TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.

As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.

What if You Haven’t Moved to PCI DSS 4.0 Yet?

In less than a year, you will no longer be able to become certified under PCI 3.2.1. The last date to fill out your Attestation of Compliance (AOC) under PCI 3.2.1 is March 31, 2024. If you haven’t already started the transition to PCI 4.0, you need to be developing your game plan now.

If your annual assessment concludes in Q3 or Q4 this year or Q1 of 2024, you can be on PCI 3.2.1 for the remainder of this cycle. Otherwise, you need to make the move to be operating on PCI 4.0 now.

That said, I highly recommend that you start your transition to version 4.0 now, no matter when your next assessment is. Moving from 3.2.1 will not be a simple flip of a switch. You’ll need to do your homework, understand the differences between the versions, and consider how the transition will impact your organization.

It’s a whole lot easier to transition from PCI 3.2.1 to version 4.0 if you’re already working within a compliance management system like TCT Portal. TCT Portal has built-in mappings from 3.2.1 to 4.0, so you don’t have to figure any of that out yourself.

It’s also not too late to load your 3.2.1 track to facilitate your orderly transition to 4.0.

If you haven’t already done so, it’s time to start taking your transition to PCI DSS 4.0 seriously. And you’ll make your life a hell of a lot easier if you leverage technology to make that path as seamless as possible.

Quick Tip: Fill Out Security Surveys in a Snap with TCT Portal

Dread filling out security surveys for your clients and partners? You’re not alone. Every single organization out there uses a different series of questions — they have their own pet concerns, they word things differently, and they put the questions in different orders.

So you can’t simply copy/paste your answers onto the next organization’s survey — you end up having to respond to each survey uniquely. Each security survey is another time suck you shouldn’t have to deal with.

TCT Portal’s Public Reporting capability is designed to give ready-to-go responses around your security posture to external entities. Write the response once, and TCT Portal lets you drop it into any other survey that asks for the same information.

Everyone on your team can leverage that same response. They also have the capability to mix and match the answers so that they’re in the appropriate order for the particular survey they’re responding to.

Just go into TCT Portal, configure a response template, and click a button to generate the output. Not only do you save time, you also create a consistent set of responses, no matter who is responding to a survey. There’s no need to worry if Bob’s response is as accurate or complete as Mary’s response, since both individuals are pulling from the same pool of already validated responses.

What’s Going on in Security Today

Third-Party Vendor Hack Exposes Data at American, Southwest Airlines

Pilot Credentials (the company) was breached, as discovered on May 3. Pilot Credentials is a third-party vendor that hosts pilot information for American Airlines and Southwest Airlines. As of this writing, American’s and Southwest’s own systems don’t seem to have been directly impacted by the breach. The target appears to have been the data of the airlines’ pilots and training cadets. The attacker gained unauthorized access, although it isn’t certain whether an internal threat actor or some type of malicious software was behind the initial breach. Over 8,000 personnel were affected between the two major airlines.

Critical Security Flaw in Social Login Plugin for WordPress Exposes Users’ Accounts

WordPress is one of the most popular website building platforms out there, so it is no surprise that it is constantly the target of ill-minded ventures. A critical security flaw has been identified in miniOrange’s Social Login and Register plugin. The flaw essentially lets an attacker abuse the plugin’s social media account login feature: by supplying a valid email address, the attacker identifies the user whose account they want to take over.

The flaw affects all versions prior to 7.6.4. If the account the attacker compromises belongs to the organization’s WordPress site administrator, it could lead to a complete compromise of the organization’s assets in WordPress.

When It Comes to Secure Coding, ChatGPT Is Quintessentially Human

The tech industry already contends with a high volume of bugs, vulnerabilities, and cybersecurity threats. Now add in AI. IT departments and security services across the globe are struggling to keep their networks safe even without AI-borne issues. AI is a great way to help mankind, but whenever there is a positive, there is always an associated opposite.

Phishing, malware creation, and script-kiddie activities have all increased dramatically in 2023, thanks in part to ChatGPT and other AI services. Phishing campaigns and malware can now be produced much more quickly and much more cheaply.

Newbie Akira Ransomware Builds Momentum With Linux Shift

Akira ransomware was crafted specifically to target Windows. With all of the vulnerabilities in Windows systems, attacking them is lucrative. But as Windows gets attacked more and more, IT departments and organizations across the globe are moving their infrastructure and computer assets to other platforms.

New capabilities have been added to Akira to specifically target Linux-based systems. Breaching Linux is also a financially savvy move for attackers, as a great share of environments run open-source Linux-based server operating systems.

Ransomware isn’t released to target only one type of system forever. Once the attackers see success, they continue enhancing their “product” so it stays relevant and keeps bringing in revenue, in the form of ransom payments to release the data they encrypt.

Most Enterprise SIEMs Blind to MITRE ATT&CK Tactics

Security Information and Event Management (SIEM) platforms have gaping holes in their monitoring coverage of today’s ever-evolving threat landscape. Research conducted by CardinalOps shows that major SIEMs like Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic only detect an estimated 24% of MITRE ATT&CK techniques. While 24% detection is better than zero, that number needs some more perspective.

There are roughly 200 different techniques defined in the MITRE ATT&CK framework, meaning that only an estimated 50 of those attack techniques are logged, alerted on, and reported to IT departments. The investigated SIEMs were confirmed to ingest enough data to be capable of covering roughly 94% of the 200 ATT&CK techniques. The gap between the data collected and the detections actually built is lulling many departments into a false sense of security.

TCT proves compliance doesn't have to suck.
