Quick Compliance & Security Insights for Your Employees: Q2 2024

TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.

As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.

Password Best Practices You Shouldn’t Ignore

Many organizations get breached simply because passwords have been exposed and much of the personal identity theft can be attributed to weak personal password approaches. The need has never been greater to get serious about password security.

Following password best practices will benefit your organization, as well as your employees’ personal lives. 

I had one guy at a client organization who was following horrible password practices, and I held his feet to the fire on it. He griped about all the changes I made him make and complained about how inconvenient they were. One day, about six months later, he came back to me and thanked me for forcing him to clean up his password practices. He said, “It was the best decision I ever made. My wife has had her personal information hacked three times in the last six months, and I haven’t had any problems since I started following your advice.”

If your employees are similar to that guy, your company’s security is like a sieve. But you can make it tighter by following these password best practices.

Never use the same password twice

Each account you use should have its own distinct password. If a bad actor is able to discover your password for one account, you want to limit the damage to that one account. Otherwise, they could keep trying the same password on your other accounts and break into them as well, spreading the damage and exposing more data.

Don’t use passwords with patterns

Some people took the approach of having a system for passwords, based on a pattern. That way, you could have distinct passwords for every account, and they could be complex — but since they were based on a pattern, you could easily remember each password. 

If you base your passwords on a pattern, they will be discoverable. It might take longer for a bad actor to figure it out, but attackers are using sophisticated AI programs to identify patterns. Eventually, they’ll be able to access most of your pattern based authentication to your accounts, because you’ve essentially given them the key. 

This issue is made far worse once there are multiple systems breached where passwords are exposed. The bad guys can compare passwords across multiple systems based on your email address to crack the pattern.

Choose passwords you’ll never be able to remember

Your passwords should be effing long, completely randomized, and made up of letters, numbers, and special characters. If the system you’re creating a password for will allow you to create a 50-character password, do it. The more complex, the better. 

Any password you can commit to memory is too simple and much more likely to be discovered.

Use a password management system

The beauty of a password keeper is that you don’t have to remember any of your passwords. Actually, just one: the password to the keeper. You can also securely store URLs, usernames, passwords, notes, and security questions. 

Hot tip: when setting your answers to the security questions, don’t use answers that make sense. Instead, provide a random two-word combination such as “yellow jogging.” This makes it that much harder for a bad actor to guess what your favorite flavor of ice cream might be (for example). Set your answers to security questions differently for each site.

Don’t write down your passwords

This is Remedial Password Security 101. It doesn’t matter if it’s in your desk drawer, stuck in your wallet, or hidden on the underside of your chair. Any password that’s written down is a major vulnerability for your company. Just. Don’t. Do it.

Quick Tip: Use TCT Portal for an Easy Move to PCI 4

If you’re going up against PCI DSS, the last day to fill out an AOC under PCI 3.2.1 was March 31, 2024. So I’m assuming that your company is now staring down the enormous task of transitioning to PCI 4. If you’re using TCT Portal, you’re in luck.

TCT Portal not only has the ability to migrate your company to PCI DSS 4, it can also reference files back to your PCI 3.2.1 track, based on mappings. 

If you’re a current TCT Portal customer, you can start using the PCI 4 track now. All you have to do is click a button. The system’s automated mapping can either import or link all of your existing evidence from PCI 3.2.1 and puts it in the proper line items for PCI DSS 4. 

There’s no guesswork about where something belongs in the new version. No research to verify your interpretation of the standard. No crossing your fingers and hoping that you got it right.

If you aren’t a TCT customer yet, we strongly recommend loading your most recent compliance records into TCT Portal on the PCI 3.2.1 track. That way you have a history you can reference as you go through your transition to version 4. From there, you can map them seamlessly onto PCI 4.

Have questions? Want to see it in action first? Request a personalized demo to see how easy it can be to get up and running with PCI 4.

What’s Going on in Security Today

Facebook may have exploited user devices to spy on competitors, documents show 

Facebook, or Meta now, was caught using a man-in-the-middle (MitM) attack against its competitors. The shocking revelation from this finding is that they were using their customers’ mobile devices to try and detect, decrypt, and intercept other app analytics on the customers’ phones, like Snapchat, YouTube, and Amazon. 

It was alleged that Mark Zuckerburg discussed potentially paying teenagers to install “kits” on their phone, which would allow the attacks to happen — and would prevent Meta from directly being linked to those other apps.

Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds 

Unsaflok is a keycard hacking technique that could potentially unlock millions of key-card hotel room doors in seconds. It needs to be performed in certain steps, leading to the ultimate exploitation. 

Dormakaba is the brand under fire in this vulnerability. They used weak encryption and RFID exploits. The hackers used a used hotel key card, a $300 RFID read and write device, then wrote two blank keycards of their own. The first blank card rewrites a part of the lock’s data, and the second key card exploits it.

CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

It would not be a TCT quarterly security reminder without some form of an issue from Microsoft. Microsoft SharePoint has a new vulnerability that can be remotely executed: CVE-2023-24955. If the attacker gains authentication with Site Owner permissions, they can initiate network-based attack code remotely. 

This vulnerability was found in the middle of 2023, but some companies are still being victimized by this attack as a result of bad patch management. There is also no new information on what “weapons” the attackers are using to exploit the weakness — only that the weakness can still be present if not patched properly.

‘Tycoon’ Malware Kit Bypasses Microsoft, Google MFA

Tycoon is a new malware that is being sold via the Telegram app. It is essentially a low-cost phishing as a service platform (PHaaS). This phishing kit can perform a blitzkrieg on Microsoft 365 and Gmail email-based accounts, and has capabilities that could potentially allow it to even bypass Multi-Factor Authentication (MFA). 

Bitcoin is used as the payment method, and the malware allows phishing attackers to set up Tycoon 2FA. It allows the attacker to use a reverse proxy server, host the phishing target webpage, accept the victims prompts/inputs, and redirect them to the actual MFA request.

SEC ramps up hack probe with focus on tech, telecom companies, Bloomberg News says

The US SEC is continuing its probe into the government breach of 2020 through SolarWinds Orion system. This breach left thousands of companies with potential exposure to also being targeted. The SEC regulator in charge of this probe has now asked for any internal communications from affected companies regarding the impact to their systems due to this breach. 

This is in relation to the court filing the SEC made against SolarWinds, claiming investors were defrauded by SolarWinds covering up known weaknesses.

Cloudflare blocked 3.4 billion unwanted emails last year

Cloudflare is a web security giant in the cybersecurity space. The data is in, and Cloudflare has announced that the service blocked a rounded 3.4 billion spam emails last year. That equates to blocking over 100 spam emails per second. These blocked emails include spam, malicious, and bulk mailing messages. Three percent of the emails were phishing emails, with a growing pattern for that heading into 2024.