It is considered a bit overzealous by most, but I believe that passwords should have been done away with a long time ago in favor of cryptographic keypair logins - we have already found that the "2FA" used in practice, like emails and cellphone text messages, is not an adequate replacement. I'm aware there are other problems with storing your keys and loss, but I believe that is a better approach for anything that needs security. I wish I could get my bank accounts to use key-based logins.
> Why were you hacked?
> Weak passwords.
> What are you going to do about it?
> We've forced all systems and employees to regenerate passwords and service keys.
Now let's try this again without an honest answer:
> How were you hacked?
> No idea.
> What are you going to do? Are you still vulnerable?
> No idea. We'll have to do an extensive audit. No one knows how long this will take. There's not even an inventory of systems or data flow.
> Could they have installed backdoors?
And the same as I said previously: if the bad actors can brute force weak passwords, the company itself should be able to do it too and force those with weak passwords to update them.
I think businesses with critical infrastructure should use hardware keys (e.g. YubiKeys) to provide at least one of the factors needed to log in to a server. Using a YubiKey as an authentication key for SSH is not that difficult, and I do it for my own hobby stuff.
For web-based stuff one can now use WebAuthn to provide key-based authentication (in addition to whatever other factors one would like). This requires the enterprise to run up-to-date browsers, however.
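As an added example (not from any commenter in this thread), a POSIX sh audit of two constructed sshd_config fragments: the internet-facing, password-only setup the thread is worried about, beside a hardened one that only accepts FIDO hardware-backed (sk-) key types such as a YubiKey produces. It assumes OpenSSH 8.2+ for sk- keys and the OpenSSH 8.5+ keyword name PubkeyAcceptedAlgorithms; the config contents are made up for illustration.

```shell
#!/bin/sh
# Constructed sshd_config fragments for illustration (not from any real host).
# Weak: the internet-facing, password-only setup discussed in the thread.
WEAK_CFG='PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication no'

# Hardened: key-only logins, restricted to FIDO hardware-backed key types such
# as a YubiKey produces (sk- keys need OpenSSH 8.2+; PubkeyAcceptedAlgorithms
# is the OpenSSH 8.5+ keyword, older releases call it PubkeyAcceptedKeyTypes).
HARDENED_CFG='PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
AuthenticationMethods publickey'

# sshd_opt CONFIG KEYWORD DEFAULT: effective value of a keyword. sshd uses the
# first occurrence; an absent keyword falls back to the default given in $3.
sshd_opt() {
    val=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}')
    if [ -n "$val" ]; then printf '%s' "$val"; else printf '%s' "$3"; fi
}

# audit_sshd CONFIG: print each finding; return 0 only when the config forces
# hardware-backed public-key authentication and closes the password paths.
audit_sshd() {
    cfg=$1; rc=0
    [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is enabled"; rc=1; }
    # Either the old or the new keyword may disable PAM/keyboard prompts.
    [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)" = no ] ||
    [ "$(sshd_opt "$cfg" KbdInteractiveAuthentication yes)" = no ] ||
        { echo "FAIL: keyboard-interactive (password prompt) still enabled"; rc=1; }
    [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    case "$(sshd_opt "$cfg" PubkeyAcceptedAlgorithms '')" in
        *sk-*) ;;
        *) echo "FAIL: hardware-backed (sk-) key types are not required"; rc=1 ;;
    esac
    [ "$(sshd_opt "$cfg" AuthenticationMethods any)" = publickey ] ||
        { echo "FAIL: AuthenticationMethods does not pin publickey"; rc=1; }
    return $rc
}

# Run both constructed configs through the audit when executed directly.
echo "weak config:";     audit_sshd "$WEAK_CFG" || true
echo "hardened config:"; audit_sshd "$HARDENED_CFG" && echo "PASS"
```

Pointing the audit at a real host means feeding it the output of `sshd -T`, which already resolves defaults and Match blocks, rather than the raw file.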
Why is this so hard?!? I agree with you, but this sentence rang so true it was sad. I've been forced to work with/around unbelievably out-of-date browsers in order to install current firmware updates on systems at almost every place I've worked.
Depressingly often, these things are installed as part of a box-ticking exercise to pass an audit or meet another form of compliance; however, they never get set up right from the outset, or the security professionals who were there leave and never get replaced.
In this case, if they're talking about infrastructure available on the public internet with password-only authentication, then I'd wager that any skilled professionals they may or may not have had had already left, because no security-minded engineer would have okayed that practice. Which means even if they did have an IDS, I'm highly doubtful that it would have been managed properly either.
We aren't getting the whole story from Citrix.