It’s difficult – if not impossible – for any organization to keep their networks and systems completely safe from knowledgeable, well-resourced and determined attackers.
Still, we expect companies that advise other companies on information security to be better than most at protecting themselves. But is that expectation misplaced?
Take, for example, the recent Deloitte hack.
For the last five years, Deloitte (Deloitte Touche Tohmatsu Limited) has ranked as the most profitable security consulting services company in the world.
But the increased scrutiny that followed public revelation of the breach, which apparently went unnoticed for months, shows that Deloitte has not been listening to its own advice or doing the housekeeping it tells others to do.
Since the disclosure, security researchers have been combing the Internet for information that could have allowed the attackers to compromise the company's network, and they have found plenty: VPN credentials on GitHub, proxy login credentials on Google+ (since removed), and thousands of hosts exposed on the Internet.
Among those hosts were DNS servers and at least one Active Directory server with RDP open to the Internet and pending Windows updates. An unpatched domain controller reachable over RDP from the outside is a single hop from domain-wide compromise, which is exactly the kind of exposure a security consultancy would flag in a client's assessment.
It’s practically inevitable that a sprawling company like Deloitte, with many business units and many IT departments around the globe, will drop the security ball occasionally. The size and complexity of the networks and systems almost guarantees it.
As breaches go, this one apparently isn’t that catastrophic. But whether these revelations will have an impact on the company’s bottom line in the long run remains to be seen.
After all, perhaps its clients will simply conclude that security is hard for everyone, and that it's easier to find holes in other companies' systems than to apply the controls that keep them plugged in your own.