Category: Insight

Categories
Insight

Sim Swapping: It’s Not as Fun as It Sounds

cybersecurity
cybersecurity

Sim Swapping: It’s Not as Fun as It Sounds

Cybersecurity continues to dominate IT news, with one of the industry’s premier cybersecurity companies, FireEye, getting breached recently by nation-state hackers from a country with “top-tier offensive capabilities.” How can organizations protect themselves from bad actors when security companies struggle to? Having implemented some of the most stringent cybersecurity protocols for the Department of Defense, our experience has proven that a wide range of authentication solutions from short message service (SMS) and two-factor authentication (2FA) to true multifactor authentication (MFA) using hardware tokens can protect your enterprise from cyber criminals. That said, it is important to understand that all authentication, using SMS or not, is ultimately “hackable.” The level of effort required to execute a successful attack, and whether a capable adversary is motivated to execute it, is what determines if your data will be safe.

Despite appearing like simple fixes, 2FA and MFA have proven to be effective methods to prevent breaches while complying with industry and government standards such as CMMC and HIPAA. When choosing an MFA option, there are multiple factors to consider and, as with all cybersecurity options, decisions are based on a risk/benefit analysis. Authentication “factors” are broken down into three types of information the user provides: something they know (username and password), something they are (biometrics) or something they have (a hardware token). If two of these types of factors (2FA) are used, it makes for a strong protocol. If all three factors (MFA) are used, the greatest protection is achieved.

When implementing MFA, SMS based options are very attractive based on their ease of use, simple implementation, and low cost because SMS is standardized across the telecom industry and used by anyone with a smartphone. SMS 2FA sends a one-time password (OTP) to a user’s cellphone, which serves as the “something you have.” The problem with SMS 2FA is that an adversary can easily pretend to have your cell phone using a technique called Subscriber Identity Module (SIM) swapping. In the past, SIM cards were physical hardware that served as the identity of a phone. Today, SIM cards are represented digitally and can be transferred from phone to phone with little more than a phone call to the cellular provider. Using a combination of social engineering and phishing attacks, an adversary can impersonate a target’s SIM card and authenticate using the texted OTP.

It is helpful to look at the types of attacks used to beat SMS 2FA. The most common technical attacks involve session hijacking. An adversary will attempt to steal a session token by intercepting communications from the victim. This is known as a Man-in-the-Middle (MITM) attack. Also, if an attacker has access to an endpoint, known as Man-in-the-Endpoint (MITE), stealing session cookies is insignificant because the attacker has full control to execute any attack at his disposal. Understanding how adversaries will often use the path of least resistance is critical to businesses. In this regard, phishing and social engineering are the greatest risk to SMS 2FA. Simply by learning the target’s cellphone number, email, and some other identifying information, an attacker can call the victim’s service provider and transfer the target’s SIM information to their device.

The key to enterprise security is working with a partner who has the experience necessary to navigate risk-based decisions such as the use of SMS for 2FA. Nolij helps organizations prevent these attacks by explaining how these tactics are used, the precautions needed to mitigate the attacks, and by providing consistent phishing training to staff. For example, the best practice to decreasing any SMS swapping attacks is not to include a cell phone used for authentication messages in the email signature block. If attackers do not know your number, they cannot impersonate you. Additionally, using an authenticator app is a good solution because it requires an attacker to have physical access to a device. In cybersecurity, the goal is not to find a perfect solution, but to make hacking a system more trouble than it is worth. If a high degree of technical knowledge is necessary to conduct an attack, it may deter bad actors from trying at all. As the saying goes, “An ounce of prevention is worth a pound of cure.” 

Categories
Insight

Is A Post-Implementation Review Critical to Project Success?

Is A Post-Implementation Review Critical to Project Success?

Finishing a project in IT does not mean the same thing as ending the project management timeline. A Post Implementation Review (PIR) is conducted after completing the project and is one of the most important aspects of the project life-cycle because it ensures that the organization benefits from the project’s outcome. The objective of system enhancements and software upgrades is not an end in itself but rather to address the specific business needs. It is for this reason a PIR is crucial to a successful project. A PIR evaluates whether project objectives were met, how effectively the project was run, lessons for the future, and the actions required to maximize the benefits from the project outputs. This, no doubt, is the real measure of success.

In 2020, for example, Nolij was tasked by the U.S. Department of Agriculture (USDA) Foreign Agriculture Service (FAS) to do an independent PIR of their mission-critical Integrated Management Administrative Resource Tool (iMART) and their Production, Supply, and Distribution (PSD) systems after enhancements had been made. In collaboration with two FAS stakeholder groups, a team of senior business analysts from Nolij analyzed months of data to determine whether critical FAS business processes were being supported and help decision-makers improve investment decisions. The primary benefit of iMART to FAS is its unique ability to manage and integrate USDA’s strategic planning with human resources, logistics, and financial activities associated with overseas operations. The PSD system underpins the critical analysis and market intelligence that is foundational to the FAS mission of expanding U.S. agricultural exports through trade policy initiatives, marketing activities, and trade capacity projects. The PSD is the primary data system for global agricultural production, trade, consumption, and stocks.

Nolij analyzed months of data from PSD and iMART and provided recommendations on IT architecture, project management, customer acceptance, business process support and boosting high-performance in the workforce. Additionally, the concluding report included:

  1. Evaluation of return on investment (ROI) to date; an objective cost versus anticipated savings appraisal
  2. Assessment of enterprise architecture, IT infrastructure and system functionality by measuring performance, security risks and mitigation strategies
  3. Determining impact to stakeholders by evaluating business process support and FAS investment decision-making processes for IT projects

Working on the PIR for USDA was a wonderful collaborative opportunity for the Nolij business analyst team as demonstrated by the praise received from the FAS PSD project manager: “Thanks for the high-quality effort and results!” For Nolij, helping customers reach their business goals defines our success.

Learn more about Nolij Consulting and how we can advance your business goals at Nolijconsulting.com.

Categories
Insight

Nolij Overcomes Network Hurdles to Make Medical Systems Work Anywhere at Anytime

Nolij Overcomes Network Hurdles to Make Medical Systems Work Anywhere at Anytime

After completion of a successful project for the Department of Defense, the Nolij contracting officer remarked, “I cannot believe you solved this problem. This is huge!”  What problem did Nolij solve? Nolij had successfully ensured that data moved consistently across an array of gear, equipment and multidomain networks, such as mobile phones and satellites, in different warzone situations. This would allow the US military to provide reliable medical service across the continuum of care to soldiers as they move from the field, to Humvee, helicopter and onto command post hospitals in battlefield situations.

How did Nolij resolve the glitches in DOD’s communication networks? First, Nolij found that the military’s applications and systems were not being rigorously and thoroughly tested with the actual communication equipment used on the field during the development life cycle. For software to be reliable, it requires comprehensive testing in a “real-life” simulated operational testing environment that takes into consideration all possible scenarios and system constraints prior to deployment. This oversight during testing led to the health systems failing when deployed due to the operational environment never being introduced until it was released; thereby, causing a multitude of problems during software deployment such as tactical system failures.

Second, Nolij created a “real life” simulated operation testing environment by leveraging the Joint Network Emulator (JNE), a proprietary communications
simulation and network emulator jointly developed by DoD and EXata, that lets you evaluate on-the-move communication networks quickly and realistically. Our engineers worked with the armed services to emulate a soldier’s treatment in a warzone in different battlefield situations. Our team of system and test engineers then began to configure the JNE emulation package with all the environmental and system constraints we had discovered. After configuring JNE we then tied our emulation to our onsite network equipment, allowing us to test software in the intended deployed environment.

Third, we first ran our EXata environment on a mobile health application. The results were outstanding and the team was able to identify with precision where the software was failing or having integration issues. This knowledge demonstrated software behavior to our clients before it was shared with the development team. This allowed developers to begin mitigating problems while the testing was still occurring, which led to a faster feedback loop. For the first time in Military Health System history, software was being tested within the operational environmental situation and configuration as it exists in the field.

Since the successful deployment of this multidomain battlefield network simulation, Nolij has perfected their EXata expertise to deliver superior testing
environments to help clients resolve difficult technology challenges.

Categories
Insight

Happy Employees are the Heart of Nolij

Happy Employees are the Heart of Nolij
Happy Employees are the Heart of Nolij
Happy Employees are the Heart of Nolij

Happy Employees are the Heart of Nolij

“There is little success where there is little laughter”– Andrew Carnegie

 

At Nolij our employees are the heart of our company and are the reason we continually strive to provide an environment that empowers them to do their best possible work. Nolij is proud to have achieved an overall 4.1 rating from Glassdoor on our work culture, values, inclusion and diversity.  According to a recent Glassdoor employee testimonial, Nolij is the  “Best company I ever worked for, great co-workers and leadership. They really understand that you are an asset.” We want employees to feel that they are supported to be the best versions of themselves both at work and outside. One of the key reasons for having a high employee retention rate is because we strive to maintain a healthy work-life balance and empower our employees.

Nolij employees enjoy exploring and developing cutting edge technology, being creative in finding innovative solutions and being mentored by the best and the brightest in the industry. Nolij employees’ expertise is supported by a recent federal customer testimonial: “The quality of the contractor’s deliverables was outstanding and reflected the high level of understanding and knowledge the contractor had of the work required as well as the organization’s needs.”

Creating a positive and meaningful work experience for our employees goes beyond health benefits and perks—but they are important! From the beginning, we build the right culture with a competitive salary and a solid benefits package. We want to make sure our employees are well taken care of and offer additional programs such as the Employee Assistance Program that provides certified clinicians via phone and email to address mental health concerns.

Nolij consultants are constantly learning and developing professionally. Nolij helps foster a learning environment with tuition reimbursement and monthly Hacks and Snacks, which is a lunch and learn program. While at work, our employees work hard and are rewarded with spot bonuses to recognize individual contributions. But we have lots of fun together too!

At Nolij, our employees are like family. We like to celebrate our employees’ birthdays with cards and gifts. We organize different company events that bring our employees together to socialize. For example, we have Margaritas and Tacos happy hours and company sponsored Paint Night where employees let their creative side flourish all while enjoying the company of their teammates and coworkers. Nolij employees also participate in the company kickball team and build camaraderie.

Around the holidays, we have a Halloween costumes contest, Thanksgiving potluck and the Nolij International potluck dinner where we come together as employees to celebrate our diverse cultural backgrounds and traditions. As the weather warms up, we look forward to our annual company picnic for our employees and their families with friendly games of  tug-of-war and  sack races.

In 2020 we have been challenged in ways that we never thought possible. We have had to adjust our daily lives and routines during the pandemic both at home and at work. It has allowed Nolij to grow and change to not only to meet the needs of the business but the needs of our employees. We are constantly trying to find new ways to reinforce a sense of community, even though we are working remotely. We have gotten creative and moved to virtual team happy hours, online zoom yoga classes, virtual coffee chats and a virtual holiday party. Recently, we launched a new program Lunch on Us, which has been well received. Each employee is given a company Grubhub account that has been credited and on a designated day each month we encourage our employees to socialize with their team or coworker and enjoy Lunch on Us.

Day to day things look much different than they used to. We took for granted the importance of random encounters in the office or quick conversations over coffee in the office kitchen. So, while we wait for the day when we can return safely to our office and to team meetings in the conference rooms, lunch with our office mates or even a friendly game of ping pong, Nolij remains focused on delivering an exceptional company culture experience to our employees.

Categories
Insight

Nolij Blends Microservices and AI to Help HHS “Buy Smarter”

Nolij Blends Microservices and AI to Help HHS “Buy Smarter”

Nolij Consulting, LLC, a NITAAC CIO-SP3-Small Business Contract Holder, successfully combined microservices with AI to help one federal department modernize and transform its procurement processes. Procurement can be a time-consuming, arduous process. Sometimes the overall cost and time invested are actually disproportionate to the benefits. Because multiple people buy the same or similar items at different times, from different vendors, and at different costs, it can be nearly impossible to compare purchases and identify departmental or organizational needs – and opportunities for economies of scale.

When the Office of Management and Budget tasked federal agencies in May 2017 with submitting a reform plan to improve the efficiency, effectiveness and accountability of their programs, the Department of Health and Human Services embarked on a multi-faceted department-wide transformation effort known as ReImagine HHS. A key component of that effort is HHS’ BuySmarter initiative, designed to transform and modernize the way the Department acquires goods and services. With more than $24 Billion in annual spend, HHS saw an opportunity to leverage Artificial Intelligence and e-commerce solutions to establish a cohesive acquisition structure across the department and drive better pricing, better terms, and recognize greater economies of scale. And shift the focus of its acquisition professionals to higher-priority mission-critical work.

Nolij Consulting developed a first-of-its-kind Artificial Intelligence tool for use in HHS’ BuySmarter initiative. The tool uses AI to compare and contrast purchases from almost two million current contract documents comprising 5-7 billion words, as well as schedules and public price lists, to enable strategic sourcing and group purchasing functions. By extracting information directly from the text of existing contracts, the tool enables HHS acquisition professionals, their subject matter experts and customers to easily access and compare similar purchases. This readily-accessible knowledge enables them to create more informed solicitations and more effectively negotiate the terms of new purchases.

The tool’s “human-centered” acquisition approach doesn’t require the user to have a perfect definition to search for an item – it walks them through a specific process of descriptive terms to provide the most relevant results.

Acquisition professionals, their Subject Matter Experts (SMEs), and customers can use this valuable information to craft more informed solicitations, more effectively negotiate the terms of new purchases, and unlock the potential for large group purchases. Daily procurement activities are ultimately faster, more accurate and less complicated.