Why Any Manufacturer Creating Software and Using Containerization Should Be Preparing for CMMC

Which Security Threats and Risks Bad Actors Can Leverage 

If you’re one of the manufacturers creating software as part of your solutions, the convenience and speed that digital communications offer is a double-edged sword. And if you’re using containerization as part of your software development, keep reading. 

While digital helps you get more done faster, it’s also made the world a more dangerous place to do business. Well-trained and funded hackers from halfway around the world can penetrate seemingly robust cybersecurity defenses, penetrate containers, and pilfer off valuable and sensitive information.

No organization has been more keenly aware of cyber-threats than the U.S. Department of Defense (DoD). Tasked with protecting the American people from terrorists, rogue nations, and cyber criminals seeking self-enrichment, the DoD implemented the stringent Cybersecurity Maturity Model Certification (CMMC) policy.

The recently rolled out CMMC compliance guidelines require military contractors and organizations in the supply chain to meet heightened standards.

The DoD has put this in place because over the last decade, sophisticated hackers have penetrated a wide range of private sector organizations that lead to military and other government information that appears to lack strategic value on its own.

Looking to prepare for CMMC Compliance? Check out our (ungated) CMMC Compliance Checklist.

When considered with other data, it gives bad actors vital pieces to the U.S. national security puzzle—the depth and breadth of these threats is often unknown until it’s too late. These threats are quickly expanding to companies such as manufacturers containing small software development outfits that once seemed of no interest to cybercriminals.

As corporations brush against the military-industrial base in small ways and software as a service (SAAS) increases in Cloud-based networks, your privately owned and operated company would be well-served to take proactive measures, like employing Microsoft Defender for Endpoint security.

But before we dig into that, let’s look at some very real and recent events that demonstrate exactly why you should be thinking about this.

Cyber Attacks on Large Corporations Are Driving Change for DoD and Contractors—Big AND Small

To illustrate the point that CMMC compliance and ongoing vigilance remain a necessary element of protecting an organization, let’s look at three high-profile hacks — Marriott, Solar Winds, and the Colonial Pipeline. What all three of these have in common is they possessed seemingly stout cybersecurity defenses yet garnered national headlines for getting cleverly breached.

Marriott Hotel

The Marriott Hotel group’s Starwood reservation system was stung by sophisticated cybercriminals who managed to expose the credentials of upwards of 500 million guests. The personal identity information stolen included birth dates, phone numbers, credit card numbers, and even passport records.

One would expect the vast resources of this international corporation to bring the most hardened cybersecurity defenses to bear. But despite Marriott having more than $10 billion in annual revenue back in 2014-2018, hackers remained undetected for years.

SolarWinds

When the more recent SolarWinds hack was discovered, it sent shock waves across wide-reaching sectors, including the federal government. Despite agencies such as the U.S. Commerce, Treasury Department, Department of Homeland Security, National Institutes of Health, and State Department being in CMMC compliance, high-level cyber criminals were effectively able to leverage a software backdoor.
The digital criminals employed a strategy sometimes called a supply chain attack. They managed to insert malicious code into SolarWinds Orion software, a widely-used software by multinational corporations and high-level government agencies.

With this added code, a seemingly innocent update of the SaaS model and information systems became infected. More than 18,000 organizations unwittingly allowed the tainted Orion software development update to move forward, sometimes sidestepping cybersecurity protocols and defenses.

Colonial Pipeline

Unlike the Marriott and Solar Winds breaches, everyday people are more likely to experience the impact of the Colonial Pipeline attack.
The FBI reportedly indicates that a hacker group known as DarkSide is responsible for orchestrating a ransomware attack on one of the largest energy infrastructure outfits. The Colonial Pipeline reportedly delivers upwards of half of all the liquid fuel on the East Coast. Its disruption will likely result in short-term gasoline shortages and rising prices at the pump.

As a critical part of America’s infrastructure, one would anticipate that Colonial would either already have been tapped to meet DoD requirements such as CMMC compliance, or it’s about to go on the table. Energy infrastructure is inextricably linked to national security and DoD operations.

Although the nefarious individuals behind the Colonial Pipeline ransomware attack reportedly sought only to “make money,” according to reports, the breach uncovered weaknesses across the U.S. energy sector that need to be addressed.

A rival nation could go further than a hacker group with a breach that could devastate the U.S. economy, cripple military technology, or disrupt other supply chains.

Software development organizations using containerization strategies remain equally, if not more, vulnerable to these examples.

Manufacturers Leveraging Containerization Remain At Risk

An industry outsider might not see parallel vulnerabilities between the cybersecurity in manufacturing software using containerization and companies in the military supply chain at first blush. Although these sectors typically deal with vastly different tools and product models, most businesses now intersect with Cloud-based SaaS.

Modern software developers that employ containers must adopt digitization to compete in the global space. Often, the more advanced IT environments rely on containers and Kubernetes for increased agility.

These and other portable, open-source platforms help manage workloads that have been effectively managed with containerization. They deliver manufacturing outfits the IT services support required for real-time configuration and automation. This Cloud-efficient model also helps manufacturers mirror the best practices of wide-reaching industries.

But the inherent vulnerability stems from organizations employing containerization to bundle software, create file configurations, and fast-track software-driven hybrid Cloud infrastructure. The same convenience manufacturers gain from Kubernetes and container use can be leveraged by hackers to insert malware and breach systems.

The questions decision-makers continue to ask typically revolve around how breaches occur and how they can be prevented. These are questions that savvy business leaders deserve to have answered, and solutions for them presented.

9 Cybersecurity Vulnerabilities Bad Actors Can Leverage Due To Containerization

With multinational corporations, the questions of “How?” cannot be avoided when it comes to large cybersecurity breaches.
In the case of Solar Winds, the company indicated that an intern unwittingly opened the door to hackers by making a password mistake.

Apparently, the person used the password “solarwinds123” and posted the information on a GitHub account.

The years-long Marriott infiltration reportedly started with a former employee’s stolen credentials.

And the Colonial Pipeline disruption was the result of a ransomware attack. Ransomware is typically deployed via email or electronic messaging– once someone with access to the system clicks on a malicious link or downloads a file from any synced device, the cybercriminals assume control.

These scenarios and others could easily threaten any manufacturers who are using containerization for software in the military or federal government supply chain. As seen in these instances, if there are holes in security, someone will find it.

That’s why determining cybersecurity measures such as Microsoft Defender for Endpoint Detection are recommended, and necessary.
Putting those measures in place can help secure software from vulnerabilities like:

1. Valid Accounts – The use of suspicious cloud credentials and unauthorized access.
2. Unsecured Credentials – Bad actors illegitimately accessing credentials and using them to reach secure information.
3. Build Image on Host – This technique builds a container image directly on the host network to bypass cybersecurity, allowing cybercriminals to slip in malware.
4. Deploy Container – Bad actors may deploy containers into a system to mask their activities from cybersecurity defenses. The endgame may be to execute or force the download of malicious files. Container deployment is used to target both Cloud-based and on-premises networks.
5. User Execution – Unsuspecting employees with access to a network may be targeted through Phishing schemes and social engineering. The hacker’s goal is to prompt a misstep and execute malicious software.
6. Resource Hijacking – This relatively new hacking technique leverages systems without owner consent to carry out illicit or illegal activities. It is often associated with crypto-mining.
7. Container Resource Discovery – Targeted attacks sometimes try to uncover valuable information that includes an organization’s Cloud service provider. Each piece of information a cybercriminal possesses paints a picture about defenses and vulnerabilities.
8. Exploit Public-Facing Application – Digital thieves may try to identify and leverage weakness in an Internet-facing computer or a program using software or commands. This strategy can prompt unanticipated movement or show weaknesses such as a bug, glitch, or design flaw.
9. Escape to Host – Adversaries sometimes try to break out of a container to access the host. This opens the door to other assets.

These are critical threats to a software developer in the DoD supply chain, especially those using containerization. They rank among the primary reasons the federal government requires the most hardened cybersecurity defenses and protocols possible to protect Controlled Unclassified Information (CUI).

But as we can see from attacks on what appear to be peripheral organizations, CMMC consulting could play an increasingly prominent role in the near future.

If hotels hosting military contractors and SaaS providers offer hackers a trail of breadcrumbs to valuable military secrets and national security data, CMMC compliance may need to be more universally applied.

Why Is CMMC Compliance Mission Critical For Containerization Users?

The DoD rolled out the most recent version of CMMC certification to bring wide-reaching cybersecurity policies and regulations under one umbrella.

Rival nations and skilled hackers focused more attention on the DoD supply chain because it was loosely defended. Items such as CUI could be pieced together to reveal military projects, policies, and strategies.

The CUI remains abundant in supply chain outfits on the margins with inadequate defenses. Hackers saw them as the low-hanging fruit and harvested them accordingly.

If you apply this type of chess match to the Marriott, Solar Winds, and Colonial Pipeline breaches, it’s easy to see how infiltrating one system opens doors to valuable data across sectors.

One under-reported symptom of the Solar Winds hack indicated the former acting Secretary of Homeland Security’s emails were compromised. To say government officials or military data cannot be loosely linked to Colonial or Marriott would deny the reality of living in the information age.

That’s why software development outfits such as Solar Winds remain relatively high-level targets for hackers. And since many manufacturers rely on (or develop) cloud-based software containerization platforms, they would also be wise to prepare for the DoD and other agencies to broaden their reach in the wake of private sector hacks.

The 5 Levels of CMMC Compliance Software Developers Could Need

The current CMMC 0.7 rollout requires military contractors, subcontractors, and those considered supply chain businesses to meet one of five levels of CMMC compliance. Those outfits that store or transfer sensitive information typically must meet a cybersecurity threshold that reflects the value of the data.

Organizations that desire to bid on lucrative DoD and other government contracts must earn certification through a third-party audit.

Given the fact that requests for information and bids already require certification, a log jam of CMMC consulting firms persists. Failing to gain certification can sideline a business as it misses opportunities to secure future work.

Depending on the type of software a company makes or distributes, a business could be tasked with meeting one of the five Cyber-hygiene thresholds mandated by the DoD and federal agencies:

• Level 1 – This CMMC hygiene threshold tasks an outfit with demonstrating and gaining certification for “basic cyber hygiene.” Commercial antivirus software, secure password protocols, and protection consistent with Federal Contract Information standards are typically required.
• Level 2 – Manufacturers and other organizations must prove “intermediate cyber hygiene” that protects CUI under the NIST 800-171 guidance adopted by CMMC.
• Level 3 – A company ranked in the middle of the cybersecurity vulnerability supply chain must demonstrate “good cyber hygiene.” This level of protection often calls for CUI protection and defense above many NIST parameters. Basic antivirus software and firewalls generally will not suffice.
• Level 4 – The DoD expects an organization with vital national security information to be able to detect and repel threats. Enemy states enlist expert-level hackers and provide them the tools necessary to penetrate these systems, so organizations involved need proper defense.
• Level 5 – This level is typically reserved for direct military contractors, although the federal government may start rethinking which organizations must meet the highest standards. Outfits such as Solar Winds and Colonial Pipeline have far-reaching national security implications and could have benefited from higher cybersecurity standards.

Expanding CMMC compliance and ratcheting up levels on manufacturers who include containerization software as part of their solution is not necessarily unreasonable.

The full impact of Marriott, Solar Winds, and Colonial Pipeline may never be revealed. But we know that sophisticated hackers can use brute force methods such as ransomware, software backdoors, or hide in plain sight for years.

Decision-makers can take proactive measures by reviewing a CMMC compliance checklist or even enlisting an experienced CMMC consulting firm to improve defenses ahead of the next government mandate. The alternative may be getting stuck in another log jam of corporations trying to level up and stay in the government’s good graces.

Contact a CMMC Consulting Firm About Protecting Your Containerization Technology

For organizations already considered in the supply chain, DoD CMMC compliance is mandated to participate in lucrative contracts and peripheral work.

The CMMC implementation requires companies to prove their respective level has been achieved and others are on a short leash to comply. The penetrations of Solar Winds, Marriott, and Colonial Pipeline highlight a widening circle of business that can lead adversaries to crucial data– a circle any developers using containerization are no longer exempt from.

As an experienced CMMC consulting firm, we provide thorough cybersecurity solutions to prevent our valued clients from suffering a devastating breach.

Looking to prepare for CMMC Compliance? Check out our (ungated) CMMC Compliance Checklist.

If you have concerns about potential vulnerabilities due to software containerization or questions about CMMC compliance, reach out to us for help today.