Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Q4 Security Insights 2024
Quick Take
On this episode of Compliance Unfiltered, it’s that time again! You guessed it; it’s time to take a look at all the news and notes of interest from the quarter that was.
- New hacking stories, check.
- Breakdown on the importance of device inventory, check.
- News on SolarWinds, check.
All these tasty details and more on this week’s Compliance Unfiltered!
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Michael Myers to your compliance Halloween, Mr. Adam Goslin. How are you, sir? Thankfully, not feeling stabby today. That’s good, we won’t have to talk about your stability on this particular podcast. But it is that time again. For those of you who are avid listeners to the Compliance Unfiltered podcast, you will recognize this time of year and, well, this time of quarter.
That’s right, quarterly security reminder time for Q4 of 2024. Adam, talk to us about the importance of your inventory. So this is kind of the security reminder section of the adventure. But the reality is that, you know, the various requirements that you go up against, PCI as an example, mandate that you’re inventorying your devices, and, you know, it sounds all easy, right?
There’s no “slap a list of stuff together” and, you know, all of a sudden, poof, you’re done. The greater chances are, for many folks out there, that the inventory really doesn’t cut it, even though you think you may have done it correctly. So a lot of times when I’m starting engagements with organizations, they’ll have kind of given a half-hearted effort to throw together a list of stuff and called their inventory done. But a lot of the inventories look like kind of a hodgepodge of workstations, servers, you know, etc. And it’s not necessarily that the organizations didn’t care. It’s just they didn’t really understand why they were putting this list together and what purposes it served. That’s certainly an important element of the conversation.
Why does your inventory matter? The need for your device inventories becomes a lot clearer when you understand what all they’re being used for. Before you even start putting together the list of the devices, I would encourage organizations to step back from the inventory for a second. What is it that we need to have this list of stuff in place for? What purpose is it serving? If you look at something like PCI DSS, there’s a lot of requirements that have elements that depend on referencing this device inventory. I use the device word loosely in today’s day and age. This could be laptops, workstations, it could be different assets on the corporate network that are drawing IP addresses like badging systems, like cameras, like printers, things along those lines. You start getting into more of a production arena. You’re talking, it could be physical servers, it could be virtual servers, it could be hypervisors, it could be a great number of things. The inventory ends up getting fairly broad. The reality is that a lot of the requirements against PCI should be referencing and making use of that inventory. You’re trying to make sure that nothing is slipping through the cracks, that you’ve, you know, accounted for every device and piece of software that needs to comply with the various controls that you’re going up against. So, you know, as you’re going through all of your various controls, a question that’s often getting asked is, well, how am I going to track all this stuff? And the short answer is your inventory. You know, it’s surprising for those that kind of haven’t really fully adopted the use of that inventory as it relates to the various controls.
But you know, once you do, it’s surprising how often that inventory is coming up. You know, if there’s an attack on a certain particular piece of technology, you know, what else could be impacted? Go look, you know, go look at the inventory. There’s a new patch for a certain type of system or a new firmware for a certain piece of infrastructure, you know, where all do we need to apply it? How would I go about validating that we do have our antivirus on all the appropriate systems? You guessed it, inventory. It’s really, really helpful having that full-breadth inventory out there. We’ll talk a little bit here about kind of scoping out that inventory. I kind of have two hats on when I talk about inventory. One is I’m trying to make sure, ensure that I have performed the appropriate tasks so that I’m in alignment with my target compliance standard. So for PCI, they only really care about your production environment. Maybe you’ve got a development environment with a dev, stage, test environment, etc., but primarily they’re focused on production. One of the things that I recommend to folks is that you don’t want to just use your inventory for checking that compliance box, but instead you really use that inventory for a lot more things to protect the company. So include all of those various environments. Maybe you’ve got a production environment, maybe you’ve got a corporate environment. Maybe in a code-based organization, where they’re deploying applications, etc., they probably have the sub-environments in there, but just don’t forget about, as an organization, anything we’re responsible for, get it into the inventory.
A lot of people will kind of push back on that notion where we’re talking about the fact that, well, I don’t want all of this extra stuff and shiny objects and whatnot for the assessors, but if you’re using it for your own internal purposes, you could just as easily put a flag on there for “this is part of my PCI scope” versus just part of our overall scope, and that way you can sub-segregate the inventory. And most of the assessors out there, they’re actually gonna be happy that you’re approaching it that way. They won’t get distracted by the shiny objects, etc. Worst case scenario, if you find yourself with an assessor that does get distracted by shiny objects, well, then you could just peel off a portion of the inventory when it comes time for provisioning evidence for your annual PCI run, and meanwhile maintain the full list for your own internal purposes. Yeah, you wanna make sure you got all your workstations, laptops, and all on there, all your environments. That way, it’s impossible for me to overlook things.
The other piece of this is really making sure, double-checking that you’ve got everything. So I was listing some things earlier like cameras, printers, badge access, endpoints, wireless access points, smart TVs, work-issued mobile devices. Just anything. My recommendation to folks is anything drawing an IP, that’s your target. Go ahead and get it in there because that way we’ve got it all in one spot. That said, the one correlated element of this is, don’t forget about the fact that you want to have updates to your inventory as part of your change control process. So that if I’m deploying new assets, they go on the inventory when I’m deploying them, right? As I’m doing system upgrades, update your inventory. If I’m deprecating devices, update your inventory. So really making it more part of the day-by-day DNA of the organization. And lastly, as it relates to inventory, don’t just stop at physical devices. The reality is that there’s a lot of things that you’re going to want to have included in the inventory, such as what pieces of approved software do we have on our various devices and machines? What browser add-ons do I have for my web-based software? Compiling that list of software inventory in addition to the hardware is going to be an important element of just overall managing that overall inventory. And if you think about it, that inventory, both for hardware and for software, should be used as part of your annual validation. Are we deploying patches to all of the various systems that we should? Are we keeping our software and our various components up to date? You know, do you have them listed on that central inventory? I’ll tell you what, man, it goes a long way to being able to make your traversing of your compliance, and really protecting the organization, substantively easier.
You know, I have a great appreciation for efficiency. Give the folks a quick tip about repeating what worked last year. So for our TCT Portal quick tip, you know, every single year without fail, even if everybody on your team’s been around for years, I absolutely will guarantee people are going to need reminders about how to fulfill certain of their compliance assignments, asking questions like, you know, how was this supposed to be again? What evidence did I give you for that requirement last year? And what additional explanations did I need to include for this particular item? For most of the people that are on the annual compliance engagement, even those that are fairly heavily involved, in many cases it may very well have been 10 months since they had to touch anything to do with the annual compliance tasks, etc. And so, you know, they justifiably have questions about fulfilling their assignments. Further, if you have somebody that’s brand new on the team, maybe one of your core team members, you know, got a promotion, left the company, whatever, and now you’ve got a new bin, if you will. You know, they don’t have any clue how to do some of this stuff or what the assessor’s looking for. So, one good way for those that are kind of herding the compliance cats, if you will, one thing that they can do is take advantage of a capability of the portal to be able to reference your prior year’s explanations and attachments from that prior certification track. You’ll be able to easily refer to last year’s explanations and attachments. You’ll have the ability to do a couple of different things. You could go ahead and attach them to your current track, you know, without having to go hunt around.
You can use those as reference and know exactly which screenshots or which elements of evidence it was that we provided the prior year. And so for those organizations that haven’t taken advantage of this capability, it’s really easy. Just go submit a request into the TCT Portal support team and ask them to turn on the ability to reference your prior track explanations and attachments. When you go in and you do this, it ends up saving everybody in the organization a ton of time on the engagement. It allows your team members to be able to do their own thing without having to go ask questions or be held up. And certainly for those new team members, it goes a long way to be able to make them far more effective, far quicker on the engagement. And probably at the end of the day, the organization will adopt a greater confidence that your assessor is going to be good with the evidence that you’re providing, because you’re mirroring what you did, kind of, the last time around. It seems pretty straightforward to set up, too. Yes, it is, and I can’t tell you. Part of it too, if you think about it, is really training, right, for the existing team members. Getting them into that mode of realizing that this stuff is at their fingertips. It’s readily accessible. You know, show them how it works, where to find it, walk them through it, etc. Once the light bulbs go on, most people would much rather just get stuff done, get it off their plate, move on to the next thing that they need to go do, and having all of that readily handy is a game changer.
Well, what’s new in the news? Listeners can always access the links to the various news stories by going to the TCT website at GetTCT.com. Click on Resources and click on Security Reminders. Adam, tell the folks what’s in the news this quarter. All right. Well, we’ve got a number of different news stories that we decided to include with this quarterly update. So, the first one is there was a hacker that was charged with seeking to kill using cyber attacks on hospitals. So, there were a couple of guys from Anonymous Sudan that were accused of using over 35,000 different distributed denial of service attacks against several targets. One of the charges is for seeking to cause physical death and injury. These two guys took devices that were in hospitals offline, you know, some of which were administering life-saving treatment. And it was tied to, you know, hacktivism activity for profit. They declared on their Telegram channel that the United States would be the primary target for the attacks, but they also went in and targeted systems that were in Denmark and Sweden and India. It’s not often that you’ll see the connection, you know, in terms of the charges getting laid out, to these attacks on what we’ll call critical infrastructure, like hospitals. So this was pretty awesome seeing that they’re starting to head down that path. The next step is there’s an EU AI Act checker revealing big tech compliance pitfalls, so prominent AI models are falling short of the EU regulations in several important areas like cybersecurity resilience. So there’s an AI Act that’s coming around in the next couple of years in Europe. It’s intended as a way to put some guardrails around AI. Companies that are failing to comply with this AI Act will face a 35 million euro penalty when they spin up their AI instances. So once this goes into effect, there’ll be some pretty substantive teeth, especially over in the EU.
We’re seeing as AI comes into its own, we’re seeing a lot of movement in that direction to try to govern it, to put some guardrails in to ensure certain elements of procedural and cybersecurity controls being put in place on these platforms. So we’ll keep our eyeball on that one.
Yeah, I find that fascinating. I wonder how much of that is going to align with the DORA focus that we’ve seen come out of the EU recently. I’m also curious as to how, I mean, obviously the more stringent guardrails in the EU for certain things, i.e. GDPR, I’m curious how that will trickle down on the US side of things. Yeah, well, time will tell. We’re about to find out, as somebody I know likes to say. Yeah, I mean, honestly, I don’t think this train is slowing down anytime soon. All right, next story. We got the DOJ halting a major Russian election interference plot in advance of the 2024 vote. As we’re recording this, we are eight days away from being past the vote. But yeah, the Department of Justice, they seized 32 different internet domains that were part of a Russian government-sponsored foreign malicious influence operation. These domains were being used to spread disinformation around the election. Tactics included cybersquatting, AI-generated content, fake social media profiles, you know, with inflated fake followings to push out their propaganda. They didn’t just kind of pick out the US, but they also had some content, and some directed attacks, in Germany, Mexico, and Israel. So it was interesting that the DOJ had gotten a hold of it and taken the action to get these domains shut down, so that’s cool.
Next up is CISA flagging a critical SolarWinds Web Help Desk bug as currently being exploited in the wild. So CISA on Tuesday added a recent SolarWinds help desk bug, so this is their Web Help Desk or WHD, to the known exploits list, warning that it’s being actively taken advantage of in the wild. This particular flaw is rated a CVSS of 9.1. It’s a hard-coded credential issue. It allows remote unauthenticated attackers to access the internal Web Help Desk functionality and gives them the capability to modify data. So certainly for anybody with SolarWinds out there, I’m pretty sure you would have heard about this one already, but just keep your eyes open for those patches and keep patching your stuff.
Next up is the TrickMo banking trojan that can now capture Android PINs and unlock patterns. So this is an Android-based banking trojan that, in the more recent variants of it, has some new undocumented features coming to light. They discovered that TrickMo can steal the device’s unlock pattern or PIN to be able to unlock the screen. TrickMo was officially discovered in the wild in 2019. With the new information that was found, attackers can both access and use an infected device, even when the device is locked. So if they already know what the unlock PIN or pattern is, you know, on the device itself, then they’d basically be able to gain access to it remotely when the device is infected. That’s wild. Yeah, good times.
And to round out the news stories, this one I actually got a chuckle out of. So there were some OnlyFans hackers that were disrobed by malware in a twist of digital irony. So there’s a notorious hacking forum. Oh gosh, I don’t know if I’m gonna be able to say this. Bilal Canicom? Well done. Anyway, yeah, yeah, yeah, yeah, gesundheit. They offered a tool for these would-be attackers so that they could go in and, you know, kind of assess OnlyFans accounts. So, you know, they put this thing out there, theoretically for bad guys to go ahead and, you know, do assessments of OnlyFans accounts that they wanted to try to take over, and the tool effectively turned the predators into the prey. The tool was offered to criminals to expose the identity of the person leveraging the tool, you know, to go after the OnlyFans account. So the malware that performed the prey tracking was called Lumma Stealer. So, you know, they throw this tool out there and meanwhile it’s exposing the identity of the people that are using the tool to try to do evil. I thought it was just fun, fun, sirs, you’re right.
And that right there, Adam, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.