Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: 2024 Q1 Security Insights
Quick Take
On this week’s episode of Compliance Unfiltered, it’s that time again! Time for 2024’s security insights podcast! This month Adam gives a breakdown on the importance of vendor security. The guys cover the value of TCT Portal’s handling of the new PCI v4.0 INFI worksheet. Plus, Adam covers the juiciest news stories from this quarter in cyber security.
All these topics and more, on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the crash to your compliance bandicoot, Mr. Adam Goslin. How the heck are you, sir? Aw, man, I played the crap out of that game back in the day. Tell you what, how you been, sir? Oh, you know, just living the dream, as I like to say. Every now and then, I wake up screaming.
I get it, I get it. It is that time again, sir. It is that time again. Time for our quarterly security reminder podcast, this time for Q1 of 2024. Talk to me about the importance of vendor security, Adam. Well, you know, for vendor management, it’s an important arena that all organizations need to pay attention to. It’s a requirement for a lot of security and compliance standards. In fact, almost all of them, you know, including PCI DSS, you know, 4.x. So, you know, for those that, you know, haven’t gone down the, you know, they’ve gone down the path or whatnot, this is a security reminder. So, if you’re doing this stuff, cool. If you’re doing most of it, maybe not some. Maybe there’d be some bits you can plug in here. But I always recommend to people, start off the process. Pull together your list of vendors, check to make sure that their security stance meets the security and compliance requirements of your organization and the various standards and certifications your organization is subject to. One easy way to go about doing that, which let me tell you a brief story. One of the problems that I’ve seen on engagements is we’ll go, hey, tell me who all your vendors are. And they give us a list of vendors. And then we start going doing things and blah, blah, blah. We get some period of time down the road. Meanwhile, we’ve done all the check, check, check, check, check. And then I go, oh crap, we forgot about this one. And then another 10 days later, oh, forgot about another one. You know, and it’s like, it’s like playing vendor whack-a-mole as you’re going through the process. And so I like to just cut to brass tacks. And, you know, I’ll basically tell them, I’m like, look, go to your accounting department, tell them to export a list of any organization that has received payment in the past year.
That way, it’s going to be, yes, it’s going to be way more vendors than you’re gonna ultimately wanna have on the list for this high importance, you know, scrutiny and blah from a security perspective, but you’re not gonna be missing anything at least. So taking the list and categorizing them by exposure to various degrees of sensitive data, depending on what you’re dealing with. Maybe they’re getting exposed to credit card data. Maybe they’re getting exposed to health data. Maybe they’re getting exposed to personally identifiable information or intellectual property, et cetera. So you just kinda go down and figure out what all of these guys have access to. You know, the folks that are delivering pens and notepads and stuff, you know, is one bucket and those that are backing up your critical servers is another bucket. So, you know, and then, you know, kind of allow those categories of your vendors to drive the amount of attention that’s appropriate, warranted, and/or required for what you need to go in and do. You know, the more exposure they have to your important data, then the more important it is to make sure you’ve really got it nailed with their security posture and alignment with your own.
You know, so one important note in the PCI space is that if their recertification date is after March 31st of 2024, they will need to provide an attestation of compliance against PCI 4.x, not 3.2.1. So as you’re going in and you’re receiving any AOCs from vendors, you gotta make sure that you’ve got an AOC that on the header page is referring to PCI 4.x, not 3.2.1. I recommend to folks also do your annual, you know, there’s a requirement, PCI as an example, do an annual vendor oversight, you know, well, don’t do it once a year. Check it quarterly as you’re going through the year. So, as an example, if I’m in the midst of Q1, I can look ahead to Q2: who all is going to be renewing in Q2. Now I can go out and I can hit the appropriate subset of my critical vendors in the quarter that they’re supposed to have new paperwork, etc. There’s a couple of different benefits. One, you’re more on top of it. Two, you get a more timely exposure to their refreshed compliance reporting. Third, and this has been known to happen, believe it or not, is that, well, somebody’s having a problem with getting their compliance paperwork filled out and a month passes and another month passes and three more months pass and blah, blah, blah. At least you’re going to be finding out that there’s something amiss here, finding out earlier in the process. Then let’s pretend they rolled over, you know, one month after your last annual check, well, these guys could be, you know, these guys could theoretically be out of whack with their security and compliance paperwork for 11 months before you find out again, you know? So it’s just better all the way around to get a good idea of, you know, kind of where you’re at, stay on top of it, being proactive, you know, all the way around, you know, it’s just a better approach to how you handle it.
And not the least of which is if the person listening to this pod is a TCT customer, then certainly, you know, you can coordinate with TCT to assist you with having those, you know, kind of vendor pulse checks, having the system triggering quarterly instead of just being a once a year validation. So we can help you with that. Let us know.
Well, I know you got a quick tip for the folks, Adam, regarding the TCT Portal’s handling of the new PCI version 4 INFI worksheet capability. Talk me through that. Sure. You know, one of the new aspects of PCI DSS 4.x is the, they have these things that are called items noted for improvement. Everybody loves an acronym and this one is INFI. So the INFI gives the QSA the ability to denote items that needed improvement as the assessor was kind of going through the assessment. Any declared INFI needs additional paperwork, and that paperwork is called INFI worksheets. So the TCT Portal has the ability to automatically generate those INFI worksheets at the end of your engagement. So all of the required information is captured as the QSA is going through and conducting the assessment. The paperwork for the INFI worksheets is generated with a button click. So for anybody that hasn’t seen that capability, feature functionality, et cetera, by all means, for new folks to TCT, then go ahead and hit the website and you can request to schedule a demo and we’d be happy to share that with you. If you’re an existing client, go ahead and send something in to the support team and they will give you a hand with showing you how that works. Excellent stuff. Now, what’s new in the news? For listeners, you can access links to various news stories by going to the TCT website at GetTCT.com, click on Resources, and click on Security Reminders.
Let them know, Adam, what is new in the news for Q1 2024. Our Q1 news list. This is fun. So let’s start off with, you know, it was funny because I said to myself, as we’ve been kind of looking at security over time, blah, blah, blah, blah, you know, for a period of time, I have been saying, you know, folks have been talking to, you know, mobile applications is, you know, kind of the new wild west of, you know, of, you know, of security, you know, where there’s, you know, the developers aren’t quite used to doing things securely, blah, blah, blah. But we have a new story here. They did a study on car companies. And it turns out that the cars turned out to be the worst product category that they’d ever reviewed as far as privacy went. So the modern cars where you’re playing, you know, whatever, you’re connecting your phone, and then you’re able to have it reading your emails and reading your text messages to you and making calls on your behalf.
And, and, and, you know, read this recent study found 25 out of the 25 car brands are collecting and using significant amounts of personal data. Collected data includes how the phone’s interacting with the car, which apps are being used, how frequently they’re being used and more. Most of the car companies are selling this personal data to third parties. So just over half of the investigated car companies are sharing information with government or law enforcement agencies upon request. And it turned out that Tesla received all five dings in terms of data privacy according to Mozilla. So yeah, it was, it was pretty interesting. But yeah, I don’t know, man, I think I think from a privacy perspective, I think the cars are leading the pack, from an impactful security perspective. I’m still gonna keep my eye on those mobile apps, but. Well, no doubt about it, man, but as somebody who lives in Southern California, it is very much a car culture. I mean, the majority of people I know depend on their vehicle and its capability to integrate with their phone in some way, shape and form.
So that is shocking. Yeah, I’ll just note that they’re always listening, shall we say. So let’s move on. Poorly secured Linux SSH servers are under attack for cryptocurrency mining. So poorly secured Linux-based SSH servers are being targeted by dictionary attacks, having their credentials sold on the dark web. Attackers have another option at their disposal. They can install port scanning software and dictionary attack software and use that system to then target other systems within the affected network. So they then go back and install cryptocurrency mining software, using those systems to perform DDoS attacks, basically getting a mining bot and another node to help take down other networks once they gain access. So they’ve got NKAbuse that’s being leveraged, using the NKN protocol, a new kind of network, as a communication channel to assist them with carrying out these attacks. So just word to the wise for those with the Linux server. Take a, do you wanna take a look into that one? The next one, Operation Triangulation. This is spyware, attackers bypass iPhone memory protections. So there was an undocumented hardware feature on Apple’s system on a chip, or the short form SoC, allowing for multiple exploitation of vulnerabilities, and these vulnerabilities pose a risk to the Apple iOS device users’ privacy and data security. The main target is iMessage. It’s been exploited on iOS up through 16.2. So a lot of, you know, despite all of the patch your stuff, patch your stuff, patch your stuff, we all know there’s a number of people out there that don’t bother, so those folks are certainly at risk. But, you know, upon initial discovery this particular hole was taking advantage of four individual zero-day exploits. And, you know, what’s alarming about this is the growing number of attacks, threats, eventual exploitations, you know, on the iPhone platform.
You know, due to the closed nature of iOS, it can be challenging to detect these newer attacks without network traffic analysis or data forensic analysis tools. So, you know, there’s a plus side and a minus side to, you know, to the tightly controlled, you know, arena for the iOS platform. So, it comes with its good and its bad, I suppose. Also, there’s a new Terrapin flaw that can allow attackers to downgrade SSH protocol security. So, you know, there’s a new, this new Terrapin flaw that targets SSH, being classified as the, you know, the first ever practically exploitable prefix truncation attack. In short, the attacker can adjust the number sequence during the handshake without the other side detecting it. And the attacker, acting as a man in the middle who can access the TCP/IP layer, they can downgrade the SSH security when negotiating that security handshake. So, you know, definitely something to, you know, for folks to keep their eyeball on. And lastly, to kind of round out the security news for this go around, it’s a new acoustic attack that steals data from keystrokes with 95% accuracy. This is one where, you know, definitely go and take a look at this article. It’s actually a pretty interesting read. But using the cell phone’s audio recorder, the attackers can capture keyboard stroke sounds off of the keyboard and feed that audio into, it’s called CoAtNet, an image classifying piece of software, to produce wavelength images. They then, using just the smartphone audio, the keyboard strokes were able to be correctly identified with an average accuracy of 95%. That’s why. When you’re on Zoom, then the accuracy dropped to 93%, and when you’re on Skype, it dropped to 92%. But the long story short is it was pretty damn accurate. A potential mitigation to this risk is to have some form of background noise, white noise around the keyboard, but software-based keystroke audio filters can help this out as well. But the interesting part is the acoustic attack can even work on, you know, finger quotes, silent keyboards. So I found this one was kind of, kind of entertaining, especially since, you know, if you think about it, right?
In your office you’ve got a listening device on you non-stop, aka your cell phone. You have another listening device on, you know, I’ll kind of, on you, which is the machine itself. You know, let alone could there be others? Oh, I don’t know. You know, what would they call that thing? The, you know, I’m talking about the little Alexa or whatever it is. Oh, yeah, yeah, all right. You want to know why I struggle to be able to come up with the names of these damn things? Because there isn’t one that exists at my place, it appears. I would not play that game.
So, so anyway, but no, that you’ve got those things, you know, smattered around the house, etc. So yeah, it’s this one. This one was actually pretty damn entertaining. That is, man, that is wild, because there’s a lot of folks there that are, that are, that’s going to, to impact a lot of the things that they do. 95 percent accuracy. And think about how much of the business is now transacted at 93 percent accuracy over something like Zoom. Well, and if you think about it, right, so they’re talking about keystrokes. And they’re also talking about, you know, it’s, you know, silent keyboards, blah blah, where you’ve got integrated systems where I’ve got my email on here, I have my, you know, I have intellectual property. I’m typing into a Word doc. I’m typing into a spreadsheet. I’m, you know, I’ve got my text, text messaging integrated into my computer and, and, and, you know, all of this stuff, you know, this, this just keeps, this just keystroke, you know, identification. So it’s just a, it’s kind of like the, you know, the key, the key loggers that, you know, that were really, you know, kind of prevalent and, and went wild, unchecked, in the early, you know, in the early days of, you know, them coming out with, you know, keyboard capture and blah, blah. You know, it’s, it should, it should, you know, kind of freak people out no less than, you know, than when we were dealing with that back, what, 20, 10, 15 years ago. No doubt that right there.
That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.