Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Quarterly Compliance and Security Insights Report (Q1 2022)


Quick Take

On this episode of Compliance Unfiltered, Adam and Todd unveil a new feature on the podcast: Quarterly Compliance and Security Insights Reports!

This quarter, Adam walks through best practices around access control and password management. He also covers the importance of customizing your directional compliance criteria.

Plus, we hit a myriad of key points from this quarter’s compliance news. From the Log4J vulnerability to the most critical of this year’s batch of Microsoft bugs, we’ve got you covered! All on this week’s episode of Compliance Unfiltered.

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome into another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the venerable compliance maestro himself, Adam Goslin. Adam, how the heck are you today? I am doing fantabulous. Fantabulous is hard to beat on a Thursday, on which we are recording.

Happy 2022 to all the Compliance Unfiltered listeners out there. We’re excited to get this year kicked off right, Adam. And as part of that, we’re going to get rolling here with our inaugural Compliance and Security Insights Podcast. Now, tell me a little bit more about this, because I understand we’re planning on doing this quarterly.

Yep, so TCT, for a long time, we’ve basically been prepping up. There’s a requirement across numerous security and compliance standards for having periodic security reminders. So we issue a blog article that we can share with folks, and they can use that to meet that periodic security and compliance reminder. And so, that’d be cool to go ahead and also translate these over into podcasts. That way, if some people prefer to listen versus prefer to read, then they’ve got that option. So, it’s gonna be interesting. We’ll be able to do some fun stuff with this. It’s just nice to be able to get these kind of periodic reminders out to folks in a couple of different mediums. Because it’s not only good information for them, there’s so many inputs coming at everybody these days, so many news feeds and news stories and whatnot. It’s nice to just get a quarterly sanity check of what’s the latest and greatest in the security and compliance arena. Absolutely.

I mean, I guess the question that a lot of folks are probably thinking about is, what does the format of these types of security and compliance insight podcasts look like? So, what we’re going to do is, we’re gonna do it in three phases. First, some type of highlight of a relevant reminder regarding some security and compliance topic. And then from there, we will go ahead and move on to quick tips for ways to improve your security and compliance engagements. And then, round it out with some highlight reel of the stories that came up over the prior quarter, so that we’ve got some kind of near-term, real-world impacts of things going on in the security and compliance spectrum. I like that.

So security reminders, our focus is going to be access control and password management? Tell me more about that. That is correct. So in the world of access control and password management, for any industry standard certification, you certainly need to make sure that you’re handling password management properly, and handling control in terms of access to systems properly as well. So it’s a critical part of the overall security compliance program. So there’s a couple of different things that you’re looking to make sure of. You want to handle it properly when you’re doing things like having a new hire. In other words, additions to access that need to be granted. You also want to be able to handle things like new roles in the company. So if you’ve got somebody that’s switching from maybe one internal group to another internal group, making sure that they not only gain the access that they need, but also that they’ve deprecated access they no longer need. Because there’s an underlying premise in the security compliance space that you’re going to allocate the access control on a privileged basis. In other words, what’s the least amount of access that particular individual is entitled to, or entitled to approve for, and needs for what they’re doing for the organization. And then finally, is where you have someone’s employment status ceased. Whether that’s a voluntary or involuntary termination, or medical leave, there could be a number of different causes for it, but basically the removal of that access. So with that, whenever you want to go and make one of these types of modifications, like new hires, access change, or access removal, you want to make sure that it’s coming from someone in authorized management. We can’t have people denoting, hey, I’d like to have this access today. Doesn’t quite work like that. So we need to have those checks and balances in place. More often than not, it’s coming through in terms of some type of access control request.
And we want to make sure that access control request gets basically blessed by somebody with the appropriate permissions to grant that access. Another thing that’ll come up when you’re doing access control, especially when you’ve got a request for a password change, or you’re doling out a new password, then you want to make sure that you are securely getting that user their initial password.

Another thing that a lot of organizations miss, in terms of setting this up: don’t always make the first new password puppy123, otherwise everybody knows what the new password is. There should be a different password every time that you go doling it out, and then getting it to them securely, and making sure that the account’s set up so that they have to change that password. So the person that distributed that temporary password, if you will, doesn’t know what the individual’s ongoing password is. It goes in line with the overall premise that nobody should know anyone else’s password within the organization. We talked about the role changes and whatnot, making sure that you’re not only granting access needed, but also turning off access that no longer is. One challenge that I’ll typically see within organizations is, especially with role changes, right? There’s some type of a transitional period where Bob or Mary is going to continue doing their old role for a certain period of time while they do transitions, but they’re also starting to learn their new role. So, it may be that it’s appropriate to sun up their new access needed for the new position, while maintaining the access they had from the prior. But go ahead and put a marker in there for, hey, Mary’s gonna need this access for the next 90 days while we conclude the transition. Have something that’s gonna pop back up and say, hey, we need to go back and double check, can we shut this off for Mary at this point in the game? Or do we need to get another approved extension? Handling that appropriately is another piece of it. At the end of the day, this notion of least privilege, it’s all in an effort to limit the levels of access these folks need. That way, if their user credentials happen to be acquired, then we’re limiting the amount of exposure that folks will have through that process.

And then, the last element is the notion of sundowning permissions, or access removals. We just want to make sure that when that occurs, that it depends on the circumstance, right? If somebody’s gone and put in their two weeks’ notice, well now we know that at the end of that two-week period, that’s when it needs to shut off. If we’ve got a zero notice for an employee that’s leaving, or it’s an involuntary, then typically what will happen is, while that person is being advised of their change in employment status, while that’s occurring, they’re in the process of shutting it off right then and there. You don’t ever want somebody that’s no longer with the organization to even have the access, or be able to gain access to those systems. So, just making sure you’ve got that buttoned up through the process.

For most of the compliance standards that are out there, there’s requirements as you get into that operational mode of compliance. You have these mechanisms in place for governing the day-by-day, and for provisioning changes and removals. But most of the compliance standards will require something like a quarterly pulse check. Go through, take a look, review your list, make sure that you don’t have users that should no longer have access. It’s almost like your emergency parachute as you’re going through your day-by-day, so that you can just have a double check as part of the oversight. Absolutely. Absolutely.

Well, hey, Adam, I think we’re ready for a quick tip here. Talk to me about the importance of customizing your directional compliance criteria. Sure. One of the things that’s a struggle for a lot of organizations, and this portion’s really just some type of a generic recommendation that’ll help people with their security and compliance engagements. With certain standards like HIPAA or SOC, I call them directional standards. So they aren’t terribly specific. So, if I take the case of HIPAA as an example, in HIPAA, and in SOC, really HIPAA was written to cover everybody from a dental practice to a health system type of thing. So they couldn’t get to line-item level, requiring all of this ad nauseam detail about how you were going to go ahead and meet the criteria. So instead, certification standards like HIPAA and SOC 2 will have certain criteria that need to be met. And then it’s up to the organization, typically through a risk-based approach, to define how they’re going to prove out that they’re meeting these criteria. You know, what you want in terms of the ability to customize the directional compliance arena. There’s a lot of tools out there which are, I want to almost call them like prefabricated. If you follow our recipe, then poof, you’re fill-in-the-blank compliant. And that works, as long as you want to stay within those bounds. And for a lot of organizations, they need to make tweaks, alterations, things on those lines.

So one of the things that we built into the TCT Portal is the ability to handle the HIPAAs and the SOCs of the world, by allowing the organizations to go in and define their own customized controls that will go ahead and meet that criteria. And then further, for each of the customized controls, to then define what are the testing steps that we’re going to go through. So in a typical SOC-style engagement, typically what’ll happen is, the organization will sit down with their assessor and go through and discuss, these are the controls that we’ve put in place, this is the way that we’re assessing these controls. Get on the same page with the assessor, and then go down the path of proving it out. So, the TCT Portal just allows you to customize those controls for your own organization, as well as working with your assessor to define those testing steps, and be able to basically bolt it all into the same system that you use for your really prescriptive standards like PCI and NIST 853. So, it just gives them the ability to handle it all within one tool set, instead of having segregated ones. And certainly, it makes their life a lot easier, especially when you’ve got to make tweaks or adjustments based on your business circumstances. I like that a lot. I think that’s a super helpful tip.

So talk to me, as we will every time at this point during the Quarterly Insights podcast. Talk to me about the news, Adam. What’s going on in the world of compliance today? So, we collected up five different news stories. One of the big ones that had come out is the Log4J vulnerability. And so in the Log4J arena, it’s one of the biggest vulnerabilities that’s been discovered to date. Almost 40% of all the corporate networks, when this thing came out, had this vulnerability in some capacity. So Log4J is typically associated with Unix/Linux-based systems, with that being a component that’s on those systems. And so, the average application today uses just a little bit over 500 different open source components. So Log4J was a fairly common one that was leveraged. And the problem with this Log4J is that it allowed remote code execution that attackers could run on impacted systems. And when they initially released this particular vulnerability, within 24 hours of the public release of this thing, there were already 60-plus variants of the original vulnerability that people had, that the bad guys had gone in and coded up. Log4J kind of makes COVID look like a slow-moving virus.

The one pointer that I would give to organizations is that, and by the way, this is something that we didn’t mention earlier on, but on the TCT site under the resources tab, we’ve got one for security reminders. So if these security reminders are out there, you can link to the news stories and things like that, that’d be helpful for people. But with the Log4J vulnerability, it’s bigger than just, hey, I need to go look at my systems. Because you could have n number of vendor systems, or you leverage a service provider where they host it, or it could be vendor-deployed platforms, hardware, or software within the organization. You don’t know if you’ve got this particular vulnerability on those systems or not. So it’s bigger than just go look at my stuff. They need to look at their service providers, and ask them questions. They also need to look at any software vendors that they’ve got within the organization as well. Absolutely.

So what’s going on with the iLObleed rootkit right now? What’s new in that realm? Sure. So iLObleed was a rootkit that’s been discovered targeting HP’s Integrated Lights-Out management technology. And so, the rootkit effectively messes with the firmware modules, and has the ability to wipe data off of target and infected systems. These iLO modules on the HP Enterprise servers, they have the ability to access firmware, hardware, and software operating systems. So, the rootkit, when they go ahead and point it at one of these servers, it makes it so much easier for the bad guys to go in, do damage, and be an ideal candidate to try to exploit. So, as with the prior ones, obviously, if we’re talking about vulnerabilities on systems, make sure that you’re going in, checking, are you up to speed, up to date, do you have all your patches applied, looking at your sources for feeds that you have within your spectrum. Whether it feeds directly from vendors, or results from vuln scans. Use all of those various points of input that you’ve got, and go ahead and get these closed out. I know when going back to Log4J, literally, I think the thing came out on a Friday and by Monday, I already had multiple inquiries. Hey, are you guys affected? So, I mean, literally, companies need to take this stuff seriously. They need to be on top of it. You don’t want to be getting on the phone with somebody and go, Log4J, what? You want to be able to come in with some confidence. Yep. We’ve already checked into it. We’re all good. We’ve checked across the board. We’re clear. Then, that’s a good way to go about handling that. Absolutely.

So, Adam, another year. Another batch of Microsoft bugs. Talk through the most critical, and the most overlooked. Yeah, sure, Microsoft. Love them. So in the year, they had a little bit over eight hundred and eighty vulnerabilities that they ended up patching. While it’s fewer than the prior year, it’s still a high number. There was an Exchange vulnerability that they had early in the year. It was exploited by Hafnium, which was a state-sponsored Chinese hacking organization. They also had a Print Spooler vulnerability called PrintNightmare. PrintNightmare was a remotely executed bug that could be exploited by an authenticated user account, gaining system-level access on affected systems, allowing them to remotely execute code. The one thing about Microsoft is, at least there’s typically a fairly steady cadence with the Patch Tuesday releases that they’ll go ahead and put out. But the important part for organizations is making sure they’ve got their security, and security compliance vulnerability feeds, and patch management all working in lockstep, so that they can become aware of these as quickly as possible. The big problem with the publicly facing critical vulnerabilities is, like I was talking on the Log4J, the minute this stuff is out there, I mean, they’re either all over it, or just literally randomly scanning boxes on the internet to try to find boxes where they can take advantage of this, or they’re writing variants so that they won’t get picked up by the AV platforms. They can try to take advantage of it by trying to mask their approach to it. Sure. Now that makes total sense.

So, in another realm, LastPass has had some issues, talk about those. Sure. So their automated warnings were linked to credential stuffing attacks. So, they had some recent findings at LastPass of credential stuffing attacks happening. So LastPass, for those that aren’t familiar, it’s a password management tool, it’s owned by LogMeIn. Basically, the user needs to remember one login to go get into their password management system. And then once they get in, then the rest of their usernames and passwords are accessible to them. And you can copy and paste the information into appropriate websites. So, LastPass is urging users to use complicated master passwords for unlocking it. The credential stuffing attacks, it’s where lists of usernames and passwords are used to gain access to user accounts through large-scale automated login requests against applications. So basically, we’ve got folks that are out there attempting to breach people’s LastPass accounts by trying to cherry-pick off easy-to-remember passwords. I mean, the one thing that I’ve recommended to folks, literally for probably the better part of a decade, is your password management system should be the longest, ugliest, nastiest, never written anywhere, or used anywhere password that you can possibly think of. So, once you get it committed to memory, well, you don’t need to go back and try to remember it again. It’s just an act of getting it committed to memory, if you will. But if you can do that, it’s far better protection. When looking at the early days, I was reticent to leverage any of the shared platforms, where you get the benefit of having your password management system web-based, and thereby accessible everywhere. It also means it’s on somebody else’s system, not necessarily in your control. So, yeah, if you’re using an online accessible password management system, you definitely wanna make sure that you’ve set those passwords as strong as humanly possible. That’s a good shout.

Now, vulnerabilities in Garrett, like, talk to me about remote attacks there. Okay, so they ended up finding some vulnerabilities. It’s Garrett walk-through metal detectors, allowing remote attacks. So, there were a couple of different models that would basically allow remote access, with the ability to execute, quote, malicious commands. So, for example, the attacker could go in, change the sensitivity levels to ultra high. They could also, oh, turn them off. So, it could cause problems for people that are going through them. If I wanted to get something through the metal detector, I was called a medical detector, the metal detector, that it would allow people to go through with dangerous items. The whole point of having metal detectors is to actually detect the metal. So yeah, that was, we’ll call it extremely uncool. I think it was less a concern about somebody dialing it up to stupid high. But certainly, shutting it off temporarily for somebody as they’re going through the metal detector, yeah, that’s dangerous as all heck. So we’ve got to get those ones buttoned up as well.

Well, there it is. There it is. Adam, I can’t thank you enough for the time today. I think that’s going to do it for this quarter’s Security and Compliance Insights Podcast. We look forward to regrouping next week. Sounds great. Thanks.

Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help get you fired up to make your compliance suck less.
