Deloitte has been targeted in an attack that compromised the emails and plans of some of its clients. Here are some of the industry comments Help Net Security received regarding this incident.
Dr Jamie Graves, CEO at ZoneFox
This attack is another clear example that anyone can be affected by cybercriminals – even those whose speciality is to stop them. It’s discomforting to see that even an experienced firm such as Deloitte has fallen victim to attackers supposedly using an administrative password and account to access their Azure storage. This has to act as a wake-up call for the industry to pursue a more proactive, threat-hunting approach to their cyber-security.
Passwords still have a hugely important role to play in securing information, but they have to be combined with other layers of security within a two- or multi-factor approach. The bottom line is that data visibility has to be in place for an effective, modern security structure; firms need to know not just who is accessing their data, but where it’s being accessed from, what has specifically been looked at and where the data (or copies of it) is residing, while stationary and in transit.
Extra layers – such as IP listing and user behaviour analytics – would have helped Deloitte identify that outside agents were using the administrative account; certainly reducing the time the attackers spent within the network before being noticed. Months of access combined with six months of behind-the-scenes work before the attack has come to general attention would certainly fall foul of GDPR once it goes live and does little to generate sympathy for the firm. It’s a worthy tactic to try and trace the cyber-footsteps of the attackers now, but a more proactive approach, utilising machine learning and augmented or artificial intelligence, will ensure firms can identify threats before they can create a major security concern.
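The two extra layers named above, an IP allow list and a behavioural baseline for each account, are easy to put in front of sign-in logs. The following is an added example written for this article, not code from ZoneFox, Deloitte or any product mentioned in the commentary; the log format, field names, IP ranges and every event in the sample log are constructed for illustration.

```python
"""Flag an administrative account being used from outside the organisation.

Added example for this commentary, not code from ZoneFox, Deloitte or the
article. It applies two of the layers Dr Graves names: an IP allow list and a
simple behavioural baseline (the networks and countries each account has been
seen from). The log format, field names, IP ranges and events below are all
constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed corporate egress ranges (RFC 5737 documentation prefixes).
CORPORATE_NETWORKS = [ipaddress.ip_network(n)
                      for n in ("203.0.113.0/24", "198.51.100.0/25")]
PRIVILEGED_ACCOUNTS = {"admin@example.com"}   # constructed


@dataclass
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    country: str
    result: str          # "success" or "failure"


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line: '<ISO8601> user=.. ip=.. country=.. result=..'."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                  f["user"], f["ip"], f["country"], f["result"])


def in_allowlist(ip: str) -> bool:
    """IP listing: is the source address inside a corporate egress range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def location_key(e: SignIn):
    """Behavioural fingerprint: country plus the /24 the sign-in came from."""
    return e.country, str(ipaddress.ip_network(f"{e.src_ip}/24", strict=False))


def analyse(lines, baseline_days=30, failure_window=timedelta(minutes=10)):
    """Return [(SignIn, [reason, ...])] for successful sign-ins an analyst should see.

    Sign-ins in the first `baseline_days` of the log build the per-user
    baseline; after that, a location never seen for that user is an anomaly.
    Anomalous sign-ins are *not* folded into the baseline, so an intruder's
    location does not become "normal" until an analyst has cleared it.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    if not events:
        return []
    baseline_end = events[0].ts + timedelta(days=baseline_days)
    known = defaultdict(set)        # user -> {(country, /24), ...}
    failures = defaultdict(list)    # user -> timestamps of recent failures
    alerts = []
    for e in events:
        if e.result != "success":
            failures[e.user].append(e.ts)
            continue
        reasons = []
        if e.user in PRIVILEGED_ACCOUNTS and not in_allowlist(e.src_ip):
            reasons.append("privileged account used outside corporate IP ranges")
        key = location_key(e)
        if e.ts > baseline_end and key not in known[e.user]:
            reasons.append(f"first sign-in from {key[0]} / {key[1]} for {e.user}")
        recent = [t for t in failures[e.user] if e.ts - t <= failure_window]
        if len(recent) >= 2:
            reasons.append(f"success preceded by {len(recent)} failures within {failure_window}")
        failures[e.user] = []
        if reasons:
            alerts.append((e, reasons))
        else:
            known[e.user].add(key)
    return alerts


# Constructed sample log: a month of normal use, then the admin account
# succeeding from an unknown network after two failures.
SAMPLE_LOG = """\
2016-09-01T08:00:00Z user=admin@example.com ip=203.0.113.10 country=GB result=success
2016-09-03T09:12:00Z user=alice@example.com ip=203.0.113.44 country=GB result=success
2016-09-10T18:30:00Z user=alice@example.com ip=198.51.100.7 country=GB result=success
2016-10-02T03:14:07Z user=admin@example.com ip=192.0.2.45 country=BR result=failure
2016-10-02T03:14:39Z user=admin@example.com ip=192.0.2.45 country=BR result=failure
2016-10-02T03:15:02Z user=admin@example.com ip=192.0.2.45 country=BR result=success
2016-10-05T10:00:00Z user=alice@example.com ip=203.0.113.44 country=GB result=success
2016-10-06T11:00:00Z user=admin@example.com ip=203.0.113.10 country=GB result=success
""".splitlines()

if __name__ == "__main__":
    for e, reasons in analyse(SAMPLE_LOG):
        print(e.ts.isoformat(), e.user, e.src_ip, "; ".join(reasons))
```

Run against the sample log, only the 03:15 admin sign-in is raised, and it is raised for three independent reasons (outside the allow list, a location never seen for that account, and a success immediately after failures); the same account signing in from its usual range four days later is silent. Any one of those rules alone would have shortened the months-long dwell time the commentary describes.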
Sam Curry, CSO at Cybereason
While news of the Deloitte breach is just surfacing I caution everyone not to cast stones because no one really has specific details of what happened unless they work at Deloitte or for their security consultants. However, if the report about Deloitte’s global email server being compromised is true and if access was gained through an “administrator’s account” that, in theory, gave hackers unrestricted “access to all areas” of the network, then this is a wake-up call for corporations to at a minimum have two-step authentication in place as opposed to a single password. Naturally, there could be much more to this; and time will help us all understand the lessons to be learned in security operations and, hopefully, in transparency, respect for privacy and crisis communications.
Overall, it’s not that shocking that another corporation is making headlines as it has been a rough month for many of them. Keep in mind that thousands of other companies not named Deloitte, Equifax or the SEC have been breached but have thus far managed to stay out of the headlines. Trust me, other breaches have occurred.
The hackers today have the advantage because they have time on their side and they only have to be correct once to initiate a compromise while a corporation has to be correct 100 percent of the time to keep hackers at bay. That’s a clear asymmetry.
I urge all corporations to immediately build out a hunting practice and to improve their security hygiene and their ability to stop attackers by deploying a strategy where they can disrupt the hackers early in the process by likewise getting it right once and being able to respond, preventing attackers from setting up beachheads and back doors. Of course, garden-variety threats need to be detectable, but the sophisticated threats need to be found and stopped earlier as well. Corporations also need a professional, modern CIRC, a real strategy for segmentation and good hygiene and to elevate the way security is managed and operated.
Richard Stiennon, Chief Strategy Officer at Blancco Technology Group
Deloitte is one of the largest consulting firms in the world that regularly advises its clients on cybersecurity matters, including strong guidance around information governance. Their own experience with a simplistic breach of their Microsoft 365 infrastructure through an easy-to-access administrator account highlights how easy it is to overlook critical information stores. Email is the life blood of most modern companies. Practically all information eventually flows through email. Secure policy reviews, audit logs, legal matters and financials are freely shared and discussed on email. In Deloitte’s case, this included confidential client information.
A complete data governance regime should put email at the top of concerns. While health records, financials and PII usually are considered first, it must be acknowledged that all of that critical information passes through email too. Email should be first protected against unauthorized access. But it’s just as important to manage the content. One critical control is encryption so email exchanges cannot be read without the participants’ keys. Another is to regularly scrub emails wherever they reside. This can be based on a simple time horizon (securely erase anything older than a certain number of years), or it could be fine-tuned to include types of emails or particular content.
The industry will have an excellent chance to learn from Deloitte’s breach of its email servers. Not only will we see the impact of such a breach, but eventually we can expect Deloitte to share its protective measures and the new processes they put in place to avoid similar future breaches. All of Deloitte’s clients will benefit from these lessons learned.
Rob Wilkinson, Corporate Security Specialist at Smoothwall
When an organisation that openly emphasises cyber security as paramount to any business is then itself found to be the victim of a major cyber breach – as with the case of Deloitte – it asks some very serious questions of a company which may have been leaking highly-sensitive information since October last year. For a company reporting a near $40bn revenue year ending May ’17, what’s clear is that not enough of that money has been poured into protecting names, emails and plans of some of its biggest clients in the case of a hack. For Deloitte, this could lead to serious financial and reputational damage, more so than any other company – it’s clearly not practising what it preaches.
Hackers can now come from anywhere, acting individually, part of a group or even be state-sponsored. Their motives can often be quite unclear too; simply creating chaos for the sake of it can have companies scrambling to stem financial damage and a loss in trust from clients and customers alike. Every company from an SME right up to one of the ‘Big Four’ such as Deloitte needs to take cyber security equally seriously and have a strong cyber security culture at its heart. But in all honesty, it shouldn’t be up to us to tell one of the most well-known cyber security companies this. While you would assume Deloitte has the appropriate monitoring, encryption and threat detection in place, it’s clearly not enough to protect them from this type of “access all areas” hack.
Thomas Fischer, Global Security Advocate at Digital Guardian
This latest breach highlights the importance of ensuring customer data is stored and communicated in a secure form. In this situation encryption would have avoided the emails being read. However, this also highlights one of the fundamental challenges with encryption, especially as it relates to email – it’s simply too easy for users not to enable it, or to forget to enable it.
Tools can help, and there are some that force encryption if certain keywords are detected. But the bottom line is that if a company’s data is securely stored and communicated, breaches like this can have much less impact.
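Both of the content-driven controls raised in the comments above, Richard Stiennon’s time-horizon scrubbing with a finer content-based rule and Thomas Fischer’s keyword-triggered encryption, come down to the same classification step over each message. The following is an added example written for this article, not code from Blancco, Digital Guardian or any product named on the page; the keyword list, retention periods and sample messages are constructed. It goes one step beyond plain keywords: card-number candidates are validated with the Luhn checksum, the standard way DLP tools avoid forcing encryption on every 16-digit invoice reference.

```python
"""Content-driven email controls: pattern-triggered encryption and scrubbing.

Added example for this commentary, not code from Blancco, Digital Guardian or
any product on the page. Keywords, patterns, retention horizons and messages
are all constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: phrases that must never travel in the clear, and how long
# mail may be kept (card data gets a much shorter horizon than ordinary mail).
KEYWORDS = ("confidential", "client plan", "m&a", "password")
DEFAULT_RETENTION = timedelta(days=365 * 7)
CARD_RETENTION = timedelta(days=365 * 1)
# 13-16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return the reasons a text is sensitive: keyword hits and Luhn-valid card numbers."""
    low = text.lower()
    reasons = [f"keyword '{k}'" for k in KEYWORDS if k in low]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                       # drop look-alike numbers
            reasons.append(f"card number ending {digits[-4:]}")
    return reasons


@dataclass
class Message:
    id: str
    sent: datetime
    subject: str
    body: str


def apply_policy(messages, now):
    """Decide per message whether it must be encrypted and whether it is past retention.

    Returns {message id: {"encrypt": bool, "purge": bool, "reasons": [...]}}.
    The retention horizon is content-dependent: mail holding card data is
    purged after CARD_RETENTION, everything else after DEFAULT_RETENTION.
    """
    decisions = {}
    for m in messages:
        reasons = find_sensitive(m.subject + "\n" + m.body)
        has_card = any(r.startswith("card number") for r in reasons)
        horizon = CARD_RETENTION if has_card else DEFAULT_RETENTION
        decisions[m.id] = {
            "encrypt": bool(reasons),
            "purge": now - m.sent > horizon,
            "reasons": reasons,
        }
    return decisions


# Constructed sample mailbox, evaluated as of a fixed "now".
NOW = datetime(2017, 9, 25)
SAMPLE_MESSAGES = [
    Message("m1", datetime(2017, 8, 20), "Q4 plan",
            "Please find the confidential client plan attached."),
    Message("m2", datetime(2015, 3, 10), "Expenses",
            "Corporate card 4111 1111 1111 1111 expires 09/19."),
    Message("m3", datetime(2009, 1, 5), "Friday", "Lunch on Friday?"),
    Message("m4", datetime(2017, 1, 12), "Invoice",
            "Ref 4111 1111 1111 1112 paid in full."),   # fails Luhn: not a card
]

if __name__ == "__main__":
    for mid, d in apply_policy(SAMPLE_MESSAGES, NOW).items():
        print(mid, "encrypt" if d["encrypt"] else "plain",
              "purge" if d["purge"] else "keep", d["reasons"])
```

On the sample mailbox m1 is forced to encryption and kept, m2 is both encrypted and flagged for secure erasure because card data has outlived its one-year horizon, m3 is plain but past the seven-year default, and m4 is left alone because its 16-digit reference fails the Luhn check. Running the same classifier on outbound mail gives the "force encryption if certain keywords are detected" behaviour; running it on the store gives the scrub list.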
Stephen Cox, Chief Security Architect at SecureAuth
The misuse of administrator credentials in the Deloitte incident is strong affirmation that identity is now at the center of information security. We’re seeing breach after breach leveraging stolen credentials as an attack vector and even skilled information security practitioners are struggling with this threat. Part of the problem is a general lack of acknowledgement of the importance of identity security in relation to network and endpoint security; these are now the three pillars of security. We have highly distributed organisations across on-premises and cloud infrastructure. Identity is the glue that binds everything together.
Organisations should be rethinking their approach to identity security. The password is dead and even vanilla two-factor authentication is not enough. We must raise the bar with adaptive access control methods that apply risk analysis and introduce a biometric second factor, eliminating the utterly broken technology of password-based authentication.