Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show notes: 2022 Q4 Security Insights
Quick Take
On this week’s episode, the Compliance Unfiltered Duo gives you the quick hits for Q4 2022, in our quarterly security insights episode.
Among other topics, we discuss:
- File Integrity Monitoring
- Microsoft Teams attack paths for hackers
- Free decryptors available for LockerGoga Ransomware victims
We’ve got you covered on the news and notables from the quarter that was. This and more on this week’s Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter.
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who will certainly show you where your compliance bread is buttered. Mr. Adam Goslin, Adam, how the heck are you? Oh, I’m doing good. I’m not sure if I mentioned this in the last go-around, but I’ve got a new addition to my family, which has been interesting. We got a 10-week-old, 32-pound Irish Wolfhound.
That’s a small, quiet dog, absolutely. Yeah, small to start. I’ll put it this way. Her mom’s 120 pounds. She’s supposed to be gaining at a rate of approximately two pounds a week for about the first year. So, yeah, this is, it’s exciting. So, no doubt. Yeah, yeah, yeah. If I didn’t have enough damn motion alerts then, now I got a third one. Making sure all your bases are covered, I appreciate that. Thorough.
Speaking of thorough, it’s about that time again, as we do every quarter, it’s time for Q3 2022. Q4, sorry, my bad. Pardon me. For 2022, compliance and security insights. So, where are we starting today? Today Adam. Well, first off, let’s get into the security reminder. So for security reminder, we’re gonna cover file integrity monitoring for the sake of this one. Obviously this topic’s a little more for the gear heads, but even those that aren’t, it’s good to understand what is this control? What does it do? Why is it important? How does it help? Things along those lines. I’ll put it in a way that’s universally intelligible and then we’ll take it from there. So at a high level, a file integrity monitoring tool is one that checks files on machines to see if they’ve been modified.
So, its primary purpose is as a detection mechanism to spot evidence that bad actors have been in your system. So, under normal circumstances, most companies will set this up to fire off once a week. And, it’s a backdrop check to say, hey, have any files been added? Have any files been changed? Have any files been removed? And it’ll basically compare the state of the files on this run to the state of the files on its last run. Now, while a lot of organizations will run this weekly, I’m a huge fan of running it. Depending on the tool that you’re using, you can even run these things basically real time, constantly polling and things along those lines, to see if there’s been any modifications so you can get more near-term alerts, if you will. But the minute that the comparison sees a difference, then boom, flag goes up. And so, the benefit is that it can serve two different purposes. First and foremost, let’s pretend we’re running it once a week, and at no point in the prior week did we have any declared change control that was occurring within the environment. And yet, there are files showing up as new and being removed, etc. Hey, that’s when the red light starts spinning, all hands on deck, we got an issue type of thing. But the flip side of that is it also works well as an alignment mechanism between your change control and the activities that you’re seeing systematically. If I go in Tuesday evening, change control was going through, and I’ve got records of that, etc., and I’m seeing a bunch of changes to the impacted systems on that Tuesday and the nature of the changes looks to be congruous with the modifications being made, cool, no problem, check. But the neat part is, it’ll also pick up, let’s say you have a rogue administrator that just wants to go try a setting change or something and doesn’t bother putting it through change control, guess what, that’s going to show up too.
So it also works as in that sense, it’ll work as a mechanism to be able to make sure changes within the environment were authorized. People are actively following your change control processes and procedures. So not only will it go in and identify bad actors, but it will also identify folks that aren’t following internal process, and procedure, and validate that, yes, we see alignment between this alert mechanism and the changes that are happening on the system. It’s honestly one of the best and most important detection tools that an organization has, just because it’s very difficult to, if not impossible, to be able to skirt around it, right? If the bad guy goes in and swaps out a bunch of core system files for bad files and whatnot, boom, now you can go in and get something done about it.
Sure. Now you made reference to, potentially some organizations doing real-time monitoring of threats. And I know that there’s an opportunity, at least with something you’re familiar with. Do you want to talk through a little bit of automation boosting here? Yeah. So our quick tip for the sake of this quarter is improving your automation, your compliance automation with TCT’s API. So, some folks know and some folks don’t. TCT has an API that will allow for the ingestion of data from secondary systems or the exportation of status-related information. So, for those organizations that have, whatever, their own internal ticketing systems is a good example.
A lot of organizations, especially the tech crew, works exclusively off of some type of a ticketing system. So what they’ll often do is, they’ll set up tickets within their ticketing system. That way, their internal personnel only have a single pane of glass that they have to go to for all their to-dos, all their day-by-day tasks, recurring internal tasks, their development projects, and their compliance tasks, all showing up on that one pane. For those organizations that have the ability to do this, you don’t have to go in and manually update your ticketing system, and then turn around and load the data from your ticketing system back over into the Portal, you can leverage automation via that API to flow the information, whether it’s explanations, attachments, comments, things along those lines into the TCT Portal. It just allows the frontliners to go into it once, and then be able to map that off to the system. So, we were just talking about file integrity monitoring and the reports that are generated from that, when it goes in and does its checks. If someone was leveraging the API, they could basically code up their pull to go pull from wherever those reports are being deposited, and then go ahead and pull those straight on into the TCT Portal. The other cool part for those organizations that, I don’t know, let’s pretend they’ve got an existing internal dashboard, that they leverage for prioritization and summary of where are we at on certain projects, etc. It also would allow them then to pull the current state or status of their particular engagement within the TCT Portal and display the statistics. The statistics from the dashboard within the TCT Portal and bring that back down to their own and merge it with other data points, information, etc. 
So, I don’t know, let’s say we’ve got a hosting company that has current uptime stats, etc., for the machines that they’re provisioning for a particular client, then they could also have a compliance dashboard within their system to show the current state of their compliance engagement, and have the two systems almost playing together as they go through it. So, it’s a really, really cool way for the guys and gals that have the capability to do that coding to really kick it up a notch, if you will.
Absolutely. Well, it’s about time. We’re going to jump in here with both feet into the news. Listeners can gain access to the links on various news stories that we cover here by going to the TCT website at www.gettct.com. Click on the resources, and click on security reminders.
Now jumping in. Severe security flaw in the Microsoft Teams desktop app. Talk me through it. What happened? Yeah, they had an issue where it was letting attackers access authentication tokens for Teams. So the attack path for the attackers with file system access would allow them to basically steal Microsoft Teams credentials, partly due to the fact that the Teams app was storing authentication tokens in clear text, and it allowed the attackers to guess the token holder’s identity, essentially creating a bypass for multi-factor authentication to the victim’s Microsoft Teams application. Each organization should be keeping up on their security patching, all that fun stuff. Yeah, you definitely want to make sure you go in and get that one patched, would be a fantabulous idea.
Now, iPhone users are urged here to update to patch two zero-days. Talk me through it. It’s interesting. We don’t see a lot over on the Apple iPhone arena, but they’re not immune. If you’re running macOS, iPhone, iPad, Apple’s recommending immediately install two fixes for zero-day exploits within each device’s operating system. The first flaw that they found, it’s a kernel bug. It allows the attackers to maliciously execute code with kernel-level privileges, AKA like they’ve got super user access to the system and do whatever they want. That’s part of the reason why that one was important. Second one is a WebKit bug. It allows the attacker to craft web content, which would lead then to code execution. WebKit is the engine that powers the Safari web browser, along with other third-party browsers in iOS. Again, patching your systems early and often, great idea. Excellent.
Now, we’ve got a free decrypter available for those LockerGoga ransomware victims. What are we talking about? Yeah. Sure. Yeah. So people also to be, I’ve seen people say this all sorts of different ways, Locker Gogo, Locker Gaga, whatever. Ransomware, it started running in the wild in 2019. It was specifically targeting industrial organizations. The creator, in combination with the No More Ransom project, created a tool that’ll instantly decrypt any LockerGoga infection. And Bitdefender is currently sponsoring that free decrypter. So, if you’ve got your organization or somebody that got hit by this, then you can just let them know that this particular decrypter is available so that they can go and, well, I don’t know, gain access to their stuff.
Nice. For those wondering about the Google patches, Google patches Chrome’s fifth zero-day of the year, Adam. Google officially patched the fifth zero-day exploit just this year, this year alone. So this particular bug allows for remote code execution. There were, in addition, there were ten other issues that were fixed during this latest patch. Three of the five zero-day exploits were actually in different components of the Chrome browser. This trend in these exploits is creating a lot of uncertainty for users of Chrome, and Chrome is seeing a drop-off in usage as a result of all the bugs and the holes that are bubbling up to the surface.
Well, spell checking in Google Chrome and Microsoft Edge browsers leaks passwords apparently. Yeah, fun stuff. So, yeah, both Google Chrome, and Microsoft Edge browsers, they’re leaking sensitive information to both Google and Microsoft. This leak is called spelljacking. It’s releasing information that includes passwords, usernames, emails, etc. The particular settings that are enabled in Chrome are something called enhanced spell check and on Edge, it’s MS editor. And tests were performed on 30 different websites and more than 96% of those were returned with those settings turned on and were returning some form of personally identifiable information or PII. So yeah, folks want to just, number one, make sure you’ve got your stuff patched up, and number two, consider dialing those settings off until we get confirmation that these things have been truly addressed.
Most definitely. And that. That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
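The file integrity monitoring check described in the security reminder (baseline the file state, rescan, flag anything added, removed or changed, then reconcile the findings against change control) is easy to see in working code. The script below is an added example written for this page; it is not TCT's code, not a product's, and not the API discussed in the quick tip. The directory tree, file contents, the approved path list and the idea of a change ticket are all constructed for illustration, and it assumes a POSIX host where permission bits are meaningful.

```python
"""File integrity monitoring in miniature: baseline a directory tree, rescan
it later, list added/removed/changed files, and reconcile the findings with
an approved change record. Added example; not TCT's code or any product's.
The tree, file contents and the approved-path list are constructed."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Record hash, size and permission bits of every regular file under root.
    Recording the mode means a chmod shows up even when content is unchanged."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        state[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return state


def save_baseline(state: dict, path) -> None:
    Path(path).write_text(json.dumps(state, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """The weekly check from the episode: diff this run against the last one."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def reconcile(diff: dict, approved_paths) -> dict:
    """Split findings into those covered by an approved change record and the rest."""
    approved = set(approved_paths)
    result = {"authorized": [], "unauthorized": []}
    for kind in ("added", "removed", "changed"):
        for rel in diff[kind]:
            bucket = "authorized" if rel in approved else "unauthorized"
            result[bucket].append((kind, rel))
    return result


def demo() -> tuple:
    """Build a constructed tree, baseline it, simulate a week of activity,
    and return (diff, reconciled findings)."""
    work = Path(tempfile.mkdtemp())
    tree = work / "tree"
    try:
        for rel, data in {
            "etc/app.conf": b"debug=false\n",
            "bin/service": b"\x7fELF-placeholder",
            "lib/helper.so": b"\x7fELF-placeholder-2",
        }.items():
            f = tree / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
            os.chmod(f, 0o644)
        # Baseline lives outside the monitored tree so it is not scanned itself.
        save_baseline(snapshot(tree), work / "baseline.json")

        # Covered by a constructed change record: a config edit.
        (tree / "etc/app.conf").write_bytes(b"debug=true\n")
        # Not in any record: a new hidden file, a deleted library, a chmod.
        (tree / "bin/.cache").write_bytes(b"unexpected")
        (tree / "lib/helper.so").unlink()
        os.chmod(tree / "bin/service", 0o755)

        diff = compare(load_baseline(work / "baseline.json"), snapshot(tree))
        return diff, reconcile(diff, approved_paths={"etc/app.conf"})
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    diff, findings = demo()
    print(json.dumps(diff, indent=1))
    for kind, rel in findings["unauthorized"]:
        print(f"ALERT: {kind} without change control: {rel}")
```

Two points a practitioner would add when moving from this toy to a real deployment: keep the stored baseline off the monitored host (or signed), because anyone who can alter system files can otherwise rewrite the baseline to match; and treat the "authorized" bucket as a reconciliation aid rather than a silence list, since a change record approving one path says nothing about a permission change on another.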