TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends to help you get more out of your compliance management.
The Dangers of Public WiFi
Public wifi is everywhere, and that’s incredibly convenient if you’re working remotely. But it’s also dangerous, because bad actors can use a public network to gain access to your device and your data. Depending on the configuration of a wireless system, a hacker can connect to your machine, see what you’re transmitting to the internet, and exfiltrate files from your device.
If you’re connected, you’re vulnerable — even if you aren’t actively sending data over that connection. Think of it like a highway from one city to another: you don’t need any traffic in order to get to your destination.
The best recommendation is to not use public wifi at all. When you’re on those networks, you’re depending on the security of the public wifi, and you don’t know whether other devices on that network can open connections to your machine. A properly configured public network can be perfectly fine, but the issue is that you have no way of knowing whether a particular network is safe to use.
Are all public wifi networks unsafe? Not all. The general state of wifi systems has improved over the years, especially among large companies that place an emphasis on their wireless service — for example, Starbucks. But mom and pop shops typically don’t have a clue about adequate wifi security or appropriate configuration of their networks.
But even accessing a safe network can be risky, because a hacker can name their own hotspot to look like a legitimate one. A bad actor can set up their own wifi network near a Starbucks cafe and name it “Starbucks-Guest-01.” It looks just like the real thing, so it’s easy to sign onto the wrong network. You won’t even know that your data has been exposed.
What if you have a VPN? A VPN protects the traffic that travels from your laptop to the VPN endpoint, but it doesn’t by itself protect your machine. If the attack targets your machine rather than your traffic, your VPN alone won’t do you any good.
So what should you do? I use the hotspot on my phone to connect my laptop. Yes, it’s a wireless network, but the telecom companies have done a great job of hardening their systems against hackers. While it will be a slower connection, it’ll be a safer one! If you don’t have a hotspot on your phone, you can buy a hotspot device at your local wireless store.
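The point above is that a VPN covers your traffic, not your machine, so the host itself has to be closed to the network it is sitting on. The following PowerShell is an added example, not code from the TCT article: on a Windows laptop it reclassifies every Wi‑Fi connection as Public and puts the Public firewall profile into block‑all‑inbound mode, then reports whether the hardening is in place. It assumes Windows 10/11 with the built‑in NetSecurity cmdlets, an elevated session, and that Wi‑Fi interfaces are named `Wi-Fi*` (an assumption).

```powershell
# Added example (not from the TCT article): treat every Wi-Fi network as untrusted.
# Assumes Windows 10/11, the NetSecurity module, and an elevated PowerShell session.
# The 'Wi-Fi*' interface-alias filter is an assumption about the adapter name.

function Get-UntrustedWifiExposure {
    # Wi-Fi connections Windows does NOT treat as Public: Private/Domain profiles
    # allow network discovery and per-app inbound rules, which is exposure here.
    Get-NetConnectionProfile |
        Where-Object { $_.InterfaceAlias -like 'Wi-Fi*' -and $_.NetworkCategory -ne 'Public' } |
        Select-Object Name, InterfaceAlias, InterfaceIndex, NetworkCategory
}

function Set-PublicWifiHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Reclassify every Wi-Fi connection as Public so the Public profile applies.
    Get-NetConnectionProfile |
        Where-Object { $_.InterfaceAlias -like 'Wi-Fi*' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Set NetworkCategory=Public')) {
                Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
            }
        }

    # 2. Public profile: firewall on, unsolicited inbound blocked, and per-app inbound
    #    allow rules ignored (the "block all connections" mode of the Windows firewall).
    if ($PSCmdlet.ShouldProcess('Public firewall profile', 'Enable and block all inbound')) {
        Set-NetFirewallProfile -Profile Public -Enabled True `
            -DefaultInboundAction Block -AllowInboundRules False
    }
}

function Test-PublicWifiHardening {
    # $true only when the Public profile is on and closed to inbound connections
    # and no Wi-Fi connection is still classified as Private or Domain.
    $p = Get-NetFirewallProfile -Profile Public
    $exposed = @(Get-UntrustedWifiExposure).Count
    ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block') -and
        ($p.AllowInboundRules -eq 'False') -and ($exposed -eq 0)
}

Get-UntrustedWifiExposure        # what is exposed right now
Set-PublicWifiHardening          # add -WhatIf to preview the changes
Test-PublicWifiHardening         # should print True afterwards
```

Run `Set-PublicWifiHardening -WhatIf` first to see which connections it would reclassify; the hardening is persistent, so apply it on laptops that roam rather than on desktops that need inbound services.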
Quick Tip: Streamline Your Compliance Document Management
Attempting to manage all of the documentation on a security and compliance engagement is challenging. But TCT Portal makes it easy. The software includes a built-in capability to attach all of your documentation at requirement level across the entire certification or standard. Connect the document once, and it’s also connected at every single requirement that it applies to. It’s as easy as can be.
Take, for instance, your main information security policy. On a complex certification track such as SOC or PCI, this one document could be attached to well over a hundred line items. What happens when you need to make slight language changes at the request of the Assessor? Managing the versions of that document and replacing it everywhere is a nightmare.
With TCT Portal, you simply load the new version, and every instance of that file is instantly updated with the latest version of the documentation.
What’s Going on in Security Today
Technical debt increases security risk. Technical debt is created when shortcuts are taken in IT, whether in coding, architecture, infrastructure, or performance. Accumulating technical debt across many of these areas drastically increases the overall security risk an organization is carrying, and that risk can come due at any point.
After several recent attempts to break into drinking water treatment systems, it is apparent the U.S. has a problem. Many of the devices used inside drinking water facilities are not inventoried across the 52,000 separate drinking water systems. One of the biggest and most critical challenges to protecting our drinking water from attackers is simply getting these devices inventoried.
BeyondTrust has identified that vulnerabilities in Microsoft products are up nearly 48% compared to 2019. In 2020, Microsoft had 1,188 published security vulnerabilities, topping the list. Apple, by comparison, was 8th with 381. This does not mean that every published vulnerability was harmful in practice: many were reported by bug bounty hunters and were never exploited.
71% of IT decision makers have personally experienced some type of mobile phishing in the past 5 years. They’re stating it’s only getting worse. 53% of decision makers in this survey said that they and their organizations can’t be ready for all the tactics and strategies attacking mobile devices.
The big SolarWinds breach that occurred last year was a huge blow to U.S. cybersecurity efforts, and the United States is now pouring billions of dollars into cybersecurity as a result. CISA has determined that if victims had configured their firewalls to block all outbound connections from the servers running SolarWinds, the malware would have been neutralized instead of spreading like wildfire.
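The CISA finding above is an egress-filtering lesson: a monitoring server rarely needs to talk to the Internet, so an outbound default-deny with a narrow allowlist is what would have stopped the beacon. The PowerShell below is an added example, not code from the TCT article or from CISA: it sets the Windows firewall's outbound default to Block on a server and then allows one application to reach only internal address space. `$AppPath` is a placeholder (the page gives no path) and the RFC 1918 ranges are constructed sample values; it assumes Windows Server with the NetSecurity cmdlets and an elevated session.

```powershell
# Added example (not from the TCT article or CISA): default-deny egress for a
# monitoring server, allowing the application to reach internal ranges only.
# Assumes Windows Server, the NetSecurity module, and an elevated session.

function Set-EgressAllowlist {
    param(
        [Parameter(Mandatory)][string]$AppPath,          # placeholder; set to the real binary
        [string[]]$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
        [string[]]$Profiles = @('Domain', 'Private')
    )
    # 1. Make "drop" the outbound default. The deny must be the profile default
    #    rather than a catch-all Block rule, because Windows evaluates explicit
    #    Block rules ahead of Allow rules and the allowlist below would never match.
    Set-NetFirewallProfile -Profile $Profiles -DefaultOutboundAction Block

    # 2. Allow the monitoring application to reach internal address space only.
    #    A connection to an arbitrary Internet host falls through to the default and is dropped.
    New-NetFirewallRule -DisplayName 'Egress allowlist: monitoring app (internal only)' `
        -Direction Outbound -Action Allow -Program $AppPath `
        -RemoteAddress $InternalRanges -Profile $Profiles -Enabled True | Out-Null

    # Anything else the server legitimately needs (DNS, domain controllers, the
    # update server) gets its own narrow Allow rule; nothing gets a blanket one.
}

function Test-EgressAllowlist {
    param([string[]]$Profiles = @('Domain', 'Private'))
    # $true only when every listed profile drops outbound traffic by default.
    $blocked = Get-NetFirewallProfile -Profile $Profiles |
        ForEach-Object { $_.DefaultOutboundAction -eq 'Block' }
    -not ($blocked -contains $false)
}

# Constructed usage; replace the placeholder path before running on a real server.
Set-EgressAllowlist -AppPath 'C:\PLACEHOLDER\monitoring-app.exe'
Test-EgressAllowlist    # should print True
```

Stage this in a test environment first: once the outbound default is Block, every legitimate destination the server uses must have an explicit Allow rule, and the firewall log (`Set-NetFirewallProfile -LogBlocked True`) is where the gaps show up.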