Tenchi Security

We are back with Issue #23 of the "Alice in Supply Chains Newsletter." Stay ahead in third-party cyber risk management (TPCRM) with the most up-to-date content curated by our team of experts. Criminals are finding cloud platforms very efficient for data theft.  But are providers working to prevent their strengths from being leveraged against their customers? "Alice in Supply Chains" is here to shed some light on the answer to this question, with a collection of guidance, news, breaches, and regulations related to third-party cyber risk management (TPCRM). We hope you enjoy the read. Stay safe, and see you again next month! #Cybersecurity #TPCRM #SupplyChainAttack

Tenchi Security finding a problem with the Google Workspace enforcement of 2FA was featured on the Enterprise Security Weekly podcast by Security Weekly Productions! You can see it at https://lnkd.in/deQHA5-T, and the show notes are available at https://lnkd.in/dyAXCnBt. Thank you very much to Adrian Sanabria and Katie T. for covering this and for the kind words. This problem appears to have been fixed last Friday (July 12th), about a week after we've reported it to Google Workspace support. Which is not a bad turnaround time for something at this scale, so kudos to anyone involved. Also kudos to Felipe Zanetti and Marcelo Teixeira from our corporate security team that picked up on the alerts, understood their significance and followed through on the investigation. And to Eduardo Pinheiro and our amazing engineering team for building the product that generated the alerts in the first place. Are you a security leader at a large enterprise that wants to truly manage the cyber security posture of your relevant third parties and systematically reduce the risk they represent to your organization, as opposed the traditional #TPCRM focus on just measuring or admiring the problem? I'd love to show you what we are doing here at Tenchi Security. DM me and let's schedule a product demo or a free trial. I'll also be at Black Hat (in particular the Innovators and Investors Summit) and Security BSides Las Vegas in a few weeks, hit me up if you want to meet in person there.

Today, we had another successful “All Hands” meeting, our global alignment session that brings together all Tenchi Security employees. These meetings are crucial for driving our success forward! Our CEO, Felipe Boucas, shared our outstanding YTD results, recent achievements, and the challenges we’ve overcome. He also highlighted important updates on HR initiatives, strategic partnerships, and key marketing strategies. Following this, our CTO, Alexandre Sieira, presented the latest initiatives for Zanshin, our TPCRM SaaS solution, including the roadmap and exciting new features. To wrap up, Eduardo Pinheiro, our Engineering Director, spoke about the “First Ever Engineering Onsite,” where our engineering team had the opportunity to meet in person in São Paulo at the beginning of July. Team members from other countries also participated, fostering alignment on strategy, business vision, and team collaboration. Great job, team! We are proud to have each one of you with us on this journey! #cybersecurity #cyberteam #TPCRM

Se a sua conta do Google Workspace passou pela obrigatoriedade de MFA do Google para administradores e você está usando a política de MFA aplicada por unidade organizacional (OU), a sua configuração de MFA pode não estar funcionando corretamente. Quer saber mais? Leia o blog completo! Blog atualizado em 15 de julho de 2024:  Atualizamos o nosso post tendo em vista que em 12 de julho de 2024, a equipe de engenharia do Google indicou que havia resolvido o problema. No entanto, recomendamos que faça sua devida diligência para validar e confirmar que a política de aplicação de MFA do seu Google Workspace está operando conforme esperado. https://lnkd.in/dkmq9xwm #2FA #googleworkspace #cybersecurity

If your Google Workspace account has gone through Google’s MFA enforcement for admins and you are using OU-level MFA enforcement, your MFA enforcement may not work. Check out the full blog for more details! Blog Update: July – 15th – 2024: We’d like to give you an update on the OU-level MFA enforcement issue identified in this blog. As of July 12th, 2024, Google’s engineering team indicated they had remedied the issue. However, please do your due diligence to validate and confirm that your Google Workspace MFA enforcement policy operates as expected. https://lnkd.in/dvF9Dwcn #2FA #googleworkspace #cybersecurity

Google Workspace seems to have bungled their planned enforcement of #2FA for administrators (see https://lnkd.in/egmPuk25). Here at Tenchi Security we had already had OU-level policies enforcing 2FA for all users, including the administrators. So when we got the e-mail saying it would be turned on for us on July 3rd, we expected that nothing would change. 😎 However our product Zanshin, which we use to perform daily checks of our Google Workspace and other #SaaS #security settings, started alerting on that date that 2FA was no longer enforced for our admin accounts. 🤔 Since this is the opposite of what we expected, we initially thought this was a false positive in our product. It wasn't. Since Google turned on the "enforcement" for our organization, our OU policies were being ignored and Google Workspace was itself reporting on its console that 2FA was indeed not enforced for our admins. We were even able to (temporarily) disable 2FA on one of the admin accounts, which was not possible before! 😱 So the change Google implemented did the opposite of what was intended. Our organization is now less secure - not only is Google Workspace not enforcing 2FA for our admins, it's even ignoring our OU policies to that effect. 🤦♂️ We have reached out to Google's support team and they were as surprised as we were, but told us they confirmed the findings with a test org they control. Tickets are now being escalated. Not sure if this was something that only happened to us (unlikely at their scale) or because very few people double-check this like we do daily with Zanshin so we were among the first to notice it. Let me know in the comments if your organization was impacted by this problem as well, and boost for visibility. Additional checks around admin accounts might be needed until Google sorts this out.

Don't miss out on this month's blog post! Entitled "Businesses still rely on inadequate controls for third-party cyber risk, but change is on the horizon," it explores the critical importance of third-party cyber risk management (TPCRM) and unveils insights from an exclusive survey conducted during the Tenchi Conference. The survey uncovered that many companies still rely on static methods, and that the cybersecurity posture of third parties is still being determined using questionnaires, industry certifications, or point-in-time scans that do not provide real-time discovery and visibility of cybersecurity risks. https://lnkd.in/dyP65CSJ Want to dive deeper? Read the full blog for more details! #TPCRM #cybersecurity

O blog post deste mês está imperdível! Com o título "Empresas ainda contam com controles ineficazes para gestão de riscos cibernéticos de terceiros, mas a mudança está a caminho", aborda a importância da gestão de riscos cibernéticos de terceiros (TPCRM) e apresenta dados de uma pesquisa exclusiva realizada durante o Tenchi Conference no final do ano passado. A pesquisa revelou que muitas empresas ainda dependem de métodos estáticos, e que a postura de cibersegurança dos terceiros ainda vem sendo avaliada por meio de questionários, certificações ou testes que não fornecem uma visibilidade em tempo real sobre problemas de segurança e vulnerabilidades. https://lnkd.in/dUB55_zr Quer saber mais? Leia o blog completo! #TPCRM #cybersecurity

Gostaríamos de agradecer a todos que estiveram presentes no nosso estande ao longo dos três dias da FEBRABAN TECH 2024. Foi um prazer recebê-los e apresentar o que há de mais inovador em gerenciamento de riscos cibernéticos de terceiros. Agradecemos pela confiança e pelo tempo dedicado! #FEBRABANTECH2024 #cybersecurity #TPCRM

O time da Tenchi Security marcou presença hoje na 34ª Edição da FEBRABAN TECH. Vai estar no evento amanhã? Venha nos visitar. Não perca a oportunidade de descobrir como podemos ajudar sua empresa a reduzir sistematicamente os riscos cibernéticos de terceiros. Esperamos por você no estande F-185! #FEBRABANTECH2024 #cybersecurity #TPCRM