Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: 2024 Q3 Security Insights
Quick Take
On this episode Compliance Unfiltered, its that time again – time for Quarterly Security Insights! This quarter we are focused on all the goings on in the cybersecurity world, specifically the CU guys will chat about the intricacies of security being everyone’s job.
Adam gives a breakdown of the news from this quarter, everything from API related breaches to Kraken Crypto being hit with a $3Million Dollar Zero Day attack, and everything in-between, all these topics and more, on this episode of Compliance Unfiltered.
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin. Well, welcome in to another edition of Compliance Unfiltered.
I’m Todd Coshow alongside the DJ to your compliance party, Mr. Adam Gosling. How the heck are you, sir?
I feel like I want to drop a beat or something. Tell me, today we’re talking about security reminders for Q3, and it might be a little timely that we’re having this conversation, is there are some particularly interesting things in the security realm going on today, no? Today in particular, yes, and it looks like somebody, it’s early reporting, it literally just happened overnight, so I’m kind of waiting for the final details to come out, but yeah, it looks like somebody at a particular security firm screwed the pooch on an update that’s taken out like dozens and dozens of airlines, 911 services, all sorts of fun stuff, so I’ve already alerted the team. I want to flag this one for next quarter’s kind of news stories, because by then it will have season, but I think there’s going to be a lot to learn from this one. Absolutely. Well, it is the at that time, security reminders for Q3.
And the biggest one we’re gonna start with today, Adam, is security is everyone’s job. Say more about that. Well, in a lot of organizations and this has been kind of the thing for some period of time, in a lot of organizations, people are going under the assumption that security is an IT thing and it’s somebody else’s job. But the reality is security is ultimately the responsibility of every single person in the organization. This is everybody from the CEO to the janitor and everybody in between. Everybody plays a role in protecting the company from bad actors. Anyone in the organization can get a phishing email that can grant access to the internal network or innocently hold the door open for somebody that’s trailing an employee in and not realizing they’re a threat. So, you know, there’s lots of ways it can happen, but, you know, every single person in the company, there’s an opportunity for bad actors to gain access to sensitive data, and thereby, it’s everybody’s responsibility to assist in, you know, kind of maintaining that security.
You know, there’s several elements that kind of come into play, certainly, you know, the training of employees, you know, the actions, activities, and observances of every person, you know, on the team play an important role in the security and compliance of the organization. So every single person needs to be properly trained in security and compliance, you know. It’s interesting, in some organizations, you’ll see the, you know, kind of the uppity -ups in the organization, oh, I don’t need to attend that training. I don’t know what to tell you, but, you know, statistics would show that you’re probably the one that most needs to go to the training. So, yeah, fun stuff. But, you know, certainly, certain departments play larger roles than others. You know, there’s departments that have direct interactions with external individuals, such as people in sales or customer service or purchasing, you know, there’s some departments within the company that play an active role in kind of validations and checks that are related to security and compliance. So, you know, HR performing background checks or, you know, otherwise provisioning requests for employees to gain access to systems as part of their job role within the organization. But, you know, at the end of the day, every single person in the company plays a part.
You know, you’ve heard the expression, you know, if you see something, say something. The same holds true when it comes to protecting your organization from data breaches. If you see a strange email or a USB drive sitting on, you know, near an entrance or a visitor that looks like they’re or out of place, then go ahead and get that reported to the central group in your organization that handles security and compliance, and to your direct manager so they can assist with escalation. One of the, I’ll go back to, and don’t go overboard in trying to kind of be the savior yourself. So the one area where I’ve seen more than a handful of individuals get into trouble is especially where they see a USB drive sitting there, and they’re typically bad, somebody has bad intentions. They’ll put something on there that makes the user curious as to what might be on it, and hoping that they go and plug it into a machine within the network. So don’t try to be overly helpful. Just do your reporting job. You know, get the… you’ve got the USB over to somebody in your, you know, in your IT or security group that’s kind of handling things. You know, the more that the organization acts as a cohesive group to protect the company, then the more you’ll be able to collectively keep sensitive information safe from bad actors.
Absolutely. Quick tip for the folks, Adam. How and when to flip to PCI DSS version 4 .0 .1 in the TCT portal, tell them about it. Well, for those listeners that are fortunate enough to leverage the TCT portal for their PCI DSS V4 engagements, you know, if they’re up and running on tracks in the TCT portal on a V4, all they have to do is contact TCT, make a request.
They can transition to a version 4 .0 .1 track at any time. You know, it’s a simple sending a message into the portal support email address and asking that their PCI track be transitioned. The PCI SSC released the version 4 .0 .1 modifications to the compliance standard already, but they haven’t yet released the reporting templates for version 4 .0 .1. We expect them, they’ve said that they’ll be releasing them sometime in Q3. So that could be any time from now through, you know, through the end of September. Generally speaking, we’ll see them make those types of updates in advance of the community meeting, which is around the middle of September. So maybe it’ll be sometime in August, you know, type timeframe is my best guess. But for right now, you can make the request to transition to the 4 .0 .1 track and there’s no harm in, there is no harm in waiting until the reporting. templates have been released. But, you know, once they’ve been released, go ahead and, you know, go ahead and get your tracks transitioned as quickly as you can when you’re ready, that type of thing. You know, for those organizations that say, you know what, I just want to move from my 4 .0 to my 4 .0 .1 track, then, you know, now it’s not a big deal. They can go ahead and do that. They’ll be on the right track. And then once the PCI SSC releases the 4 .0 .1 reporting templates, then what we’ll do in the background, we’ll go ahead and put the 4 .0 .1 reporting templates on. For the time being, you know, for the time being there, we have the version 4 .0 .1 tracks. connected to V4 reporting templates so that if we’ve got a client that needs to go ahead and generate a report, they just want to see it on the, you know, on the output, they can still do so. You know, the good news is there are no reporting control differences between version four and version four or one. The bulk of the changes are clarifications, recommendations, things along those lines. So I don’t anticipate, I don’t anticipate the 401 reporting templates to be terribly, terribly impactful. So long story short, they can move whenever they want.
We’re here to help. What’s new in the news? As always listeners can access the links to the various news stories by going to the TCT website at gettct.com. Click on resources and click on security reminders. Adam, what’s in the news this quarter? Well, we got all sorts of entertaining stuff. So a lot of folks will have heard of the Ticketmaster breach. So there was a cybercrime syndicate called Shiny Hunters and they are said to have compromised approximately 560 million user accounts across Ticketmaster and Live Nation. Something along the lines of 1 .3 terabytes of data that was exposed. The types of data that were exposed in this particular breach included names, emails, home addresses, phone numbers and billing slash card information. So yeah, that one, that one is right up there in terms of the, we’ll call it the volume of user accounts or impacted sensitive data. accounts in recent memory. Next up, we’ve got that a quarter of firms suffering an API related breach. So there was a new report out from SALT Security that suggested that approximately a quarter, 23% of the organizations polled, which is a total of 250, were breached through their production -based APIs. Of those polled, 95% were saying they suffered some form of an API -related security issue in their environment, ranging from data exposure to denial of service, among other issues. So the report also revealed that only 8% of those organizations that were sampled felt that their API strategy was, finger quotes, advanced. So that’ll be a concerning trend as we You know, kind of head toward 2025 and the increased use of, you know, of APIs for organizations to share information and data with, with one another. Um, I think, uh, think organizations definitely need to up their game when it comes to their security focus on their APIs. Um, there was a onyx MFA bypass that targeted Microsoft 365 accounts. So there was a new fishing as a service operation that’s currently bypassing to FA logins for financial institutions compromising business email the, the threat actors were using embedded QR codes in PDF attachments within emails, to redirect targeted personnel to fishing URLs where the data, uh, the data being requested would be input and thus causing a successful fishing campaign. Um, this, uh, this fishing campaign was eventually linked back to the onyx store. Oh, and an X, uh, which uses telegram bots. So that was that that was fun and entertaining. Um, Microsoft unveiled some new some ways to detect compromised devices in your organization. So, uh, Microsoft introduced a new way to help detect compromise slash hack machines in organizations. Um, the network analysts through Windows Defender can search for hidden desktops using window window defenders new desktop name option and organizations can use advanced hunting queries to see every instance of a particular process on a per computer basis. And this can give network administrators and security administrators a new tool for detecting and investigating potentially compromised machines within the environment. And lastly, we have Kraken crypto exchange was hit by $3 million theft that was exploiting a zero day flaw.
So it seems like there’s a lot of these cryptocurrency platforms have been kind of popping up over the course of the last decade or so. And the platform Kraken had a flaw in their website that was exploited by a security researcher and their friends. Effectively, they were able to leverage a bug in the funding portion of the program, then deposited $4 into their account without actually completing the deposit. The researcher had mentioned this bug to two others. And those two accounts extorted a combined $3 million from Kraken’s treasury. Oh my days, not the client accounts. So yeah, that was definitely exciting. It also underscores the need or use for some advanced red teaming penetration testing of your various platforms and kind of putting the old white hat to use, if you will.
Indeed. Parting thoughts and shots for the folks this week, Adam? I don’t think so. I think we’ll just keep an eyeball on the latest and greatest CrowdStrike issue going at CrowdStrike slash Azure issue going on. And we’re almost assuredly gonna hit that in the next quarterly security reminder. But now just everybody, everybody keep paying attention, keep your eyes and ears open and keep taking your compliance management, your compliance management seriously.
Indeed, and that right there. Thank you. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. I hope we help to get you fired up to make your compliance suck less.
