I think this definitely qualifies as irony. Congrats to Dan (@viss) Tentler.
Monday’s news that multinational consultancy Deloitte had been hacked was dismissed by the firm as a small incident. Now evidence suggests it's no surprise the biz was infiltrated: it appears to be all over the shop, security wise. On Tuesday, what seemed to be a collection of Deloitte's corporate VPN passwords, user names, …
I am still laughing *. We highlighted this a few years ago after we tested a lot of networks when we set up their client SSO system. We emailed, wrote and spoke to their ITD to say that just about every portal was hopelessly insecure, that in many cases we could see PT cookies in use, that forms did not have any SSL and so on. Nice to see that instead of listening they actually went one step further and stored all the information on an open GitHub repo.
* - laughing because otherwise I would be crying.
As it is often the case nowadays, consulting companies are not always practicing what they're preaching. Which doesn't mean that what they're preaching is wrong, it only means that practicing it is more complex, difficult and costly in real life than what the consultants are telling you.
Or, to put it differently: managers of consultant organizations are quick to charge their customers for security services, but not as quick to pay themselves the security fees.
"consulting companies are not always practicing what they're preaching."
OTOH in such a field the you should expect to be judged by the way you run your own business. If that isn't very good why should you expect anyone else to buy your services. In fact, you're no better than all those would-be SEO specialists who write from gmail addresses and don't seem to have a domain name that should logically appear on first page in Google if one were to search for "first page in Google".
Want a bet on Deloitte's cyber business being more or less the same size as it is today in five years' time? There may be a couple of variously-sized cheeses rolling down the street outside their HQ in the weeks ahead as scapegoats are found, they'll announce a big reorg, Powerpoint will fly like leaflets off a printing press in a Laurel & Hardy film, and it'll be buzzword-compliant business as usual before you know it.
"Or, to put it differently: managers of consultant organizations are quick to charge their customers for security services, but not as quick to pay themselves the security fees."
What;s even more sad, is these are the very companies doing the assessments for standards which in some cases are a legal requirement if you want to stay in business. You HAVE to pay them or their ilk for the service. Who does their assessments and who signed off on it?
Do they have some ISO audits/certifications?
Is the weak security inherited from acquired businesses?
How, in today's internet where there's constant background noise of malicious scanning for vulnerabilities by bots and haxxors, do these things come to light now? Or they choose not to screw with big corporations unless they can get juicy private data?
They must use the BOFH password strategy...
"A good thing too, because I have three passwords I use for everything – Low, Medium and High Security."
"And I'm assuming that this is low security?"
"No, work is low security, this is medium and all the personal stuff I care about is high."
"Work is LOW?!" he gasps.
"Of course it is. It used to be Medium High, but then I realised that there was no point so I just went to low. One capital, some lowercase, 2 numbers."
"Yeah, that was our admin password for about two years."
Done two types of implementation (not security) audits in the past. Ones for companies who were largely in a mess and were surprised when their issues (rather than the implementer issues) were highlighted as the most important. And ones from companies who didn't really have a problem but really encouraged identifying anything that was found and went on to fix it.
So there are good reasons to audit as well as bad ones. Ironically given how they make their money, Deloitte's problems look like they needed an audit but never got one.
Not just "awards", anything Gartner related is purely paid for and has no value except among the clueless. Or possibly to laugh at a year or so later. Usually it's easy to work out who paid for any given gartner report.
Unfortunately many of the clueless are in positions of influence and believe that the paid-for-reports that Gartner produce for their customers have any value.
Observation: the highest bidder is almost always going to be cr*p. Otherwise they wouldn't need to use high bids. It also occurs to me that there may be interesting questions for gartner itself apropos the UK and US anti-bribery statutes, depending on the jurisdictions in which the
bribesbids are banked... (I mean first banked, prior to being laundered)
Don't forget the follow up "So this policy you're insisting on, how come your company doesn't follow it?".
Bonus points for refusing to allow their auditors to connect their laptops to your network because "they don't adhere to our security or patching policies".
It's a like a hackers wet dream, the right searches will yield lots of useful system passwords, even more so as we all move to cloud services. It's great fun seeing how many developers out there have a total lack of common sense when it comes to security, not all them just the really stupid ones!
“You’d think Deloitte claims to have all this super elder-god style security talent. If that was the case they might consider using that talent on its own infrastructure.”
Having worked with people from a a number of consultancies over the years, their talent/attitude ratio is rapidly heading towards zero. It's been astonishing, and rather sad, to see the levels of arrogance and basic incompetence on show and to think how much morale and cash has been squandered by these parasites. And they're all as bad as each other; the elder gods retired long ago, if indeed they ever existed.
Someone becomes a consultant (in the CSC, rather than the medical sense) for three and three reasons only:
1. They like the sound of their own voice much more than anyone else's.
2. They think they can earn more money and finally get that Beemer (never BMW, always 'Beemer').
3. They don't want to use their brains or do any work any more. But they like seeing other people do so.
My list deliberately does not include talent or a deep knowledge of a subject or a desire to help others do things better. A mistake people sometimes make is to confuse consultants with mentors. They are at opposite ends of the spectrum.
I'd like to think someone at Deloitte is panicking around now. But I expect no-one there reads sites like this. Cyber-security is merely a phrase on a PowerPoint.
Fair warning - former employee....
You don't work for Deloitte, you sell for Deloitte. If you perform the service, then you aren't adding value to the firm. All they care about is selling work and billing. Why bother thinking about who will actually DO the JOB when YOUR NAME allows everyone to assume the work is good. All you need to do to succeed at one of the big 4 be able to sound intelligent and close the deal.
To be fair, there are great people at Deloitte. The problem is the partnership model, the application of accounting ideologies to IT and the resulting lack of understanding of the importance of controls when price is a factor. Did they really understand the risk they were taking? Bet they do now!
"An ounce of image is worth a pound of performance." - Peters
I wonder how many of the other consultancy companies are now going into turbo-panic?
(A state seen only in PHB's with their necks on the line and sales people who forgot to book something and are about to lose a deal).
"QUICK, CHECK EVERYTHING!"
A lot of poor IT staff just lost their weekend and evenings for a while.
They did a cyber security review for me recently and commented I had no two factor auth on my admin account (small business and until now no one wanted to spend money). Within hours I'd got TFA up and running so surely they should be able to mange it. I've resisted so far from dropping them an email to see if they need a hand lol
Interestingly I found their US (fed) consultancy rate card. It looks like the sort of thing that should be an internal use only document, but hey, they don't seem to know the difference!
Appears they charge out their contract CISOs or senior systems security bods around $1,700 / day (£1,270). Maybe they should have held some of these guys back to get their own house in order...
"Deloitte" isn't a single company so there's no such thing as "global standards" for them. Each region and sometimes country is separate. It's not even a real company as it is a partnership so the partners are paying for the work to secure their systems and they would rather have the cash themselves.
But to be fair, this won't be because they've consciously decided to be insecure; they're just too busy raking in oodles of cash to think about it.
It was during a handover on a client site, I was there to recover essential admin information from the previous company handling network administration.
During talks with the soon-to-be-ex admin, we agreed that he would give me the list of passwords for administering the network - you know, as per normal.
He handed me a USB stick. I plugged it in and had it scanned, as per normal. Then I asked him which file I was supposed to copy. Under his instructions, I copied an xlsx file that he stated had the relevant data.
We parted ways not long after that and I went back to the office. While writing up my report, I looked at the file.
Now, just to be clear, this was a file given to me by a senior admin from a major local consultancy firm that has scores of big companies on its customer list, not a beginner. It just so happened that, yes, the file was an xlsx file, and it just so happens that he had a filter on his formatted table.
Guess what happened when I removed the filter ?
Yes, all the passwords for all the clients he was responsible for.
This is the level of intelligence we are dealing with these days. I blame Facebook.
I am bloody sure those are NOT ALL Deloitte's customers but also TalkTalk's ... pretty sure that bloke used to work for TalkTalk, got hired by Deloitte, simply carried his excel file over to Deloitte and used it there.
The probability of finding two d0uch3s of this kind in the same universe is 1 to a googolplex!
I had a slightly better insight on this in another industry I spent a lot of time in, but I cynically formed the view they're all the same.
Pretty much everyone has a glass cabinet in reception/the boardroom, the MDs office with 2 or 3 shiny baubles per year for "best in sector", "most magnificent new product", "innovation leader" or other such meaningless twoddle.
Once a year, some "industry body" (actually several )sends everyone on the mailing list an invite to the annual award ceremony and tells them they've been nominated for a few of this year's prestigious medals. You've just got to turn up and pay for a table, pre-book meals and bottles of bubbly, buy an advert in the commemorative arse-wipe brochure etc. This will run you will into 4 figures, if not 5, all on expenses, natch.
Everyone who turns up will get something, kind of in proportion to what they've forked out to get there. It's usually the marketing dept go and get these things, so they get a 3-day coke-fuelled orgy somewhere nice, with the industry award circle-jerk in the middle of it. They can then go home and boast about how amazing it is to win such a highly regarded thing, to a bewildered bunch of underpaid staff who still don't see what difference it makes to their torrid days of misery.
Or maybe I'm wrong and some merit is involved, champagnes all round!
Well, given Southeastern just won a Customer Service Excellence award at some
railway awards ceremony piss-up or other, your cynicism is entirely justified.
This is the company who, when challenged over constant lying about their performance figures, on having a requested meeting with a passengers' representative group, got hauled over the coals by their MD for parodying him on Twitter. And refused to discuss resetting the relationship between the 2 parties until an apology for this was forthcoming.
It turned out, of course, not to be a lie but a fucked-up copy'n'paste from Excel, which anyone can do. What was appalling was the insistence the figures were right, and audited (!!!) despite the arithmetic being quite clearly wrong.
If you don't practice what you preach... you won't have a practice.
and our CIO wanted to outsource the IT security, risk, compliance to these losers
check out most of the practice leaders in the big 4. they all have worked in their own "echo chamber"
no real life experience in an industry other than Big 4... out of touch, overpriced and pompous.
Nothing like one of them telling you how to do IT security in your industry when they were just an accountant 5yrs ago... bitter no. laughing my ass off yes. let it burn.
The way this is being handled, you can imagine what they believe is a 'good' emergency breach plan of action.
1 - Have someone finally read the logs; notice you only keep them for 6 months; come up with the idea the breach has only going on for 6 months--according to the logs.
2 - State you believe the threat is eradicated (A real InfoSec pro knows this is impossible)
3 - Keep all external connections as wide open as possible and don't audit them for the time you've been keeping this secret.
4 - Rely on our own idiots (who we contract out for security advice) to handle this problem
5 - Think about sending some people to a forensic course, but don't actually do it.
6 - Use a search engine to research, Network Breach Plan... look at the recommended checklist items and then do the opposite -- to be original and different from competitors
7 - Remember to keep this a secret for months
8 - Pull 80% of your resources to come up with an excuse because you know it will eventually leak out.
This is too easy.
Although I find the Gartner bashing hilarious, they only ranked Deloitte as number one based on revenue. Doesn't necessarily mean they were ranked first in terms of capability. Makes for a nice line in an article though I guess...
'[Gartner] ranked Deloitte #1 globally, based on revenue, in Security Consulting for the fifth consecutive year in its May 2017 report titled, Gartner: Market Share: Security Consulting Services, Worldwide, 2016.'
It's always amused me, in a "I'm fucking annoyed" sort of way, how these accountancy firms will merrily stomp across every other profession's territory, based mostly on their position as financial auditors.
Now, how many engineering consultancies have you seen doing a firm's audits or accounts ??...... You just try, and see the response from the accountants.
...pointed out that the Gartner award was being mislead by the media in a way to add fuel to the fire of this Deloitte situation, as it was an award for revenue in Security Consulting, not actual Security Consulting. However, not according Deloitte themselves:
"Deloitte ranked #1 by Gartner in Security Consulting for the 5th consecutive year"
Biting the hand that feeds IT © 1998–2019