Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Q2 Security Insights 2025
Quick Take
On this episode of Compliance Unfiltered, it is that time again! You guessed it, time for all of the spicy security stories that were, and the critical security reminders for the second quarter of 2025.
Wondering about phishing, vishing, and smishing?
Then you’re not going to want to miss this episode of Compliance Unfiltered!
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
And welcome into another edition of Compliance Unfiltered. I’m Todd Coshow alongside the perfect bait to your compliance fishing excursion. Mr. Adam Goslin. How the heck are you?
I’m doing great, Todd. How about yourself?
And I can’t complain. It is that time again. That’s right. We’re talking about the 2025 Q2 security reminders. All right. So the big security reminder to start us all off. We’re talking about phishing, vishing and smishing. Adam, tell us what we need to know.
All right, very good. You used to be back in the day you could spot those phishing emails from a mile away, right? It’s a Nigerian prince, it’s horrifying grammar, and, and, and, and, needless to say, times have changed. Phishing scams have become a lot more sophisticated. They’re coming in through email, not just through email, but through other channels, text messages, voicemails, you know, you name it. So, it’s important that, that folks keep themselves up to date on latest and greatest in the phishing arena. You know, phishing is a, is commonly an email attack where, you know, bad actors are sending messages. They’re either trying to, you know, dupe you into providing sensitive information, downloading a malicious file, clicking on a malicious link. I did recently get a new one that I hadn’t seen before, which makes sense. Once, once, once you’ve received it and you’re going, oh, okay, that’s cool. Not cool, cool. But you know, it’s, it’s like, oh, ingenious. So I got an email where instead of the atypical, send you a link, or there’s a button in there, or whatever it may be, they sent me an email and in it, it had a QR code so that you could, it was a handy dandy QR code. You could just go ahead and, you know, whatever. I think, I think the premise is, is that people are seeing it on their, you know, on their computers and they can just use their phone to go, you know, basically hit the link. So I think their primary target there is, you know, is, is trying to hit mobile devices, you know, and whatnot, because that’s typically how somebody would be go about using it. Unless they got a reader or something on their, you know, on their, on their phone, if they’re looking at it there, but they, they do it that way just to, to make it easier for you. Uh, you know, and so of course the link’s going off to some malicious site, et cetera. But you don’t know because the QR code doesn’t clearly display, Hey, here’s, we’re about to launch you to.
So I was like, Oh, that’s pretty, that’s pretty ingenious. But, um, You know, phishing isn’t just, you know, an email scam though, you know, the attackers these days are, you know, getting more and more clever, shall we say. So we’ve got, you know, smishing, which is phishing through SMS text messages. We’ve got vishing, which is voice phishing, either trying to send you messages through your email or, you know, or through your phone, you know, et cetera. Angler phishing, where they’re using fake social media posts designed to hook victims. Spear phishing, where you targeted phishing for a specific individual. Whaling, targeting a phishing attack on a senior executive. So, you know, regardless of which “ishing” we’re talking about, or “aling” as the case may be, the, you know, the bad actor is posing as a trustworthy source.
The recipient’s going under the assumption that it’s a legitimate person or organization on the other end and that they need to go do whatever the message had requested. You know, the goal of these phishing scams is to gain access to your system or sensitive data and, you know, it happens by conning you into providing sensitive information or by, you know, provisioning access to your device or devices, whether it’s your computer or your mobile, your tablet, whatever it may be, you know, typically through installation of, you know, kind of malicious software. Now that said, the phishing attacks have been getting more and more difficult to be able to identify, you know, the, you know, everybody seems to be doing the AI zombie walk and has been, you know, for about the last, you know, 18 months or so. And the bad guys are, you know, taking a page out of the book, if you will. So, you know, we were talking earlier about back in the day, they’ve got broken English is, you know, is integrated into these things, et cetera. And, you know, the reality is that through AI, you know, they can use that to write attacker scripts that are coming across in, you know, perfect conversational English. But even with the, you know, with the greater levels of sophistication, you know, there’s some common telltale elements that, you know, these phishing attacks will include, you know, including, you know, a link, an image or a button that needs to be clicked, an attached file that’s to be downloaded, a request for sensitive information, you know, a request to update information. So, as such, you know, update your banking information, come over to our handy dandy login page and type in your bank credentials, you know, type of a deal. So, you know, requesting to, it could be requesting to update personnel banking information as well.
I’ve been getting actually a fairly steady stream lately of, you know, of these folks sending in emails and saying that, you know, one of my people has, you know, has changed their banks and so can I please go update the banking information for them type of thing. So as a business owner or someone in management, et cetera, been seeing a lot more of those. You know, the attackers are going to also typically include some form of urgent messaging, oh, you need to get, do this now, or you need to do this within the next X minutes or this horrifying thing’s going to happen to you, whatever. So they try to use a pressure tactic to be able to get people to take action. You’ll also see, maybe not right out of the gate, but at some point in the continuum of the interaction, they, you know, the conversation turns to a payment request, in their cryptocurrency, gift cards, cash. I was hearing a story about some attacker. I was just taking a sip and sipping a little coffee here. I’m still, I’m still dealing with this effing cold that’s been going on for, I don’t know. I think I’m, I think I’m in week five of the afterglow, uh, if you will, it’s, yeah, I mean, it’s, it’s horrifying anyway.
Um, I’ve been hearing more and more though, they’ll go and they’ll get somebody on the line, uh, get, you know, get, get a new fish on the line and, um, and convince them to go and pull out thousands of dollars, you know, from their account. And then they’ll actually send somebody to go pick it up, you know, type of a deal it’s, I mean, there’s some, there’s some wild stuff going on out there, so, you know, the, the, the bad actors are counting on, you know, people to, you know, to, to not think deeper than, you know, scratching just the surface, acting on impulses, um, be in a hurry so that they’re not looking at things too closely, you know, et cetera. So, you know, we just need to need to slow it down and, you know, slow it down, take things with a grain of salt. You know, the one, the one recommendation I’ve given people for north of a decade is that no matter what you get, you know, if your bank is telling you, Hey, you’ve got this horrifying problem, you know, then, then, you know, don’t, don’t use what they sent to you. Go to the known bank website. If there’s something that’s that important, you can bet your bottom dollar that they will have some alert when you go log in and telling you that you got, you got an issue you need to go figure out. So, um, you know, that’s certainly, uh, uh, certainly a best practice that everybody, whether it’s in at work, whether it’s in your personal world, you know, take that piece of advice. Yeah, that will go a long way to, uh, uh, to avoiding issues, regardless of the kind of the attack vector. So, so for vishing attacks, uh, where people are sending in a scam voicemail message, you know, a lot of the, a lot of phone systems these days will automatically transcribe that voicemail message and make it visible on your, you know, uh, on your phone or make it visit or send you an email with the content, et cetera.
And sometimes what they’ll do is they’ll leave a URL, um, to, to in the message so that the receiver will go in and click on the URL to redirect, you know, you know, type of type of a deal. They go into the guiding assumption. It was really who, who they said, you know, said that it was, um, you know, the, those vishing attacks can be really convincing because some of those, uh, bad actors, they can use AI to deep fake a trusted person’s voice, such as the company CEO, um, you know, there, if there’s videos or, you know, pod recordings of the person’s voice that are already online, then that, or they can use that to create a very convincing, uh, you know, uh, you know, fake AI voice that’s coming over. Um, you know, the, the other thing that I wanted to, to point out to folks is that, you know, a lot of times. A lot of times there’s two different things you have to watch out for, especially in the phone arena. One, if you can gain a kind of voice validation type of a thing, that’s one thing, but most importantly is watching the numbers that the calls are coming from. The majority of them are going to be coming from an unknown number, a block number, that type of thing.
The minute you’re seeing block numbers or unknown numbers, there’s your radar that’s going off. Secondarily, especially with the admin and the AI, the other problem is if the attacker happens to know the phone number from which this person would be calling you, it is possible for them to go ahead and fake the phone number that they’re calling from as well. All the way around, just trust your gut. As you’re listening to this thing, as you’re hearing what they’re saying, trust your gut. Vishing can also be a live phone call. The caller will usually give you some type of false story, seeking to gain information or eventually leading to money, looking to change hands, creating an urgent scenario that needs a quick response. They’re wanting you to do things before you can validate, before you can think clearly. Don’t feel pressured to do an immediate reaction. Slow it down a little bit, hang up, take a minute, double check what you’re hearing. Validate it through a secondary source that you know to be trustworthy. As an example, if I was getting bad vibes from the CEO calling me and telling me I needed to fill in the blank, what I may very well do is hang up the phone and call the CEO. Call the known number, validate that this is real, et cetera. It’s shocking to those that weren’t expecting it when they do that validation and the CEO is like, what are you talking about? It always gets entertaining. Smishing, phishing via text messages, they’ll normally try to start out with some type of a, trying to get you engaged in a conversation. One of the things that I’ve been seeing for a long time now is they’ll send in text messages and what they’re seeking is, let’s say they send it to somebody in IT and they’ll try to get them to go over to their personal phone, just send a message from your personal phone. Well, why are they trying to do that?
Well, they’re trying to get the person off of the systems where monitoring, alerting and things along those lines are probably tracked and get them over to a device where it probably isn’t. Through text, they might be, I’ve gotten some that just says, hey, great chat, great chat last month, let’s keep chatting type of thing and literally just send that, excuse me, coming from a known number and you don’t have any clue who the hell it is and so they’re just trying to get you engaged. They could also send photos, links, a link to a file, they could be using URL shorteners like bit.ly or TinyURL that hides the actual URL that they’re going to and whatnot. A lot of the time they are using that trust factor through the smishing attack. Anytime you’re getting something that’s not expected or coming from a source you don’t recognize, just make sure that you’re going in and confirming things. Like I said earlier, if you’re getting an alert from your bank or from filling in the blank site, et cetera, just go directly to the known URL that you’ve got for that facility.
Don’t ever use the things that they send you. Don’t ever use the alerts that they send you to go in and do that validation because if it’s important enough, when you get there, there will be flashing lights and sirens and all sorts of fun stuff when you go get logged in, but more often than not, people are finding that it was a fake. Go in, don’t use the phone numbers they gave you, go do a lookup for the organization, call the number that you’ve already got in your contacts, things along those lines. That’s a far better way to go about doing it. Yeah, it’s going to take you a couple extra seconds and it’s less convenient, et cetera, but I’ve had a couple of people try to get me on the phone and whatnot, and if it’s a real legitimate organization, they’re going to understand that you’re kind of pessimistic about what they’re saying to you. The one thing that the listeners need to remember is that every single one of you plays a critical role in helping to shield your organization from bad actors. Everybody in the organization is part of the solution on this one. So that’s just something for everybody to kind of keep in mind, if you will.
Quick tip, how splitting requirements means lowering complexity, tell us more.
Sure. So, with those folks that are on the TCT portal, we’ve got the capability to split a requirement. So, I’ll bring that up because a lot of organizations will have multiple locations they need to gather evidence for. Maybe it’s physical evidence that they need to gather up information for. So, maybe they’ve got multiple locations, multiple firewalls, multiple operating systems, which every time you’ve got these multiples, now I have multiple headaches that I have to deal with. So, when you have to gather up multiple groups of evidence to satisfy a particular control, it makes the whole work process a hell of a lot more complex and more cumbersome. So, when you have multiple people that are adding evidence to the same line item, it also starts to get confusing. Like, let’s go to the firewall example, right? Maybe you’ve got one individual that is an expert in this type of firewall, and you’ve got another individual that’s an expert in this firewall, or with the locations. These are literally locations that are, maybe they’re located in different states. It’s not going to be the same person for location one, two, and three. So, you’ve got different people involved and whatnot. So, it becomes a real burden, but through the TCT portal, we’ve got functionality that will allow you to split your existing requirement across whatever it may be that you have multiples of. So, it’s really, really super easy to go in and do, but it allows you to take that one item. So, let’s say I was gathering up physical security evidence from multiple physical locations. If I go into the one that says, hey, do you have cameras pointing at the entry doors and exit doors, as an example. What I can do is I can take that one requirement, I can split it into my, and basically make a bucket for each of the three locations. The coolest part is, is that now I can go in and I can assign Mary at location one, I can assign, you know, Bob at location two, I can assign Frank for location three.
And so, now I have the right people on the right items, and better yet, as Mary finishes her item, now she hits the button, it moves up the workflow, her item is now closed out. I know that I’m still waiting on the other two to go and provision their evidence, but now it allows me to track it by person, you know, who’s still holding the bag, et cetera. Once I’ve gotten all three, now I can go ahead and clear that requirement type of deal, but it really gives you granular control over your tracks. Everybody can, you know, kind of really know what their assignments are on the track, and better yet, you can go ahead and replicate that when you’re going from year one to year two, you know, that type of a thing, you can, you can go ahead and, you know, and do that. So, it just gives everybody that’s involved in the engagement, just a really good way to be able to go through, track their, you know, and really give you that line item level tracking that you need on these engagements, because it’s a whole hell of a lot easier.
If you think about, you know, if you think about the way it normally works, well, I got three people that are on this one particular item, and so, you know, person one loads their evidence, and then they hit the complete button, right, to go move it up the workflow. Well, the other two didn’t put theirs on yet, so now I’m wasting time. It removes those things from their purview as still needing to be done. It’s moving it up for review. Whoever’s reviewing, it’s wasting their time reviewing it, because there’s only one of the three things I needed. They invariably end up shoving it back down again, and one of two things happens, either the person that did their evidence initially, they’re like, well, I already did this. Click, they move it back up again, or maybe the second person goes in, adds their evidence, and hits the complete button again. It’s like, no. So, it’s just, it is really, really painful when you’re dealing with the situation, but we’ve got that capability, you know, within the TCT portal. Easy to go turn on. Just, you know, go reach out to us and let us know that you need some help there. We’ll be happy now.
Very cool. What’s new in the news, as always, just a friendly reminder that listeners can access the links to the various news stories by going to the TCT website at www.gettct.com. Click on resources and click on security reminders. Adam, what’s new in the news?
Well, let’s see, a couple of different things in the security arena. So there was an organization that does penetration testing that did some analysis of their last 10,000 internal network layer penetration tests. And what they ended up finding out is that there are some trends in organizational security gaps that are capable of being exploited by attackers. So we’re not necessarily talking about zero-day exploits, but weak points within the organizational systems. And so what they found is that half of the risks they were seeing were due to misconfigurations in either settings or appliances. 30% were due to missing patches and or poor patch management, and 20% were related to weak passwords and password policies. So the article goes into depth on the granular details of the 10 critical ones that they kind of dialed in on as our top 10. But I thought that mix was interesting. And really, for me, what it underscores is for an organization that’s got a strong stance on their security and compliance program, and better yet, an organization that is leveraging a strong security and compliance management system, these are the types of things that with a well-run program that they ought to be able to identify and detect and get proactive about across their systems, all of these groups of vulnerabilities are really preventable if you have the right internal controls in place to be able to get them addressed before they turn into real issues. So with mobile jailbreak, they’re seeing that that is going a long way for increasing corporate risk. So jailbreaking and rooting of mobile devices have been around for years. And so there’s a, Magisk is a popular Android rooting, and checkra1n is one of the more popular iOS varieties. But these mobile platforms are restrictive compared to the computer operating systems. And so people are using these methods so that they can make the phone less restrictive.
Well, the report and data analysis is showing that companies that have a BYOD policy have a much greater risk of having exploits and bugs getting through and onto their systems through these employee-owned devices that have been either jailbroken or rooted. And so the greater risk percentage for cyber compromise is anywhere between 3,000 and 3,000 times greater when you’ve got these types of devices in there. So just something for organizations, especially if you’ve got BYOD capabilities and where those devices are connecting on your network, certainly something for folks to think through. So, AI driven roles in cybersecurity. So, in 2024, ISC2 members were surveyed about how they perceived AI to impact their security roles in organizations. And certainly 82% of them said that AI would make things more efficient. And it does seem to be holding true. You know, you think about the average mid to large size company, you know, has between 65 to 75, sorry, 60 to 75 different security tools at their disposal. So, you know, it means that, you know, a lot of the security professionals are starting to look toward AI for automation assistance, relieving them of some of the, you know, kind of manual overhead, you know, things on those lines. So, it’s allowing the tools to implement machine learning for observations, learning, and taking on some of those repetitive tasks in cybersecurity. Ultimately, you know, being a driving force to making security personnel more efficient. You know, the only, you know, the only wave of caution, I love talking about the, you know, the AI zombie walk, that is, you know, contemplating dipping their toe in the AI arena and or implementing tools that integrate AI. You know, it also is important for those organizations to ask a lot of questions and really clearly understand the boundary lines between, you know, between their desired functionality versus who all they are sharing that data with.
You know, if the platform is just dumping your sensitive data, you know, into an open AI platform, then that’s not so good. So, you’ve really got to ask a lot of questions, especially right now. The AI is just absolutely the Wild West these days, it feels like. So, Steam pulled a game off of their gaming platform. They had a demo installer for a piece of software called Phantom’s Resolution, or Sniper: Phantom’s Resolution. And they found that it was infecting systems that it was downloaded on. So, leading to all sorts of information extortion. So, users were noticing that the descriptions were copied from other games and it was prompting players to download this demo installer from an external GitHub repository instead of through the primary Steam platform, among other oddities. So, there were several facets to this particular installer and there were a lot of steps that were put into it by the publisher to gather information from any individual that was downloading it. So, I thought that was interesting. Kind of underscores for these platforms that are provisioning things. I know that certain of the folks that play in that space have learned their lesson over the years, apparently. Apparently, they got one to learn. And finally, there’s a brand new botnet that’s delivering record size DDoS attacks. So, there’s a new botnet called, it’s spelled “eleven”, spelled out, with the number 11 and “bot” behind that. So, it’s causing a big stink. The botnet’s targeting webcams, video recorders, and once infected, the compromised systems are then used to initiate distributed denial of service attacks against any particular target that Eleven11bot wishes. So, while the DDoS attacks aren’t technically a failing criteria for PCI, per se, and other forms of compliance, they can definitely be very frustrating and annoying to maintain a presence so that you can repel these attacks.
The simple idea of a DDoS attack is to overwhelm the organization’s edge gatekeeper, whether it’s modem, router, firewall, et cetera, flooding it with so many packets of data distributed from a ton of different systems that the protection mechanisms will either stop responding, maybe puke up, maybe go offline, and ultimately, their desire with those is either to take the target, the target offline, make them inaccessible, or by door number two is to create a circumstance whereby the attacker has the capability to go in and gain access to the system through a hole that’s now been opened up as a result of the protective mechanisms failing, depending on what state they failed into.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
And I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.