties they are enduring during this pandemic.  Therefore we are providing this Teleconferencing Guidance for education for our community.

CVG Strategy cybersecurity experts are committed to keeping organizations’ information secure.  We help businesses and organizations implement ISMS solutions that fit unique requirements and provide the training required to make them work.  Contact Us today to see how we can help.

Export Control Training Recommended by BIS and DDTC


Export Control Training

Export control training is an essential part of an effective export compliance program.  Both the Bureau of Industry and Security (BIS) and the Directorate of Defense Trade Controls (DDTC) recommend regular training for all employees involved in exports.  For businesses that are subject to the International Traffic in Arms Regulations (ITAR) this includes employees that have access to controlled information.

Elements of Effective Export Compliance Programs

The BIS and the DDTC recognize eight elements crucial to an effective export compliance program:

  1. Management commitment and organizational structure
  2. Risk Assessment that identifies risks and builds controls
  3. Processes that ensure that the organization makes correct decisions, tracks and protects exported items, and screens all parties associated with a transaction
  4. Record keeping in accordance with requirements
  5. Training for all involved employees
  6. Periodic audits to assess the integrity of the program
  7. Procedures for reporting and addressing violations
  8. An export compliance manual that defines processes, roles, and responsibilities

Changing Regulatory Landscape

In recent months there have been major changes in export regulations.  Ignorance is not an adequate defense for violation of these regulations.  Therefore it is important to maintain an up-to-date export compliance knowledge base.  When investigating export compliance incidents, export enforcement agents are instructed to assess an organization's compliance program.  As a result, when programs are found negligent, civil fines, penalties, and criminal prosecution increase.  Specific items of concern are:

  • Is the corporation’s compliance program well designed?
  • Is the program being applied earnestly and in good faith?  In other words, is the program adequately resourced and empowered to function effectively?
  • Does the corporation’s compliance program work in practice?

CVG Strategy Export Control Training

CVG Strategy provides a one-day live export compliance webinar.  This training covers the regulatory and statutory framework of export law.  It covers the key principles and essentials of ITAR and EAR export compliance.  Subjects covered in this training include:

  • ITAR and USML (U.S. Munitions List).
  • EAR and CCL (Commerce Control List).
  • Registration with the State Department.
  • ITAR and EAR technical data controls.
  • ITAR and EAR licenses.
  • Compliance and enforcement.
  • Transition of hardware and technical data from the USML to the Export Administration Regulations (EAR)
  • Regulation of brokering activities.
  • Using classification of articles to organize the necessary controls for US Law.

Other CVG Strategy Export Services

CVG Strategy, LLC is a premier provider of customized ITAR consulting and ITAR & export compliance programs.  Visit our ITAR store for badges, signs, and visitor log books to help with your facility security requirements.  We also offer answers to your ITAR questions.  Contact Us today to see how we can help your export compliance program.


Remote Workforce Cybersecurity Concerns Grow


Business Executives Have Concern About Remote Workplace Cybersecurity

Remote Workforce Cybersecurity is a growing concern for businesses who are adapting to the Covid-19 pandemic.  Although many tools are available to secure vital data, the remote employee still poses the greatest threat.  The challenge therefore is to train employees how to regularly use effective cybersecurity practices.

Effective IT Tools and Policies

A number of tools are available for cybersecurity.  These include virtual private networks (VPNs), encrypted data protocols, two-factor authentication, and providing employees with properly configured equipment.  Policies can also help to mitigate cyber vulnerabilities.  These include prohibiting company data from being stored on employees' personal devices and establishing protocols for meeting software usage.  All of these, however, are only as effective as the daily habits of the employees that are accessing secure data.

Information Security Management Systems

An Information Security Management System (ISMS) is  a comprehensive approach to keeping corporate information secure.  It involves people, processes, and IT systems to coordinate business security efforts.  ISO 27001 (ISO/IEC 27001) is a standard for developing an ISMS that ensures comprehensive integration of internationally recognized best practices.  Because it employs risk management and continual evaluation for improvement it is a dynamic tool capable of adapting to a cyberthreat environment that is growing in scale and complexity.  As with any management system, continual training is critical for effective implementation.

Improving Remote Workforce Cybersecurity Practices

Although cyber-criminals are using increasingly sophisticated tools, phishing remains a leading form of attack.  Employees should be trained to think before they click on suspicious emails and links.  Other basic practices include proper password etiquette.  Passwords should be strong and unique.  Follow this link for the National Institute of Standards and Technology's guidance on Choosing and Protecting Passwords.

People can be brilliant and still not regularly practice common sense.  Instilling good practices involves continual education.  While it is easy to point the finger elsewhere, you may well ask yourself how well you practice cybersecurity basics.  To find out take the Federal Trade Commission Cybersecurity Basics Quiz.

CVG Strategy

CVG Strategy cybersecurity experts are committed to keeping business information secure.  This is more critical than ever as remote workforce cybersecurity practices increase vulnerability.  We can help your business implement ISMS solutions that fit your unique requirements and provide the training required to make them work.  Contact Us today to see how we can help.

International Bans on Huawei Increasing


International bans on Huawei technologies are increasing in the midst of rapidly changing world opinion.  The United States has long held that Huawei products are a threat to information security.  Now the United Kingdom and members of the European Union are voicing those concerns as well.  Because Huawei is a leader in emerging 5G technologies this is of great concern. 

Possible U.S. Ban on Huawei to Take Effect in August 2020

Legislation passed in 2019 is due to take effect August 13, 2020.  While Congress is considering amendments to the Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment, the core principles of the legislation are expected to remain intact.  According to the published interim rule, implementation is not likely to be postponed.  This rule will prohibit the awarding or renewing of federal contracts to contractors using telecommunications equipment produced by Huawei Technologies Company, ZTE Corporation, or any subsidiary or affiliate.

Previous Huawei Rulings in the U.S.

The Bureau of Industry and Security (BIS) restricted Huawei's semiconductor manufacturing capabilities in May of 2020.  BIS took this action to prevent the company from acquiring semiconductors that are the direct product of U.S. technologies and software.  These technologies now fall under the Export Administration Regulations (EAR).  In other news, the Department of Justice is prosecuting a case against the company for participation in a fraudulent scheme to export banned U.S. goods and technologies for its business in Iran.

Global Reactions to China’s Continued Malicious Behaviors

Because of a growing awareness of China's history of cybercrime and information theft, attitudes are changing in the international community.  The country's handling of the Covid pandemic, the Hong Kong crackdown, and the repression of ethnic Uighurs have contributed to this awakening.

Under growing political pressure in recent months, the United Kingdom moved to remove Huawei devices from the country.  While France has stated that it will not totally ban the company's 5G products, it is encouraging operators not to use them.  Australia, Canada, New Zealand, and Vietnam have declared that Huawei equipment poses a "significant security threat".  Poland arrested a Huawei employee for spying and, because of this, has asked the EU to develop a joint stance against Huawei.

China has an extremely centralized government.  It is therefore impossible to separate the actions of the country from the actions of its corporations.  On July 13, 2020 Reuters reported broad support within the European Union (EU) for a response to the new security law in Hong Kong.

CVG Strategy

International bans on Huawei are but one development in a complex business world.  As a result, businesses will continue to be faced with a changes in regulations.  Additionally, cyberthreats to vital information are increasing in volume and complexity.  CVG Strategy is committed to helping businesses with export compliance and cybersecurity.    We are here to assist you establish Export Compliance Programs and Information Security Management Systems that will keep your business running strong.  Contact us to see how we can help.

Witnessing EMI Testing Properly Adds Value


Witnessing EMI/EMC testing is a complex task.  Conducting this task properly can add value to your product development efforts.  More often than not products fail their initial testing.  Because of this, iterations of redesign and retest are required.  This can result in budgetary and scheduling issues for your design team and delay getting your product to market.

What is EMI/EMC Testing?

Let's start by defining what testing is.  The word test has many definitions.  The definition critical for our subject is "a procedure for critical evaluation".  There is significantly more going on than the pass/fail exams we took in college.  This process verifies that the product will meet its design specification when operated in its intended environment and validates that it meets or exceeds customer requirements.

When products experience issues in the field they can interfere with other equipment in their environment.  They can also be susceptible to radio frequencies that result in unexpected behaviors of the product.  These issues can result in property damage, injury, and death.  They can also result in product recalls, product liability cases, and fines.  Therefore properly conducted testing is of great importance.

Have a Plan – A Test Plan

The first step is to understand what testing is to be accomplished.  This will require reading and comprehending the standard and its requirements.  Once that has been done creating a test plan is essential.  This is because it is important to clearly communicate to lab personnel important information that is specific to your equipment.  This would include:

Testing to be Performed

This should not only state what testing is to be performed but also document the required pass/fail criteria, because many standards have different requirements for various classifications of equipment.

Description of Equipment to be Tested

This should include a general description including model, serial number, and version numbers for hardware and software.  It should also include power requirements and overall size of the equipment.

Modes of Operation

This section should define all operational modes of the equipment, control settings, and required interconnections.  It should also include any grounding or load requirements.

Performance Checks

Remember that we are trying to verify and validate the performance of the product.  Testing the equipment in an idle mode will not accomplish this goal.  Therefore it is important to provide simulation equipment to exercise the test item during both emissions and susceptibility procedures.

Susceptibility Criteria

It is important to define your equipment's acceptable level of operation when conducting susceptibility testing.  Often requirements for classes of equipment are established in the test standard.  This will inform the lab what the pass/fail criteria for the test will be.

Electrostatic Discharge Schedules

It is a good idea to document test points for Electrostatic Discharge (ESD) testing.  The documentation should include points where likely discharges from human contact would occur.  This documentation instructs the lab personnel to conduct a test that returns valid data.

Witnessing EMI Testing – Do the Work

Sitting in the waiting room of a lab plinking on a laptop is not providing any value to test activities.  A test witness should go to the lab prepared to work.  Communicate with the lab personnel what is to be done and make sure they are clear about the details.  Set up the test equipment and ensure it is operating correctly.  Place the equipment into a required mode of operation and check to see that simulation equipment, monitoring equipment and loads are behaving properly.  It is important to assist in monitoring the test item to capture any intermittent failures when performing susceptibility testing.

Data Gathering and Troubleshooting

The real challenge when witnessing EMI/EMC testing is when a test fails.  Time management is critical.  Selecting the best avenue for isolating and analyzing the cause of the failure can best utilize that time.  While you may not be able to “solve” the problem at the lab, you can identify causes of the failure.  You can also identify mitigation techniques that should be considered for design modification.  All of this activity should be documented and included in a final report.

CVG Strategy

It can be a challenge to perform witnessing of EMI/EMC testing in the new reality of Covid-19.  Travel of essential personnel to test facilities is often not an option.  CVG Strategy test and evaluation consultants are ready to help.  We are partnered with local labs to provide test program management and test witnessing services.  We offer a variety of test documentation products including our EZ-Test Plan Templates.

Our subject matter experts have decades of experience in aerospace, automotive, defense, and commercial applications.  They can help you with design issues by performing product evaluations and susceptibility analysis.  Contact Us today to see how we can help.

Organizational Cyber Resiliency Report


IBM Security has released its organizational cyber resiliency report for 2020.  This year's report, based on research from the Ponemon Institute, draws on a survey of IT and cybersecurity experts from around the world.  The National Institute of Standards and Technology (NIST) defines cyber resiliency as a merging of systems engineering, resilience engineering, and systems security.  Its goal is to develop systems with the ability to anticipate, withstand, recover from, and adapt to an increasingly hostile cyber environment.

Key Takeaways from the Cyber Resilient Organization Report

IBM's organizational cyber resiliency report is an extremely detailed analysis of the current situation.  There are, however, many key takeaways that can provide guidance for businesses attempting to address critical cyber concerns.

Cybersecurity Incident Response Plans

Most organizations surveyed had suffered business disruptions during the last two years.  While it's impossible to thwart every attack, a well developed plan can greatly mitigate the effects.  Because the number of cyber threats has markedly grown, many organizations have implemented Cybersecurity Incident Response Plans (CSIRPs).  Effective CSIRPs involve all levels of an enterprise.  They include regular reporting to C-suite stakeholders and incorporate regular reviews.  This is consistent with a well developed Information Security Management System (ISMS) built on a framework such as ISO 27001 or NIST SP 800-171.

Automated Tools for Cybersecurity

Most participants reported that they had achieved better resilience by employing automation tools.  Organizations that noted effectiveness used more than 20 tools when investigating or responding to a cybersecurity incident.  While these tools can provide security, organizations that used too many tools (over 50) reduced their effectiveness.  These tools included technologies such as analytics, automation, AI, and machine learning.

Improved Cloud Service Implementation

More than two-thirds of companies in the United Kingdom, Germany, France, the United States and Canada cited value in the use of cloud services.  These included organizations in the healthcare, retail, and public sectors.  The leading reasons given for improvement due to cloud services were the benefits of leveraging a distributed environment, economies of scale, and the availability of service level agreements.

It is important to note, however, that poorly configured cloud services can severely endanger an organization's data security.  About a third of respondents reported negative results from investing in cloud services.

Sharing of Threat Intelligence

While a majority of participants agree that sharing intelligence with government and industry peers provides benefit, most do not share information.  Among reasons given were a lack of resources and cost.

CVG Strategy Cybersecurity Consulting

CVG Strategy cybersecurity consultants can help you tailor and implement effective CSIRPs that:

  • Incorporate all sectors of an enterprise.
  • Provide reporting to and participation of executives.
  • Identify top threats to your specific industry and assess risks.
  • Develop accelerated responses to specific attack types.
  • Optimize the implementation of automated technologies.
  • Incorporate regular reviews for evaluation and process improvements.

Contact Us today to see how our team of experts can bring their extensive experience to improve your cybersecurity processes on time and on budget.

Hong Kong Special Status Suspended by Commerce Dept.


Commerce Department regulations that gave Hong Kong special status have been suspended.  U.S. Secretary of Commerce Wilbur Ross made this announcement on June 29, 2020.  This change will affect the export of sensitive U.S. technologies to Hong Kong.  It will also affect the availability of export license exceptions.  Mr. Ross also mentioned that further actions to eliminate the differential treatment for Hong Kong are under consideration and urged the Chinese government to "fulfill the promises it has made to the people of Hong Kong and the world".

Action a Response to Chinese Security Measures

The Chinese Communist Party has imposed severe security measures of late.  These actions are seen to undermine the autonomous status of Hong Kong.  As a result, it is no longer possible to ensure that exports are not diverted to China's People's Liberation Army or Ministry of State Security.

Hong Kong has been a major international financial hub, but many experts see China’s recent actions endangering its future.   A new national security law imposed by China on June 28th will severely crack down on crimes of secession, subversion, terrorism, and collusion.  The law will allow for the creation of a national security agency in the city to take actions beyond existing Hong Kong law.

Hong Kong’s Special Status and the International Business Community

Members of the international business community have trusted Hong Kong as a major conduit for global finance and trade.  This was largely due to its autonomy from China’s authoritarian legal and economic systems.  With that firewall now effectively destroyed the future of Hong Kong’s trade legacy is in question.  The European Union (EU) has already stated its concerns about the conformity of the new law with Hong Kong’s Basic Law and with China’s international commitments.  The European Union considers it essential that the existing rights and freedoms of Hong Kong residents are fully protected.  How the rest of the world reacts to this crisis will very likely change the dynamics of trade in the region.  It will be important therefore, to continue monitoring this situation.

CVG Strategy Export Compliance Expertise

Export compliance is an extremely dynamic area of late.  Because of this, keeping up with changing laws and regulations can be challenging for businesses of all sizes.  CVG Strategy export compliance consultants can help.  We have extensive experience in the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR).  Our experts can help establish programs for compliance, conduct audits, and provide training.  We also provide quick online answers to your ITAR questions.  Contact Us today to see how we can help.