Last week, we discussed the upcoming changes to DFARS 252.204-7012 -- the Cybersecurity Model Maturity Certification (CMMC). The CMMC will involve serious changes in how defense contractors and subcontractors approach information security for their networks and computer systems.
As your organization grows, you may find yourself growing from an IT department of one to working with a small team -- or more. With that growth will come the need to document processes and procedures that were previously ad-hoc, or “oral tradition” -- answers given in the moment in response to one-off questions.
In June 2019, Dawn Greenman of Johns Hopkins University and Liz Hogan of E-N Computers sat in on a briefing. The Department of Defense announced that it is introducing a new cybersecurity standard for contractors -- the Cybersecurity Maturity Model Certification (CMMC). With cyberattacks and cyber-warfare in the news week after week, it’s no surprise that the Department of Defense is ready to take a harder line on enforcing cybersecurity standards for defense contractors handling sensitive information.
We’ve talked before about having a malware response plan in case one of your endpoints is infected by a virus, trojan, or worm. And while it’s always good to have an action plan, it would be even better if your users were able to avoid getting infected in the first place.
For the last few weeks, we’ve been looking at Microsoft AD Certificate Services PKI. Last week, we went over how to set up an offline Root CA. This week, we’ll get an intermediate Issuing CA set up and ready to issue certificates.
Setting Up the Issuing CA
For the issuing CA, you’ll need a domain-joined server running Windows Server 2016. Go ahead and log on to that server with domain admin credentials.
With the need for users to frequently change their passwords under question, the need for users to pick stronger passwords in the first place becomes apparent. Last week, we talked about one way for sysadmins to sniff out weak passwords in use in Active Directory.
Phishing is big business. Each year, businesses lose millions of dollars to phishing scams and other “social engineering” attacks. So naturally, sysadmins are interested in helping their users to identify and avoid these threats if and when they hit their inboxes.
Last week, we talked about password expiration, and the recent guidance that recommends doing away with them. But, those same papers recommended that you should beef up your password security in other ways. One way is by auditing the strength of your current passwords.
For years, the conventional wisdom in computer security has been to force users to change passwords every few months. The thought was that if a password were compromised, then an attacker would only have access to that password for a limited amount of time.
For the last few weeks, we’ve been looking at digital certificates and the Public Key Infrastructure (PKI) that makes them work. Last week, we looked at some design considerations for a Microsoft AD Certificate Services PKI. If you’ve decided to go ahead and set up your own in-house PKI, then this article will help you get started!
This week we will cover setting up the offline root CA. Then next week we’ll finish up with configuring an issuing CA and making sure that the certs and CRL are published so that your clients can use them.
