Spring4Shell: Zero-Day Vulnerability in Spring Framework

What Happened?

On March 30, 2022, we received word through our channels of a remote code execution vulnerability in Spring Framework when a Chinese-speaking researcher published a GitHub commit that contained proof-of-concept (PoC) exploit code.

This uploaded exploit targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks. The vulnerability in the leaked proof-of-concept, which appeared to allow unauthenticated attackers to execute code on target systems, was exploited quickly.

What Are We Doing?

1. Actively monitoring public data streams pertaining to this situation. We are also researching with Rapid7’s research team who can confirm the zero-day vulnerability is real and provides unauthenticated remote code execution.

Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. As of March 31, Spring has also confirmed the vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.

It affects Spring MVC and Spring WebFlux applications running on JDK 9+. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.

While Rapid7 does not have a direct detection in place for this exploit, they do have behavior- based detection mechanisms in place to alert on common follow-on attacker activity.

2. Informing our SOC Analysts of the investigation and providing them with the necessary briefings to deploy any defenses provided by our partners.

3. Reinforcing our recommendations by communicating the need for layered security and applying rock solid standards provided by public vendor neutral agencies like the Center for Internet Security. The goal of these standards is a stronger, robust layering of protective measures for our FIT clients.

What You Can Do

The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. As of 10AM, EDT March 31, 2022, CVE-2022-22965 has been assigned to this vulnerability.

Spring has confirmed the zero-day vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Evaluate your environment for this vulnerability and patch as needed. We are big fans of the work performed by the Center for Internet Security (CIS). CIS is a nonprofit organization, formed in October 2000.

Its mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.

Spring4J would be best mitigated by applying the CIS Controls:

Control 02 – Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Control 08 – Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Control 12 – Network Monitoring & Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

If you have any questions about how to further implement these controls in your environment, FIT Cybersecurity would love to provide guidance and help you improve your security posture.

 

— The FIT Cyber Team

Serious Cybersecurity Vulnerabilities: Apache Log4j & SMA-3217

UPDATE — 12/18/21

There have been more developments in the ongoing remediation of the Log4j logging library and connected vulnerabilities.

The initial patch, version 2.15.0, that aimed to resolve the remote code execution vulnerability described in CVE-2021-44228 was found to be incomplete and led to the discovery of CVE-2021-45046. Initially thought to be a minor DoS vulnerability, CVE-2021-45046 was assigned a CVSS of 3.7. As of late yesterday, CVE-2021-45046 was elevated to a CVSS of 9 due to newly discovered attack vectors that would allow bad actors to exfiltrate data. A patch was quickly released in version 2.16.0 to remediate it.  Earlier this morning, a new flaw was identified in the patch version 2.16.0 that has required a new patch release (version 2.17.0) and a new vulnerability tracking ID of CVE-2021-45105. The identified flaw is a severe DoS vulnerability that would allow bad actors to perpetrate Denial-of-Service attacks against affected assets. CVE-2021-45105 has been assigned a CVSS of 7.5.

The risk with these vulnerabilities not only rests in active use of the Log4j library within production applications developed by your company, but also in several standard workplace applications and solutions that also utilize it. Log4j is one of the most ubiquitous logging libraries and is used in a plethora of applications and solutions. It is likely that some of the applications you use in your environment are affected and therefore vulnerable. These are called nested vulnerabilities as they stem from a utility that is used within standardly deployed applications and are dependent on patch releases from the vendor to remediate.

 

FIT’s Response:

FIT is continuing to monitor the situation closely and apply patches as they become available. FIT engineering will be reaching out as patches are released to setup emergency patching windows for FIT IT managed clients.

 

Recommendations:

If you are currently utilizing Log4j in your development or infrastructure, FIT recommends immediately applying the patch in version 2.17.0 (Java 8).

Additionally, these vulnerabilities have highlighted the importance of running a full application inventory of your environment and monitoring attack surface lists of affected applications to compare. It is critical to apply patches when available to all affected applications in your environment. The primary attack surface list in use by FIT Cybersecurity is published by Rumble and can be found here – Finding applications that use Log4J (rumble.run). It is updated daily, if not twice daily, and maintains the most complete list of applications affected by these vulnerabilities.

 

UPDATE — 12/17/21

CVE-2021-44228 & CVE-2021-45046

VMWare is starting to release patches for both vulnerabilities. Please reference this article against your environment to determine what patches are available for your infrastructure: VMSA-2021-0028.3 (vmware.com)

FIT Managed IT clients will be hearing from your engineering team as patches for your environment become available.

FIT Cloud Clients, emergency patches are being applied to your infrastructures this weekend.

Please Note: This is just the first round of patches and not everything has had a patch released yet. We anticipate this process continuing for the next few weeks at least. Depending on your environment, it is very possible you will need several emergency patching windows as more and more patches become available.

 

UPDATE —  12/16/21

We’d like to provide a status update of where we stand with the remediation efforts of the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

CVE-2021-44228

FIT Solutions’ Managed IT clients are 95% patched for on-premise assets that are affected by this vulnerability, and the last 5% are actively being worked on by the engineering team. This vulnerability scope is evolving as new applications and services are identified to be vulnerable. FIT Solutions is actively investigating and monitoring all client infrastructures to identify and address any newly discovered vulnerable systems.

CVE-2021-45046

This new vulnerability that was produced from the remediation of CVE-2021-44228 remains in the monitoring state. A few patches have been released to address this, but a majority of software and solution providers are still working on updated patches to address it. FIT Cybersecurity is actively monitoring the situation and engaging the engineering team as soon as patches become available to implement in client environments.

Updated Recommendation

FIT Cybersecurity is recommending an additional layer of protection that can assist in defending against the Log4j vulnerabilities. If it is possible in the environment, we recommend that Outbound LDAP communications be blocked on the firewall. This will not completely protect your environment from the Log4j vulnerability, but will hamper attempts by bad actors to exploit the vulnerability by utilizing LDAP. FIT Cybersecurity and FIT Solutions will continue to collaborate on monitoring the situation and remediating client environments. If you have any questions or concerns, please do not hesitate to reach out to info@fitsolutions.biz.

 

UPDATE — 12/15/21

A new vulnerability was discovered that impacts all assets affected by the initial Log4j Vulnerability (CVE-2021-44228). This new vulnerability (CVE-2021-45046) is less severe than CVE-2021-44228 coming in with a CVSS score of 3.7 out of 10. Do not let the lower CVSS score fool you, the vulnerability is still something that requires immediate attention.

The initial patch released for Log4j will prevent an attacker from gaining complete control over an affected asset, but that same patch can be abused by attackers resulting in a denial-of-service (DoS) attack on the affected asset. These DoS attacks have the ability to take an affected asset down by flooding the asset with requests at such a volume that the asset cannot handle the load.

Currently, software and solution providers are scrambling to release new patches of their software that address this new vulnerability. Apache, the initial source of both these vulnerabilities, has released a new version of the Log4j logging library that fixes this issue. If you actively use Log4j, please make sure you update your version to 2.16.0 which resolves both vulnerabilities.

Here are some additional resources for more information on the new vulnerability CVE-2021-45046:

Apache’s Fix for Log4Shell Can Lead to DoS Attacks | Threatpost

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released (thehackernews.com)

FIT Cybersecurity and FIT Solutions Response

FIT Cybersecurity and FIT Solutions are collaborating actively to patch all FIT Solutions IT clients and advise all cybersecurity clients on next steps. As more patches become available, FIT Solutions will reach out to IT clients for emergency patching windows. It is important to note, about 90% of affected assets from FIT Managed IT clients have been patched with the initial patch or a workaround has been implemented. The remaining 10% are actively being worked on to complete patching of the initial CVE-2021-44228.

 

UPDATE — 12/14/21

Only about 30% of the software vendors impacted have released patches thus far. We urge decision-makers to approve emergency patching all week if possible as updates come out during the week. Though patching updates can be disruptive to work, the interruption would be far less than that caused by a breach. Our cybersecurity team built custom monitoring alerts to increase threat hunting while we wait for patches to be released. Our team is also trained on emergency response actions to stop the exploit from being leveraged. We are working with all our clients to strategically make plans to minimize risk to their businesses. For users of FIT Cloud, we have applied the work-around fixes to VMware while a patch is being developed to protect the Cloud infrastructure.

 

INITIAL 12/13/21

Late last week, two vulnerabilities came to light that have made large waves in the cybersecurity space. We wanted to make sure you are informed of these new and potentially dangerous vulnerabilities. FIT Solutions stands ready to assist in any way we can as we go through the remediation of these new vulnerabilities. Please do not hesitate to reach out to support@fitsolutions.biz with any questions or concerns you may have.

 

Apache Log4j Logging Library Vulnerability | CVE-2021-44228 | CVSS 10.0

The Apache Log4j vulnerability was released late on Friday, December 10, and has a large attack surface with potentially dangerous effects. This vulnerability allows attackers to gain complete control of affected systems. The Log4j logging library is widely used and can be found in different services from Apple, Twitter, Steam, Tesla, Elastic Search, and more. Ranking as a CVSS 10.0 out of 10, this vulnerability poses a significant threat to those that utilize or interact with the Apache Log4j Logging Library, and it is already being exploited in the wild.

This is a high criticality vulnerability and deserves your immediate attention. Recommended remediation is to immediately upgrade any direct use of the Log4j library to log4j-2.15.0.rc2. Log4j is also utilized in several tools for logging, monitoring, alerting, and dashboard solutions. This means the issue may not be that you are directly using the library, but your tools are, which would also leave you vulnerable. In these instances, update your tools to the latest version and monitor their publishers’ releases to ensure you update to the release meant to fix CVE-2021-44228.

Log4j is also a dependency in large number of applications for business and personal use. In these circumstances, we must wait for the application provider to update the Log4j library. With the intense scrutiny and attention this vulnerability has received, we anticipate patching within the next couple days if the issue has not been patched already.

If you are not sure if you or one of the tools you utilize use Log4j, Huntress has come out with a utility to check if you are vulnerable – Huntress – Log4Shell Tester

Here are some additional resources for CVE-2021-44228:

Critical RCE Vulnerability: log4j – CVE-2021-44228 (huntress.com)

Security warning: New zero-day in the Log4j Java library is already being exploited | ZDNet

NVD – CVE-2021-44228 (nist.gov)

 

SMA-3217 – SMA100 Unauthenticated Stack-based Buffer Overflow| CVE-2021-20038 | CVSS 9.8

The Unauthenticated Stack-based Buffer Overflow vulnerability is significant but in much smaller scope than the Log4j vulnerability. Affecting SMA 100 series appliances, this vulnerability can allow an unauthenticated attacker to execute commands as the nobody user, giving complete control of the device to the attacker.

Currently, there are no reports of this vulnerability being exploited in the wild, but it still warrants patching if you utilize any of these appliances. A patch has already been deployed by SonicWall and is readily available to all organizations that utilize these appliances. Our remediation recommendation is to immediately apply this patch to all affected SMA appliances.

Here are some more resources for CVE-2021-20038:

Security Advisory (sonicwall.com)

NVD – CVE-2021-20038 (nist.gov)

Patch Now: Sonicwall Fixes Multiple Vulnerabilities in SMA 100 Devices | Rapid7 Blog

FIT Cybersecurity & FIT Solutions Response

FIT Cybersecurity already has monitoring deployed to watch for Log4j exploitation attempts and is closely monitoring all logs for evidence of these attempts on our clients. We are collaborating with the engineering teams for FIT Solutions customers to ensure any available patches are applied to your environment immediately.

We are ready to assist and answer any questions you may have concerning these vulnerabilities.

Should I Lease Multiple Domains for Cybersecurity?

Recently we hosted a webinar on Phishing & Whaling—How to Protect Yourself and Your Team. Melinda, one of our Solutions Executives, and Stormy, from our vCISO team, shared real-life examples and valuable insights to help educate business owners on the threats they face on a daily basis.

As Stormy explained examples of whaling attacks, one of our audience members posed an intriguing question: if cybercriminals are purchasing lookalike domains in order to phish you, would leasing multiple domains help prevent that?

Stormy’s answer? Both yes and no. Let’s get a little more context.

 

THE THREAT

One common scheme used in phishing attacks is domain spoofing, where a criminal leases a domain that is very similar to yours. For example, if your website is www.LawFirmABC.com, the attacker might lease www.LawFlrmABC.com, swapping the I for an L. Then he sets up an email address at that domain and sends an email to one of your team members posing as an employee. The swapped letter is easy to miss during a quick scan of an email that otherwise looks legitimate.

 

THE PROPOSED SOLUTION

Given that this scheme relies on the domains being fairly similar, the concept is that if you’re leasing multiple lookalike domains, you’ll keep them out of criminal hands and protect your organization against this type of attack.

In theory, yes, this could help. In fact, large companies like Google do this for this exact reason. When our own team uses domain spoofing during a social engineering campaign for a client, we turn any lookalike domains we leased over to the client’s control after the campaign ends. However, leasing multiple domains is not enough.

 

THE BETTER SOLUTION

In practice, this defense isn’t really practical; there are too many possible combinations to feasibly lease them all. Plus, it could lull your team into a false sense of security. The money you might spend leasing those domains would be better invested in cybersecurity awareness training for your employees. Staying alert and on guard at all times is vital to maintaining your organization’s security.

 

FIT Cybersecurity provides cybersecurity education and social engineering campaigns to organizations across all industries. If you’d like to test your company’s defenses or your team’s awareness of common cybercrime tactics, give us a call today at 888-683-6573 or contact us here.

PRESS RELEASE: SOCBOX Changes Its Name to FIT Cybersecurity in Major Rebrand

Network Security Provider Joins Sister Company FIT Solutions

San Diego, California, November 30, 2021 – SOCBOX has announced its name change to FIT Cybersecurity, joining its sister company FIT Solutions in a major rebrand. Founded in 2012 by CEO Ephraim Ebstein, the company is approaching its ten-year anniversary of helping organizations achieve their business goals through technology. FIT, which stands for Freedom Information Technologies, serves as an acronym uniting both brands under the same leadership and core values. Though the companies will remain separate entities along with their technical teams, Ebstein’s goal was to provide a more streamlined experience for clients and partners.

FIT Cybersecurity prides itself on providing quality solutions to critical industries such as legal, financial, education, healthcare and manufacturing. Ebstein shared the fundamental principles of the business: “FIT Solutions was created because of our desire to impact as many lives as possible for the better. This meant two things: creating opportunities for the team we care for dearly, and solving business problems for our clients to help those organizations achieve their objectives,” he said. “FIT Solutions looks to work with organizations that also have big goals so that together, we can help extend the reach to help as many people as possible.”

Unlike many of its competitors, FIT Cybersecurity offers an around-the-clock team of expert analysts, a human element that differentiates the company from others in the marketplace. “Most offerings on the market are proprietary tools that send alerts when incidents or suspicious activity are detected. Addressing such alerts still requires a human on your team to investigate and decide whether further action is necessary. Many organizations try to handle this in-house, but quickly realize that a single employee, even full-time, cannot properly monitor and manage the security tools because of 24/7 limitations,” Ebstein said. “We take care of that for you by acting as your 24/7 cybersecurity team, monitoring and managing whatever tools and systems you have in place for a fraction of the fully-burdened resources needed to handle it in-house. We investigate any activity or alerts, and take the appropriate action to deal with any security incident.”

FIT specializes in serving long-term healthcare facilities and law firms, both of which need solid IT and cybersecurity strategies. As Ebstein stated, “Technology and Cybersecurity are like the ‘tires and brakes’ of an organization. It is critical that they work well, especially the faster the organization moves. Those two services will determine whether an organization will be able to achieve its goals.”

However, the disparate branding had caused confusion for prospective partners, which Ebstein hopes to alleviate with the rebrand. “Our IT and cybersecurity offerings are very different and are operated by different technical teams. Despite that, our core values and the philosophy and processes used to deliver results are the same,” he said. When asked which businesses should consider FIT Solutions as their service provider of choice, he answered, “Businesses that are focused on growth, that are tired of having IT and cybersecurity issues and want the best value for their investment. Organizations that are focused on securing their assets and utilizing technology to allow them to scale successfully should have a conversation with us.”

Ebstein urges potential clients to research FIT Solutions to learn more. “The best way to see what it’s like to be a FIT partner is to look at our Google reviews. Two of our core values are ‘Raving Fan Culture’ (based on a book by Ken Blanchard) and ‘Results-Driven.’ This means it is in our DNA to overdeliver and, even when mistakes happen, to deliver results,” he said.

 

About FIT Cybersecurity: Formerly known as SOCBOX, FIT Cybersecurity is a subsidiary of FIT Solutions, offering a team of world-class cybersecurity experts dedicated to helping clients protect their valuable assets. In doing so, they combine a state-of-the-art Security Operations Center (SOC) with the best cybersecurity tools and managed security services available. FIT Cybersecurity becomes an organization’s cybersecurity team, monitoring the environment 24/7 to detect and prevent cyberthreats. Learn more here.

Idea Fest 2021

It’s that time again! We recently hosted our fourth annual Idea Fest, a Shark Tank-style forum where employees present their ideas for company improvement. Presentations may focus on streamlining a particular job or task, better emulating our core values, improving the company’s bottom line, or enhancing the service we provide to our clients and partners. Instead of just identifying problems or areas that could be improved, Idea Fest focuses on solutions; presenters are expected to include a plan for implementation. We have two prizes: a $50 gift card for the best idea, and another $50 gift card for the best presentation.

Each presenter has 5-10 minutes to explain their idea, followed by a brief Q&A session with the rest of the team. At the close of Idea Fest, all attendees vote on their favorite idea and presentation, and the management team meets later to organize execution of the ideas.

This year, we had three presenters:

  • Natasha Herrera, our COO, outlined a Road Trip system for updating employees on recent company updates
  • Josh Insel, IT Engineer from Team 4, won Best Idea for his proposal of a longevity bonus
  • Rachel Roybal, our HR Director, won Best Presentation with her idea to create a “FIT Kit” welcome package for new hires

Best Idea: Longevity Bonus

Technology has the highest turnover rate of U.S. industries, so employee retention is a huge focus for most businesses. We are always looking for ways to make sure that we are providing a stable workplace with both room and support for growth. Idea Fest is one of those ways; it allows team members to share their innovations and ideas so we can all grow together.

Josh’s idea was to provide an extra incentive as a thank you to long-term employees; every additional year an employee sticks with the FIT family, they are eligible for a bonus that increases with their tenure. Color us (not at all) surprised: everybody loved this idea!

Best Presentation: New Hire Welcome Package

Keeping with the theme of employee retention and happiness, our HR Director Rachel suggested a “FIT Kit” to be sent to new hires before their start date. Especially while the bulk of the company is working remotely, a welcome kit is a great way to showcase FIT culture and help new team members get a feel for who we are.

The proposed kit would include a note from our CEO, employee testimonials, our core values, and of course, some FIT swag! One of our core values is to create a Raving Fan culture, both internally and externally, and we loved this idea on how to create raving fans out of our new hires! A big part of our team growth has been through employee referrals, underscoring the appropriateness of the Walt Disney quote Rachel used to kick off her presentation: “Do what you do so well that they will want to see it again and again and bring their friend.”

We’re stoked to see how the FIT Kit turns out!

Runner-Up: Virtual “Road Trip”

Natasha, our COO, tied with Rachel for Best Presentation. She pitched a virtual “Company Road Trip” idea. The road trip would be set up as an online presentation of company changes and updates over the previous quarter: new hires, internal job openings, new technology or applications we’re using, exciting new goals, an update on company growth, etc.

It would also include a “road closures” list: anything that is changing or being streamlined. Teams or departments could choose to complete the road trip together, or individually. After completion, employees qualify for souvenir swag.

A central figure in this road trip idea was Fitzgerald, or Fitzy, Natasha’s proposed new mascot for internal FIT functions. We enjoyed meeting Fitzy 1.0 and who knows, maybe we’ll see him again on some FIT swag!

We love that our team is constantly looking for ways to help us improve and move forward! That innovation is one of our core values, and Idea Fest is the perfect showcase for that creativity. Thanks for tuning in!

If you want to join a fast-growing team that thrives on ideas, team input, and raving fan culture, we’d love to talk to you! Head over to our Careers page to see if we’ve got an opening that suits you.

Who’s On Your Bench? Teaching & Delegating for Growth

And we’re back for round 3 of our core values discussion! Our ‘Teach & Delegate’ core value is near and dear to our hearts. Many organizations tend to focus on formal, structured training—a rigid, chalkboard-style approach to teaching. That has its place, but we can’t neglect teaching by example—the qualitative skills team members pick up from everyday interactions with leadership. As most parents can attest, we imitate what we see rather than what we hear.

Training at the Company Level

How do you teach others to teach? To lead? The FIT team is more than halfway through a 15-week training course for our entire organization. Each Tuesday, we have a companywide roundtable where employees discuss what they learned and enjoyed, leadership shares how the training applies to our business, and we have a question-and-answer session to make sure that application is clear.

As leaders of our organization, we have the responsibility to lead by example, to show that our core values are not just standards for company conduct, but standards for our personal lives and choices. For us, this involves encouraging participation, inviting employees to share their stories and struggles and wins, how they have applied or want to apply the concepts we’re discussing.

Training at the Employee Level

Companies invest hundreds of thousands of dollars every year in training their staff. Training Magazine’s 2019 Training Industry Report found that on average, employees received 42.1 hours of training annually. However, that training is usually designed to help an employee better fulfill their existing role—not to prepare them for the next one.

At FIT, we have this concept of “being on the bench.” To move up in the company, you need to seek out mentors, learn the roles and responsibilities of the job you want, and “be on the bench” for that position. By the same token, though, you can’t move out of your position unless you have someone on your bench. This cycle of learning and teaching allows for smoother transitions and more internal hiring.

To help with this passing of the baton, our teams are recording hundreds of videos documenting our processes and knowledge across all departments, making it even easier to “be on the bench.”

Elevation Through Delegation

It’s difficult to discuss the topics of teaching and delegating separately because they’re so intrinsically linked. They also tie in with our other core values, such as constructive communication and staying humble and adaptable.

Much of the business world today is infamous for its selfish, me-first spirit: climb the corporate ladder, always look out for #1 or people will take advantage of you. Few people would actively endorse these messages, but there’s definitely a feeling of “that’s just the way it is, so to be successful, I’ve got to play by those rules.”

At FIT, we feel that we can’t be successful—as leaders, as individuals, as a company—if our staff isn’t successful. For us to do well, our employees need to do well. We want to elevate our team, because it elevates us. The same applies between employees; we will not succeed as a team if everybody isn’t working to elevate both themselves AND each other.

As an example of delegation, we recently hired a new engineer named Rance. Usually, Shane, who manages our engineering teams, would be responsible for training a new hire. However, fellow engineer Douglas (who, on a related note, won Best Idea at our Idea Fest for his plan of creating more structured mentorship for new hires) volunteered to train Rance, and Shane agreed to delegate that responsibility to him. We love when team members engage like this; it strengthens the team bond, trains employees for managerial responsibilities, and creates a sustainable cycle of growth.

What Makes Delegating Hard?

It can be difficult to delegate: maybe the job won’t get done as quickly as you’d like, or you’re worried that sharing your knowledge or responsibilities will make you irrelevant or dispensable. But if you don’t delegate, you can’t grow. If a rock climber never let go of one hold, he’d never scale the wall.

You can’t delegate if you’re worried about yourself, your position, your success. Going back to the “bench” concept, are you taking the time to train and mentor, to invest in and elevate someone else? Doing it yourself may be faster, but delegating means restraining yourself from doing a task, and allowing someone else to do it slower.

When you let go of that ego and elevate those around you by sharing your knowledge, you elevate yourself, too.

How It Benefits You

We want to elevate, not just ourselves and our team, but also our clients and partners. Our mission is to help businesses achieve their growth goals as smoothly as possible. If you’re ready to elevate your business, give us a call today at 888-339-5694 or contact us here.

4 Reasons Your Business Needs a VCIO

As businesses grow, that trajectory usually isn’t a straight, steady line. Without careful planning, those forward steps may be marked by major growing pains. Is your IT environment equipped to support your organization as it matures? The CIO, or Chief Information Officer, is responsible for providing high-level technical consulting—evaluating the big picture and making recommendations to smooth that growth path.

The Role of the CIO

Your CIO handles large-scale projects and IT needs. Let’s say you’re looking at moving your on-premise infrastructure into the cloud. This kind of major migration project takes a lot of coordination: rallying the troops, directing the engineers, getting the proper resources, and architecting how it will work from a business perspective as well as on the technical side. How will operations be affected? What will it cost? What risks are involved? These are all questions to which your CIO can provide answers.

Much of a CIO’s job deals with risk. What business problem are we trying to solve? What are the possible solutions? What are the risks and benefits of each? A CIO evaluates your options, makes a recommendation, and oversees the project to completion.

What about organizations that cannot afford (or don’t yet need) a full-time CIO in-house? How can you get the expertise of a CIO that knows your environment, but on a part-time basis?

Four Benefits of a VCIO

Businesses can outsource this consultant position to a VCIO, or Virtual CIO. Why go the virtual route?

  1. Cost Savings. Between salary and benefits, a full-time, in-house CIO may cost you between $100k-$300k/yr. A virtual CIO is just a fraction of this; for smaller businesses that don’t need a full-time CIO, outsourcing this role makes more sense. Partnering with a VCIO means you don’t have to choose between overpaying and sacrificing that valuable insight.
  2. Perspective. A true VCIO partner will get to know your business inside and out, becoming nearly indistinguishable from your in-house team. However, since they also work with other clients in a variety of industries, they bring that experience to the table in finding creative solutions to your business problems.
  3. Consulting. A VCIO conducts regular technology business planning. This should be a living document, outlining the opportunities, potential pain points, and recommended solutions for your environment over the next 3-24 months.
  4. Disaster Recovery Planning. Disaster recovery and business continuity are a regular part of business planning, but they’ve become especially urgent during the current pandemic crisis. This is one of the areas that showed the starkest contrast between organizations that had CIO or VCIO services and those that didn’t. As various areas went into lockdown or similar restrictions, did you have the necessary infrastructure for your team to work remotely? Do you have it now? If your team is still working remotely, can they access company data securely and without compromising compliance? What other kinds of disasters might your organization face? A VCIO creates contingency plans that prepare you for all situations.

A virtual CIO partner is an invaluable asset to your business. At FIT Solutions, our VCIO services are bundled with our managed IT services, providing you with both the technology and the high-level consulting you need to achieve a steady growth path. Give us a call at 888-339-5694 or contact us today to see how a VCIO can benefit your organization.

Lessons on Team Unity from the Roman Empire

Time for another behind-the-scenes peek at the inner workings of FIT Solutions! Last time we examined the first of our core values, cutting-edge expertise. Next up in the series is Team Unity.

Why is unity so important to us as an organization? How do we look for this quality in new hires? And how do we continue to foster that spirit amongst our team?

The Why

Just about every amazing accomplishment comes from a team effort. For example, the Roman Empire didn’t arise by accident; it took systematic teamwork and organization. Their army was immensely successful, in large part due to the training soldiers received to work as a unit. We have big goals at FIT, and we can’t get there without a unified team.

Another motivation for prioritizing team unity is the nature of consulting work. To be a strong IT partner, we need to know our clients’ environments inside and out, and we put a lot of effort into making informed recommendations to improve their performance. The varied knowledge and expertise of our team is a huge asset, but what happens when a team of engineers doesn’t agree on one solution? If they meet with a client, and each one is recommending a different approach or tool, they could actually undermine the client’s confidence in our ability to solve their business problems.

To make sure we act together as one unit, we have regular account management meetings to discuss different options and solutions before settling on a course of action for the team. Even if their presented option was not the one chosen, each engineer supports the final decision and does everything they can to make it successful. Think of it like a football team: even if a player would have personally chosen a different play, his team has the best chance of success if he puts his all into the directed play he is given.

The How: Part 1—In New Hires

One of the contributing causes for the fall of the Roman Empire was that legions began recruiting foreign mercenaries to keep up their numbers. Having no loyalty to the empire, the new recruits lacked the unity and cohesiveness of the original ranks, and eventually, many of them turned against Rome.

It may seem like a bit of an extreme example, but the underlying principle is key; we’ve worked really hard to build a cohesive and united team, and we want to make sure that new team members will help to strengthen that bond rather than erode it.

Many of our new hires come from employee referrals; we prefer to hire people that we know will fit our culture and values. When we don’t know an applicant, though, we conduct an exercise that asks about the candidate’s personal, professional, and financial goals. We also ask them to explain what our core values mean to them, and how they pursue those values in their own life. Often, we’ll do a role play exercise as well to help them get a better feel for what they can expect after joining our team.

The How: Part 2—In the Team

Team unity includes both unity between employees and leadership, and unity between teammates. To encourage the first, we strive for transparency, and have daily company-wide meetings to keep everybody on the same page. At those meetings, we report on wins from each department, welcome new FIT team members, share positive feedback we’ve gotten from clients, and announce work anniversaries. We also use that time for Raving Fan shoutouts, expressing appreciation for a teammate that has gone above and beyond for their team or for a client. We even have a dedicated Microsoft Teams channel for Raving Fans feedback.

Having a united team is great in theory but can be difficult in practice. When things get hard, when we have strong opposing viewpoints on service—that’s when this value gets put to the test. If we encounter a situation where we see a slip in our unity, we immediately meet to discuss what happened and how we can do better.

When FIT Solutions was started, we structured our teams in a unique way; instead of having to work their way up a help desk, clients get immediate access to a team of high-level engineers that know their environment. This has a two-fold benefit: our clients get better service, and our engineers get mentoring. Finding mentors in the IT field can be difficult, but with a team structure like ours, teammates sharpen and drive each other, working together to solve problems and expand their knowledge. This, too, contributes to team unity.

The Result

A streamlined team with one goal in mind is capable of awesome things, both internally and for our clients. We love working closely with our partners to solve business problems. If you’re ready to work with a team that is truly in sync with your environment and business goals, give us a call today at 888-339-5694 or contact us here.

“I Passed My Compliance Audit; Now What?”

It’s that time again—time for your compliance audit. Depending on your business, it might be an annual audit from a government or regulatory entity, or it may be requested by someone with whom you’re about to do business—a prospective vendor, partner or client.

What’s involved in this audit? And if you pass, does that mean you’re good to go? What’s the next step?

What Is a Compliance Audit?

A compliance audit is a set of questions designed to make sure that you are complying with industry or federal regulations. Most often, these are related to security of information. The type of information varies, but the ultimate goal is the same: making sure that your organization is taking the appropriate steps to ensure the safety of the data that has been entrusted to you.

Audits across different industries ask different questions. A healthcare compliance audit will be looking for HIPAA metrics—steps taken to safeguard protected health information (PHI). Brokers are subject to FINRA compliance audits to ensure security in the financial industry, and organizations that contract with the government must comply with NIST requirements for cybersecurity.

Compliance audits average between 100-200 questions, most of which are highly technical and are best answered by your IT team or resource. It’s not a black-and-white pass/fail scenario, though. Since audits may vary not only by industry, but even from company to company, not every question will apply to your business. For example, a healthcare organization may send a HIPAA compliance audit to a potential vendor, but since the vendor doesn’t handle any PHI, many of the questions won’t apply. This doesn’t mean that the two can’t do business together; rather, it supports an informed discussion about their partnership.

If I Passed, That Means I’m Secure, Right?

Not exactly. As Anthony, one of our FIT engineers, explains, it’s just a first step. Compliance audits are concerned with different aspects of your business and environment, but not EVERY aspect. Some areas of your network are not included, but could still pose a vulnerability in your security.

Plus, most audit questions are not a simple pass/fail; you may have passed, but with the equivalent of a C. Think of your compliance audit as a report card—an assessment of where you’re at, and where you can improve. Once you identify those areas, what do you do about them?

Next Steps

Your compliance audit helps you develop a TBP, or Technology Business Plan, for what adjustments or improvements your IT environment needs over the next 3-24 months. Areas that barely passed or didn’t pass will be the primary areas of focus for your IT team, and can spur projects or other resolutions to help strengthen and streamline your network.

Since the main focus of compliance audits is security, take a good look at the cybersecurity measures you have in place. New threats emerge every day, so it takes a proactive approach and constant vigilance to counter attacks and defend against new vulnerabilities and exploits.

At FIT Solutions, we are your go-to IT resource. We complete compliance audits for you and make recommendations based on the results. We also help prepare your environment to meet and repel cyberattacks. Give us a call today at 888-339-5694 or contact info@fitsolutions.biz to see what elite IT service is like.

How to Become Unstoppable

In a world where the technology landscape is constantly changing, how do you stay ahead of the curve? You’ve got to change with it.

From a business perspective, this means continuing to learn and adapt, taking in new information and figuring out better ways to solve business problems.

At FIT, maintaining cutting-edge expertise is one of our seven core values—the guiding principles that shape our actions as a company. We’ll be delving into each of these values over the next several weeks:

  • Cutting-Edge Expertise
  • Humble & Adaptable
  • Elite Raving Fan Culture
  • Constructive Communication
  • Team Unity
  • Hard Work
  • Teach & Delegate

As an MSP, we serve as the IT support system for our clients. To do so while providing elite service requires a high level of technical excellence and knowledge. Our clients have widely varying IT environments, with different needs and toolsets, so we need to be broad and progressive in building our knowledge base. The more we learn, the more we can accomplish for our clients.

So how can maintaining cutting-edge expertise make you unstoppable?

Forming an Unstoppable Team

During the hiring process, we have a rigorous standard for experience, and place a high value on being an expert or highly capable technician. Some of this comes with on-the-job training, and some of it is a base requirement to join the FIT team.

To find the right mix, we look for particular qualities in job applicants as well as quantifiable data, like certifications. We want people who are humble and eager to learn, because teachability coupled with experience is an unstoppable force.

How Do We Maintain This Momentum?

The typical ramp-up for any company’s new hire is a heavily front-loaded training schedule, which tapers off as they get comfortable with their role and responsibilities. How do we keep an intense focus on maintaining and increasing expertise while balancing the needs of the day-to-day work?

We put a strong emphasis on continuous learning, with semiweekly engineer roundtables and monthly training sessions. In the pre-COVID-19 era, we hosted lunch-and-learns every month or two, inviting partners or engineers to present on particular topics. We leverage our partnerships with vendors to get training and updates on their tools until we know it as well as or better than they do.

We also make extensive use of LinkedIn Learning; our engagement falls in the 75th percentile of companies that use this platform. Our Learning paths are a combination of management-chosen and self-driven, and feature both the videos already offered by the platform as well as how-to and educational videos put together by our own team. It’s no surprise that computer networking and network administration are among our top skills learned, but the most popular programs actually center on communication, emotional intelligence and teamwork!

Our client base covers a range of industries, from healthcare to finance to manufacturing to recreation, and each industry comes with its own language of sorts. To be a true partner and actively contribute towards achieving their business goals, we need to be able to speak the lingo.  So some of our trainings are industry-specific, helping our engineers communicate effectively with our end-users and client contacts.

How Cutting-Edge Expertise Benefits You

Every single minute there are new things to learn. To stop is to stagnate. If you don’t prioritize learning and growth, you’ve basically stopped.

We see so many companies that are using obsolete systems because they ‘get the job done,’ without fully grasping how much time or revenue is wasted on inefficiencies. At FIT, we’re always working to learn what’s new and how to better solve business problems. We love getting to put that drive to work for you—searching out inefficiencies, implementing new solutions, and streamlining your environment until it hums.

Ready to work with a team of cutting-edge experts? Give us a call today at 888-339-5694.

Get in touch.

Fill out the form and our team will get
back to you as soon as we can!