Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

9/27/2017
01:42 PM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Deloitte Hack Still Has More Questions Than Answers

The huge hack of global accounting firm Deloitte is still presenting more questions than answers for security professionals.

Two days after an email admin security weakness was first reported, Deloitte is still not saying much about it. Nothing has been posted on the Deloitte Website and the public's righteous thirst for information goes unquenched. As a PR operation, it sucks. As an attack that could apparently have been easily prevented, it's a disaster.

Coming within two weeks of revelations about unsecured Equifax consumer data, the Deloitte problem seems to be on a smaller numerical scale, but the market value of the exposed data is unknown. Equifax exposed the private consumer information of about 143 million people in the US and the UK. In what little Deloitte has said, it quantifies its data loss to information it holds of about six clients. Data exposure was apparently caused by theft and exploitation of super-user admin authentication details for an email platform -- which looks like it could easily have been avoided.

Two-factor security -- or the lack of it -- seems to be behind the relative ease of ingress as an attack gained access to confidential email information including text and attachments. Reportedly, data containing email addresses, usernames, passwords, IP addresses, architectural diagrams for businesses and health information may have been exposed by Deloitte adversaries. The extent is as-yet unknown, but given that Deloitte is suspected to have discovered the intrusion as early as October 2016, observers are questioning the scale of the breach versus public disclosure to date.

"Deloitte should have hired Deloitte," Ajit Sancheti, co-founder and CEO at Preempt Security, told SecurityNow referring to Deloitte's renowned cybersecurity consultancy business. "They seem to have had a laissez faire attitude to security. Even though they teach best security practice to their clients, they just didn't employ it internally. In this case, somehow, they allowed access to private credentials because there was no multifactor security [present]."

He speculates that when Deloitte first discovered the exploit in 2016, they thought it was a small enough incident to comfortably handle internally. But then it became bigger, and they've struggled to offer enough actionable information to clients without risking losing them.

"It's very difficult for them to be able to do that," said Sancheti. "Have they shown that they have done enough to operate within best practice here? That's still not clear to me. If Deloitte was compromised, did anyone actually see that at the time?" To date it's unclear how long the intrusion went unnoticed, or even if the intruder is still active in any capacity.

Deloitte is not being unfairly targeted for criticism. But many big enterprises are still tussling with security, and are not making good of it. That's not because they're unaware of the security risks, but because practically speaking, they are spending too much time triaging possible security concerns that require a solution. Hackers are probing everywhere, and... well, they might just be security fatigued and unable to make good decisions, like a climber snow-blinded on a mountain pass.

"In fairness, all large organizations are really struggling," Sanjeev Verma, founder and chairman of PreVeil told SecurityNow. Verma founded Airvana, the world's second-largest supplier of CDMA-based data infrastructure in 2000, and now he's back for another challenge. "The widespread security paradigm is perimeter defense, but that just doesn't work: companies continue to build walls around data, but no matter how tall they make the walls, people always find a way in."


Want to learn more about the tech and business cases for deploying virtualized solutions in the cable network? Join us in Denver on October 18 for Light Reading's Virtualizing the Cable Architecture event – a free breakfast panel at SCTE/ISBE's Cable-Tec Expo featuring speakers from Comcast and Charter.

Verma's firm has patented a new approach which follows his philosophy and assumes that servers, for example, will continue to be breached. PreVeil posits end-to-end encryption across the entire data lifecycle, so that servers never have access to unencrypted data. So, in theory, someone can set up a siege engine and storm the walls -- typically using brute-force, exploiting a vulnerability or targeting a super-user, as in the case of Deloitte. But all they get in PreVeil's new paradigm, is encrypted non-sequitur.

Recent attacks on apparently bulletproof institutions have the appearance of hacking individuals or groups wanting to make a point or running a vendetta; Deloitte may have become an "honor-target" because of the very cybersecurity practice it runs. Equifax may have been brought low by hackers interested in smearing the name of a company charged with large-scale security of intimate consumer data. CCleaner may have been targeted because the small PC cleanup utility was being acquired by security giant Avast.

"There will be more attacks and more panic. I guess we may know more [about motivations] in the next few weeks," said Sancheti.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-4020
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23654
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
CVE-2021-43785
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
CVE-2021-43776
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
CVE-2021-41243
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...