Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show notes: 2023 Q1 Security Insights
Quick Take
On this episode, the Compliance Unfiltered Duo gives you the quick hits for Q1 2023 in our quarterly security insights episode. From requirement splitting, to LastPass’s second breach in 3 months, to Sirius XM car apps showcasing next-gen hacking possibilities, the CU guys have you covered on the news and notables from the quarter that was.
All this and more on this week’s Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who will row, row, row your compliance boat, Mr. Adam Goslin. How the heck are you, sir?
I’m doing great, Todd. How are you?
Man, I can’t complain at all. It’s that time again, that’s right, folks. Compliance and Security Insights time for Q1 of 2023 this year.
Adam, talk to me about it.
Well, first off, we’re going to start up with a security reminder. So we’re going to focus on where your people are really storing sensitive information. The reality is that most of the compliance standards are requiring the organization to designate approved methods and locations for storing sensitive information about the company. Just because you have the approved storage list doesn’t necessarily mean that’s where everything’s actually getting stored. So, every organization has its own list of approved storage locations for their sensitive data. So, it’s important that the folks at these organizations understand what the rules and requirements are for the company that I’m working in. Everybody should know what those policies are, including the notion of making requests if they have some other location. It isn’t always convenient to save files to the approved location. Sometimes, employees will save a file temporarily to another location because they’re in a hurry. More often than not, users aren’t really thinking about the ripple impacts. But if you’ve got company assets that are being saved off to disparate, uncontrolled locations, I mean, you could effectively have sensitive organizational data that’s left unprotected or stranded. So, it’s one of the most common ways that organizations are getting nailed with data breaches. They’ve got a whole host of sensitive information that gets saved off to an unencrypted external hard drive because somebody thought it’d be easier. And next thing you know, the hard drive comes up missing. Actually, I have one story in that regard. I was working at an organization where one of the heads of IT had gone to a work meeting, went to lunch, left their machine in the car type of deal, went in and grabbed lunch, and sure enough, by the time they got out there, someone had broken into the car. And now you’re dealing with the aftermath.
So, you know, it could be something as benign as their assigned machines, but it could be thrown on a USB or an external hard drive. A lot of times what I’ll see in an organization is users just using something that’s easy for them. Their heart’s in the right spot, right? I want to be able to work on this stuff from home, and if I forget my laptop, then blah, blah, blah. So, I’m just going to go put it on this Dropbox or whatever, their own personal Dropbox type of deal. It’s like, man, you have absolutely no purview over some of these locations. So, I can’t underscore too strongly the importance of clearly, continuously communicating how and where the company’s data needs to get stored. Employees need to be held accountable. There need to be consequences for violating the company policy. For those organizations wanting that extra layer of accountability, certainly getting into data loss prevention, or DLP, solutions that will kind of keep an eyeball on how and where corporate information is getting disseminated to.
Now, talk to me, quick tip right here, about splitting requirements into multiple workflows.
Sure, so as we give folks a tip for managing compliance, one of the things that organizations will often need to do is segregate their compliance evidence into two or more workflows. So, for example, maybe you’ve got several different hosting facilities that need different sets of evidence. Maybe you’ve got multiple networks that have boxes running on different operating systems. But there’s a causal effect as to why the organization needs to get to a more granular level of tracking. In this case, it often makes sense to segregate those into multiple workflows; that way you can track your engagement appropriately. For a lot of companies, the folks that work on, let’s just say, system administration, the system admins for Linux often are not the ones that are the system admins for the Windows environment. The cool part is, the TCT Portal can split requirements into multiple buckets. And the best part is, you can then assign each of those buckets out to individuals on those individual teams. Let’s just say it’s Mary and Bob. Mary’s the Linux admin, Bob’s the Windows admin. Traditionally, they would have had to share that one. Mary and Bob both need to provide evidence for their various arenas. Don’t forget to wait and make sure the other evidence is there before you hit the go button. If you go in and divide that singular requirement, now I can take one and assign it to Mary, and I can take the other one and assign it to Bob. That way, not only do you keep each of them accountable, but you now have separate workflows, separate follow-ups. The systematic “hey, Mary, you still got one open” if Bob finished his, that type of thing will still happen, because of the fact that you’ve got them split out and segregated. So, it allows you to bring the tracking down to that kind of granular level that you need when you’re going through an engagement. Those are just some examples.
The bottom line is that the requirements splitting can be done pretty much across any plane. So, we gave examples of operating systems or environments, etc. There may be other ways that people need to go in and split them, but that way you can go ahead and split a requirement as many times as you need, whichever way you need, etc. For any folks out there that are leveraging the portal and need to go ahead and split requirements, it’s easy: just go throw a request into portal support, and they’ll help you go ahead and get that set up.
So what’s in the news?
Well, a couple of things. So just a reminder for listeners, they can access links to the various news stories if they go over to TCT’s website, www.gettct.com. Then when they get there, it’ll redirect them to the Total Compliance Tracking page; they can click on Resources on the top and then click on Security Reminders. If they go to Q1 2023, then they’ll be able to kind of follow along at home, read through, and link to the various news stories we’re going to talk through. We actually had more stuff going on than normal. In the past three months, normally I’ll try to pick out five stories; that’s generally what I try to hit. But there was just too much going on. So we’re going to cover a couple more. So first up, we had a number of popular web application firewalls that managed to get subverted by a JSON bypass. So, the web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto were all found vulnerable to a DB attack using the popular JSON, or JavaScript Object Notation, format. Many organizations will use their WAF as a crutch for truly securing the applications. They forget to allow security testing to bypass that WAF, just so they can get a true security stance of where their applications sit in the event that the WAF fails them.
In this particular case, the WAF was allowing a bypass to flow through. So, this would be an example of where you can’t just simply depend on the WAF to protect you from all the oogly booglies.
Next up, LastPass has unfortunately been in the news a good amount lately. They just disclosed last quarter a second breach over about a three-month period. The threat actor that was behind their August intrusion used data from that incident to go in and access customer data that was stored on a third-party cloud service provider, and affiliate GoTo is reporting the breach of the development environment. So LastPass and GoTo are both confirming, at this point in the game, no impacts to their production environments or direct loss of customer data. But this one is still in the process of unfolding. So I guess we’ll see how it all works out in the end. But I’m probably going to want to keep an eyeball on that one.
Another interesting one: there’s an Aiphone bug that allowed cyber attackers to literally open physical doors. There was a bug that affected several of the Aiphone GT models, which use NFC technology. It would allow the malicious actors to potentially gain access to sensitive facilities. So, the devices in question, there’s a list of them, I won’t read them off; the listeners can go in and read it on the blog article. But these systems are being used by high-profile customers, including the White House, the UK’s House of Parliament, etc. So, it’s a system that’s leveraged by some pretty high-end customers, and ostensibly, they all have a strong need for security. And yet, the bug would allow folks to go in and code up entry to bypass the physical security measures that were put in place.
Next up. Now this one’s particularly interesting to me.
Yeah, we had a couple of different car applications that were highlighting the next-gen car hacking. So, that would include the Sirius XM and MyHyundai car apps. So, there was a set of three security bugs which, combined, allowed remote attackers to do things like unlock, start the car, operate the climate controls, pop the trunk and more, all through poorly coded mobile applications. So the issues, which impacted many of the car brands, appear to stem from a basic lack of security testing as part of their development and release process for the applications. So, it was causing owners to need to go figure out, hey, what the heck do I need to do in order to go in and secure my own vehicle. But it’s always fun when we can kind of pull out security implications to something that a lot of folks don’t think about, like your car.
Moving right along from cars. Spacecraft are also not infallible. They found an aerospace networking bug. There was a single device with malicious code which would be able to foil a networking protocol that’s used by spacecraft, aircraft, and industrial control systems, resulting in unpredictable operations and possible failures. So, according to some of the researchers from the University of Michigan and NASA, there’s a protocol that’s called Time-Triggered Ethernet, or TTE; it reduces the cost of implementing networks for these critical infrastructure devices by allowing multiple devices to use the same network without affecting one another. But of course, they found a security hole in it. So, what are you gonna do?
Yeah, good luck patching in space.
So, moving on from there. We talk about security and compliance, the importance of it, etc. And of course, whenever anybody hears this, they’re like, oh, well, that’s just for the little guys that don’t have their act together and blah, blah, blah. Well, apparently not, because stolen data on about 80,000 members of the FBI-run InfraGard site is reportedly for sale on a dark web forum. They ended up finding information on key personnel that are running our nation’s critical infrastructure. Now, in and of itself, a lot of the information, a lot of the data, could theoretically be garnered through public channels and things along those lines. But the big problem is that this particular repository consolidates all the information into one handy-dandy spot. So, you’re not searching the internet and trying to figure things out and blah; you already know who these companies are, and who these people are, and what’s all their contact information. So, it’d literally be a goldmine for any bad actors or other nation states that are seeking to consolidate the impact information for directed attacks on the US. So yeah, apparently they are not infallible, shall we say.
Also, a Google WordPress plugin bug that was allowing for metadata to be stolen via AWS. So, there was a vulnerability in a WordPress plugin called Google Web Stories, and it would allow authenticated users to leverage the AWS metadata to further exploit a compromised site, just prompting a reminder to folks about making sure they’re keeping up with their patching and their strong user authentication. But now, the stories that we had over this last quarter were kind of all over the board, and we had some fun ones in there. So I wanted to throw another couple into the mix, just to let people know what’s going on.
Absolutely. And that right there, that’s good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less.