Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: 2023 Q2 Compliance and Security Insights

Listen on Apple Podcasts
Listen on Google Podcasts

Quick Take

On this episode, the Compliance Unfiltered duo give you the quick hits for Q2 2023 in our quarterly security insights episode.

Adam gives an in-depth breakdown of password management systems and their importance in modern compliance management. Then the CU guys jump feet first into understanding the benefits of a Compliance Management System with multiple dashboard views and their applicability across multiple internal and external use cases.

The guys then round out the episode with the latest in the news, including a Pwn2Own Vancouver 2023 update and how Bitcoin ATM hacks led to the discovery of 0-day vulnerabilities on that platform, all on this episode of Compliance Unfiltered.

All this and more, on this week’s episode of Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who’s the marshmallow to your compliance s’more, Mr. Adam Goslin. How the heck are you, sir? I am doing good. How about yourself, Todd? I can’t complain, all things considered. So it is that time again, sir. We are here. Q2 2023 compliance and security insights, go.

All right. Well, we’re going to start off with a security reminder. We’re going to talk a little bit about choosing a password management system. So, you know, there’s lots of clever ways that people have for remembering passwords. And, you know, if you can keep track of them all with a clever system, then, in all likelihood, your passwords are going to be too easy to hack if one of them gets exposed. You know, the reality is, every single password that folks are using should be, you know, a long, ugly, complex string of gobbledygook that you can’t memorize, etc., and you shouldn’t be using the same password for more than one account. You know, that’s what really makes for a strong password. And that’s why you need to keep those passwords in a secure password management system.

But there’s a lot of choices when it comes to password management, whether you’re doing it for work or you’re doing it in your personal world. First things first, if your workplace is requiring you to use a specific password management system for work, then by all means, take their lead, do what they’re saying. But like I said, if they don’t, and you would like to use one, or if you would like to adopt this in your personal world, then there’s effectively a couple of baseline choices for password management. You know, a cloud-based solution, otherwise known as software as a service or SaaS. Or you store them on your own system. We’ll call it a local-only password repository. So first things first, we’ll touch on the cloud-based password management systems. There’s a number of different ones. Examples out there are LastPass, NordPass, Keeper. There’s a bevy of other ones. And some of the pros and the cons of the cloud-based system: the pro is that it’s online. You can access it from wherever you’re at if you’ve got an internet connection. The pro is it’s available across your devices. So whether you need the repository off of your workstation, your tablet, your phone, many of these will have a platform whereby you can access your various passwords on the various media that you need. The downside is, and this is where you’ve got to go look into the selection of choice, if you will, it may only be available if you have an internet connection. The other is that under this model, your passwords are indeed sitting on somebody else’s system. And now you’re depending on their capability to keep your passwords secure. So some of the password managers in the cloud space may offer replication to your local device where it does sync the data down, etc.

Moving on to the local password management system, where it’s just stored on your machine, these are encrypted password vaults that store the passwords right on your own machine. So some of the pros and cons. The pro, it’s always there. So I realized I didn’t call out any example. The one that’s been around for quite some time is a solution called KeePass, K-E-E-P-A-S-S. But there’s, again, a bevy of other local storage style systems. Some of the pros: it’s always there. It’s right with you, whether you’re online or not online. Another pro is you don’t have to trust the security of the third-party service provider. Now it’s on you, because it’s a local repository. And from a con perspective, because it’s a local repository, it doesn’t readily sync across devices. So I can’t just pick up and go use that same thing on my tablet, on my phone, etc. The other con is that you need to be good about backing it up so that you don’t lose all of the information you have within your password management system in the event that you lose a hard drive, or the machine goes down, or the machine is lost or stolen, etc. The other con is it is less convenient, especially when you’re logging onto devices where you don’t have the password manager just sitting right there. And the other thing is that now you’re taking wholesale responsibility for the security of where that thing is being stored as well. So, everybody’s got to take the pluses and the minuses and make their own decision. I’ve seen some people that will love going cloud-based. I see other people that love going the local route, and everybody’s different.

So, I’d certainly recommend, go ahead and put yourself through those paces and see which way you want to go. With any vendor or software product, you want to make sure you’re doing due diligence; research the company before making your selection. Note how many breaches they have called out, and how recently they were breached. It’s important to remember, no company is completely impervious to a cyber attack, and even password management systems could be compromised. So, whatever type of password manager you use, the other recommendation I’d have, whether it’s cloud or local, is use it for all of your passwords, PINs, and security prompts that you’ve got, whether it’s your login to your Active Directory at work, or it’s your personal banking login, whatever. And when I say the security prompts, what I’m talking about there is where they ask you, well, what’s the name of your first cousin, or your best friend in grade school, or whatever. If you put those into your password management system, that also means you can have unique security questions on each site as well, if you note down the answers, kind of piece by piece, if you will. So, quick tip, dashboard views to suit specific needs.

I’ve got a lot of questions around this because I feel like dashboarding needs are kind of subjective, no? Yeah, it depends on what you’re trying to do. The reality is that the TCT portal is designed to be leveraged by a bunch of different people and a bunch of different roles. CEOs, COOs, down to IT directors, down to frontline workers, to HR, to legal, etc. And everybody’s kind of looking at it differently. It has a different purpose; maybe they’re the project manager, etc. So, there’s a bunch of different ways you can leverage the dashboard page in the TCT portal to give you the information that you need to see. There’s two main sections for the dashboard page: a section status and then open items. So in the section status, the top portion of the dashboard, it gives you several different view options, depending on the configuration, but I’ll go over four of them. So, status view. This is just a high-level view that identifies which groups of people have which items. It’s really, if you will, the workflow steps on the engagement. So if it’s my company passes to the consultant, passes to the assessor, passes to complete, as an example, then in status view you’d see each of those steps in the workflow, and you’d be able to see what count of items are in which step of the workflow across the various players that are engaged on your particular engagement. The other important part about that status view is that the status dashboard can be viewed in a grid format, similar to kind of a spreadsheet view, or in graphical format. The graphical format is really helpful for capturing screenshots and sharing them for executive status updates or forwarding them on to interested third parties.

Another view up in there is an assigned view. So this view is more often used for tactical sessions with your kind of operational team. When you’re talking about who has which items, you can readily see the assignment counts by person or by a group of people at any stage of the workflow. So you can kind of take a look down there and see, hey, we’re running behind, but this one person has 80% of the responsibilities, do we need to get them some help, that type of thing. That’s where the assigned view can really come in helpful and handy, if you will.

The reporting view, this portion of the dashboard will call out reporting of statuses that are happening during the engagement, provide some type of notion of what’s being worked on, what’s been worked on, how complete your reporting is on your engagement, who’s been working on it, that type of thing. The assessors especially will often use that reporting view just to keep an eyeball on what’s going on with the progression, as they perceive it, for the reporting status. Another way to look at that particular dashboard is when you’re running in operational mode, there’s an overdue setting in that dashboard. It’ll tell you when you’ve got time-based elements that are due; once they go past due, then it’ll tell you who has those items that are still open and in their hands and whatnot. And so it really works well, especially as you’re getting into your operational mode, you’re running through your items, now you can kind of press on the right people to be able to get the right information passed over and clear your quarterly items to make sure you stay on track.

The other section we were talking about is the open items section. That’s the bottom section of the dashboard. In there, there’s a plethora of different items; you can pick a ton of different filtering down in there. If the users haven’t played around with it, it’s a really good idea to go down there and kind of play around with those, get their arms around them. I’m not gonna go through all of them, but the most common of those is a filter that’s called My Requirements. So you go ahead and pick My Requirements, and what it’ll do is it’ll show you the various items that are in your hands. You know, if you’re in operational mode, then you can also take a look at any of the items that are coming due within the next hundred days, AKA the next quarter that you’ve got coming up. So there’s a lot of other views that are in there, but I really leave it kind of up to the listener to see what works better for their circumstances. A lot of it depends on their role on the engagement, but I’m positive that there are good, solid assets available within that arena that would be extremely helpful for them if they haven’t played around with those. Good stuff.

Okay. Well, turning the page here. It’s, uh, it’s that time again. What’s new in the news? Well, I’ll give the listeners a reminder that they can access links to these various news stories by going to the TCT website, go to www.gettct.com, click on Resources and then click on Security Reminders. So if they go there, they’ll see the Q2 2023 security blog. It’s got links to all of the various stories that we’re about to go through. So let’s talk about some fun stuff here. So, um, yeah, the first one is, there was a Pwn2Own event in Vancouver earlier this year where a bunch of white hat hackers got together and were basically running up against a couple of different platforms. And in one single day, the crew that was in there, they ended up identifying 12 different zero-day exploits. Now this was across, here’s where the interesting part comes in, they found bugs and zero days across Windows 11, Tesla, the Mac operating system, and Ubuntu desktop, which were all successfully compromised. And so yeah, everybody shared the love that day. Microsoft SharePoint was also able to be compromised, and the attacker was able to use improper input validation within Windows 11 to escalate privileges without needing an admin username and password. Another group escalated privileges on macOS by exploiting a TOCTOU bug. The hackers during the conference received 375,000 bucks for the unearthing of these various zero days. So that was rather entertaining, shall we say. I bet. We also had Bitcoin ATMs hacked. So, are you moving right now, or? I’m hearing this constant movement over on your end. Oh. Yeah, it’s all good. It sounds like you’re moving your desk from one side of the office to the other. Yeah, exactly. So the Bitcoin ATMs, they ended up hacking into them.

They exploited a zero-day vulnerability in that platform as well. Actually, that’s an interesting reminder that I think TCT recently put one of the cryptocurrency standards up on the TCT platform. But anyway, the Bitcoin ATMs, they announced they had a warning from activists saying that they were able to steal user information and funds from hot wallets through the Bitcoin ATMs. Yeah, General Bytes is one of the Bitcoin ATM deployment organizations, allowing Bitcoin customers and holders to exchange Bitcoin for cash and vice versa at an ATM, like you would normally do for a bank or a credit union. You know, the attackers were also able to reach and view event logs, allowing them to see customer secret keys linked to the wallet addresses and essentially allowing the attacker to mimic being the customer with Bitcoin in their account and empty the wallet.

So yeah, that was awesome. The next one up is Shellbot. There was a new Shellbot distributed denial of service malware, variants that are targeting poorly managed Linux servers. So it’s a new malware that’s specifically targeting Linux, and especially the poorly managed ones. Shellbot’s also known as PerlBot. It uses the IRC protocol to communicate back with the command and control server from the attacker. And this can only get in through port 22 being an open listening port. So Shellbot uses a dictionary style password breach technique to crack the credentials. And then the command and control server, once the password’s cracked, sends the commands in remotely to extort information that’s been harvested from the infected system. So yeah, good times there. What do you hear? Sounds that way. Yeah, no doubt. Hey, I’m gonna take a coffee sip here, one second. No worries. Follow suit. Yeah, there you go. Vulnerabilities, okay, so in terms of vulnerabilities, the Netgear Orbi router was found to be vulnerable to arbitrary command execution. Now the Netgear Orbi is a popular home wifi network setup. And so I wanted to bring this up to the listeners just because if anybody’s got them, I can’t imagine people have them at work, but you never know. But certainly maybe a thing at home. But they were found to be vulnerable to arbitrary command execution. So there were four big vulnerabilities that were found in the system. Some of them were found in kind of the satellites that are set up on that particular platform, aka kind of like the wireless repeaters. And some of them were found in the main router itself. Three of the four that were identified need the attacker to gain access to the network, either by having the password to get on the network or connecting to it through a non-password-protected network.

So a man in the middle attack can be carried out through the public IP address of the home to trick the main router into sending sensitive information back out to the attacker. And finally, we’ve got CISA alerts sent out on critical security vulnerabilities in industrial control systems.

So industrial control systems, they’ve been in the spotlight for some time. I think commonly in the security space there has been a notion that there’s some really old, outdated systems that have not received the appropriate security care and attention and love, if you will.

And so, yeah, they continue to go after these. Delta Electronics InfraSuite Device Master, wow, say that 10 times fast. A real-time device monitoring software that had several big flaws in its versions prior to 1.0.5. The biggest of those vulnerabilities is a particular CVE, CVE-2023-1133. And this vulnerability, it’s a flaw where the Device Master software accepts unverified UDP packets and deserializes the content, allowing an unauthenticated attacker to craft UDP packets that allow for remote arbitrary code execution on the platform, which of course is a gigantic no-no. So there you have it. That’s the new and exciting stuff in the world of security news, Todd.

Excellent news indeed. Thank you, sir. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less. Thank you!
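The Shellbot item in the transcript above comes down to two things a defender can check: whether SSH on port 22 is getting dictionary-attacked (and whether one of those guesses eventually worked), and whether sshd is still configured to accept password logins at all. The script below is an added editorial example, not code from the episode, from TCT, or from the Shellbot write-up it summarizes. The OpenSSH log lines it parses are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges), and the threshold of five failures per source address is an arbitrary assumption you would tune for your own environment.

```python
"""Spot SSH dictionary attacks in OpenSSH auth logs and weak sshd_config settings.

Added editorial example; the sample log lines below are constructed, not real.
"""
import re
from collections import defaultdict

# OpenSSH writes "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
# A password login that succeeds right after a burst of failures is the
# signal that a guess landed; key-based logins are deliberately not matched.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted password for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample: one source walks a wordlist against several accounts
# and finally gets in as root; a second source is one legitimate typo.
SAMPLE_LOG = """\
Apr 12 03:14:01 srv1 sshd[2210]: Failed password for root from 203.0.113.45 port 51122 ssh2
Apr 12 03:14:03 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Apr 12 03:14:05 srv1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.45 port 51140 ssh2
Apr 12 03:14:07 srv1 sshd[2213]: Failed password for root from 203.0.113.45 port 51151 ssh2
Apr 12 03:14:09 srv1 sshd[2214]: Failed password for invalid user test from 203.0.113.45 port 51160 ssh2
Apr 12 03:14:12 srv1 sshd[2215]: Accepted password for root from 203.0.113.45 port 51170 ssh2
Apr 12 03:20:40 srv1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Apr 12 03:20:55 srv1 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: RSA SHA256:c0nstructedF1ngerpr1nt
"""


def analyze(lines, threshold=5):
    """Return {ip: {...}} for every source with >= threshold failed password logins.

    The threshold is an assumed value for the example. 'accepted_after_failures'
    is the account name if a password login from that source succeeded after
    the threshold was already reached, otherwise None.
    """
    failures = defaultdict(list)   # ip -> usernames tried, in order seen
    accepted_after = {}            # ip -> user that eventually got in
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and len(failures.get(m["ip"], [])) >= threshold:
            accepted_after[m["ip"]] = m["user"]
    report = {}
    for ip, users in failures.items():
        if len(users) >= threshold:
            report[ip] = {
                "attempts": len(users),
                "users": sorted(set(users)),
                "accepted_after_failures": accepted_after.get(ip),
            }
    return report


def weak_sshd_settings(config_text):
    """List the sshd_config settings that leave port 22 open to password guessing.

    Comments are stripped and missing keys fall back to the OpenSSH defaults
    (PasswordAuthentication yes, PermitRootLogin prohibit-password).
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (use keys, not passwords)")
    if settings.get("permitrootlogin", "prohibit-password") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin should be 'no' or 'prohibit-password'")
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
    print(weak_sshd_settings("PasswordAuthentication yes\nPermitRootLogin yes\n"))
```

On the constructed sample, 203.0.113.45 is reported with five failures across four account names and a successful root password login after the threshold, which is the "dictionary attack that worked" case worth paging on; 198.51.100.7 is below the threshold and its key-based login is never counted. The second function is the fix rather than the detection: a server that answers `PasswordAuthentication no` has nothing for a wordlist to guess.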
