Quick Compliance & Security Insights for Your Employees: Q1 2023

TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.

As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.

Where Are Your People REALLY Storing Sensitive Information?

Most compliance standards require your organization to designate approved methods and locations to store sensitive organizational information. But just because you have an approved storage location list, that doesn’t mean that’s where everything is being stored.

Each organization has its own approved storage locations for sensitive data, so it’s important for employees to understand your organization’s rules and requirements. Everyone in your organization should know your company’s policies, including the requirement to request approval for any additional storage location before it is used.

It isn’t always convenient to save files to the approved location, and sometimes employees will save a file “temporarily” to another location because they’re in a hurry. Often, users don’t think about the ripple impacts. If you have company assets that are being saved to disparate, uncontrolled locations, you could have sensitive data that’s left unprotected or stranded.

This is one of the most common ways that organizations get nailed with data breaches. A whole host of sensitive information gets saved to an unencrypted external hard drive, the hard drive goes missing, and the next thing you know you’re dealing with a very public and very expensive data breach.

I cannot underscore too strongly the importance of clearly and continuously communicating how and where your company’s data is to be stored. Employees should be held accountable, with consequences for violating company policy. To provide an added layer of accountability, you can purchase data loss prevention (DLP) software that tracks how company information is being disseminated.

Quick Tip: Split Requirements into Multiple Workflows

Sometimes an organization needs to separate its compliance evidence into two or more workflows. For example, it might have several hosting facilities with different sets of evidence, or multiple networks running on different operating systems.

In this case, it often makes sense to keep things segregated into multiple workflows so you can track your compliance engagement appropriately.

TCT Portal can split requirements into multiple buckets so that you can track these workflows individually. Requirement splitting lets you divide a requirement into separate splits, each with its own tracking and workflow, and assign the tasks and responsibilities for each split to different personnel.

Now you have a completely separate workflow and evidence repository for each split, and you can track progress at a granular level. Ultimately, all of the evidence rolls up to the main requirement — but while you’re completing tasks and tracking progress, you can do everything at the individual split level.

Requirements can be split as many times as needed, and in whatever way your organization needs. To enable requirement splitting, just send a request to our support team and we’ll turn it on for you.

What’s Going on in Security Today

This quarter, we opted to include more news stories than normal as there were a lot of very interesting security and compliance news events that happened over the past 3 months. Enjoy!

Popular WAFs Subverted by JSON Bypass

Web application firewalls (WAFs) from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack that uses the popular JavaScript Object Notation (JSON) format to slip past the firewall. Many organizations lean on their WAF as a crutch instead of truly securing their web applications, and they forget to let security testers bypass the WAF so they get a true sense of the security posture of their applications in the event of WAF failure.

LastPass Discloses Second Breach in Three Months

The threat actor behind an August intrusion used data from that incident to access customer data stored with a third-party cloud service provider, and affiliate GoTo reported a breach of its development environment. Although LastPass and GoTo both confirm no impact to production environments and no direct loss of customer data, this story still appears to be unfolding.

Knock, Knock: Aiphone Bug Allows Cyberattackers to Literally Open (Physical) Doors

The bug affects several Aiphone GT models using NFC technology and allows malicious actors to potentially gain access to sensitive facilities. The devices in question (GT-DMB-N, GT-DMB-LVN, and GT-DB-VN) are used by high-profile customers, including the White House and the United Kingdom’s Houses of Parliament.

SiriusXM, MyHyundai Car Apps Showcase Next-Gen Car Hacking

A trio of security bugs allows remote attackers to unlock or start the car, operate climate controls, pop the trunk, and more — all via poorly coded mobile apps. The issues, which impacted many car brands, appear to stem from a lack of basic security testing as part of the development and release process for these applications, leaving owners to figure out for themselves what exactly they need to do to secure their own vehicles.

Spacecraft Vulnerable to Failure, Thanks to Aerospace Networking Bug

A single device with malicious code can foil a networking protocol used by spacecraft, aircraft, and industrial control systems, resulting in unpredictable operations and possible failures. The finding comes from researchers at the University of Michigan and NASA, who note that the protocol, known as time-triggered Ethernet (TTE), reduces the cost of implementing networks for critical infrastructure devices by allowing multiple devices to share the same network without affecting one another.

Stolen Data on 80K+ Members of FBI-Run InfraGard Reportedly for Sale on Dark Web Forum

Information on more than 80,000 members of InfraGard, an FBI-run program whose membership includes the key people who run our nation’s critical infrastructure, has reportedly been put up for sale. That makes the repository a gold mine for bad actors or nation states seeking to consolidate this information for directed attacks on the United States.

Google WordPress Plug-in Bug Allows AWS Metadata Theft

A new vulnerability in the Google Web Stories WordPress plugin would allow authenticated users to steal AWS metadata and use it to further exploit the compromised site, prompting a reminder about patching maintenance and strong user authentication.

TCT proves compliance doesn't have to suck.
