Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Q3 Security Insights 2025
Quick Take
On this episode of Compliance Unfiltered, it is that time again! You guessed it, time for all of the spicy security stories that were, and the critical security reminders for the third quarter of 2025.
Curious about learning some tips on how to impress your assessor? Wondering how you can maximize your knowledge of the space to minimize the struggles associated with your engagements?
Then you’re not going to want to miss this episode of Compliance Unfiltered!
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the supercharger in your compliance muscle car, Mr. Adam Goslin. How the heck are you, sir?
I am doing fantabulous today, Todd. How about yourself?
Can’t complain, brother, I truly cannot. It is that time again, folks, that’s right. Security reminders for Q3 of 2025. Adam, let us know about this quarter’s security reminder tips to impress your assessor.
Well, you know, the client-assessor relationship is an important one, you know, if you want to have a positive experience, you know, you need to have some good rapport, mutual trust, and the better your relationship, the easier everything goes. You know, there’s a, you know, we’ve got kind of a set of best practices so that people can make the most, you know, of the relationship with their assessor starting with, making sure that you hire, excuse me, hire the right assessor for you. You know, if you’re looking for a new assessor to work with, you know, you want to walk into the process as if you’re, you know, kind of starting a dating relationship, you know. Every organization has its own kind of corporate culture. Some are easygoing, others are more formal, you know, and the same thing exists over on the assessor side. Your choice of assessor should be a great match to your organization’s culture because you’re really forming a relationship that, you know, that, you know, needs to be mutually beneficial and you don’t really want to be in a situation where those two are oil and vinegar, you know, if you will, it’s good to have, you know, kind of the right mix there.
Certainly you want to start that relationship with the assessor on the right foot, you know, once you’ve gone through onboarding your assessor, etc., you know, then, you know, there’s often a pressure to, you know, really show the assessor that you’ve, you know, completely got your crap together, you know, type of a thing and, you know, my recommendation is, you know, bring the assessor in early, you know, talk to them about where you’re at, talk to them about what you’re doing, you know, at the end of the day, the right assessor is going to have their brain in the right spot, which is I’m getting my arms around this organization, I’m learning about these things, I may be able to give them some high level of directional guidance, etc., but I know they’re on the path to, you know, being ready to go, but pull that assessor in right out of the gate, because that way you don’t want them, you know, you don’t want them surprised that, you know, hey, they’re going to need this amount of time to be ready to rock and roll. It also gives them a better understanding, you know, of what’s going on. You definitely don’t want, you know, don’t want them, you know, digging deeper so that they can find, you know, find skeletons, etc., so use that onboarding period to be able to have important conversations around, you know, current challenges that you’re, you know, that you’re actively working through, things along those lines as you, you know, go through and confirm the scale and scope of the engagement, different certifications, the overview or layout of the organization, people involved, departments, things along those lines, all of that is going to, you know, give the assessor the, you know, kind of the right feel out of the gate.
Certainly, one thing that’s important with the assessor is communicating a commitment to compliance, you know, as you’re going through all of this hard work and ready for the assessment, you know, you can go to the, you know, to the assessor team, you know, when you do need their input about a particular control that, you know, if you’ve got multiple ways to go about doing it, you know, gaining their input, gaining their feedback, gaining their, you know, kind of direction, if you will. The assessors love being able to, at the end of the day, they love being able to help people, and so, you know, giving them that kind of understanding, you know, of what’s going on so that they can, you know, share some of their knowledge with you, you know, etc., that’s a good thing. You know, there’s some organizations that are, they’re hesitant to engage. Now, to be amazingly clear, you know, you don’t want to just wide open, full throttle, share everything under the sun, you know, type of a thing displaying, you know, lack of compliance and things along those lines, but, you know, certainly gaining their, you know, gaining their trust, understanding, knowing that you will ask questions appropriately as you’re going through the process and preparing for the assessment, that’s something that they’ll actually admire and appreciate. So, you know, don’t be hesitant about doing it in the right way. You know, they’re often very glad to be able to jump into the mix, feel a little bit better about their comprehension and understanding, you know, and whatnot. Just keep in mind, you know, you don’t want to be, the intent here isn’t to pound the blazes out of the assessor with a billion questions, etc. I mean, you’ve got to be restricted and limited. 
They’re not here to be your compliance consultant, which we’ve talked about on pods numerous times as to what the benefits are there, you know, but certainly, you know, kind of ingratiating them into, you know, directed questions, where it makes sense, etc. They love it. You know, be prepared, this sounds like the dumbest thing ever, but actually be prepared for your annual assessment. You know, I can’t tell you back, you know, especially back in the day, how many organizations are like, you know, the date hits for green light go on the assessment, but they’re nowhere close to ready. You know, just make sure you got your I’s dotted and your T’s crossed. You know, there’s nothing that frustrates an assessor more than, you know, companies that can’t get their act together. You know, the assessor’s got a job to do, I mean, you think about it, right? They need to come in, they need to do their assessment, they need to do their evaluations, they need to review their stuff, do their interviews, gather the evidence, review the evidence and write up results. And then, you know, they’re off to the next party. They’ll see you next year, type of deal, but, you know, they’re not there to, you know, hold your hand, add an item for weeks and months at a time, you know, hoping that you’re actually going to be ready for the assessment you said you were going to be ready for.
So that’s again, that’s where a consultant comes into play. So you know, how can you make sure that you’re actually ready? You know, for those that are leveraging the TCT portal, it’s amazingly clear. You know what evidence has been put together, you know what things are done, you know what things are still left open, etc. So you’ve kind of got a, you already have a rock solid repository of what’s where, what needs done, you know, has it been pushed up and ready for review, that type of thing. So you know, there’s nothing that’s going to impress an assessor more than a client that is really well organized, has everything within reach that can communicate, you know, communicate their responses clearly and concisely that can readily reference the appropriate documentation for the topic at hand. All of those things increase the assessor’s confidence, you know, that they’re gaining that transparency and openness and honesty they’re seeking, but able to enjoy just clearing through, you know, clearing through the engagement.
You know, you want to make the next topic I’ve got, make the onsite assessment easy. So when it comes to the onsite assessment, you know, the assessor’s going to have their own list of things they want to see. Get a list of the things that they’re looking for right out of the gate. What do they want to cover? Make sure you’ve got everything ready to go, the agenda’s lined up, you have not only people to cover topics, but you also have backup people for those topics. Make sure they’re actually in the office and not on vacation. You know, things along those lines. It’s amazing how far that’ll go. You know, sit down with your team before the onsite, go over the agenda, talk to your expectations, questions, topics, etc. Set expectations, you know, answer any of the team’s upfront questions that they’ve got before the onsite, you know, etc.
And, you know, it even comes down to, I’ve been on engagements where the person that’s going around doing the physical security walkthrough doesn’t have the keys for all the various doors and buildings, etc., that we need to go in and visit. So it’s the little things, right? You get better at it year over year, but, you know, just make sure you’re prepared as you’re going through it. So you’ll have it all lined up. And then when you’ve got everything prepared in advance, primary and secondary people in place, etc., you’re ready to hit the ground running. The assessor had a six-hour agenda that you clear in four hours. I’ll tell you what, you’re earning brownie points with that assessor at that point in the game. Because, you know, you’re showing them. You’ve got your compliance act together. You demonstrated, you know, some consideration for the assessor themselves. The onsite visits for these assessors, man, they’re tired from traveling, they’re stuck in a hotel, they’re separated from their family, they’re mentally, physically exhausted.
So all of these things will, you know, kind of ingratiate you to your assessor, if you will. And finally, the closing loops. So, you know, when the assessment’s over, and this happens if you haven’t been through the process before or you’re a seasoned veteran, I don’t care, man. Every single freaking time, I think it’s a, I don’t know if I want to call it a character flaw, but it’s almost like a challenge. You know, the assessors, no matter how damn good a company is, they always want to come up with something. They want to feel like they’ve contributed something to this engagement. So just don’t be surprised. Things are going to pop up that need to be followed up on. But, you know, before that onsite activity is over, you know, coordinate with the assessor. Review the open list of items that they’re requesting or additional things they need clarity on. Establish, if you can do it at the time, great, but really shortly thereafter, commit to delivery dates for the various items that they’ve requested from you. Hit the dates that you commit to. Don’t get overly aggressive. If you really need a week, don’t tell them two days, you know, type of a thing. We want to be able to hit the mark. You’ve set the, you’ve set everything up properly. You’ve done all the upfront work. You’re impressing the blazes out of the assessor. Don’t screw the pooch on the finish line. So, you know, hit your dates. They’ve got schedules they need to meet. We need to set their expectations for when they can expect to have their stuff. That way we’re maintaining kind of a respectful commitment. You know, on both sides. You get your stuff done for the assessor. The assessor will get their stuff done for you. It’s kind of magic the way that works.
Indeed, it is. Indeed, it is. Okay, quick tip, easily regulate user access. Tell us more about it.
Well, this is our TCT Portal Quick Tip, so you want to be able to make sure that you’ve got certain people and various functions across the compliance team, and it’s important to limit who has access to what, what types of sensitive data do they have access to. You may need to limit some of the functionality to particular individuals, etc. So a little note, some people know this, some people don’t, but the TCT Portal makes the role-based access within TCT Portal easy to manage. You can take an assignment within the TCT Portal, give it to a single individual, but you can also assign that single item to multiple people. So if you’ve got a team of people that share the same role, you can assign this particular item to all of the various people that need that access. So in that scenario, everybody on the team is going to get that assignment reminder and continue to get them until one person pushes that, you know, that item off the plate, takes action and marks it complete. So you’ll also have the ability to turn on a user in what we call restricted mode. So in restricted mode, it allows users to only see the items that they are actually assigned to. And so basically you can take certain users, restrict their access. So let’s say I’ve got somebody, you know, somebody within the organization that really only needs to supply, you know, supply information on the inventory as an example. They don’t need access to the firewall rules. They don’t need access to HR legal documents, etc. You can dial that person in on restricted mode. But in the same sense, if you’ve got people on the team that are, you know, have broad scope responsibility, then you can just leave them unrestricted. So you can make that decision user by user, you know, and whatnot.
But, you know, if your organization would prefer to limit the visibility of the people on their engagements, put a request into TCT support team and we’ll be able to kind of walk you through how to limit people into that kind of restricted mode.
What’s new in the news? Listeners can access links to the various news stories by going to TCT’s website www.gettct.com. Click on resources and then click on security reminders. Adam, to the news.
All right, so running down the list, we had a company called Vanta, they’re a major player in the compliance space. They pushed a product code change that caused private data from some of their customers to be exposed to other customers. Vanta was stating that hundreds of their clients were impacted. One of the clients was told that employee data was exposed to a different client’s Vanta instance, information such as names, roles, MFA configuration settings were reportedly exposed to different client instances. There is also a new Linux flaw that enables full root access via PAM and udisks across major distributions. So, Qualys has discovered a couple of vulnerabilities. They can be exploited to gain root privileges on major Linux distros. SUSE 15’s PAM enables a local attacker to elevate to the allow_active user and then call polkit actions that effectively allow the remote user to simulate being physically connected or present in front of the machine. The second vulnerability actually plays off of the first one where they’re using the libblockdev service that allows the active user to gain root privileges once that first vulnerability is exploited. The next one, this one was interesting. China broke a lower grade level of RSA encryption by using a quantum computer. They’re viewing this as an impending threat for global data security. While AI is leading the headlines, if you will, quantum computing is quietly redefining everything about computing. So, these Chinese engineers, they used a quantum computer built by D-Wave Systems and they factored a 22-bit RSA integer, theoretically decrypting RSA. So, with that, RSA is heavily used in all sorts of computer industries as a security measure and especially in the banking arena. Now, while the 22-bit RSA integer is still small in the realm of RSA, many of the keys that are in use today are 2048 bits or higher. But this is an early step toward eventually breaking that encryption algorithm.
So, it’s kind of interesting news, if you will.
The next one up is the US insurance industry, my bad, warned of a Scattered Spider attack. Google has officially warned the insurance company giants that the Scattered Spider attack is leaving the retail sector and starting to move toward the insurance industry. Scattered Spider officially starts as a sophisticated social engineering network of attacks that target multiple employees at the target organization and once they get some of that information then they try to deliver ransomware payloads to perform both data theft and extortion. So folks in the insurance industry keep your eyeballs open and keep your security awareness training in high gear. Kali Linux 2025.2 was released with 13 new tools, including car hacking updates. So for those that may or may not know, Kali Linux has been around for years in the computing world. It’s a Linux operating system. It has several tools that are built into it for both cyber offense and defense purposes. The newest version has a bunch of new tools. There’s a new interface that’s called, there’s a new Kali menu. There’s also a car hacking tool set that they’ve integrated. So the newer smarter cars can get probed by these tool sets and can be potentially breached, exposing sensitive information that is within the car, the cars that have internet connectivity within them. So the more the technology evolves, the more the bad guys are going to take advantage of it, if you will. And finally, we’ve got OpenAI is supposed to be helping DoD with some cyber defense, under a new 200 million dollar contract. So OpenAI opened up OpenAI for Government, a 200 million dollar campaign that’s designed to allow US government workers to enhance their work capabilities. It’s a major, it marks a major shift for the AI giant, as they’re now officially working alongside the US government and the partnership will allow AI to start pioneering prototype capabilities for the AI frontier.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.