Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.

As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.

Are Unvalidated Vendors Being Hired Through the Backdoor?

It’s surprisingly common for departments within organizations to hire new vendors without vetting their security — and it’s surprisingly easy to have disastrous consequences.

Your company doesn’t have an abundance of IT resources who are just sitting around waiting to solve people’s problems. Instead, those resources are stretched thin — and even though you may have a process for vendor onboarding, it either takes too long or the people within your organization perceive it as such.

So a lot of the time, departments decide to onboard vendors themselves and they take shortcuts through the process. Instead of going through the proper IT channels and doing due diligence, a new vendor is selected without any security vetting.

Your departments may be attempting to sort things out on their own so they are not adding to the overwhelming load on IT. And because they don’t know how to assess risks to the organization, they might hire an otherwise excellent vendor who poses a security risk to your company.

The group in your company that typically performs vendor due diligence has no idea that vendors are being hired without being vetted. As a result, no one ever assesses those vendors and your company’s security risk has the potential to rise every time a new vendor is hired without vetting.

Not only is this an issue for the organization overall, but since vendor management is a requirement for most industry standard compliance frameworks, bringing on vendors that have not gone through the established vendor vetting process actually puts your compliance at risk, in addition to raising the risk to the organization itself.

Target lost nearly half their profits in a single quarter after a very public data breach. The attack was successful not because Target’s security was poor, but because an HVAC vendor wasn’t properly vetted.

Is vendor due diligence really necessary?

It might seem like the data that your company shares with vendors is benign data. Maybe the vendor only has your customers’ names and addresses. It’s not like they have credit card data or social security numbers. But if any kind of personal information is exposed, your company has a massive problem to deal with. A data breach is a data breach, and a malicious third party has your customers’ information.

It’s critical to ensure that every vendor you work with is handling data properly — that they follow appropriate security standards for the receipt, processing, storage and transmission of information.

It doesn’t matter who the vendor is or what they provide — a marketing platform, plumbing services, or free software that doesn’t take credit card data. Your vendors have some amount of access to various types of organizational information, and a bad actor can target your organization through these vendors.

There may also be ripple impacts of exposed vulnerabilities on your organizational systems. If you install a new piece of software, how do you know it’s secure? Does it have security holes or vulnerabilities? What additional exposed vulnerabilities could be made possible through that software, and how often is the vendor making patches available for the software?

Your IT team will know to check for warning signs that your departments may never consider. For example, it’s easy to grab a free widget and add it to your website to run a specific function — but you may not realize that it was developed in Russia. Vendor vetting would quickly uncover that detail, among many others. 

How to Audit Your Vendors for Security and Compliance

Ensure all your vendors are vetted

Develop a process of vendor due diligence that is efficient and responsive. If it takes weeks or months to vet a vendor, your personnel will get frustrated and potentially circumvent the process.

Communicate with all of your departments on a regular basis to remind them of the importance of vetting vendors. Build in accountability with consequences for not following proper procedures. Create new vendor alerts that come out of accounting each month and are sent to each department, including IT. This will help you to catch the majority of vendors that may have been brought on without vetting.

Also be sure to keep up with periodic system reviews, department interviews, and software inventory management. These inputs supplement the feed from accounting, because solutions brought in as open source software (freeware) or on a trial basis may never generate an invoice and will only be caught here.
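The monthly new-vendor alert and the software inventory sweep described above can be turned into a simple reconciliation job. The following is an added example, not TCT’s or any product’s code: it takes a constructed accounting feed, a constructed software inventory, and a constructed due-diligence register, normalizes vendor names so the same company spelled differently in each system compares equal, and flags every vendor that has no due-diligence record. The field layouts of the three inputs are assumptions for the example.

```python
"""Monthly new-vendor reconciliation (constructed example, not TCT code).

Flags vendors seen in the accounting feed or the software inventory that
have no record in the vendor due-diligence register, so they can be queued
for vetting. Input layouts below are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Corporate suffixes that make one vendor look like several across systems.
_SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation"}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and corporate suffixes so that
    'Acme Widgets, Inc.' and 'ACME WIDGETS INC' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


@dataclass(frozen=True)
class Finding:
    vendor: str   # vendor name exactly as it appeared in the source system
    source: str   # "accounting" or "inventory"
    reason: str   # why this vendor needs a due-diligence review


def reconcile(accounting_feed, software_inventory, vetted_register):
    """Return one Finding per unvetted vendor, accounting first, then inventory.

    accounting_feed:    iterable of (vendor_name, first_payment_date)
    software_inventory: iterable of (vendor_name, product, license_type)
    vetted_register:    iterable of vendor names that completed due diligence
    A vendor that is unvetted in both sources is reported only once.
    """
    vetted = {normalize(v) for v in vetted_register}
    findings, seen = [], set()

    for vendor, first_paid in accounting_feed:
        key = normalize(vendor)
        if key not in vetted and key not in seen:
            seen.add(key)
            findings.append(Finding(vendor, "accounting",
                                    f"first payment {first_paid}, no due-diligence record"))

    # Free or trial software never produces an invoice, so the accounting
    # feed alone would miss it; the inventory sweep closes that gap.
    for vendor, product, license_type in software_inventory:
        key = normalize(vendor)
        if key not in vetted and key not in seen:
            seen.add(key)
            findings.append(Finding(vendor, "inventory",
                                    f"{product} ({license_type}) installed, no due-diligence record"))
    return findings


# Constructed sample data for the example; not real vendors or payments.
ACCOUNTING_FEED = [
    ("Acme Widgets, Inc.", "2025-01-03"),
    ("Cold Air HVAC LLC", "2024-12-15"),
    ("Acme Widgets Inc", "2025-01-20"),      # same vendor, different spelling
]
SOFTWARE_INVENTORY = [
    ("Acme Widgets Inc", "WidgetTool", "commercial"),
    ("FreeChart Labs", "FreeChart", "freeware"),
    ("PipeSoft", "PipeSoft Pro", "30-day trial"),
]
VETTED_REGISTER = ["ACME WIDGETS INC"]


if __name__ == "__main__":
    for f in reconcile(ACCOUNTING_FEED, SOFTWARE_INVENTORY, VETTED_REGISTER):
        print(f"[{f.source}] {f.vendor}: {f.reason}")
```

Run monthly, the output list is the alert that goes to each department and to IT; the two freeware and trial entries are exactly the kind of vendor the accounting feed on its own would never surface.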

Any organization that provides a product, solution, or service to your company must be fully vetted. Otherwise, you could be opening yourself up to any number of unknown security risks, let alone violating best practices and your compliance.

TCT Portal Quick Tip: Tell Us What You Really Think!

TCT exists for one reason alone: to make compliance management suck less. We got into this space to help people so they don’t have to suffer through enormous wastes of time when doing compliance engagements.

That’s why we value the tremendous feedback we receive from our users. TCT Portal’s user base has always been highly active, and many of our best and most popular features have come from customer requests. In fact, about 95% of our releases are client-requested functionality.

Our customers are the boots on the ground, and that means you know best what you need most. So if you see an opportunity to make TCT Portal better (for your organization and others), don’t hesitate to contact Portal Support. We’ll capture your great idea and get it onto our development roadmap. We’ll also tag your name and organization, so that we can keep you posted as it moves into production.

Have a request right now? When you’re logged into the TCT Portal, simply click on the Support link on the left navigation pane and submit your ideas to the TCT Product Team!

What’s Going on in Security Today

Green Bay Packers’ Online Pro Shop Sacked by Payment Skimmer

The Green Bay Packers Pro Shop website was breached by third-party threat actors. Malicious code was found on the website on October 23, 2024. An estimated 8,500 “cheeseheads” received letters stating that their payment data had been compromised during two separate windows of time.

Certain payment methods were not exposed, according to the report, but credit card information and personally identifiable information were exposed and captured.

PayPal Phishing Campaign Employs Genuine Links to Take Over Accounts

There is a new phishing campaign for PayPal account access that uses a legitimate PayPal website link to trick people. It presents a payment request page, and as the user enters their credentials on this page, their account is tied to the attacker’s email address, which the attacker can then use to gain access to the affected PayPal account.

This campaign has even circumvented PayPal’s anti-phishing protections, per Fortinet.

Cross-Domain Attacks: A Growing Threat to Modern Security and How to Combat Them

There is a new, emerging type of attack that is gaining prominence, called cross-domain attacks. The attacker exploits weak points in one organization and its identity systems, then moves laterally, undetected, across the interconnections with other organizations.

This type of attack cracks the authentication of one system to move internally and laterally to infiltrate other systems.

CVE-2024-5594 (CVSS 9.1): Critical Vulnerability in OpenVPN Enables Code Execution

The most critical flaw in OpenVPN, CVE-2024-5594, allowed an attacker to inject arbitrary data into plugins tied to the OpenVPN software. This could allow the OpenVPN peer to execute code or even cause denial-of-service conditions.

Another vulnerability, CVE-2024-4877, targets Windows users, allowing the attacker to steal Windows login credentials through the user interface service pipe.

SonicWall Warns of an Exploitable SonicOS Vulnerability

SonicWall has identified a high-severity vulnerability in their SonicOS: an authentication bypass in SSL VPN or SSH management. A patch and new firmware to fix it were released on 1/7/2025.

One of the mitigations from SonicWall is to “limit access to trusted sources, or even disable SSLVPN if it is not a needed service for your organization.”

Banshee macOS Malware Expands Targeting

Banshee macOS malware has been actively targeting macOS systems since the middle of 2024. In November, the source code of the malware was leaked online; it is thought to have been developed by Russian hackers/developers.

While this makes detecting it on Macs easier, it also allows other attackers/developers to take it, make custom changes to it, and redeploy it as a separate malware instance. The biggest change in the most recent find is that the Russian-language check, which previously prevented the malware from installing on systems with Russian set as the system language, has been removed.
