Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: 2022 Q3 Security Insights
Quick Take
On this week’s episode, the Compliance Unfiltered duo give you the quick hits from Q3 2022, in our quarterly security insights episode. Adam and Todd give you all the news notables from the quarter, from Central Logging and PCI v4.0, to Ransomware and Windows patching updates. All these insights and more on this week’s Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man whose knowledge of compliance impresses me on a far more than quarterly basis, Adam Goslin. How the heck are you, sir? I’m doing good, Todd. How about yourself? I can’t complain, man. Today, as you may have guessed by my flubbing of the open, we’re talking about Q3 compliance and security insights.
Tell me more about what’s going on this quarter when it comes to central logging. Well, a real quick friendly reminder. So when we do these kind of quarterly compliance security insights episodes, we’ll cover a topic as a security reminder, which will be central logging. But we did a full podcast on central logging with a ton of information on Episode 31, for those playing at home. Yeah, exactly. So we’re just going to be covering things in broad strokes here, really looking to the listener. We’ve got a combination of folks that are generally subject to compliance, from the business side all the way to the kind of gearhead. So, we’ll take a middle of the road approach for the sake of this one. But especially for the gearheads of the world, go and listen to that episode, strongly recommended.
So with all that said and done, let’s get into some stuff about central logging. So, most of this topic is really geared towards the gearheads. But, the bottom line is, that the tech group is the group that will primarily be handling this, etc. But, I think it’s important that everybody understands, why do we have central logging? What do we use this central logging thing for? It’s kind of like buying the iron curtain type of thing. At a high level, central logging is storing your logs for your systems to a secondary secured location, where those logs, preferably, are replicated live to that secure repository. And it’s implemented across all of the devices within the environment. So, if you think about it, your typical environment is going to have firewalls, and different infrastructure equipment that makes everything connect and work. You’re going to have various servers: web servers, file servers, Active Directory servers, database servers, whatever it may be. So, all of those things generate logs. And the intent is to get those logs over to somewhere else where they can be leveraged.
Really, the central logging objective is to have the ability to have one single place where all those logs go, because then it makes it a lot easier to go look through those logs. When you go through and you do that, it’s a lot easier when they’re all in one spot. And additionally, if the organization has some type of a problem, whether it’s a breach or they just need to go and do some investigating into what happened here, now they don’t have to go out to all of these various locations to try to piece it together. They can go to that one central logging repository, and they can see everything from there, if you will. That said, one of the things for the listener to keep in mind is that when the bad guys go and breach a system, and they get into an environment, one of the first things that they’re going to do is, they’re going to try to go in and clear the logs off of systems, so that they can attempt to try to cover their tracks. They don’t want some listing of who did what, in what order, and which user, and what IP address did they come from, etc. They want to try to cover their tracks. So, what they’ll try to do is they’ll try and cleanse the logs off of the end systems, but it’s impossible to cleanse. They may still be able to affect the local system, but if your logs are live replicating off to that secondary secure repository, they don’t have the ability to go in and clear the logs from that central repository, which means you’ve got at least a pristine view of any logs that were generated across any of the devices within the system.
For the gearheads of the group, a couple of quick tips for a process you can put in place each quarter as it relates to logging. So, number one, go through and validate that all of the devices that I expect to be logging, in fact, are. And what I mean by that is, if I have, whatever, 87 devices which are supposed to be sending logs to central logging, at least do a periodic pulse check, quarterly pulse check or something, monthly, whatever you wanna do, and make sure that you’re actually getting logs from all 87 devices that you’re supposed to. Depending on the technology that the organization has, they may be able to establish alerts, so that they can have the central logging system firing off alerts that, hey, FYI, I’m not getting logs from fill in the blank anymore. If you can do that, great. Go ahead and get that set up as well. That’s even better. We did an episode recently called Trust But Verify. It’s great to go in and set up your logging, but go in and verify that it’s actually in place, and that you’ve kind of got everything over where it’s supposed to be.
The other element that I was gonna bring up, kind of to close out this security reminder for central logging, is also during that kind of quarterly pulse check, sanity check, etc., just validate and make sure, yes, I still have 90 days of logs that are immediately accessible. Yes, I still have up to a year, either immediately accessible, or in cold storage. It just depends on which certification requirements the organization is up against, and what policies they’ve put in place. But whatever that structure is, that you’re either obligated to follow, or that you’ve chosen to adopt through your policies and procedures, have a check in there to make sure I actually have all of the logs that I expect I’m going to have.
Well, something else, Adam, that’s on our quick tip radar this quarter, PCI version 4.0. How do you switch over to 4.0 with the TCT Portal? So it’s pretty easy. You just go put a request into portal support for your new PCI version 4.0 track. If you’re converting from a 3.2.1 track to 4.0 at the end, like, I’m wrapping up my 3.2.1 and now I want to go move over to 4.0, one other thing for folks to think through is whether they want their 3.2.1 data migrated over to the version 4.0 track. Otherwise, if, whatever, you’re in the middle of 3.2.1 and you decide to jump ship and go over to 4.0, then you can do that whenever you want, that’s not a problem at all. Either way, we’ll be able to set it up so that you’ll be able to reference your evidence off of your 3.2.1 track. It’s just whether or not you want to port it over.
If you, as an organization, just want to get a 4.0 track, and go take a look at it in anticipation of moving to 4.0 down the road, then we can do that too. So just let us know. Again, all those can go through portal support. And just a friendly, helpful reminder that for us, most of our support requests, they’re handled within a couple of business hours. So we’ll get your 4.0 track deployment, wrapped up with the same type of speed that you’ve come to expect from TCT.
Fantastic. So what’s new in the news this quarter? Well, the one reminder for listeners is that you can access links to these news stories by going to the TCT website. So a shortcut to it is www.gettct.com and click on resources, and then click on security reminders. And then you’ll see our 2022 Q3 reminder pop up there. And within there, it’s got links to all these various news stories that we’re about to start with.
So the first story has to do with ransomware. So, ransomware gangs are leveraging an interesting approach. Interesting gangs? Yeah, yeah. So, these groups, the way they make money is by going through and deploying ransomware, locking up people’s systems and then mandating a payment. But what they’re doing, how they’re trying to make the victim companies pay, is to provide publicly a database that has search capabilities, so that they can post on that website any organization that doesn’t pay them. They’ll just go, well, okay, fine, we’ll go ahead and just post it regardless. For anybody that didn’t pay them, their breached information, so that they can make it easier for victims, whether the victims happen to be employees of that organization, or customers of that organization, to be able to go in, search and identify themselves, so that they can assist with the application of pressure on those organizations to pay. The interesting part about this one is that, when they go in and they do this, effectively what they’re trying to play on is the fact that then publicly customers and employees can go find that their data or information’s been breached. It increases the possibility that these organizations are gonna go through some form of a class action lawsuit, that type of thing. So, a couple of the other ransomware gangs kind of got together so they could go ahead and try to continue to apply that pressure so that they can get paid, if you will.
Sure, it was about that time again, Adobe security patching, talk to me. So Adobe released their own kind of Patch Tuesday, in the Microsoft-esque arena, on July 12th of ’22. This is in response to a series of flaws in several pieces of their software. So it had an impact on both Windows and macOS installations. The affected software being Adobe Acrobat Reader, Photoshop, RoboHelp, and Character Animator. So the flaws in these various chunks of software included full system takeovers, remote code execution, memory leaks. Adobe claimed that the flaws were not yet in the wild prior to these patches being produced, but certainly the folks out there are gonna wanna make sure that they’re getting up to speed on their Adobe patching as a result.
Excellent, Linux malware, what’s new? Well, there’s a new chunk of malware that’s making the rounds specifically for Linux devices. Generally speaking, Linux is viewed as a safe alternative to Windows in both corporate and in-home environments. The malware is called OrBit. It’s different from other previous Linux threats, in that this one can steal information directly from different commands and processes on the Linux box. It can also impact files associated with the processes on the local system. The malware itself provides remote access capabilities over SSH, which would allow the attackers to go in and harvest both credentials and data that the malware gets exposed to.
Now on the Windows front, what’s up in their malware arena? Well, there’s a new malware officially circulating that uses what they call a fileless attack to inject remote shellcode into Windows. What that means is, there’s basically no malware-specific trace files that get left on the system for detection, as a result of the way that they went about deploying this particular element of malware. It uses an infected Office document, and the Rozena malware creates a remote backdoor, and the Office doc is used to offload the malicious payload onto the affected systems. But there’s already a patch to go in and fix this particular finding, but most organizations haven’t applied that patch to their systems yet.
And then as far as Windows patching? Well, Microsoft recently fulfilled a promise that they made to cloud consumers. They have something called Windows Autopatch, that they’ve officially made live. So the service is only live for Windows Enterprise E3 and E5 licenses, and you need to have Azure Active Directory Premium and Microsoft Intune in order to leverage Windows Autopatch. The patches will basically start to implement on all devices currently subscribed to the services above automatically, but Microsoft has come out and said that Autopatch can’t prevent glitches caused by bad patches. So I mean my word on this one would be proceed with caution, based on your comfort level with Microsoft’s stellar track record of releasing well-tested patches.
That’s the good stuff. Thank you. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.