Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Q1 Security Insights 2025


Quick Take

On this episode of Compliance Unfiltered, it is that time again! You guessed it, time for all of the juicy security stories that were, and the critical security reminders for the first quarter of 2025.

Curious if unvalidated vendors are being hired through your back door? Then you’re not going to want to miss this episode of Compliance Unfiltered!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the cherry to your compliance sundae, Mr. Adam Goslin. How the heck are you, sir?

I’m doing good today, Todd. How about you?

Man, I cannot complain. It is that time again. What I’m talking about? Security reminders for Q1 2025. We’re getting it started, Adam, with the security reminder.

And I got to ask a question here. Are unvalidated vendors being hired through the back door? Well, it is surprisingly common for departments within an organization. They’re trying to bring on new vendors. They need a solution. The vendor doesn’t get vetted from a security perspective. It’s easy to happen, and it could have disastrous consequences. There are a couple of different issues within the organization. Either their vendor onboarding isn’t all that strong, or, more often than not, whoever it is that’s going through and doing the vendor vetting process is tight on time, short on resources, stretched thin and whatnot. So, even though you may have the process, hey everybody, if you’ve got to bring somebody on, then go over and talk to so-and-so, and here’s how you go ahead and get through the process, etc., it’s either taking too long or the people within the organization are going, jeez, this is just painful, we’ll just go do our own thing. So, the departments will just go make the call, hey, we’re going to go ahead and bring on the vendor and whatnot, to be able to get through the process. And sometimes they’re justifying it to themselves in terms of, well, this vendor’s only doing this little function, or, well, this vendor isn’t all that important, or, in some cases, there’s the justification of, oh, hey, I don’t have to actually pay this vendor, so who cares? And there’s a lot of different ways that people will kind of think that through. But at the end of the day, the onboarding of these vendors sans the process is exactly what has the propensity to increase risk to the organization overall. And sometimes they just feel bad for the poor folks, whatever department’s doing the vendor vetting; they don’t want to bother them with this, they’re so busy, and there’s a lot of reasons why it happens. Sometimes it’s just their process takes too damn long, because of the fact these people don’t know how to assess risk for the organization.

They may hire a vendor that poses some type of a security risk to the company. In a lot of cases, the group that’s doing the vendor due diligence stuff, they don’t have any idea that these vendors are coming on; nobody ever assessed the vendor, nobody took a look at the security risk of this vendor, etc. Now you’re only finding out after the fact that this happened. The problem for organizations is, and this is the part that everybody needs to understand, that vendor management, appropriate vendor management, is a requirement for most of the industry standard compliance frameworks. So bringing on vendors that didn’t go through that established process, whether you think they’re too busy, or it takes too long or whatever, by not going through the vendor onboarding procedures, you’re literally putting the entire company’s compliance at risk as a result, because it’s one of the things that you’re required to do.

You have policies about how you’re bringing on these vendors and reviewing their risks. I mean, all you got to do, I don’t know, is pick a really public one. Go ask Target how it went when they lost half their profits in a single quarter after a really public data breach. It didn’t necessarily have anything directly to do with Target, but because they had some issues with an HVAC vendor. So, sometimes we’ll get the question, do we really need to go do this process? And it might seem like the company is sharing benign data with the vendors; maybe that vendor only has your customer names and addresses. It’s not like they have credit card data, or social security numbers, or national secrets or whatever. But the reality is, if there’s any form of personal information or PII that’s exposed, then your company’s got a massive problem to go deal with. From the public’s eye, from your customers’ eyes, a data breach is a data breach. And now you maybe have a malicious third party that’s got customer information.

So, it is critical to go through, validate and vet the vendors, and make sure that they’re following appropriate security standards for the receipt, processing, storage, and transmission of information. It really doesn’t matter who the vendor is, or what they provide, whether they’re a marketing platform, plumbing services, some type of free software that’s provisioning some type of feature or functionality that doesn’t take credit card data, that type of thing. The vendors will have some level of access, whether logically or physically, to organizational information in general. The bad part is that bad actors, when they’re picking out a victim organization, oftentimes will go through secondary channels, AKA potentially these vendors, to see what information and data they can go ahead and scrape up. So there could be ripple impacts regarding exposed vulnerabilities on the organization overall, depending on what’s found. If you install some new piece of software, and it’s got security holes or vulnerabilities, what other things just got opened up because of that software’s vulnerabilities and holes, now that it’s open? Can I leverage that to really amplify the impact to the target organization? So your IT team, or whatever group it is that’s doing the vendor vetting, they’ll know to check for warning signs, and look for things that the departments may not even consider. So it’s easy to say, hey, I just grabbed this free widget and slapped it on the website to run some function, not realizing, well, crap, this thing was developed in Russia, and they’re actively scraping data off your system. So you want to make sure that all of your vendors are vetted, developing a vendor due diligence process on behalf of the organization.

It’s important that you make that efficient and responsive. If it’s taking weeks and months just to be able to go in and vet a vendor, then everybody’s going to get frustrated with that, and honestly it’ll help drive the desire to circumvent the process. So, it’s important that you as an organization, especially the group doing the vetting, communicate with all of your departments on a regular basis, and remind them of the importance of the vendor vetting process. We want to build in accountability, with consequences as well for not following the proper procedures. One suggestion would be, for your accounting department, if the accounting department is seeing somebody new that they need to go ahead and pay, get an alert set up that sends something out to various folks within the organization that ought to know about a new vendor being there. If all of a sudden this vendor’s gone through the vetting process and then I’m getting the alert from accounting, hey, we’re paying this new vendor, well, then I go, okay, that’s great, we’ve already checked them off. But at least if something slipped past the process, and now we’re getting charges coming our way with a new vendor, now I’ve got an alert process so that I can get things buttoned up and see what happened. How did this get past the process?

In addition, the other suggestion that I’ve got for folks is going in and looking at your periodic system reviews, departmental reviews, software inventory, things along those lines, your hardware and software inventory, and reviewing those for new things that have shown up. That’ll help you to catch the freeware and open source software solutions that may have been brought in. Really, any organization that’s got a product, solution or service for your company, they need to be vetted; otherwise it dramatically increases the possibility that you run into a significant issue with the vendors. I’m not tinfoil hatting here, right? Every vendor isn’t bad, but getting these vendors into that management process also enrolls them into an annual, ongoing, cyclical process of reviewing, validating and vetting vendor security, making sure they’re keeping up with their obligations, etc. It’s a really big deal in the grand scheme of things, and for the folks that are, we’ll call them boots on the ground, not necessarily directly involved, you guys play a huge part in this. A lot of times when I see this popping up, it’s coming out of sales, or it’s coming out of marketing, or it’s coming out of somebody in customer service, or whatever it may be. It’s usually ancillary departments that have good ideas to go get things done, and either work around or somehow circumvent that process.

Time for the quick tip, Adam. Tell us what you really think. All right, so this is just a friendly reminder for all the folks that are leveraging TCT Portal. I mean, TCT exists for a singular reason, and we’re trying to make compliance management suck less, period. We got into the space to help people. We didn’t want people to continue to suffer through what I had to go through way back in the day. We don’t want them wasting their time when they’re doing compliance engagements, etc. And that’s a good part of the reason why we value the great feedback that we’ve gotten from our user base. When we launched the TCT Portal, it was back in 2015, and really, the user base has always been highly active. A lot of our best, most popular features have come out of customer requests. Right now, about 95% or more of the content in our releases is literally client-requested functionality. So you guys listening to this that are TCT clients, you are boots on the ground; you know what you need most. So if, as you’re using the system, you’re seeing a way to, hey, it would be cool if the TCT Portal did this, or it would be amazing to have this feature or function, that type of thing, don’t hesitate to reach out to Portal Support. We’ll capture your great idea. We’ll get it into the development roadmap. We’ll also tag your name and your organization, so that we can keep you posted as that particular request moves through to production.

When I talk to new clients of TCT, I like to, not I like to, I want to be on every kickoff call with a new client. And when I get on there, it’s fun. Like the ones we’ve done recently, we’re able to say to the client, you have the opportunity to leverage a compliance management platform that’s literally had user feedback injected for a decade. Be part of the solution. If any of the folks listening have an idea right now, when you’re logged into the TCT Portal, click on the support link on the left nav and then submit your ideas through to the TCT product team. That would be most appreciated, and the coolest part about it is that not only will you be able to help yourself, but you’ll also be benefiting the other users of the TCT Portal at the same time.

What’s new in the news? A reminder for folks out there: listeners can access the various news stories by going to the TCT website at gettct.com. Click on Resources, and then click on Security Reminders. Adam, let’s get to the news. You got it. So let’s see, the first one we’ll go through. The Green Bay Packers online pro shop got nailed by a payment skimmer. So in this particular case, the website was breached by third-party actors. Malicious code was found on the website, and there were approximately 8,500, Green Bay calls the fans cheeseheads, but 8,500 cheeseheads who received letters that their payment data was exposed during two separate windows and had been compromised. Certain payment methods weren’t exposed, but credit card information and PII were exposed and captured. This really underscores the need for organizations to pay attention to that file integrity monitoring, to the various detection mechanisms that they would normally set up. This kind of underscores the importance of knowing what’s going on and what’s happening.

The second news story: there’s a PayPal phishing campaign. This one was interesting. It was using genuine links to take over accounts. So there was this phishing campaign, and it used a legitimate PayPal web link to trick people. It would throw up a payment page request, and as the users were entering their credentials onto the page, it would tie those credentials to an attacker email, which the attacker could then use to go ahead and gain access to the affected PayPal account, and then start making modifications and changes to the PayPal account, really circumventing, at that point in the game, PayPal’s anti-phishing protections in the process. So yeah, that one was an entertaining one, shall we say. That’s wild.

We also had some cross-domain attacks, an increased threat to modern security and how to combat them. So there’s a new emerging, apparently it’s easier to say, a new emerging type of attack that’s gaining prominence called cross-domain attacks. And what that is, is it uses the weak point in one organization and its identity systems, and then moves laterally undetected to skip across interconnections to other organizations. It attacks the authentication of the one system, to move internally and laterally to do cross-system infiltration. So really, for the organizations out there, have a really good idea of what the connected areas are within the target organization. And certainly, if you’ve got connections to third parties as part of that process, it goes back to our initial reminder topic and underscores the importance of watching out for vendor due diligence and things along those lines with connected areas that we need to protect.

So the next one that I’m going to move on to is a critical vulnerability in OpenVPN that was identified. So if the folks out there are using OpenVPN and you haven’t patched it already, get out there and get it patched. The CVE is CVE-2024-5594. It allows the attacker to inject arbitrary data into plugins that are tied to the OpenVPN software, which could allow the OpenVPN peer to execute code to be leveraged for denial-of-service conditions. There was a second vulnerability, 4877. That one was targeting Windows users, allowing the attacker to steal those Windows login credentials through the user interface pipe. So this is a big vulnerability that people are going to want to go get patched right away. I’m going to wait. Fun stuff, right?

SonicWall, they’re warning of an exploitable SonicOS vulnerability, so they identified a high vulnerability in SonicOS. There’s an authentication bypass exploit in SSL VPN or SSH management. There is an available patch in firmware that was released on 1/7, 10 days ago at this point in the game as of recording. So they released that on 1/7/25. But one of the mitigations from SonicWall was to limit access to trusted sources, or to possibly disable the SSL VPN if it’s not a needed service for the organization.

And finally, there’s a Banshee macOS malware that is doing some expanded targeting. So the Banshee macOS malware, it’s been floating around since about the middle of ’24. In November, the source code for it was leaked online. It’s thought to be developed by Russian hackers and developers, and while that makes detecting it on the Mac easier, it allows the attackers and developers to take it, customize it, redeploy it, etc., like these guys always do. The biggest change from the most recent find is that they had a Russian language check in the software, which, yes, if you had Russian language dialed on, then you would still be at risk. But a lot of systems didn’t have the Russian language dialed on, which inadvertently, quote, protected them. But with them doing this latest release, removing that validation, that means that it’s probably gonna have a much higher propensity for being able to make its way across systems in the wild, if you will.

Thank you for those, and that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
