Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: 2023 Q4 Security Insights
Quick Take
On this week’s episode of Compliance Unfiltered, it’s that time again! Time for this quarter’s security insights podcast!
This month Adam gives a breakdown on the importance of physical security. The guys cover the value of Operational Mode as it relates to achieving continuous compliance. Plus, Adam covers the juiciest news stories from this quarter in cyber security. All these topics and more, on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the sunshine on your compliance shoulder, Mr. Adam Goslin. How the heck are you? I’m doing good, Todd. How about yourself? Man, I can’t complain. I can’t complain at all. It’s security awareness reminder time again for Q4 of 2023.
Adam, let’s talk in this episode about the importance of physical security for starters. Sure. You know, it’s not uncommon for me, when I’m doing on-site visits for a client, that I’m discovering basic physical security failures that need to get addressed. Some of these are as simple as adequate locking mechanisms on doors or installation of security cameras, but at the end of the day, physical security is a critical part of effective cyber security. If your organization is charged with protecting sensitive information, then you need to be vigilant in making sure you’re following best practices. So what I recommend to folks is several considerations. First off, make sure that you’re covering all your locations. There’s a strong propensity to really focus in on the production environment, or where the servers are, et cetera, which is appropriate. And then they’ll also really focus on headquarters. But they forget about the fact that, oh, I don’t know, maybe they’ve got an IT outpost. Maybe they’ve got a sales office, etc. Make sure that you are covering all of your locations, including those kind of one-person sales offices. Don’t disregard those just because there’s one or two people in there. It doesn’t mean that they couldn’t have issues which would expose the organization. So it’s not the size of the office, it’s what you’re doing with it.
But the reality is that, I don’t know, any office that has connectivity to the main network is a potential security risk. So you need to pay attention to physical security. Bad actors will often see a small office as an easy target to get into the network. You’ve also got to look, as you go then, now that you’ve got your full list of all your locations. Make sure that you’re checking out and reviewing the physical security of every single entrance and exit. Make sure that you’ve got locking mechanisms on the doors that are operating properly. Make sure that you’ve got monitoring, camera monitoring, at each of the entrances and exits. Have modes of authentication for people that are entering and leaving the building, AKA badge entry. Cameras at all the entrances, not just the main entrance. If somebody wants to get unauthorized access to the building, they’ll be willing to go through unauthorized entrances, including emergency exits, windows, rooftop access points, et cetera. Certainly send out the reminder to the staff about no piggybacking on the way into the building. Don’t ever hold the door open for somebody that’s coming toward the building, even if it’s an employee that they know, because that employee might have been released the day before or put their resignation in the day before and lost their physical access. And now you’re thwarting that. So certainly make sure there’s a visitor badging system for the building. If you’re seeing somebody strolling around without their visitor badge, then you don’t have to be obnoxious about it, but go over, stop, and ask them: who are you here to see? How can I help you? Escort that visitor back to the front desk, get them signed in, get them an escort to where they’re supposed to be going. Things along those lines are all elements of physical security, as a friendly reminder, if you will.
One area that I’ll hear often is, well, we don’t actually own this building, we just lease it. So it’s not my responsibility to take care of the physical security. The reality is that while it may not be your responsibility to handle the physical security, you’re certainly the organization that’s going to, we’ll call it, inherit the bad fortune of somebody thwarting that physical security. So the odds are whoever owns the building, honestly, doesn’t have any idea what they’re doing from a physical security perspective. So, you know, it’s your business that’s in there. You’re occupying it. So I look at it as a shared responsibility. You, as a tenant, need to raise awareness to the landlord. They have a responsibility to put in place protections for your organization. So, you know, it might be somebody else’s building, but the blowback’s gonna come in on you. So report the shortcomings to the landlord, get them on the list to get addressed, etc., and continue to follow up with them on the aspects of physical security.
Absolutely. Quick tip time, Adam. How does the TCT Portal operational mode protect organizations after achieving compliance? Tell us more. Well, in TCT Portal, it really runs in two modes. We’ve got what we would typically call one-time or first-time mode, in which organizations will do their initial run at fill-in-the-blank compliance, you know, certification or standard. But once you’ve gotten there, once you’ve achieved that goal, that mark, that objective, you’re not done. A lot of organizations will go, oh, thank God, we got through the fill-in-the-blank effort and now we can go back to our normal job. Well, what the organization needs to realize is that what they just did is, yes, they had a great event, which was confirming their, you know, adherence, compliance, etc. with fill-in-the-blank, and it’s a big deal. That said, you’re also signing up for doing certain functions every day, every week, every month, every quarter, twice a year, once a year. So, you know, it’s taking those responsibilities seriously where the TCT Portal operational mode comes into play. Effectively, the operational mode will use automation to help make sure that you as an organization aren’t missing one of your ongoing compliance maintenance responsibilities. I’ve seen a lot of organizations that get into, especially, year two, you know, where they have lapses in their operational compliance requirements. So somebody forgets to run a scan, somebody forgets to do a user review, somebody forgets to turn off so-and-so’s access when they were terminated, etc. So, you know, then they’re heading into their annual assessment with their assessor, and the assessor’s basically saying, oh, geez, I’m sorry, but we can’t sign off on this because you need to have four quarterly passing vulnerability scans. You know, if you missed the last quarter, it’s not as impactful as if the organization maybe missed their compliance quarter two. Now what?
We’ve got to wait six months till we have four passing quarterly scans? It’s a big deal, and I’ve seen some organizations really get themselves in a tight jam with their assessor because of missing these requirements. The other side of the operational mode that I would say to those that are leaders of an organization, to those that own the organization, etc.: these periodic, time-based activities, it’s not just a checkbox for compliance. These activities really help to dramatically improve the overall security and compliance stance of the organization, and it’s something that organizations really need to take seriously. You know, operational mode will basically serve these tasks up to your personnel. It will tell them when it’s due, what needs to be done, who’s doing it, and so at a glance, project managers can readily go in and see, oh, well, you know, of the 37 things that we needed to do for this quarter, I can see that half of them are done, and I can see who has the remaining half, etc., and they can readily and easily manage to those. And as an organization, especially as a management team or an ownership team, you don’t have to wonder, geez, are we keeping up with what we’re supposed to do? You will know it, because you’ll be able to go in, take a look at the TCT Portal, and readily see your current state, where you’re at, and what needs to be done.
Well, it’s new news time. Again, listeners can access links to the various news stories by going to the TCT website at GetTCT.com, click on Resources, click on Security Reminders. And with that, what’s new in the news, Adam? Well, what’s new in the news? So let’s see, first one that we’ll go through. There were some fake browser updates that were used in malware distribution. So there’s been an upward trend in exploiting the mere mortals with safe, known software while actually installing malicious updates. So, using fake browser updates on compromised websites, threat actors like TA569 have been using JavaScript and HTML injected code to deliver the SocGholish malware, which is posing as a legitimate software update for web browsers. But it’s effectively lying to the users that are trusting their browsers, and it’s a way to subvert organizations’ awareness training mechanisms. So it’s a pretty interesting one that organizations need to be aware of. The next up news story is the NSA and CISA advising on the top 10 cybersecurity misconfigurations. This is certainly one where the NSA, CISA, and FBI jointly released a top 10 most common cybersecurity misconfigurations list. Some of that list included using default software or hardware credentials when deploying hardware or software, weak two-factor or multi-factor authentication mechanisms, and unrestricted code execution for software. So certainly for any organization that wants to know a little bit more about things to watch out for, etc., go and take a gander there. Just a friendly reminder that we do have the links to these stories on the website, just as Todd said at the top of this segment. So go in and look those up. You can go in and grab hold of the list. Next up, the Five Eyes intelligence chiefs are warning that China is using AI for stealing intellectual property?
Well, jeez, go figure. I mean, honestly, the Chinese have been notorious for the outright abject stealing of intellectual property from many countries, including the United States. So, jeez, go figure they’d make a shot at artificial intelligence. But for those that don’t know, the Five Eyes intelligence network is composed of the United States, Britain, Canada, Australia, and New Zealand. And they issued a joint statement saying the Chinese are using AI to assist their state-sponsored hackers, so that they can not only spy against the Five Eyes countries, but also against the rest of the world. It’s not limited to homes and small businesses. There are reports that companies working on robotics, biotech, AI, and quantum technology have been targeted by China and their cyber networks, assisted by AI to speed up their queries without decreasing the performance on their side to carry out their attacks. Christopher Wray was stating that China has a bigger hacking program, either physical or virtual, than that of every other major power nation combined. So, you know, the scale of these attacks is making it much more challenging to thwart.
Moving on to the exploration of the realm of malicious generative AI. This is gonna be a new digital security challenge. So, you know, malicious AI is already starting to blossom among the number of AI solutions that are in place. There’s one called FraudGPT that has the ability to craft spear-phishing campaigns, create counterfeit invoices, fake news articles, among other things. It’s all for the sake of taking down organizations and exploiting and defrauding employees and even upper management. These types of malicious attacks can also work to shift public opinion on certain topics and be exploited, you know, in cyber attacks. And finally, we’ll talk about Discord. This is a playground for nation-state hackers targeting critical infrastructure. So, Discord is one of the most popular communication software applications on the market today, and thus is a lucrative attack target, as well as a useful tool for folks to launch attacks from. So, using functionality that’s already on the Discord server, such as its webhook, attackers can have a rigged website that results in scripts that extract and run PowerShell scripts to download other scripts from a web-based GitHub repository. The initial file that’s hit, it’s not that dangerous, but once that task has been executed, the attacker can then go in and modify the GitHub script to make it more malicious, do more damage, you know, even to the point of physical hardware harm. So this one in particular is starting to get real interesting as they dial up their capabilities for, you know, kind of attack vectors.
That right there, that’s good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.