TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
Are Your Vendors Secure? You’d Better Find Out.
Vendor management is an important arena that every organization should pay attention to — and it’s a requirement for many security / compliance standards, including PCI DSS 4.x. I recommend starting the process by pulling together your list of vendors and doing a sanity check to ensure their security stance meets the security / compliance requirements of the various standards and certifications your organization is subject to.
Have your accounting department compile a list of every vendor you’ve paid in the last twelve months. Take that list and start categorizing your vendors by their exposure to your sensitive data. Are they simply delivering pencils and printer paper, or are they backing up your critical servers?
Let each vendor's category drive how much scrutiny it gets. The more exposure a vendor has to your data, the more important it is to verify that its security posture complies with the various standards you are assessed against.
IMPORTANT: If your vendors’ recertification date is after March 31, 2024, they will need to provide an Attestation of Compliance (AOC) for PCI 4.0, not 3.2.1. Double-check each vendor to ensure that they provide the right AOC.
I recommend running your vendor oversight process quarterly instead of once per year. That way you review the vendors whose paperwork comes up for renewal in the next quarter and collect fresh compliance reporting from them on time, which lets you catch issues well before your own annual deadline arrives.
Quick Tip: Generate INFI Worksheets with Just a Click
One of the new aspects of PCI DSS 4.x is the Items Noted For Improvement (INFI). INFI gives the QSA a way to record items that required improvement as the Assessor worked through the assessment. INFIs require additional paperwork, called INFI worksheets.
TCT Portal has the ability to automatically generate INFI worksheets at the end of your engagement. All the required information is captured as the QSA conducts the assessment, and the paperwork is generated with the click of a button.
See it in action — schedule a demo today.
What’s Going on in Security Today
Modern cars are a privacy nightmare. A recent study found that 25 out of 25 car brands collect and use significant amounts of personal data. Collected data includes how a phone interacts with the car, what apps are used, how frequently the apps are used, and more. Most of the car companies sell personal data to third parties.
Just over 50% of the investigated car companies share information with government or law enforcement agencies upon request. Tesla received all five “dings” on data privacy, according to Mozilla.
Poorly secured Linux-based SSH servers are being targeted by dictionary attacks, and their credentials are being sold on the dark web. Attackers also have another option at their disposal: once in, bad actors install port-scanning and dictionary-attack software and target other servers and systems within the affected system’s network.
They then install cryptocurrency mining software and use the infected systems to perform DDoS attacks. So, once access is gained, they essentially get a mining bot and another node to help take down other networks. The NKAbuse malware is being leveraged here, using the NKN (New Kind of Network) protocol as a communication channel to help carry out these attacks.
An undocumented hardware feature on Apple’s System on a Chip (SoC) allowed multiple vulnerabilities to be exploited. These vulnerabilities pose a risk to the privacy and data security of Apple iOS device users. The main target of the attack is iMessage, and it has been exploited on versions of iOS up to 16.2.
Upon initial discovery, the attack was taking advantage of four individual zero-day exploits. What is particularly alarming is the growing number of attacks, threats, and eventual exploitations on the iPhone platform. Due to the closed nature of iOS, it can be challenging to detect these newer attacks without network traffic analysis or data forensics tools.
There is a new Terrapin flaw targeting the SSH protocol. The Terrapin attack is being classified as “the first ever practically exploitable prefix truncation attack.” In short, the attacker can manipulate the sequence numbers during the handshake without either side detecting it. An attacker acting as a man-in-the-middle with access to the TCP/IP layer can downgrade the SSH security negotiated during the handshake.
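As an added illustration, not part of the original post, the check below parses the algorithm lists an SSH peer advertises and reports whether it is exposed to the downgrade described above. It goes beyond the newsletter by relying on details from the published Terrapin disclosure: the attack is practical only with ChaCha20-Poly1305 or a CBC cipher combined with an encrypt-then-MAC (EtM) MAC, and it is defeated when both peers advertise the "strict kex" pseudo-algorithms. The algorithm lists are constructed sample input in the comma-separated form used by KEXINIT, `ssh -Q`, and sshd_config.

```python
from dataclasses import dataclass, field

# Strict-kex markers (server-side and client-side) advertised in the kex list.
STRICT_KEX_MARKERS = ("kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com")
CHACHA = "chacha20-poly1305@openssh.com"


@dataclass
class TerrapinReport:
    strict_kex: bool
    risky_ciphers: list = field(default_factory=list)  # ChaCha20-Poly1305 offered
    risky_cbc_etm: bool = False  # a CBC cipher offered together with an EtM MAC

    @property
    def exposed(self) -> bool:
        # Strict kex neutralises the attack; without it, either risky mode is exposed.
        return not self.strict_kex and (bool(self.risky_ciphers) or self.risky_cbc_etm)


def _split(algs: str) -> list:
    return [a.strip() for a in algs.split(",") if a.strip()]


def assess(kex: str, ciphers: str, macs: str) -> TerrapinReport:
    """Assess ONE peer's advertised lists. A full verdict needs both peers,
    since strict kex only takes effect when client and server both support it."""
    kex_algs, cipher_algs, mac_algs = _split(kex), _split(ciphers), _split(macs)
    report = TerrapinReport(strict_kex=any(m in kex_algs for m in STRICT_KEX_MARKERS))
    report.risky_ciphers = [c for c in cipher_algs if c == CHACHA]
    has_cbc = any(c.endswith("-cbc") for c in cipher_algs)
    has_etm = any(m.endswith("-etm@openssh.com") for m in mac_algs)
    report.risky_cbc_etm = has_cbc and has_etm
    return report


def harden_ciphers(ciphers: str) -> str:
    """Return a Ciphers list with the Terrapin-relevant modes removed, for hosts
    that cannot yet be upgraded to an SSH build with strict kex."""
    kept = [c for c in _split(ciphers) if c != CHACHA and not c.endswith("-cbc")]
    return ",".join(kept)


# Constructed sample: a server still offering the weak modes, without strict kex.
SAMPLE_KEX = "curve25519-sha256,diffie-hellman-group14-sha256"
SAMPLE_CIPHERS = "chacha20-poly1305@openssh.com,aes128-cbc,aes256-gcm@openssh.com"
SAMPLE_MACS = "hmac-sha2-256-etm@openssh.com,hmac-sha2-256"

if __name__ == "__main__":
    r = assess(SAMPLE_KEX, SAMPLE_CIPHERS, SAMPLE_MACS)
    print(f"exposed={r.exposed} strict_kex={r.strict_kex} cbc_etm={r.risky_cbc_etm}")
    print("suggested Ciphers:", harden_ciphers(SAMPLE_CIPHERS))
```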
Using a cell phone’s audio recorder, attackers can capture the sound of keystrokes and feed that audio into “CoAtNet”, an image-classification model, to produce wavelength images. Using just the smartphone audio, keystrokes were identified correctly with an average accuracy of 95%. Accuracy dropped to 93% over Zoom and 92% over Skype. One potential mitigation is background or white noise around the keyboard; software-based keystroke audio filters can help as well. This acoustic attack can even work on silent keyboards.