TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
What Is Central Logging?
Central logging is a technical subject, but it’s important for everybody in a compliant organization to understand what it is and why it’s important.
In a compliance engagement, centralized logging is intended to be its own separate secure repository of logs. Basically, it’s a duplication of the logs across your environment. Each individual device within your network environment pushes its logs to the secure secondary location, so that you have a solid repository that can’t be altered. It provides a point of reference, in the event that you need to peruse or review those logs.
A lot of people take a “set it and forget it” approach to their central logging. Don’t make that mistake. Instead, integrate a quarterly pulse check to make sure that all of the devices that you expect to be logging still are. Validate that you have the right number of devices logging, and that they match the exact devices that should be logging.
Some quick tips:
- If your central logging system can do it, turn on alerts if something stops logging.
- During periodic checks, make sure that 90 days of logs are immediately accessible, and that your logging repository has at least a year’s worth of logs. That way, if you have a problem with the logging on the device itself, you have a backup.
- Don’t send alerts on everything. Take the time to determine which items should raise alerts and what information you actually need. Many logs are benign noise that gets in the way of what is important to pay attention to.
- Regularly review how your logs are categorizing new log patterns, because new log patterns show up all the time. Technology changes and interactions between machines constantly change.
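As an added example (not TCT’s code) of the quarterly pulse check described above, the script below compares a constructed device inventory against a constructed export of last-seen timestamps from the central repository and reports devices that are missing, stale, or unexpected. The hostnames, timestamps, and the 24-hour silence threshold are assumptions; it also shows why checking the device count alone is not enough.

```python
"""Quarterly central-logging pulse check (added example, not TCT's code).

Assumes two inputs: an inventory of devices that should be forwarding logs,
and an export from the central log repository listing, per source host, the
timestamp of the most recent event received. Both are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: hostnames that are expected to forward logs.
EXPECTED_DEVICES = {"fw-edge-01", "sw-core-01", "db-prod-01", "web-prod-01", "vpn-01"}

# Constructed export from the central repository: host -> last event seen (UTC).
LAST_SEEN = {
    "fw-edge-01": "2022-07-15T09:58:00Z",
    "sw-core-01": "2022-07-15T09:59:30Z",
    "db-prod-01": "2022-07-01T02:10:00Z",   # went quiet two weeks ago
    "web-prod-01": "2022-07-15T09:57:10Z",
    "lab-test-07": "2022-07-15T09:50:00Z",  # logging, but not in the inventory
}

NOW = datetime(2022, 7, 15, 10, 0, tzinfo=timezone.utc)  # constructed check time


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pulse_check(expected, last_seen, now, max_silence=timedelta(hours=24)):
    """Compare the inventory against the repository and classify each device."""
    seen = set(last_seen)
    stale = {
        host for host in expected & seen
        if now - parse_ts(last_seen[host]) > max_silence
    }
    return {
        "missing": sorted(expected - seen),          # never reached the repository
        "stale": sorted(stale),                      # present, but stopped logging
        "unexpected": sorted(seen - expected),       # logging, but not in inventory
        "healthy": sorted((expected & seen) - stale),
        "count_matches": len(seen) == len(expected), # the weak check
        "exact_match": seen == expected,             # the check the page asks for
    }


if __name__ == "__main__":
    for category, value in pulse_check(EXPECTED_DEVICES, LAST_SEEN, NOW).items():
        print(f"{category}: {value}")
```

With the sample data the device count matches (five expected, five seen) while the exact set does not, which is the case the quarterly check exists to catch.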
Quick Tip: Easily Move to PCI DSS 4.0
If you’re using TCT Portal, making the switch to PCI DSS 4.0 is straightforward and easy. When you’re ready to have that track set up, you have a couple of options.
Your first and simplest option is to contact TCT’s support team as soon as you’ve completed your annual cycle under PCI 3.2.1. Ask us to set you up with a PCI 4.0 track — the same way that you would have requested your PCI 3.2.1 setup. From there, we can spin up the portal track and map items from your 3.2.1 track over to 4.0.
You can also convert to PCI 4.0 in the middle of a PCI 3.2.1 track, as long as you know what your goals and needs are.
The transition is quick — you’ll be running on your new track within one business day, and often in a matter of hours.
What’s Going on in Security Today
Ransomware gangs are adding leverage to get victim companies to pay: they provide a searchable database where they post the breached data of non-payers, making it easier for the affected people (employees or customers) to identify themselves and pressure the organization to pay.
Adobe released their own “Patch Tuesday” on July 12, 2022. This was in response to a series of flaws in several pieces of their software, having an impact on both Windows and macOS installations.
The affected software is Adobe Acrobat/Reader, Photoshop, RoboHelp, and Character Animator. The flaws include full system takeover, remote code execution, and memory leaks. Adobe has stated that these flaws were not exploited “in the wild” before the patches were produced, but organizations still need to get themselves patched promptly.
A new malware is making the rounds that specifically targets Linux devices. Linux is generally viewed as a safe alternative to Windows in corporate environments, and even in home environments.
This malware is called Orbit. It differs from previous Linux threats because it can steal information directly from different commands and processes, and it can also tamper with the files associated with processes on the local system.
The malware provides remote access capabilities over SSH, allowing attackers to harvest credentials and data.
A new malware is now circulating that uses a “fileless” attack to inject remote shellcode into Windows. It leaves no malware-specific trace files on the system for detection.
Using an infected Microsoft Office document, the Rozena malware creates a remote backdoor. The Office document is used to deliver the malicious payload onto affected systems. A patch that fixes this finding already exists, but most organizations have not installed it yet.
Microsoft has fulfilled a promise to cloud consumers: Windows Autopatch is officially live. The service is only officially live for Windows Enterprise E3 and E5 licenses. Azure Active Directory Premium and Microsoft Intune are also needed to access Windows Autopatch.
Patches will be applied automatically to all devices subscribed to the services above, but beware — Microsoft has stated that Autopatch cannot prevent glitches caused by bad patches.