Deloitte breach leaves many questions
Big-four consultancy misstep may have wider implications for business at large
It was a dark month, September 2017, at least in security terms, with a string of high-profile breaches that culminated in a big-four breach.
Not only did we see an unsecured Equifax web application allegedly leak highly personal information on 145 million US users, about 44 per cent of the population, and a high-profile leak of business data from the SEC, but finally it was disclosed that Deloitte had suffered a breach too.
Big-four consultancy and accounting firm Deloitte was rated the global number one in Security Consulting for the fifth consecutive year by Gartner earlier in 2017, but is now having to deal with the PR fallout of the hack.
The company admitted that an email system was breached, after a national newspaper reported that a compromise had taken place, but downplayed the significance of the incident. “Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016. The hacker compromised the firm’s global email server through an ‘administrator’s account’ that, in theory, gave them privileged, unrestricted ‘access to all areas’ - the account required only a single password and did not have ‘two-step’ verification”, reported the Guardian.
Initially, six of Deloitte’s clients were advised they had been ‘impacted’ by the breach, which compromised a Microsoft Azure cloud service account.
Ilia Kolochenko, CEO of web security company High-Tech Bridge said: “It is now very clear that the Big Four, as well as any other reputable cybersecurity companies, have become a very attractive target for cybercriminals. Cybersecurity consultants usually have their customers' ‘crown jewels’, sometimes unencrypted or otherwise under-protected. Frequently, rapid business growth outshines internal security requirements in our industry, and it may be the Achilles' heel even of the most secure companies in the world.”
The incident sparked investigations from the security industry, with unfortunate results - Deloitte VPN credentials were allegedly found on GitHub.
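Credentials committed to a public repository are the kind of exposure a pre-commit secrets scan exists to catch. The following is an added example, not code from the article or from Deloitte: it applies three common detection rules (credential keyword assignments, PEM private-key headers, and long high-entropy tokens) to a constructed set of file contents. The file names, the sample values and the 4.5-bit entropy threshold are assumptions, and none of the values are real credentials.

```python
"""Scan file contents for credentials before they reach a shared repository.

Added example, not code from the article or from Deloitte. File names, sample
values and the entropy threshold are assumptions; none of the values are real.
"""
import math
import re
import sys
from collections import Counter
from typing import Dict, List, NamedTuple

# Rule 1: an assignment whose key name contains a credential keyword.
KEYWORD_RE = re.compile(
    r"""(?i)\b([A-Z0-9_]*(?:password|passwd|secret|token|api_key)[A-Z0-9_]*)\s*[:=]\s*["']?([^\s"']{6,})"""
)
# Rule 2: PEM private-key header (RSA, EC, OPENSSH or unqualified).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Rule 3: long base64/hex-looking tokens, judged by Shannon entropy.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off for base64-like secrets


class Finding(NamedTuple):
    path: str
    lineno: int
    rule: str
    evidence: str  # redacted, so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; equals log2(len(s)) when every char is unique."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located, hide the rest."""
    return value[:3] + "*" * (len(value) - 3)


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply all three rules to one file's contents, one finding per (line, rule)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, lineno, "private_key", line.strip()))
            continue  # the header alone is conclusive; skip the other rules
        for m in KEYWORD_RE.finditer(line):
            findings.append(Finding(path, lineno, "keyword", f"{m.group(1)}={redact(m.group(2))}"))
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy", redact(token)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (assumed file names; no real secrets).
SAMPLE_FILES: Dict[str, str] = {
    "deploy/vpn.env": "\n".join([
        "# constructed sample, not real credentials",
        "VPN_HOST=vpn.example-corp.invalid",
        'vpn_user = "jdoe"',
        'vpn_password = "Wint3r!Cabbage"',          # rule 1 fires
        'log_level = "debug"',                      # benign, no finding
        "AWS_SECRET_ACCESS_KEY=qZ8vT3kLm9XpR2wYb7NcH4sJ6dF1gA0e",  # rules 1 and 3 fire
        "placeholder_value=placeholder_placeholder_value",        # long but low entropy
    ]),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n"
                     "MIIEow...(truncated constructed key)\n"
                     "-----END RSA PRIVATE KEY-----",             # rule 2 fires
}

if __name__ == "__main__":
    # Pre-commit hook behaviour: report every finding and block the commit if any exist.
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.lineno}: {f.rule}: {f.evidence}")
    sys.exit(1 if results else 0)
```

The keyword rule is deliberately broad (it will also flag lines such as `password_policy = strict`), so in practice findings go to a human rather than being auto-remediated; the entropy rule catches tokens the keyword list misses, while the low-entropy placeholder shows why a length check alone is not enough.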
Then respected blogger KrebsOnSecurity claimed to have spoken to ‘a person with direct knowledge of the incident’, who said that not only did “the company...not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems” but that “investigators still are not certain that they have completely evicted the intruders from the network.”
Additionally, security researchers claimed to have combed through the thousands of Deloitte servers visible on the internet to pick out at least one Active Directory server with RDP open and pending Windows updates.
Kolochenko continued: “Third-party risk assessment and vendor management should become an obligatory security control in all large organizations. Cybersecurity companies should also continuously enhance their internal security and privacy policies, processes and procedures.”
Securing a large organisation is a significant challenge, but the policies and processes behind doing so successfully must be in place no matter the size of the organisation. The message for the wider business community has to be one of vigilance, and in part acceptance that, however good the defences, attackers will to some extent be able to find their way in.