Earlier this week, I briefly mentioned the Deloitte breach as I talked about the importance of knowing and understanding your data in order to protect it from a breach. Today, I’d like to talk a little more in depth about the Deloitte breach.
Every breach has its unique story, but the Deloitte breach has elements that we’ve seen play out many times. The story was originally broken by The Guardian, as eSecurity Planet explained, adding:
Deloitte's global email server was compromised through an admin account that provided them with what the Guardian describes as "privileged, unrestricted 'access to all areas.'" Notably, the account was password-protected but did not have multi-factor authentication.
So right here we see how easily a privileged account can be taken over and used to cause major damage, followed quickly by another security failure – relying on a single authentication factor, in this case a password. It’s always just a password, when we should really know better by now, especially in a cyber-savvy organization like Deloitte. But, as Gaurav Banga, founder and CEO of Balbix, said in an email comment:
Unfortunately, the myriad of different ways in which an enterprise may be breached is very large, and even a robust investment in traditional security technologies and incident response is not enough.
And this explains, in part, why breaches, while unique unto themselves, carry similarities to the breaches before them. There are so many different ways an organization can be breached, but are we only using the most recent major breaches as examples of how to manage security? Are we relying on legacy systems and traditional security postures and ignoring new attack vectors? How well does your organization think outside the box when it comes to cybersecurity practices and tools? I agree with Banga when he says that organizations need to think proactively and understand their attack surface, software and humans alike, continuously and comprehensively: which parts are at greatest risk, which mitigations will work well, and where the security gaps are.
Of course, privileged access compromise and a lack of a multi-factor authentication system aren’t the only ways Deloitte came up short in this breach. There were questions about something “not right” back in October 2016, as Brian Krebs reported, and employees were warned to change their passwords and PINs almost immediately (they had four days). But then, supposedly, the breach wasn’t found until March 2017, and finally we’re finding out about it in late September 2017.
I agree with what Ajit Sancheti, CEO of Preempt, said to me in an email comment:
The Deloitte breach shows the importance of being able to automatically respond to potentially unusual access and activities from administrators to validate a user’s identity before allowing access. To prevent breaches like this, it is important to trust but verify in real time, especially for administrative accounts.
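The two failures discussed above, a privileged account protected by a password alone and the absence of any automatic check on unusual administrator activity, are the kind of thing a defender can detect from authentication logs. The script below is an added example written for this article; it is not code from the original post, from Deloitte, Balbix or Preempt. The log format, field names (role, mfa, src_country, result) and the sample events are constructed for illustration and are not real Deloitte data. It lists admin accounts that have ever logged in successfully without MFA, and it flags each admin login that lacks MFA or comes from outside the baseline set of countries, mapping a single finding to a step-up authentication prompt and both findings together to an immediate block, which is one way to act on "trust but verify in real time".

```python
"""Flag privileged logins without MFA or from unusual locations.

Added example for the article above; not the original post's code.
The log format and field names are assumed for illustration.
"""
from datetime import datetime

# Constructed sample authentication events (not real data).
SAMPLE_LOG = """\
2017-03-01T08:02:11Z user=jsmith role=admin mfa=yes src_country=US result=success
2017-03-01T08:05:40Z user=jsmith role=admin mfa=no src_country=US result=success
2017-03-01T22:17:03Z user=jsmith role=admin mfa=no src_country=XX result=success
2017-03-01T22:18:15Z user=mjones role=user mfa=no src_country=US result=success
2017-03-02T02:30:00Z user=jsmith role=admin mfa=yes src_country=XX result=failure
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def successful_admin_logins(log_text):
    """Yield parsed events for successful logins by admin-role accounts."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("role") == "admin" and event.get("result") == "success":
            yield event


def admin_accounts_missing_mfa(log_text):
    """Admin accounts that have logged in successfully with a password only.

    This is the single-factor finding: any privileged account that appears
    here is protected by nothing more than its password.
    """
    return {ev["user"] for ev in successful_admin_logins(log_text) if ev.get("mfa") != "yes"}


def find_risky_admin_logins(log_text, known_countries=("US",)):
    """Alerts for admin logins without MFA or from a non-baseline country.

    One reason -> ask for step-up authentication before granting access;
    both reasons -> block the session and page the on-call responder.
    """
    alerts = []
    for ev in successful_admin_logins(log_text):
        reasons = []
        if ev.get("mfa") != "yes":
            reasons.append("no_mfa")
        if ev.get("src_country") not in known_countries:
            reasons.append("unusual_location")
        if reasons:
            alerts.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "reasons": reasons,
                "action": "step_up_auth" if len(reasons) == 1 else "block_and_page",
            })
    return alerts


if __name__ == "__main__":
    print("admin accounts seen without MFA:", sorted(admin_accounts_missing_mfa(SAMPLE_LOG)))
    for alert in find_risky_admin_logins(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["user"], ",".join(alert["reasons"]), "->", alert["action"])
```

On the constructed sample, the first admin login (MFA present, baseline country) raises nothing, the second raises a step-up prompt for a password-only login, and the third is blocked because it is both password-only and from an unfamiliar country; the non-admin login and the failed attempt are ignored. The baseline of known countries would in practice be learned per account from historical successful logins rather than hard-coded.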
But at what point is something done to ensure breaches and other security incidents are reported in a timely manner? As with the Equifax breach and so many others that weren’t revealed to the public until months after the fact, the damage is already done and it puts consumers at a serious disadvantage.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba