The Guardian recently broke the news that the accounting firm Deloitte was hit last year by a cyber attack that exposed the confidential emails and plans of at least six of its clients.
The attackers gained access to Deloitte's systems in October or November of 2016, the report states, but the company didn't discover the breach until March of 2017.
Deloitte's global email server was compromised through an admin account that provided them with what the Guardian describes as "privileged, unrestricted 'access to all areas.'"
Notably, the account was password-protected but did not have multi-factor authentication.https://o1.qnsr.com/log/p.gif?;n=203;c=204660770;s=9477;x=7936;f=201812281321530;u=j;z=TIMESTAMP;a=20396194;e=i
In addition to client emails, the hackers gained access to user names, passwords, IP addresses, architectural diagrams for businesses and health information.
Assessing the Breach
In a statement provided to the Guardian, the company said, "In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilizing a team of cyber security and confidentiality experts inside and outside of Deloitte."
"As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators," the company added.
Still, a source with direct knowledge of the investigation told Krebs on Security that Deloitte doesn't yet know exactly when the breach took place or for how long the hacker or hackers had access to the company's systems -- or, in fact, if they still have access.
The source also noted that the company sent a notice on October 13, 2016 to all U.S. employees, requiring them to change their passwords within four days.
"I think it's unfortunate how we have handled this and swept it under the rug," the source told Krebs. "It wasn't a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients."
Protecting Key Data
Raytheon chief strategy officer for cyber services Josh Douglas pointed out that the data seems to have been less well protected than the average Facebook page. "Two-factor authentication ... is a basic part of cyber hygiene, and while it might not have prevented the intrusion altogether, it would have at least slowed the attackers and forced them to use more sophisticated methods," he said.
Still, Douglas said, 2FA alone isn't enough. "Organizations need to hunt threats to their network proactively and adopt an incident response plan that prevents or limits the exfiltration of sensitive data," he said. "Comprehensive cybersecurity is especially important in the era of cloud computing, where companies are storing sensitive data remotely. As we tell our clients, cloud computing puts your information on someone else's computer -- so it's vital to protect the cloud exactly as you would your own servers."
And Netsurion CISO John Christly said all companies should understand by now that perfect breach prevention simply isn't possible -- instead, he said, it's crucial to focus on effective monitoring, intelligent detection and rapid incident response.
"Some key elements to such a strategy are an optimally deployed and tuned SIEM platform leveraging machine learning, a combination of internal and external expertise actively engaged in analysis, and the use of deception technology to identify active attackers and suspicious behavior," Christly said.
A Shift in Focus
VASCO Data Security CMO John Gunn said the Deloitte breach is part of a trend of hackers moving away from targeting credit card numbers and Social Security numbers, and focusing instead on other types of confidential data. "This was first evidenced with the successful attack on newswire services that yielded hackers more than $100 million of insider trading profits, and more recently with the successful breach of the SEC for confidential information on publicly traded companies," he said.
"Firms such as Deloitte that have troves of sensitive, non-public information that could be used for illegal trading activity will find themselves increasingly in the cross-hairs of sophisticated hacking organizations," Gunn added.
Nyotron co-founder and CTO Nir Gaist said massive attacks like the Deloitte breach and the recent Equifax breach may just be the tip of the iceberg. "It's no secret that the number of similar threats are rising exponentially -- a trend that has galvanized enterprise organizations to not only find new and innovative ways to safeguard sensitive data, but to protect their brand and reputation over the long term," he said.
"Cyber criminals are constantly refinining their techniques to become more creative, sophisticated and evasive," Gaist added. "Meanwhile, much of the security industry is struggling to catch up, but unfortunately is often at least one critical step behind. The reason? Most security solutions act as gates. But when attackers bypass these gates, they can swiftly and easily compromise a network and cause irreparable damage to an organization's brand and reputation."