If only there was someone's advice they could follow.
https://www2.deloitte.com/us/en/pages/risk/topics/cyber-security.html?icid=top_cyber-security
Deloitte, one of the world's "big four" accountancy firms, has fallen victim to a cyberattack that exposed sensitive emails to hackers. The IT security breach dates back to November 2016 but was only discovered in March this year, according to The Guardian, which broke the news in an exclusive on Monday. Deloitte has …
At that link they write:
"Organisations must remain secure, vigilant, and resilient ..."
Well clearly they failed on the first one.
Seems like taking four months to notice fails them on the second.
For the third, it remains to be seen.
.. if you want to sell yourself as cybersecurity advisers, the absolute first thing you should do is clean your own house because you just painted a nice fat target on your front and back.
The problem is, of course, that fixing your own security is a cost centre exercise, whilst fixing someone else's a (very) profitable revenue stream, so guess what gets priority?
Way to go to damage your own credibility.
On the basis that being compromised is inevitable at some point for every organisation, the measure of effectiveness is whether there was a procedure in place for dealing with and mitigating the consequences, and how good that plan turns out to be. It seems that Deloitte have such a plan and time will tell how good it is.
All of that said, having an email admin account without 2fa seems to be a bit of a schoolboy error by any measure. We had a really good fire drill in place but neglected to fix the leaky gas pipes in the basement.
On the basis that being compromised is inevitable at some point for every organisation, the measure of effectiveness is whether there was a procedure in place for dealing with and mitigating the consequences, and how good that plan turns out to be.
I agree 100%.
It seems that Deloitte have such a plan and time will tell how good it is.
I disagree. Probably 100%.
It took them 4+ months to detect. Five months later they are still investigating. They never took control of the message to the public, it was leaked by a newspaper. They aren't managing the PR spin, they are being spun.
None of this implies they had any functional "Cyber Readiness" in place and I suspect their crisis response isn't very well oiled other than "keep quiet and hope no one else notices."
..... Oh, no, not again.
Methinks it might even be safer to send one's personal data through the post on the back of a postcard than trust the security of some big name cowboys ....
In the cloud, you say? well, I'm sure that the relevant three and four letter agencies will keep their copies of your data safe .... ?
Problem is - the TLAs will have scans of all paper mail from the sorting machines, they OCR it, then put all that juicy data neatly-like in databases, outsourced to the lowest bidder probably located in a place where "we" are "at war with terror" and operated by smart "axis of evil people" or plonkers.
Those databases are then splurged onto the internet.
Blame the consulting model that charges each client to reinvent the wheel before starting any real work. Given that the Deloitte Business Security Team appear to be those that drew the short straws on the 'bench' that month, with no formal training and no formal contacts with Microsoft, I'm surprised there are not more public security breaches.
Do you have a client account to charge internal MFA to? No? Computer says No to your security request then...
...and yet they can't afford the extra security protection of running their own mail server?
I wonder how much they pay MS Azure to host it and the cost of the reputation damage/compensation compared to running their own systems?
Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class,
How can they claim that when they put their data and systems on someone else's servers where, by definition, they have less control over the security?
I wonder how much they pay MS Azure to host it and the cost of the reputation damage/compensation compared to running their own systems?
I notice that the article refers to Azure and not Office 365; which suggests that Deloitte were running their own systems in Azure rather than just paying MS to do the lot.
I happen to know that another of the big 4 is aggressively moving their systems to Azure and have their email systems hosted on O365 EXCEPT where individual country practices have said they won't allow it, e.g. Germany, Switzerland.
The interconnects are still in O365 though
Do organisations in other parts of the world suffer security breaches on this scale? Perhaps they're more sensible and restrict sensitive data to their internal networks.
I'm sure there's a hostile agency or two somewhere collecting all the leaked data and mining it for future cyber offensives.
"Hackers gained access to Deloitte's email system through an administrative account that was not secured using two-factor authentication"
How did they get the administrative account password, not that two-factor authentication would have protected them.
From my time in large companies they tend to have at least one generic style admin account for systems with no 2FA which is given to contractors when they rock up. That password is rarely changed when the contractor leaves and if the account isn't disabled..
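The two failure modes the comments above describe (an admin account with no 2FA, and generic admin credentials handed to contractors and never rotated or disabled) are exactly the kind of thing a periodic account audit should catch. Below is an added example, not code from any commenter, from Deloitte or from Microsoft: a small Python audit run over a constructed account inventory. The field names, the 90-day rotation limit and the sample accounts are all assumptions chosen for illustration, not any vendor's schema.

```python
"""Audit an account inventory for privileged accounts without MFA, shared
(generic) admin credentials, stale passwords, and credentials still enabled
after the contractor they were issued to has left.

Added example; the inventory format and thresholds below are assumptions.
"""
from datetime import date

# Assumed policy: privileged credentials must be rotated at least this often.
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample inventory (not real accounts). Field names are assumptions.
ACCOUNTS = [
    {"name": "mail-admin", "privileged": True, "mfa": False, "shared": True,
     "enabled": True, "password_set": date(2016, 1, 10),
     "issued_to": "contractor-1", "issued_to_active": False},
    {"name": "alice.admin", "privileged": True, "mfa": True, "shared": False,
     "enabled": True, "password_set": date(2017, 8, 1),
     "issued_to": "alice", "issued_to_active": True},
    {"name": "bob", "privileged": False, "mfa": False, "shared": False,
     "enabled": True, "password_set": date(2017, 9, 1),
     "issued_to": "bob", "issued_to_active": True},
    {"name": "old-svc-admin", "privileged": True, "mfa": False, "shared": True,
     "enabled": False, "password_set": date(2014, 5, 5),
     "issued_to": "contractor-2", "issued_to_active": False},
]


def audit(accounts, today):
    """Return a list of (account name, finding) tuples for enabled accounts.

    Disabled accounts are skipped: a disabled generic account is the desired
    end state, not a finding.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        name = acct["name"]
        if acct["privileged"] and not acct["mfa"]:
            findings.append((name, "privileged account without MFA"))
        if acct["shared"]:
            findings.append((name, "shared/generic credential in use"))
        age_days = (today - acct["password_set"]).days
        if acct["privileged"] and age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, f"password not rotated for {age_days} days"))
        if not acct["issued_to_active"]:
            findings.append((name, f"issued to departed user {acct['issued_to']} but still enabled"))
    return findings


def accounts_to_disable(accounts, today):
    """Names of enabled accounts issued to someone who has left: the
    immediate remediation is to disable them, then rotate anything shared."""
    return sorted({n for n, f in audit(accounts, today) if "departed" in f})


if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, date(2017, 9, 25)):
        print(f"{name}: {finding}")
    print("disable first:", accounts_to_disable(ACCOUNTS, date(2017, 9, 25)))
```

Run against a real directory export, the useful output is not the list itself but the two remediation queues it implies: accounts to disable immediately (issued to people who have left), and privileged accounts that need MFA enforced and an individual owner before they are touched again.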
Once, working on a US government project, I found that the MS Dynamics for Government cloud service does not have two-factor authentication, which was a government requirement. The project went on anyway. Deloitte also used MS stuff and very likely was not able to secure by two-factor as it does not exist in the MS set of cloud security. You get what you get..