Deloitte hack part of growing trend of big-scale breaches

Cyber experts see need for better encryption, rapid reaction, advanced technology


The astonishing rash of disclosures of data breaches at top-tier organizations continues. Big Four accounting firm Deloitte has joined Equifax and the U.S. Securities and Exchange Commission in going public about a catastrophic loss of sensitive data.

Ironically, Deloitte a few years ago branched from its core auditing and tax services to high-end cybersecurity consulting. PricewaterhouseCoopers, another member of the Big Four club, did much the same thing.

There is no question Deloitte and PwC take cybersecurity seriously and have talented people providing valuable guidance to marquee enterprises and big government agencies. ThirdCertainty has featured experts from both consultancies in our content.

Related article: Deloitte experts offer network security advice to corporate executives

That’s why it is so ironic that The Guardian and cybersecurity blogger Brian Krebs reported last week that Deloitte lost the contents of email for clients across all of the sectors it serves: multinational banks, media companies, big pharma firms and federal agencies, including Uncle Sam. ThirdCertainty asked a roundtable of industry experts to put the Deloitte hack into context.

William Leichter, Virsec Systems vice president of marketing


Cyber attacks are part of everyday life for most organizations. The key question is not whether you get hacked, or even whether you have vulnerabilities. What’s critical is to react quickly and close the window of opportunity to limit damage. If Deloitte had set up a security system for a client that didn’t detect a breach in more than six months, they would be fired, or worse.

Nir Gaist, Nyotron co-founder and chief technology officer


As with the recent Equifax breach, the Deloitte hack is indicative of a growing trend of breaches of enormous scale. These attacks are rising exponentially. Cyber criminals are constantly refining their techniques to become more creative, sophisticated and evasive.

Meanwhile, much of the security industry is struggling to catch up but, unfortunately, is often at least one critical step behind. The reason? Most security solutions act as gates. But when attackers bypass these gates, they can swiftly and easily compromise a network and cause irreparable damage to an organization’s brand and reputation.

In light of today’s complex security environment, enterprises need to recognize that chasing threats is ultimately a race to the bottom. To truly arm themselves, they need to be familiar with advanced technologies that can address unknown threats as well as new iterations of old ones. The ways to enter a network are infinite, so the solution should rely on more intelligent approaches that offer comprehensive protection.

Sanjeev Verma, PreVeil founder and chairman


Cybersecurity systems must be designed to protect data even if attackers are successful in breaching servers and other central points of attack, such as a super user. The Deloitte breach reportedly occurred through theft of the password of the IT admin who had super user credentials. Once in, the hackers had full access to client emails, passwords and all manner of sensitive information.

Currently, the two most widely applied email encryption processes are encryption in transit and encryption at rest. Both leave emails and files vulnerable to server attacks because the information is decrypted on the server while in use, and therefore visible to an attacker.

New thinking on security should focus on protection of data under the assumption that a hack will occur. End-to-end encryption covers data on its journey from start to finish; messages and attachments are encrypted directly on the sender’s device and are decrypted on the recipient’s device.
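To make the distinction Verma draws concrete, here is an added example (not PreVeil's code and not part of the original article) of the end-to-end model: the sender encrypts on its own device with the recipient's public key, the mail server stores only the resulting envelope, and decryption happens on the recipient's device. The server model, the mailbox name and the key derivation (SHA-256 over a fixed label and an X25519 shared secret, chosen for this example) are assumptions; the primitives are Go's standard-library X25519 and AES-256-GCM. The AdminDump function stands in for the super-user view of the server that the Deloitte attackers reportedly had: with end-to-end encryption it contains ciphertext, nonces and public keys, but no plaintext and no key that could recover it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the mail server stores: ciphertext plus the public values
// the recipient's device needs to decrypt it. It carries no secret key.
type Envelope struct {
	SenderPub  []byte // sender's ephemeral X25519 public key
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// Server models a mail server that stores envelopes exactly as received.
type Server struct{ inbox map[string][]Envelope }

func NewServer() *Server { return &Server{inbox: map[string][]Envelope{}} }

func (s *Server) Deliver(to string, e Envelope) { s.inbox[to] = append(s.inbox[to], e) }

// AdminDump is everything a super user on the server can read: the raw stored bytes.
func (s *Server) AdminDump() []byte {
	var buf bytes.Buffer
	for _, msgs := range s.inbox {
		for _, e := range msgs {
			buf.Write(e.SenderPub)
			buf.Write(e.Nonce)
			buf.Write(e.Ciphertext)
		}
	}
	return buf.Bytes()
}

// deriveKey turns an X25519 shared secret into a 256-bit AES key.
// Constructed KDF for this example: SHA-256 over a fixed label and the secret.
func deriveKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil { return nil, err }
	k := sha256.Sum256(append([]byte("example-e2ee-mail-v1|"), shared...))
	return k[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt runs on the sender's device; it needs only the recipient's public key.
func Encrypt(recipientPub *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return Envelope{}, err }
	key, err := deriveKey(eph, recipientPub)
	if err != nil { return Envelope{}, err }
	aead, err := newGCM(key)
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Envelope{}, err }
	// The recipient's public key is bound as associated data, so an envelope
	// moved to another mailbox fails authentication instead of decrypting.
	ct := aead.Seal(nil, nonce, plaintext, recipientPub.Bytes())
	return Envelope{SenderPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt runs on the recipient's device; the private key never reaches the server.
func Decrypt(recipientPriv *ecdh.PrivateKey, e Envelope) ([]byte, error) {
	senderPub, err := ecdh.X25519().NewPublicKey(e.SenderPub)
	if err != nil { return nil, err }
	key, err := deriveKey(recipientPriv, senderPub)
	if err != nil { return nil, err }
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	return aead.Open(nil, e.Nonce, e.Ciphertext, recipientPriv.PublicKey().Bytes())
}

// Demo sends one message through the server and reports what the recipient
// recovered and whether the super-user view of the store contains the plaintext.
func Demo(plaintext []byte) (recovered []byte, adminSeesPlaintext bool, err error) {
	recipient, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, false, err }
	srv := NewServer()
	env, err := Encrypt(recipient.PublicKey(), plaintext)
	if err != nil { return nil, false, err }
	srv.Deliver("client@example.test", env) // constructed mailbox name
	adminSeesPlaintext = bytes.Contains(srv.AdminDump(), plaintext)
	recovered, err = Decrypt(recipient, srv.inbox["client@example.test"][0])
	return recovered, adminSeesPlaintext, err
}

func main() {
	got, seen, err := Demo([]byte("Q3 audit findings: material weakness in revenue recognition"))
	fmt.Printf("recipient read: %q\nadmin sees plaintext: %v\nerr: %v\n", got, seen, err)
}
```

The contrast with encryption at rest is where the key lives: an at-rest design keeps the decryption key on, or reachable from, the server, so a stolen super-user credential yields both ciphertext and key. Here the only private key is generated and used on the recipient's device, which is why the stored bytes are useless to whoever controls the server. A production design would add sender authentication (the ephemeral key above proves nothing about who sent the message), a standard KDF such as HKDF, and a key-distribution story for the recipient's public key.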

John Gunn, VASCO Data Security chief marketing officer


The massive breaches of credit card numbers and Social Security numbers are contributing to a devaluation of these items. What we will see now is a continuing rise in attacks on other sources of confidential data that can profit attackers.

This was first evidenced with the successful attack on newswire services that yielded hackers more than $100 million of insider-trading profits, and more recently with the successful breach of the SEC for confidential information on publicly traded companies.

Firms such as Deloitte, which have troves of sensitive, nonpublic information that could be used for illegal trading activity, will find themselves increasingly in the cross-hairs of sophisticated hacking organizations.

More stories related to company breaches:
As threats multiply, cyber insurance and tech security industries start to merge
Cybersecurity experts outline the wider ripples from Equifax breach
Better cybersecurity audits would mean better network protection
