Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Quarterly Compliance and Security Insights Report (Q2 2022)


Quick Take

On this week’s episode of Compliance Unfiltered, Adam gives a full breakdown of the Compliance and Security Insights from Q2 of 2022.

Looking for the quick coverage of this quarter’s newsworthy items? We’ve got you.

Need a better understanding of how linking multiple certifications together can eliminate duplicate work? The CU fellas have you covered there too!

Looking for clarity around penetration testing vs. vulnerability scans? No sweat.

All this and more on this week’s episode of Compliance Unfiltered!

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the venerable Compliance General himself, Adam Goslin. Adam, how the heck are you today? I am doing fantabulous, Todd. How about yourself? It’s hard to compete with fantabulous, I’ll tell you that. I’m not bad, which is better than not good, as we discussed earlier today, and I will take it every day of the week.

All right, so today we’re coming in hot, boys and girls, and the reason why is because it’s that time again, our quarterly security and compliance insights for Q2 are upon us. Adam, tell the folks what’s in store today. Well, every time we do one of these security compliance updates, we’ll be covering three main topics. One, a security reminder to folks on some miscellaneous security topic, a quick tip around managing compliance, and then we’ll talk a little bit about what all’s going on in the news.

Perfect. So with that in mind, talk to us about vulnerability scanning or penetration testing, and how that relates to overall security. Sure. So one of the common areas, I think we did like a whole podcast on vulnerability scanning versus penetration testing.
So this is just a friendly reminder to folks, because one of the problems that I’ve seen working on engagements over the years is that, a lot of folks will just assume that because of the fact that they’re doing security testing, quote unquote, and they’ve checked the box for their vulnerability scanning that, oh, well, I’m good across the board, and I’m all set, right? The pen testing is the same thing as the vuln scanning, right? No.

Just a friendly reminder to folks about vulnerability scanning versus pen testing. Vulnerability scanning, I like to tell folks that it works similar to antivirus, where it’s a pattern recognition system. So when you’re running AV, or the typical standard AV offering, it’s a series of patterns that the piece of software is looking for in the target system that it’s monitoring. It sees a match to a pattern and the system will raise its arm and say, you may have a problem here, and alert on the issue. The vulnerability scanning in general, you’ll see a lot more false positives with vulnerability scanning. And in the same sense, it’s really only looking at a portion of what you really need to consider for security. And so it’ll look at the hosts, it’ll look at basic network layer style issues, it will look for host layer vulnerabilities, patching issues, down-rev operating systems, some of the incorrect settings you may have, insecure transmission protocols, and a bunch of other types of issues. But the reality of vulnerability scanning is that it’s not terribly advanced, is one side of it, and it’s picking up things that are easy to find, which is cool. And it’s also a pretty easy tool to go in and run more frequently. So you can keep up to speed on, hey, do we have any big issues that we may have missed an alert on, or whatever it may be. That said, there’s a huge difference between that and penetration testing.

Penetration testing is really in a different league. And the way that folks ought to be looking at penetration testing is, that it’s an in-depth security testing engagement. It’s got experienced security engineers that have done this type of testing before. Vulnerability scanning is one tool that a pen testing team would use. Typically, the scope for your penetration testing is often far different than you would use for vulnerability scanning. So you can do your penetration testing to look at, yes, the network layer, but it’s also going to be capable of doing detailed testing of web applications, detailed testing of APIs or web services that you may have employed. It’s going to be able to go in and look at all sorts of different types of devices externally and internally. You’ve got the ability to fold in your wireless systems. So, there’s a lot of advantages to organizations going down the route of their penetration testing engagement. Folks need to just keep in mind, they’re two completely different modes or methods of doing security testing.
I would recommend if this is a topic that you’re really interested in, then do me a favor and go take a listen to that detailed podcast we had. I don’t know, it was about a half hour, 40 minutes or so, really covering in depth differences between vuln scanning and pen testing, and approaches for penetration testing, and all sorts of other good tidbits. So, if you haven’t listened to that one, then go give that a listen and then we’ll be off and running. I like that plug a lot, actually.

So, talk to the folks about quick tips around linking multiple certifications, and how that’s gonna eliminate the duplication of work.
Sure. Actually, I’ve been super excited about getting to this point with TCT Portal, and that is making sure that the compliance management system that you’re leveraging has the ability to create those connections between your various certifications. So, let’s pretend for the sake of this discussion that an organization’s going up against PCI, they’re going up against HIPAA, they’re going up against ISO 27001 and NIST CSF as an example. So in that scenario, make sure that your compliance management system has the capability to be able to link all of those together. Because oftentimes, I’ll just use a really, really simple, easy example, right? Your main information security policy, your one book to rule them all, your mainline security policy that you’ve got. You’re going to be able to not only on PCI, bolt into 120, 150 different line items and use it all over the place. But that same document is the same thing that you also then need to use on HIPAA, ISO and NIST. So if you’ve got the ability within your compliance management system to link all of those certifications together, where inheritance of the evidence and explanations that you’ve leveraged on your core certification, if you can use that core certification, and basically have it splay the information out across all of your secondary certs, well now I can go and enter in my data protection policy on 12.1 in PCI and poof, it’ll go and show up in all of the right places on my HIPAA, my ISO, and my NIST. Are you serious? Yeah, yeah.

Think about it, back in the day, especially when you weren’t using a compliance management system, you were carrying the burden or cross of Excel spreadsheets, right? The whole reason why we built the damn system is, when you were in that mode, you’d literally have to duplicate evidence manually. Did you just equate audit work to martyrdom right now? I’m just asking. Hey, man, somebody had to do it, I vote me. But no, the whole reason for the compliance management system is to alleviate things that you shouldn’t be doing. And you shouldn’t be manually duplicating evidence. You shouldn’t be manually mirroring or mapping your evidence between different tracks. So if you’ve got that ability, or specifically with TCT’s case, we call it live linking, where it automatically goes ahead and generates to those secondary certifications, it strips out an enormous amount of rework. And that information security policy is one example. Let me think about it on a PCI engagement, with stuff that you would collect up. Your incident response policy, your latest vulnerability scans, your latest penetration testing, your evidence that you’ve used for making sure that your active directory is set up appropriately, and your central logging. Those are all elements that are going to, in some way, shape or form, cover you on those secondary certifications. So it just makes sense to take advantage of that. It’s actually a piece of functionality, that’s been on my list for years to be able to do. Part of the reason why I held off was because I wanted to wait until, number one, we had a good number of certifications on the system, and number two, we had a lot of the mappings between the various certifications in hand. So at this point in the game, the system has gained that maturity. We’ve got a lot of certs and mappings in there. 
It was time to go ahead and layer on the live linking, and dude, it’s super, super, super cool, because it saves organizations so much time, pain and manual baloney, as they’re going through their certifications. It’s like, once you’ve gone there, you’re like, oh, why the hell did I ever do it any differently? You know what I mean? I do indeed, I do indeed.

Well, what’s new in the news? I know that there’s some resources that we’re going to cover here, but specifically the fact that if you go to gettct.com and you click on our resources button, click on the blog tab, and you can actually view security reminders by topic.
So anything that you’ve heard here, there’s likely to be a more in-depth piece of content produced by TCT at some point. Is that correct, Adam? Yeah, actually, we’re recording this today, but I believe later today, the blog article will go up with the Q2 2022 security reminders. And in that blog, we’re going to go and talk through a bunch of what’s new in the news. Each of these particular stories not only has a brief summary that we’ll talk through on here, but it’s also got the links to the actual news stories themselves. So the readers, and the listeners can go in to the blog, click on those, and read the full articles if something’s piqued their interest. But, each of these stories has a link to the actual story in there.

So first off, we had a CISA warning, Russian actors bypass two-factor authentication, the what happened, and how to avoid it. So what happened in this particular case is, and actually, this is going to lead me to a discussion topic, which we didn’t officially have on here, but it’s pertinent at this point in time. But anyway, in this particular case, Russian state-backed hackers successfully bypassed multi-factor authentication for a private organization. What happened was there was an account that was initially leveraged, but it had been left active in the organization, it hadn’t been disabled once somebody left. So what they did is, they ended up being able to get in there, reset that particular multi-factor authentication setting, switched it to their own phone, then turned around and in truly authenticated fashion, logged into the system as the user. They then gained domain administrator access, and turned off MFA for everything in the organization, and were able to go in and wreak all sorts of havoc. So the reminder here is just the importance of making sure, as you have personnel leave, or change positions where they no longer need certain rights, like access to systems, make sure you’re staying on top of that.

One other thing that typically a lot of organizations don’t think about is, they’re like, oh, yeah, we’ve got multi-factor authentication or two-factor authentication in place. We’re good. And the one thing to keep in mind with that is, that depending on the 2FA-MFA solution that you’re using, even though you’re enforcing that I want you to go to this secondary location as my second factor of authentication, even though you’re forcing the authentication path to go over there. In some of these systems, you can actually set the user over on the MFA side as not required to two-factor authenticate. So despite the fact that your Active Directory, as an example, forces you over to fill-in-the-blank MFA-2FA solution, on the MFA-2FA side, that user’s set with don’t worry about it. And so what happens is, the user logs in with a username and password, they get passed over to multi-factor authentication, and immediately passed back because they’re set in bypass mode. So one of the things that I recommend to folks when they’re going through their operational compliance is, when you hit that point where it’s time to do a user review, it’s time to make sure everything looks good. Do yourself a favor, go over to your MFA solution and double check that nobody inadvertently, accidentally, or maybe they’re in the middle of testing and then forgot to set it back, who knows. But make sure you don’t have any users where they have the capability to bypass 2FA, because otherwise you’re back to, in effect, not having 2FA in hand whatsoever.

So talk to me about this LokiLocker ransomware that has been going around in the news. Talk to me about that. Sure. It’s a new ransomware that came out. This is an interesting one because they classify it as ransomware as a service. Everybody’s got their abbreviations they love to use. They’re calling ransomware as a service RaaS right now, R-A-A-S. But basically, what it does is it uses AES, encrypts all the files, disguising itself as a Windows update. And that attack basically goes in, overwrites the master boot record and wipes the target device. So there’s evidence that it came out of Iran initially. But the point here for organizations is, go in, look at your incident response, look at your disaster recovery, make absolutely certain that you have, number one, your stuff is backed up, and number two, that it’s backed up to your disaster recovery as a service solution. Wherever that point of truth is that you are now going to depend on, make absolutely certain that it’s not connected to your production system. Because I’ve seen organizations where they’ll get hit with malware, or ransomware at least, and what will happen is it’ll affect the target production system. But in its desire to go out and encrypt everything under the sun, what it will do is, it will go in and it will start encrypting anything it can gain access to. Well, if your production system that you’re backing up has a direct share to the location where your backups are, guess what? It’s going to go hop through that hole, and encrypt all your backups too. And there’s been organizations that have gotten hit with ransomware where the problem was, literally all their prod servers and backups were encrypted. They were screwed. So yeah, it’s not a fun position to be in. And unfortunately, a lot of organizations don’t figure that out until it’s almost too late.

Well, okay. So that said, kind of the next topic here is, the six reasons not to pay ransomware attackers. I mean, let’s unpack that a little bit more. It’s almost like you teed it up for me. If you’re the victim of a ransomware attack, you’ve got to go and figure out where do I currently stand? If you’ve got the ability to go to backups, and a disaster recovery service, and be able to cleanly restore it, guess what? That bar none is your very, very, very best case scenario, because now you don’t need to worry about, oh, geez, I have to pay. But it’s interesting that only a little over half of ransomware victims that pay the ransom, actually get their files recovered. So, you’ve got to remember, the bad guys are out there, they’re trying to make your life painful. I mean, at least half of them don’t give two craps about whether or not you get your data back, all they care about is getting your money. And so, the other problem is as you pay these ransoms, you’re encouraging additional attacks.

The six reasons specifically, and again, you’ll be able to go over to the website resources blog and search for security reminders. You’ll be able to get to this if you want to read more about these. But, the six different things are, there’s no guarantee you’re gonna regain access to your data after the payment. So, as I was saying a minute ago, only about half of them will actually get their files and data back. Paying these guys will encourage more attacks. If they’re successful with being able to lock people’s stuff up and get paid, well, then why would they stop, right? Ransom payments, they’re fueling more sophisticated attacks. So, these guys aren’t dumb, they’re gonna go in, they’re gonna do ransomware attacks against organizations as they gain dollars, gain foothold, gain traction. Now they use those dollars to put in additional research and attacks that will more cleanly go ahead and accomplish their goal of getting even more money. So you’re basically fueling the fire, if you will. There’s also nothing stopping the attacker from leaking or selling the stolen data. You may regain access to it, but it doesn’t mean that they’re not going to turn around on the black market and still sell your stuff. These folks don’t exactly have scruples. So you can’t depend on their good nature, or their common decency.

There’s a couple of other things that folks need to keep in mind, depending on who it is that you’re paying. You could fall into one of two different scenarios, which is really line item five and six on this, which is that you could be performing a US sanctions violation.
So in other words, this is perfect timing actually, to go back to the topic I forgot to bring up earlier, which is the whole situation with Russia. In the present day, the world is invoking sanctions against Russia. The US government is limiting what US organizations and companies can do when it comes to interactions with Russia. You very well could be violating US sanctions laws by even paying the ransom. So that’s one. And then the second side of this, and really item number six, those payments could also run afoul of the US money transmission rules. So there’s a couple of different legal implications for your organization. Now I get it. If you’re stuck, then do we tank the company? Do we rebuild from scratch? Or do we roll the dice? I wouldn’t want to be in that position, but it’s better to walk in eyes wide open that there’s several different arenas that are going to come into play when it comes to talking about making those ransomware payments.

So talk to me a little bit about misconfigured Firebase databases. I know that relates to mobile apps and data exposure there. Tell us a bit more about that. Well, there was a new report from Check Point Research that was indicating there’s over 2,100 mobile apps that are using Firebase cloud-based databases that have either leaked or exposed customer data. So it allows the attackers and threat vectors to obtain information about the application’s clients. So, it was interesting that at least 5% of all of the Firebase databases being leveraged were found to be exposed. And that equals thousands of new applications every month that could be actively leaking their information. So for folks that are leveraging the Firebase DBs for their mobile apps, go in, do the digging, do the research, make sure you’ve got your I’s dotted, T’s crossed, have it configured correctly. Because yeah, you don’t want to be that company.

Now this is another one. I was like, they’re still trying to do this, really? I hear that hackers are trying to target certain bank networks in order to steal money from ATM machines. Talk me through this. It’s been a long time. Okay. So there’s a new rootkit that they found. It’s targeting Oracle Solaris ATM machines. So what it does, it uses fraudulent cards to withdraw money using unauthorized cash withdrawals. So the attacks, they’re calling it CAKETAP, literally C-A-K-E-T-A-P, all one word, have taken place over the last couple of years. It works by intercepting card and PIN verification messages, then uses the stolen card data to perform fraudulent transactions. So yeah, I think as long as we’ve got electronics, and as long as we’ve got electronic access to money, then I don’t see the attacks against the ATMs of the world coming to a grinding halt anytime soon.

So those are your Q2 2022 Compliance and Security Insights. Cheers. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
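The user review Adam describes in the CISA segment has two halves: accounts that should have been disabled when someone left, and accounts that the MFA side quietly waves through. The following script is an added example for this episode, not TCT’s or TCT Portal’s code, and it cross-references three exports you would pull during a review: an HR roster, a directory user list, and the MFA provider’s user list. All three sample exports are constructed here for illustration, and the column names, the "terminated" status value, and the set of MFA status words that mean "not enforced" are assumptions to be mapped onto whatever your own systems actually export.

```python
"""Access-review helper: departed users still enabled, and MFA bypass gaps.

Added example for the Q2 2022 Compliance Unfiltered user-review discussion.
Not TCT code. Inputs are three small CSV exports (HR roster, directory users,
MFA-provider users); all three are invented below. Column names and status
values are assumptions: map them to what your HR system, directory and MFA
provider really export.
"""
import csv
import io

# Constructed sample exports (invented for this example).
HR_ROSTER = """employee_id,username,status
1001,jsmith,active
1002,bwalker,terminated
1003,kchen,active
1004,rpatel,terminated
"""

DIRECTORY_USERS = """username,enabled,groups
jsmith,true,Staff
bwalker,true,Staff;Domain Admins
kchen,true,Staff
rpatel,false,Staff
svc_backup,true,Staff
"""

# svc_backup is deliberately absent here: never enrolled in MFA at all.
MFA_USERS = """username,mfa_status
jsmith,enforced
bwalker,enforced
kchen,bypass
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Status values meaning "the MFA side will not actually challenge this user".
# The exact words vary by provider, so this set is an assumption.
MFA_NOT_ENFORCED = {"bypass", "disabled", "not required"}


def load_csv(text: str, key: str = "username") -> dict:
    """Parse a CSV export into {key_value: row_dict}."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def is_enabled(account: dict) -> bool:
    return account.get("enabled", "").strip().lower() == "true"


def departed_but_enabled(hr: dict, directory: dict) -> list:
    """Accounts whose owner HR marks as terminated but the directory still enables.

    Flags privileged group membership, since a leftover admin account is the
    worst case of this class."""
    findings = []
    for username, person in hr.items():
        account = directory.get(username)
        if person["status"].lower() != "terminated" or account is None:
            continue
        if is_enabled(account):
            groups = set(account["groups"].split(";"))
            findings.append({"username": username,
                             "privileged": bool(groups & PRIVILEGED_GROUPS)})
    return findings


def mfa_gaps(directory: dict, mfa: dict) -> list:
    """Enabled directory accounts the MFA provider would pass straight back.

    Two failure modes: the user is in bypass/disabled state, or the user was
    never enrolled (no MFA record at all)."""
    findings = []
    for username, account in directory.items():
        if not is_enabled(account):
            continue
        record = mfa.get(username)
        if record is None:
            findings.append({"username": username, "reason": "not enrolled"})
        elif record["mfa_status"].strip().lower() in MFA_NOT_ENFORCED:
            findings.append({"username": username,
                             "reason": record["mfa_status"].strip().lower()})
    return findings


def no_hr_owner(hr: dict, directory: dict) -> list:
    """Enabled accounts with no HR record, e.g. service accounts needing a named owner."""
    return sorted(u for u, a in directory.items() if is_enabled(a) and u not in hr)


def run_review(hr_csv=HR_ROSTER, dir_csv=DIRECTORY_USERS, mfa_csv=MFA_USERS) -> dict:
    hr, directory, mfa = load_csv(hr_csv), load_csv(dir_csv), load_csv(mfa_csv)
    return {
        "departed_but_enabled": departed_but_enabled(hr, directory),
        "mfa_gaps": mfa_gaps(directory, mfa),
        "no_hr_owner": no_hr_owner(hr, directory),
    }


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items}")
```

On the constructed data this reports bwalker as a terminated user still enabled and sitting in Domain Admins, kchen as enabled but set to bypass on the MFA side, and svc_backup as both never enrolled in MFA and lacking an HR owner. The "not enrolled" case is worth keeping in the check: an account the MFA provider has never heard of gets the same free pass as one explicitly set to bypass.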
