Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: 2023 Q3 Compliance and Security Insights
Quick Take
On this week’s episode, the Compliance Unfiltered Duo gives you the quick hits for Q3 2023 in our quarterly security insights episode. Adam provides an in-depth breakdown of all the key topics at hand in Q3 of 2023. The PCI 4.0 transition is upon us – are you ready? Did you see the third-party vendor hacks that exposed data from both American and Southwest Airlines? And ChatGPT… well, when it comes to secure coding, it appears human after all. Finally, Akira Ransomware is gaining momentum with a shift to Linux! All of these topics and more await you on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the custom-to-your-compliance Mike Tyson, Mr. Adam Goslin. How the heck are you, sir? I am doing good. Morning, sunshine. Indeed, indeed. So it is that time again, to all of you Compliance Unfiltered listeners out there: security reminder time for Q3 of 2023.
Adam, tell the folks what they need to know this quarter. Well, our security reminder is going to be: what if your organization has not moved to PCI DSS 4 yet? Oh, that sounds like it might be a pretty relevant topic. Let’s see what other folks think out there, huh? Yeah, something about tick tock, mother effers, comes to mind. Now, bottom line is that you can hold on desperately, like Leonardo DiCaprio to the raft after the sinking of the Titanic, until 3/31 of ’24. And after that, you turn into a pumpkin and sink to the bottom of the ocean. No, you just switch over to 4. So the bottom line is that you’ve got less than a year at this point in the game. The last date to fill out a 3.2.1, sign it and have it stick is March 31st of 2024. So for those organizations that haven’t started getting moving over to 4, you need to start thinking about your game plan right about now. If your annual assessment’s still coming up in Q3 or Q4 of 2023, or it wraps up in enough time for the signing party by the end of Q1 of ’24, then you can stick with your 3.2.1 and then flip over to 4. Otherwise, if the answer to that question is no, you are sometime in the Q2 timeframe, type of thing, then you’re gonna need to start making the transition. So really, for organizations, I’d highly recommend they start that transition sooner than later, regardless of when their next assessment is.
If the folks that are listening are using the TCT Portal, then it’s really simple. You can make a request to have a 4.0 track. We can map everything from your 3.2.1 over to your 4, so you can kind of see what types of coverage you’ve got, and certainly you can start leveraging that. If you have to go up against 4, you’re definitely gonna wanna run your TCT Portal in operational mode, so that you are adhering to gathering, garnering all of the appropriate elements in preparation for 4.0. It is not going to be a flip of a switch. One of the interesting things is that some of the requirements in PCI have legitimately stayed in approximately the same spot, like 1.1.2 was the network diagram, type of thing. Some of these requirements, you work with the compliance standards enough that you get to memorize what the numbers are for the various things. Well, unfortunately, a vast majority of them have shuffled. So we all get to learn a new series of numbers and it’s gonna be a little discoordinated. We’re gonna feel like awkward teenagers for a while. But the reality is that it’s a good idea to go ahead and start contemplating the switch. There are some new things, there are some enhanced requirements, etc. So starting to get your eyes around it sooner than later is going to be a brilliant idea, and for those that are working within a compliance management platform like TCT Portal, the system is going to do a lot of the heavy lifting, so you don’t have to figure everything out for yourself.
I remember back in the day going from whatever, 1 to 2 and 2 to 3, etc. Now we’re going from the 3s to the 4s, and so it’s always entertaining when you’ve got to make those transitions and whatnot. So definitely I would recommend to folks, if they haven’t started that process, take it seriously, get going on it sooner than later. Even if you’re able to clear a 3.2.1 still in advance of it turning into a pumpkin, go ahead and get yourself familiar with 4 and start working down that path for sure.
Excellent. Now, how about security surveys, Adam? Tell the people what they need to know here. Sure. So everybody’s familiar with having to fill out those fricking security surveys, and every single person that sends you one, there’s a different fricking survey. And all it is, is a big bag of the same questions in different orders and that type of thing. Each organization wants to feel like they’ve put their own spin on things and organized it in a way that makes sense to them, etc. What the net result is, you end up having just a gaggle of all of these different surveys asking the same stuff. And it’s not as easy as just copying and pasting answers into the next one, because they’ve moved things around, they’ve shuffled the questions, they’re in different sections, etc. So every single security survey is just another time suck that folks shouldn’t need to deal with. So one of the things that we built into TCT Portal is a capability for what we call public reporting. If you are already using it, then you guys are all nodding your heads and applauding and all that fun stuff. If you haven’t had the opportunity to leverage it yet, go ahead and talk to the support crew, ask them to turn on public reporting, give you a how-to, etc. Basically what it does is it’s a system which is designed to have ready-to-go responses about your security posture to external entities. That’s why we call it public reporting. This is the text that you would hand out to others. You’re not going to go hand them your ROC for PCI compliance, but instead you’re going to kind of give them a high-level overview of what is the organization’s position as it relates to fill in the blank.
So effectively what it allows you to do is go in and write your response once, and then you can go ahead and mix and match that consistent response and shuffle it together to respond to the security surveys that you have coming inbound. So that way, instead of having to, every time you get a new security survey, consult two or three or four or five other surveys and kind of piecemeal everything together manually, which is just a gigantic pain in the ass, what you can do is set up a profile for this new survey and draw in the consistent responses. There are really two benefits. One, obviously, it makes it a hell of a lot easier to go provision these responses, etc. But the more important part is the fact that you can double check and ensure the responses are consistent. There are other organizations depending on this written guidance you’re giving them, so you’ve got to maintain consistency as you go through that process. That way, you’re not telling slightly different stories to different organizations, where maybe one’s wrong, maybe one’s mostly right, maybe one’s spot on. Guess what? You can just write it, vet it, validate it, and then use that on every single one.
That way, every time somebody asks you, whatever, do you manage or maintain your network diagram, then you have a consistent response that goes out to all of the entities that are doing the inquiries. You’ve got the ability to go through and do this effectively, mix and match all your responses, and then punch a button to produce the outbound report from your responses, in addition to your standard-fare compliance documentation that you would normally go ahead and fill out as you’re provisioning these responses to these organizations.
It certainly allows that. It also allows you, let’s say that in the year 2021, we did a security survey response or vendor questionnaire response for Company A. Generally speaking, when they get to 2022, they might have a couple of additional questions, but the vast majority of it is either going to be identical to the last time or primarily similar, is what I meant to say, as you’re going through that process. So when you get to that second year of responding to Company A, now it’s just a matter of going through and validating: okay, is it the same structure, do we have any new questions, etc. You go through, you do that quick validation, and then quite frankly, as long as you’re managing and maintaining your response library, you just hit the button and poof, it comes out. So yeah, it ends up working out really, really well. It saves time, saves pain, makes it suck less and provisions consistent responses all the way around. A brilliant frickin’ idea for the poor souls that have the joy of dealing with the security survey arena.
Excellent, well, it’s that time again, as it is every quarter. Adam, what’s new in the news? Well, just a reminder that listeners can gain access to links to these various news stories: go to the TCT website, www.gettct.com, and then click on Resources and Security Reminders.
And you’ll see the Q3 2023 security reminder blog entry, and you’ll be able to go in there; there are links to all of the actual news stories in there. So with all that said and done, let’s go with the first one. So we’ve got a third-party vendor hack exposing data at both American and Southwest. There was a company called Pilot Credentials. They were breached, and it was discovered in early May. They’re a third-party vendor; they host pilot information for American Airlines and Southwest. As of the time they were writing the article, the American and Southwest systems didn’t appear to be directly impacted by this breach. The target appears to be the data of the airline pilots and training cadets. The attacker used an unauthorized access exploit, but they weren’t certain if it was an internal threat actor or some type of malicious software that was behind that initial breach. In this particular case, they had over 8,000 personnel that were affected between those two major airlines. Next up, they found some critical security flaws in the social login plugin for WordPress, which was exposing user accounts. WordPress is one of the more popular website building platforms, so they’re constantly the target of bad actors, if you will. There was a critical security flaw identified in miniOrange’s Social Login and Register plugin that basically let the attacker use a hard-coded social media account login feature, using a valid email address and identifying the user that they’re trying to exploit. This particular issue was discovered in all of the versions prior to 7.6.4. So if the account that they compromise is the WordPress site administrator for the organization, that could lead to a complete compromise of the organizational assets for the systems that they’ve got up and running via WordPress. And next up, let’s talk secure coding. The good news is that the AI, AKA ChatGPT, is actually quintessentially human.
So the tech arena already experiences a lot of bugs and vulnerabilities and threats in cybersecurity.
Now we get to go layer in AI. The IT departments and security services are struggling to maintain safety in their networks without the help of AI-borne issues. So AI sounds like a cool way to help mankind, but there are always negatives that go with the positives. Phishing, malware creation, script kiddie activities all increased dramatically in 2023, in good part due to services like ChatGPT and other AI services, with folks basically leveraging those platforms to very quickly and expediently iterate their bad-actor software that they can go ahead and leverage. It used to be that human beings were going through and recoding the code so they could try to bypass detection mechanisms, etc. With the lovely advent of AI, they’re able to do that at a much faster pace, and that’s a good part of what’s driving a lot of the increase in the traffic we’re seeing in that area. Next up, we’ve got some new ransomware. Akira is building momentum with a shift into the Linux arena. Akira ransomware, oh boy, say that 10 times fast. And it is specifically being crafted to go around Windows. With all the vulnerabilities in Windows, it’s lucrative to attack it, but the more Windows is getting attacked, the more people are getting things buttoned up, etc. So they added some new capabilities to Akira to specifically target Linux-based systems. Trying to breach Linux would also be kind of a financially solid move for the attackers, as a large share of environments are using open-source Linux-based server operating systems. The ransomware isn’t just released to continually target one type of system. Once the attackers start seeing some success, they go out, they enhance their product so that they can continue to stay relevant and stay ahead of the defensive postures, to continue to potentially bring them in revenue in the form of ransom payments to release the data that they turn around and encrypt.
So that’s gonna be an interesting move if they start finding some pretty solid vulnerabilities in the Linux space. So that’s that one. And last on the heap today, we’ve got that most of the enterprise security information and event management platforms, otherwise known as SIEMs, are blind to MITRE ATT&CK tactics. They were doing some digging and whatnot into SIEM platforms, and they were finding some pretty gaping holes in the monitoring techniques that they were seeing. A group called CardinalOps did some research that shows major SIEMs like Splunk, Microsoft Sentinel, IBM QRadar and Sumo Logic were only detecting about a quarter of the MITRE ATT&CK techniques. And granted, 24% is better than zero, but a little more perspective will help. There are about 200 different techniques defined in the MITRE ATT&CK pool right now, meaning that only about 50 of them are getting logged and alerted on and reported. The SIEMs they investigated took in enough data to cover about 94% of the 200 different attack types. So there’s some disparity between the data they’ve got, which ought to allow them to detect these, and the actual detection pattern. So the team generating the pattern recognition for the remainder of those MITRE ATT&CK techniques is just behind in getting those defined, getting those into the system. It’s kind of tough to sit there knowing that there’s a good number of these attack patterns that are not currently built into these particular tools. In some ways, it’s causing organizations to be lulled into a false sense of security when it relates to these MITRE ATT&CK techniques. So I’m really hoping that the SIEM providers kind of gang up and close the loop on this one in particular, because it’s tough when you’ve gone through the efforts to put a platform in place believing that it’s going to protect you.
It’s a little unnerving when you find that they really aren’t covering you as well as you would have hoped, shall we say. Without a doubt. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered.
I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.