
How Not to Acknowledge a Data Breach - hsnewman
https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/
======
pm90
This is not surprising at all. Friends that work at such firms have shared
stories of horrifying incompetence at every level. Most of the engineers with
talent leave as soon as they realize leadership is dumb as rocks and got there
by conniving politics rather than a meritocratic rise by accomplishing actual
engineering tasks.

The only reason these kinds of companies continue to exist is the continuing
stupidity of American Executives who will go to any lengths to not pay a
decent wage for their Software operations. Fuck them, and they deserve exactly
this for fucking over good quality talent.

Nobody would be surprised if a bridge built by cheapo contractors failed. It's
much the same way with Software.

~~~
chris_wot
Companies I have worked at that have outsourced their IT infrastructure have
almost always consistently shown a lack of care, experience, training and
competence when it came to looking after our systems. In many cases I really
believe that it ultimately cost the company _more_ in lost efficiencies and
downtime than if they had kept the infrastructure expertise in-house.

------
lainga
Who uses outsourcing firms like Wipro (government agencies)? What do they
_do_? It seems to me, living in the bubble of _haute tech_, that the only
things you ever hear about these firms are (a.) they exist and (b.) they are
very large.

~~~
korethr
One of the things they do is man the call centers in which the call agents are
only allowed to: a) open tickets b) follow a script intended for people who
didn't do basic troubleshooting before calling tech support c) be very sorry
that your business is losing money due to the service interruption d) give you
vague non-answers as to when the team with the authority to actually fix
things but which is not allowed to interact directly with customers will
actually get around to working on your issue, and e) ask you to kindly rate
them highly on the customer satisfaction survey that you will be automatically
connected to after this call.

Another thing they do is supply you with an endless cascade of developers who
rotate in and out of your dev team on a 3-month basis. In those three months
they will a) tell your IT team that they need a newer laptop because their
current one gets slow when trying to run 3 instances of Visual Studio
concurrently b) wonder why hard drive failures are correlated with rough
handling of the laptop c) ask IT to troubleshoot their compilation errors d)
only save their code locally instead of to a shared repo e) get upset when 3
months of said locally saved code, which IT was never told about, gets lost
when the laptop, previously issued to the dev they replaced, is re-imaged
before redeployment as per company policy/standard-procedure f) thereafter
dodge turning in laptops to IT after their rotation ends, instead giving it
directly to their replacement, causing IT's stores of deployable laptops to
get depleted, and thus causing IT to come hunting after the never-turned-in
laptops, because the next wave of 3-month devs is coming and hardware to issue
them is needed, and finally g) treat company-issued laptops so roughly that
when IT eventually does get them back, what was brand shiny and new 3 months prior
is now chipped, cracked, scratched and covered in grease and crumbs, and has a
full kitten's worth of fluff accumulation in the cooling fan.

Okay, that last one was a bit hyperbolic, but every single point there did
happen, and more than once.

Yes, I have been embittered by contractors from these large Indian IT firms,
both as an end user 'supported' by them and as a co-worker supporting them. My
experience with them has not been a positive one.

~~~
privateSFacct
Password resets? The one time I had to work with government IT they had a call
center. They were trying to introduce a VPN product that required a super old
version of IE / Java to connect (we literally had to run Windows XP with IE to
get this thing to work). This was the "new" software that was like 10 years
old when purchased.

I'll skip all the drama - but one thing you could do is call the help desk to
get your password reset because of one clusterf after another. It actually
worked great. Hi, my username is JoeBob. Ok JoeBob, your new password is XXXX.

That was it. This is a system with super long passwords that had to be changed
ridiculously often, and an account lock feature after a few messed up entries
which required a password reset and lots of temp staff who came and went among
other issues (there were two layers of passwords and people constantly got
them confused).

So they had a metric TON of password calls. Despite all the drama with
passwords, you could get your password reset just by knowing your username and
the number to call for resets. It was brilliant and did save a TON of time,
but I had to laugh at the security of the system given your username was
derived directly from your name and was widely available in reports etc.

I never mentioned anything though because the thought of a more complicated
procedure to deal with for all the staff would have been a nightmare.

~~~
adamson
That's terrifying. What agency was this?

~~~
grepthisab
A major one.

------
wyldfire
Sometimes I think I'm pretty hip to the jargon but every once in a while I
learn a new one. IoC is an "Indicator of compromise."

~~~
tru3_power
Afaik it's a pretty common term. Alerting/monitoring teams oftentimes hit
up product security teams for IoCs they can use in their alerting
implementation.

~~~
jstarfish
It is common; everything in security is an ambiguous acronym.

"C-and-C", for "command-and-control," is particularly vague and has multiple
presentations-- C+C (Music Factory? An equation?), CnC (machining for
materials fabrication), C2 (tutoring? Dicarbons?), C&C (a law firm?), CC
(credit card).

APT (advanced persistent threat or Aptitude package manager?) is also
annoying.

If you're curious, a whole bunch of security-related acronyms are reflected in
the various product names and descriptions here:

[https://github.com/hslatman/awesome-threat-intelligence](https://github.com/hslatman/awesome-threat-intelligence)

~~~
DCoder
C&C also used to stand for the old game series _Command & Conquer_.

------
thisisit
One thing I always wonder: why do IT folks, people who are supposedly experts
in computers, fall for phishing emails etc.? You'd think they'd know better.

A couple of years ago I was working at the offshore office of a large internet
company. They claimed that their platform touched nearly 15-30% of internet
users. They had a large Security Operations Center to ensure every threat was
monitored and mitigated.

Our software and systems were frequently flagged for security issues. Any
suggestions to alleviate the issue fell on deaf ears.

The onshore US IT team always complained about how security changes would make
life difficult for them. The biggest critic was someone who had once opened a
phishing mail and got his password stolen (using memory dumps in Windows).

Meanwhile, the offshore team was afraid that pushing the US onshore team too
hard might put their jobs in danger.

And as if getting hacked wasn't enough, these guys exchanged plain text files
containing everyone's salary via email. No amount of training or meeting
helped.

Finally, a roundabout solution was put in place. Give the US folks two laptops:
one with heavy encryption for work, and a second for checking mail.

But they wouldn't budge on sending salaries in plain text. They said it was
easier for them to manage this way.

~~~
TeMPOraL
> _Why do IT folks, people who are supposedly expert in computers, fall for
> phishing emails etc?_

Phishing is a numbers game. Make it convincing enough, send to enough people,
and wait for someone who's too busy/tired to think to fall for it.

> _The onshore US IT team always complained about how security changes will
> make life difficult for them._

Because that's an absolutely true and valid complaint. From their point of view,
they're being paid for doing their jobs, and then the company starts spending
money to prevent them from doing their jobs. I've been on the receiving end of
this in the past, where only the sanity of our internal IT team prevented making
all software development take 3 times longer, because the company decided to
apply some completely bullshit "security practices" they found in an
ISO-whatever compliance handbook.

Security needs to work _with_ people, not against people. You can't just
announce security changes that utterly destroy existing workflows, without
helping develop an equivalent replacement workflow (with all corner cases
accounted for), while still expecting the same amount of work from people.
You'll just see people push back hard, and then ignore the new changes to the
extent possible while still trying to meet their deadlines.

~~~
keanebean86
The dumbest security restriction I've dealt with is not giving devs local
admin access to their work computers. In a previous job I had to contact my
manager every time I needed to install or update software. Sometimes he had to
get approval from the IT gods before he could do anything. I usually just
figured out ways to run applications without installing them.

It was a huge waste of time. From what I understand a dev installed something
bad one time so they punished everyone. Then again that's usually how these
things happen.

~~~
TeMPOraL
Oh yes. Taking away admin access was one of the dumb ISO-whatever security
restrictions they tried to impose on us top-down. We could retain it iff we
signed a form that put any and all responsibility and blame for any problems
coming from our admin access on us personally. Fortunately, the right people in
the right places arranged it so the forms got "lost", and admin access was not
taken away.

------
ian0
Quick bullet points on the steps a company should perform when a data breach
comes to light?

~~~
autoexec
If you don't have internal IT folks and an incident response team already in
place you're going to need to bring in some outside assistance.

- Take all compromised or infected systems offline immediately and have them
carefully examined to determine what data those systems contained (customer,
internal, and employee) and what was exposed to attackers.

- Look for additional signs of compromise in other systems as well, paying
close attention to those connected with the ones that were compromised.

- Log and record everything extensively throughout the process.

- Consult with your lawyers to see what legal obligations you have to
disclose the breach publicly.

- Notify everyone directly impacted by the breach as soon as you've
identified them so they can start taking steps to protect themselves. Don't
wait until you have all the details; you can update them as more information
is discovered.

- Make sure you have professionals to perform the investigation and re-secure
your impacted systems before they are put back online. This isn't the time to
count on that one guy in the office who "knows computers real good" to fix it.

- Continue to keep extensive logs and keep a close eye on everything for a
time after the attack to make sure you're not compromised again.

If you can manage even that much you're doing better than most of the
companies I've seen who were hacked. I've seen banks leave compromised systems
connected to the network for months after being notified. I've seen some
pretty large companies refuse to bring in outside help because they don't want
the expense even after they get hacked over and over. Many small to midsize
companies try to handle everything as quietly as possible and never tell
anyone what happened.

------
GrryDucape
It is a very interesting fact that cyber security is something that requires
specialized knowledge and training to respond quickly with appropriate
information, rather than jumping around in a way that actually creates confusion
around the industry as such.

------
morgosmaci
How not to report about how not to acknowledge a data breach includes dubbing
silly music over the other guy speaking to further prove your smugness. While
it is always fun to say I told you so, you can still be professional about it.

~~~
zenexer
If I’m not mistaken, the video was made by someone else.

~~~
jrace
Correct, the video was made by Graham Cluley:
[https://www.youtube.com/channel/UCc5jsl5zRbbGbXO0AB4aW4w](https://www.youtube.com/channel/UCc5jsl5zRbbGbXO0AB4aW4w)