TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
How to Choose a Password Management System
Many people devise clever ways of remembering their passwords. But if a clever system lets you keep track of all your passwords, then once one of them is exposed, the rest become far too easy to guess.
Every password you use should be a really long, really ugly, complex string of nonsense — something you’ll never be able to memorize. And you should never use the same password for more than one account. That’s what makes for a strong password, and that’s why you need to keep your passwords stored in a secure password management system.
There are many choices when it comes to password management — whether you’re protecting passwords for work or personal life. First of all, if your workplace requires you to use a specific password management system, then by all means use that one.
Otherwise, you have a couple of baseline choices:
- A SaaS or cloud-based system
- Local-only password repository
Cloud-based password management system
Examples are LastPass, NordPass, and Keeper. Pros and cons include:
- Pro: It’s online, so you can access it anywhere you have an internet connection
- Pro: It’s available on any device — workstation, tablet, phone, etc.
- Con: It may only be available if you have an internet connection
- Con: Your passwords are sitting on someone else’s system, which means you’re depending on their ability to keep your passwords secure
Some cloud-based password managers also offer local replication, which syncs a copy of your vault onto your device so it remains usable offline.
Local-only password management system
These systems are encrypted password vaults that store your passwords securely on your own machine. Pros and cons include:
- Pro: It’s always there, right with you, whether you’re online or not
- Pro: You don’t have to trust the security of a third-party provider
- Con: Because it’s a local repository, it doesn’t easily sync across devices
- Con: You must be very good about regularly backing it up so that you don’t lose your data if your device crashes
- Con: It’s less convenient, especially when logging into an account on a device that doesn’t have your password manager
As with any other vendor or software product, be sure to do your due diligence and research the company before making your selection. In particular, note how many breaches they have announced in their history, and how recent they were.
Also, remember that no company is completely impervious to a cyberattack, and even password managers can be compromised.
Whatever type of password manager you choose, I strongly recommend that you use it for every single password, PIN, and security prompt that you have — whether it’s your company’s financial software or your League of Legends account.
As long as we’re on the topic, be sure to check out these guidelines for using passwords.
Quick Tip: Dashboard Views for Your Specific Needs
TCT Portal is designed to be leveraged by lots of different people in all kinds of roles — from CEO or COO to IT Directors to frontline workers. Everyone needs to see different kinds of data, and we have several different dashboard views to give you the information you need to see.
There are two sections on the TCT Portal dashboard: Section Status and Open Items.
The top portion of the dashboard is called Section Status, and this section gives you four different view options:
Status View. This view is a high-level barometer for identifying which groups have what items. This data is ideal for high-level status updates or as a starting point for weekly status meetings. It also provides the numbers that are typically used to fulfill executive-level status updates.
The Status dashboard can be viewed in a grid format, similar to a spreadsheet, or in a graph format. The graph format is especially helpful for capturing screenshots and sharing them in executive status updates or forwarding to interested third parties.
Assigned View. This is often used for tactical sessions with your team, when you’re talking about who has what items. You can easily see the assignment counts by person at any stage of the workflow.
Reporting View. This dashboard calls out the status of any reporting that’s happening during the engagement. It provides a sense of what’s been worked on, how complete the reporting is, and who has been working on it. It’s a great way for Assessors to keep tabs on their team’s reporting activities.
Overdue. When you’re running in Operational Mode, this dashboard makes it easy to see what items are overdue and who is assigned to them. This is invaluable for making sure that you don’t fall behind on your regular maintenance schedule.
Open Items section
The bottom section of the dashboard is Open Items. There you’ll find a plethora of different items, based on your user preferences. The most common of those is a filter called My Requirements. This filter allows you to spotlight all the items that are assigned to you. If you’re in Operational Mode, you can also see the items that are coming up within the next 100 days.
There’s a lot more you can view, depending on your user preferences. We encourage you to go in and play around with both sections of the dashboard to see what works best for your needs.
What’s Going on in Security Today
On the very first day of the Pwn2Own Vancouver 2023 security conference, contestants successfully compromised Windows 11, Tesla, macOS, and Ubuntu desktop. Microsoft SharePoint was also compromised. One contestant used an improper input validation bug in Windows 11 to elevate privileges without needing an administrator username and password.
The Synacktiv team escalated privileges on Apple’s macOS by exploiting a TOCTOU (time-of-check to time-of-use) bug. Participants at the conference have received $375,000 for unearthing 12 separate zero-day exploits.
General Bytes announced that it received a warning from hacktivists stating that they were able to steal user information and funds from hot wallets through its Bitcoin ATMs. General Bytes is one of the organizations that deploys Bitcoin ATMs, which allow bitcoin customers and holders to exchange bitcoin for cash and vice versa at an ATM, much as you would at a bank or credit union.
The attackers were also able to reach and view event logs, which exposed customer secret keys linked to their wallet addresses. With those keys, an attacker can impersonate the customer who owns the bitcoin in that account and empty the wallet.
A new malware is specifically targeting Linux servers, especially poorly managed ones. Shellbot, also known as Perlbot, is DDoS malware that uses the IRC protocol to communicate back with the attacker’s command-and-control (C&C) server.
It can only get in through an open, listening SSH port (port 22). Shellbot uses a dictionary attack to guess the credentials. Once a password has been cracked, the C&C server sends commands remotely to retrieve information harvested from the infected system.
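Because Shellbot gets in by guessing SSH passwords, the telltale sign on a server is a burst of failed password logins from one address, sometimes followed by a success. The following is an added example (not code from TCT or from any product mentioned here) that parses constructed sshd log lines and flags that pattern; the log lines, host name, and IP addresses are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not from any real host).
SAMPLE_AUTH_LOG = """\
Mar 23 02:14:01 host1 sshd[2101]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar 23 02:14:03 host1 sshd[2102]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar 23 02:14:05 host1 sshd[2103]: Failed password for root from 203.0.113.45 port 51141 ssh2
Mar 23 02:14:06 host1 sshd[2104]: Failed password for invalid user oracle from 203.0.113.45 port 51150 ssh2
Mar 23 02:14:08 host1 sshd[2105]: Failed password for root from 203.0.113.45 port 51162 ssh2
Mar 23 02:14:09 host1 sshd[2106]: Accepted password for root from 203.0.113.45 port 51170 ssh2
Mar 23 02:20:11 host1 sshd[2201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 23 02:20:40 host1 sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_auth_log(text, year=2023):
    """Return (timestamp, result, method, user, ip) tuples; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def detect_dictionary_attacks(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed password logins inside the window,
    and record whether any login from that IP succeeded after the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed" and e[2] == "password"]
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i][0], failures[i + threshold - 1][0]
            if (last - first).total_seconds() <= window_seconds:
                alerts[ip] = {
                    "failures": len(failures),
                    "usernames": sorted({e[3] for e in failures}),
                    "success_after_burst": any(e[1] == "Accepted" and e[0] >= last for e in evs),
                }
                break
    return alerts
```

A success following a burst is the case worth paging on, since it means the guessing worked; the single failure from the second address is ordinary noise and is not flagged.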
The popular Netgear Orbi home Wi-Fi system has been found to be vulnerable to arbitrary command execution. Four major vulnerabilities were found across the system, some in the “satellites” and some in the main router.
Three of the four vulnerabilities, however, require the attacker to first gain access to the network, either by knowing the network password or by connecting through a network that is not password protected. The fourth allows a man-in-the-middle attack against the home’s public IP address to trick the main router into sending sensitive information to the attacker.
Industrial Control Systems (ICS) are under attack now. Delta Electronics’ InfraSuite Device Master, a real-time device monitoring software, has several serious flaws in versions prior to 1.0.5. The most severe of the vulnerabilities is CVE-2023-1133.
The flaw is that the Device Master software accepts unverified UDP packets and deserializes their contents, allowing an unauthenticated attacker to craft UDP packets that achieve remote arbitrary code execution.