Lazarus Alliance Receives Accreditation as FedRAMP 3PAO

IT Cyber Security and GRC firm becomes authorized to validate Cloud Service Providers to new FedRAMP standards

Today, Lazarus Alliance Inc. announced that it has achieved accreditation as a FedRAMP (Federal Risk and Authorization Management Program) Third Party Assessment Organization (3PAO).

The FedRAMP program supports the U.S. government’s objective to enable U.S. federal agencies to use managed service providers that enable cloud computing capabilities, and Lazarus Alliance is one of the few accredited 3PAO firms in the world with this designation. With this certification, Lazarus Alliance is the only assessment firm authorized to conduct assessments for the federal government (3PAO), the healthcare industry (HIPAA, HITECH, Meaningful Use, NIST 800-66), the Payment Card Industry (Qualified Security Assessor), the Service Provider industry (SSAE 16 (SOC 1), AT 101 (SOC 2), SysTrust / WebTrust (SOC 3)), NERC CIP, the Public sector (SOX 404), and advisors in ISO 27001, 27002, 27005 using the formidable combination of the IT Audit Machine (ITAM) and our Cybervisors.

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. As a part of the FedRAMP process, cloud service providers (CSPs) must use a FedRAMP approved third party assessor to independently validate and verify that they meet the FedRAMP requirements.

“Even taking a pragmatic approach, the cloud raises a plethora of cyber security concerns for any business,” said Michael Peters, CEO at Lazarus Alliance. “For government agencies, these concerns can be even more sensitive since national security can be at risk and as the largest employer in the world, it goes way beyond that. The 3PAO accreditation further confirms Lazarus Alliance’s expertise in cloud cyber security, risk assessments and we look forward to working with CSPs around the world on their FedRAMP initiatives toward receiving an authority to operate (ATO).”

Lazarus Alliance is one of the very few organizations worldwide to obtain this classification as an inspection body to assess cloud systems for the federal government. FedRAMP is the first United States government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud-based services. In order to receive accreditation, Lazarus Alliance demonstrated an advanced level of technical proficiency and compliance experience. According to the A2LA, the “assessment process involves a rigorous evaluation of technical competence of the 3PAOs as well as an assessment of their compliance with international standards.”

Receiving the accreditation of 3PAO means Lazarus Alliance will be able to validate the security and control implementations that CSPs must provide in order to work with and provide cloud services to federal agencies. 3PAOs are critical to the FedRAMP program, as they demonstrate the independence and competency of CSPs that host the government’s most crucial data.

In addition to demonstrating the requisite technical competency in FISMA and independence and quality management to achieve 3PAO accreditation, Lazarus Alliance has diverse leadership experience in additional vital audit & compliance fields, risk assessment & management, and governance & policies. Lazarus Alliance staff members are heavily experienced in those respective industry regulations and are located across the United States.

Inquiries for FedRAMP services can be made with Lazarus Alliance at 877-896-7580 or at https://lazarusalliance.com/services/audit-compliance/fedramp/

About Lazarus Alliance

Lazarus Alliance is a leading, independent information technology Security, Governance, Risk and Compliance (IT GRC) firm that provides IT Audit & Compliance, Risk Assessment & Management, Governance & Policies, and Cybervisor supported solutions. Founded in 2000, Lazarus Alliance is a proud veteran-owned business and has been passionately on the cutting edge of IT security, risk, privacy, governance, cyberspace law and compliance leadership, innovation and services provided to the global community. With significant contributions and innovations such as the IT Audit Machine, The Policy Machine, Cybervisor, Continuum GRC, SafetyNET, the Holistic Operational Readiness Security Evaluation (HORSE Project)®, the Security Trifecta, Your Personal CXO, and other progressive initiatives, it’s no wonder that Lazarus Alliance has become a leading international name synonymous with incorruptible leadership, meaningful services, exceptional customer support and tangible innovations, all specifically to prevent negative press and damage to our clients’ companies, their shareholders, employees and customers. Lazarus Alliance’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence, in any jurisdiction. Contact us and learn more about Lazarus Alliance and why Lazarus Alliance is Proactive Cyber Security.

 

Human Hacking, Not Automated Attacks, Top Cyber Threat

Human hacking, also known as social engineering, has surpassed hardware and software vulnerabilities and is now the top cybersecurity threat, Computer Weekly reports:

[A]ttackers shifted away from automated exploits in 2015. Instead, attackers engaged people through email, social media and mobile apps to do the dirty work of infecting systems, stealing credentials and transferring funds.

 Researchers found that machine exploits were replaced by human exploitation, with attackers opting for attachment-based social engineering campaigns rather than purchasing expensive technical exploit kits.

 Across attacks of all sizes, threat actors used social engineering to trick people into doing things that once depended on malicious code.

What is Human Hacking?

Human hacking is a type of con during which, instead of trying to hack into a system, the hacker engages in old-fashioned espionage techniques that involve human interaction and prey on weaknesses in human psychology, such as helpfulness, curiosity—even greed. A human hacker may approach an access-controlled door carrying a number of packages and pretend to fumble for their key or access card; an unsuspecting employee, thinking they are being helpful to a co-worker, opens the door for the hacker. This technique is known in the industry as tailgating. Or, using the pretexting technique, the hacker may phone an employee, pose as a help desk worker, and attempt to get the employee to provide their system access credentials.

These simple techniques are surprisingly effective. TechTarget reports that a human hacker recently used pretexting to compromise the U.S. Department of Justice. The hacker phoned the DOJ, pretending to be a new employee who was having difficulty accessing the department’s web portal. The hacker was quickly provided with a token that granted him full access to the DOJ intranet. As a result, information on 20,000 FBI agents and 9,000 Department of Homeland Security employees was publicly leaked.

Other common human hacking techniques include:

  • Baiting takes advantage of human curiosity—or, in some cases, greed. The attacker puts a legitimate-looking and interesting label (such as “Employee Salary Report Q4”) on a malware-infected device, such as a USB drive, then leaves it in a place where someone will find it, such as a bathroom, a hallway, or an elevator. Then, the hacker simply waits for someone to pick up the device and insert it into their computer.
  • Phishing is a technique most Internet users have seen in action. The hacker (or phisher) sends an email that appears to be from a legitimate source, usually a bank or another business. The email requests that the receiver “verify” information by clicking on a link and warns of dire consequences, such as their account being deactivated, if the receiver does not do so. The link leads to a legitimate-looking but fraudulent website that requests personal information, such as online banking access credentials or even a debit card PIN.
  • Spear phishing is a more targeted form of phishing where a particular individual or organization is phished, as opposed to random mass attacks.
  • A Scareware scheme combines malware and human psychology. The con involves tricking victims into believing they have downloaded illegal content or that their computers have been infected with malware. The human hacker then offers the victim a “fix” in the form of a download – which is actually malware.

How Can Your Organization Prevent Human Hacking?

As with all cyber security issues, the best defense is a good offense. Lazarus Alliance recommends that organizations take a proactive approach to preventing human hacking, beginning with establishing a comprehensive cyber security policy and employee training program. If employees are aware of the types of cons human hackers run, they can learn to identify and report them before any damage is done.

Additionally, organizations that conduct ongoing risk assessments and fix the gaps identified are on average a whopping 96% less likely to suffer a breach by hackers. Lazarus Alliance recommends that organizations of any size implement a risk management program sooner rather than later, before it is too late.

Lazarus Alliance offers full-service risk assessment and risk management services helping companies all around the world sustain a proactive cyber security program. Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help you prevent human hacking.

Secure in 60 Seconds

While you slip into that Thanksgiving Day coma, take 60 seconds to beat holiday crime and stay secure. Nearly half of holiday shopping this year will be done through online merchants: about 46 percent, according to the National Retail Federation. That is up slightly from last year and is another sign that U.S. consumers remain very comfortable with shopping online.

Secure Online Shopping

As we enter peak season for retailers, no doubt your email inbox is already filled with holiday-themed messages, as multitudes of retailers work to win your heart and your pocketbook on the big, post-Thanksgiving Day shopping day.

As you formulate your holiday spending strategy, here are a few simple shopping tips that may help you protect yourself from criminals both online and outside:

  • Beware of phishing schemes. Just because an email appears to be legitimate doesn’t mean it is. Phishing is when criminals target large numbers of people through email, attempting to obtain private and personal data and even cash. Such emails may look somewhat legitimate, but even without close scrutiny there are often obvious clues they’re not. For example, misspelled words and poor grammar are good indicators an email was sent by a scammer. If you receive one, just delete it. Do not open any of the accompanying attachments or click on included links, which are common vectors for criminals to take control of your computer and ruin your holidays.
  • Stick to retailers you know and trust. You may be tempted by the low prices offered by a company you’ve never heard of, but will they help you out if the item you order isn’t what was described on their website or never arrives? And if the business turns out to be untrustworthy, remember you’ve also given them your payment card number and other personal information. Make sure your credit card company offers buyer fraud protection which costs you nothing and might just save the day!
  • Use a credit card, rather than a debit card. When you choose your debit card over your credit card, you are exposing yourself to more risk. A criminal can clean out your checking account in one fell swoop with your debit card. To add insult to injury, many people also have overdraft protection associated with a debit card, linked to draw directly from their savings account. A criminal could completely clean you out within minutes!
  • When shopping online, ensure the site is secure. Look for sites with URLs that begin with HTTPS, rather than HTTP. This technical designation of HTTPS creates an encrypted private connection between your browser and the website you’re visiting, so that the information exchanged cannot be viewed or modified by an outsider.
  • In the physical world, make sure packages arrive when someone’s home to receive them. Thieves have resorted to following delivery trucks and taking items left on front porches when no one’s home. Consider having your items delivered to your work address or to a friend who’ll be at home when the doorbell rings. Also, installing security cameras can help identify criminals if professionally installed.
  • When in doubt, ask someone knowledgeable about cyber security. Most security professionals are happy to lend some advice free of charge.

These simple steps cost you nothing and do not require the services of the multitude of so-called identity theft companies out there. You can do more to secure and protect yourself faster and cheaper than anyone and all it takes is a little common sense.

Now … from everyone here at Lazarus Alliance, enjoy the holidays!

Lazarus Alliance is Proactive Cyber Security®