
Is Deloitte a new poster child for bad security practices? - peesar
https://techbeacon.com/deloitte-4-months-late-breach-new-poster-child-bad-security-practices
======
konceptz
A breach of emails at a cyber security consulting firm (among other things) is
very serious. It gives an attacker (consider a criminal organization) a look
at a large number of private firms. On the non-technical side it may disclose
cyber security budgets, people in decision-making positions, strategy and
application lists. The technicals could be worse, including test accounts/URLs,
application stacks, CVE lists, release cycles, source code (hope not!) and all
the other data you would need to give a trusted external provider of cyber
security.

Security firms have so many keys to so many kingdoms it’s frightening.

~~~
DCKing
It's worth stressing that Deloitte is not a cyber security firm primarily.
It's actually much worse (for them): they're a Big 4 audit company [1].

The fact that they are such a company both explains the situation and makes it
worse. First, one should realize that 99.8% of people working at these
companies don't know the first thing about cyber security. The 0.2% of people
that do might actually be really good [2] but these consultancies don't tend
to put their employees on improving the internal state of affairs.

Second, attackers getting access to security-related material might be bad,
but it will be much worse for Deloitte if people get access to the financially
sensitive data that the majority of their employees work on. Not only can this
be more directly damaging to their clients, this data and the responsibilities
around it are affected by many more laws and regulations.

[1]: [https://en.wikipedia.org/wiki/Big_Four_accounting_firms](https://en.wikipedia.org/wiki/Big_Four_accounting_firms)

[2]: This typically also depends on which local franchisee of the Big Four
brand you're talking to, but let's not go down that rabbit hole.

~~~
aplummer
> The 0.2% of people that do might actually be really good [2] but these
> consultancies don't tend to put their employees on improving the internal
> state of affairs.

I think your percentages are off (over ~60% of the firm's revenue is now
consulting, a large part digital), but this hits the nail on the head. On the
external consulting side, I was regularly in fruitless heated argument with
internal IT.

As bad as it is, I think the recovery spin to clients (it's an important point
and true) is that the engineers they are getting in a consulting capacity are
completely separate from the people managing the laptops.

I do think your second footnote is important too, these are totally separate
companies. This is a Deloitte US breach, the IT systems are totally separate.
The brand damage (the value of the information in the audit records if
unreleased is astronomical) will be shared, but at least the scope of the
actual leak will be limited to that member firm.

------
moron4hire
This is really bothersome to me in a very personal way right now. I'm about to
start a job at Deloitte. They have this super-onerous background investigation
process (completely separate from any security clearance investigation, this
is just their own background check). They want to dig into my financials, look
at my contracts and invoices and tax returns, for the years I've been working
freelance. All to prove I wasn't just sitting on my ass, playing video games
for the last 7 years. I'm not giving them my contracts! They can't keep their
own data secure, I'm really supposed to believe the asshole programmers who
built their web 1.0 data collection portal are going to keep my clients'
proprietary information secure?

~~~
unknown_apostle
More and more companies and HR departments are acting like they're in law
enforcement or banking or something, requesting and indefinitely storing all
sorts of private and identity documents. Sometimes even for the simplest of
jobs. This proliferation of personal data stored with cringeworthy security
practices is really starting to bother me as well.

------
gerhardi
"Ironically, Deloitte Touche Tohmatsu Ltd. is the world’s No. 1 security
consulting group (at least, for now)."

From what I have seen, it really seems that the shoemakers aren't usually
wearing shoes themselves. My experience is that the internal systems for
example in Big Consultancies are often something that the companies wouldn't
be proud to design/deliver for their clients.

~~~
einrealist
The profit requirements are harsh in the world of medium and large consultancy
firms. Internal IT is a cost center that is probably understaffed, underpaid
and needs to operate at lowest cost possible.

I know stories of departments / teams having their own rogue infrastructure
because official internal IT resources are so ineffective.

~~~
numbsafari
It also doesn’t help that, if someone is good, everyone is incentivized to
turn that person into a billable asset.

I bet their accounting practices are just as screwed up.

~~~
jtbigwoo
>> I bet their accounting practices are just as screwed up.

The difference is that proper accounting has laws behind it. If your
accounting practices are crooked enough, executives can go to jail and/or be
personally liable for losses. If there were similar information security laws,
I suspect we'd have far fewer breaches like this.

------
mannykannot
There are some valid reasons for announcements of breaches to be somewhat
delayed (to assess the scope, to allow for patching a new zero-day exploit,
for ongoing investigations...), but, predictably, this leeway is being abused
to cover incompetence.

------
raverbashing
But according to, ahem, self-congratulating industry "experts" they were
classified as the "best IT company" (probably the same "experts" who still
think one's mother's maiden name should be used to secure anything barely
important).

~~~
tyingq
The number one rating was from Gartner, but it was number one in security
consulting based on revenue, not competency.

Like McDonalds is #1 in burgers.

[https://www2.deloitte.com/cy/en/pages/about-deloitte/article...](https://www2.deloitte.com/cy/en/pages/about-deloitte/articles/deloitte-ranked-1-gartner-in-security-consulting-for-5th-consecutive-year.html)

_"Deloitte announced today that Gartner, the world's leading information
technology and advisory company, ranked Deloitte #1 globally, based on
revenue"_

~~~
baby
He was probably referring to Gartner yes, and this ranking is absurd since a
lot of companies just blindly follow Gartner's publication to contract. There
are way better companies in this industry... (I might be biased since I work
for NCC Group)

------
yardie
This actually comes as a surprise to me. Because they are following most
infosec security best practices. A family member works for them in financial
consulting. She showed me some of the equipment in her deployment bag
including an MFA keyfob, a mifi (never touch the client network), privacy
screen filters.

Compared to your average remote employee network, it's pretty rigorous. And it
comes with loads of training. I wouldn't doubt this security breach was
targeted and extremely sophisticated. Just casually sending an email attachment
would not have worked.

~~~
jaclaz
As a side note - and not necessarily this being the case - I have seen in my
experience companies/institutions that have reasonably "good" security
policies and provisions at _user level_ (including the "common"
employees/contractors) and then a much more lax one at a _higher level_ (like
- literally - having the login/password for _every_ system scribbled on a
post-it pinned to the IT administrator's monitor, or allowing some top executives
to access the systems without login/password - or with "123456" - because it was
_inconvenient_ for them to use a secure method).

~~~
yardie
In the interest of security we've had to take on a white glove approach to
senior execs. No we won't allow you to use the same shitty password. Their
assistants handle the password changes.

~~~
jaclaz
Sure, and - actual anecdata, names changed or omitted to protect both the
innocent and the guilty - I was present (talking with a top-level executive in a
private largish - though not very, very large - firm about a possible
consulting contract with them) when he attempted accessing his e-mail or
something and muttered something like:

Stupid IT guys, they must have changed the password again!

Then called his secretary/assistant (with the speakerphone on):

Hey, Susan, what is the new password?

And Susan, promptly replied:

It is "123456", I have written it on a post-it I put in your left top drawer.

Admittedly the above happened a few years ago (roughly 2008 or 2009), but I
wouldn't be so sure that anything has changed much in the meantime.

------
qaq
After I started working for a prominent company in the field, the only thing I
can say is I really hope none of the top people I met ever turn blackhat.
Regardless of how good your practices are they would be able to get in and
given intimate knowledge of IR tools and processes there will be virtually 0
chance of detection.

------
vectorEQ
Nothing is 100% secure, no matter how many audits you do.

However, the "no 2FA on the email server" story... what happened? Was the email
server directly on the internet? (who has mail gateways, right??) Or was OWA
configured without 2FA? Those 2 things should come out in any pentest or
external network audit. Seems a bit of a silly oversight. That being said, I
repeat, nothing is 100% secure.

"99.8% of people working at this company don't know anything about security" is
very inaccurate. They do have a big team of hackers (40+) besides all of their
security officers, auditors and whatnot. So I think, as they really push for
the cyber side of things also, they will have a few more aware people. And
really, I think these companies should practice what they preach. If they miss
such a misconfiguration on their own servers, why trust them auditing
mine????

------
mtmail
When submitting use direct URLs, not tracking URLs or URL shorteners. Those
will be blacklisted on Hackernews.

------
thiscatis
Is this an article or random ramblings?

~~~
richij
It's a carefully-curated roundup. I appreciate not everyone likes my style --
you can't please all the people all the time.

------
moretai
I feel like people are just using this as an opportunity to trash consultants.

------
quietchaos1
Nice try, Equifax! I see what you did there...

------
coldcode
Please change the URL to the real one:
[https://techbeacon.com/deloitte-4-months-late-breach-new-pos...](https://techbeacon.com/deloitte-4-months-late-breach-new-poster-child-bad-security-practices)

