Irony?
I think this definitely qualifies as irony. Congrats to Dan (@viss) Tentler.
Monday’s news that multinational consultancy Deloitte had been hacked was dismissed by the firm as a small incident. Now evidence suggests it's no surprise the biz was infiltrated: it appears to be all over the shop, security wise. On Tuesday, what seemed to be a collection of Deloitte's corporate VPN passwords, user names, …
I am still laughing *. We highlighted this a few years ago after we tested a lot of networks when we set up their client SSO system. We emailed, wrote and spoke to their ITD to say that just about every portal was hopelessly insecure, that in many cases we could see PT cookies in use, that forms did not have any SSL and so on. Nice to see that instead of listening they actually went one step further and stored all the information on an open GitHub repo.
* - laughing because otherwise I would be crying.
As it is often the case nowadays, consulting companies are not always practicing what they're preaching. Which doesn't mean that what they're preaching is wrong, it only means that practicing it is more complex, difficult and costly in real life than what the consultants are telling you.
Or, to put it differently: managers of consultant organizations are quick to charge their customers for security services, but not as quick to pay themselves the security fees.
"consulting companies are not always practicing what they're preaching."
OTOH in such a field you should expect to be judged by the way you run your own business. If that isn't very good why should you expect anyone else to buy your services. In fact, you're no better than all those would-be SEO specialists who write from gmail addresses and don't seem to have a domain name that should logically appear on the first page in Google if one were to search for "first page in Google".
Want a bet on Deloitte's cyber business being more or less the same size as it is today in five years' time? There may be a couple of variously-sized cheeses rolling down the street outside their HQ in the weeks ahead as scapegoats are found, they'll announce a big reorg, Powerpoint will fly like leaflets off a printing press in a Laurel & Hardy film, and it'll be buzzword-compliant business as usual before you know it.
"Or, to put it differently: managers of consultant organizations are quick to charge their customers for security services, but not as quick to pay themselves the security fees."
What's even more sad is that these are the very companies doing the assessments for standards which in some cases are a legal requirement if you want to stay in business. You HAVE to pay them or their ilk for the service. Who does their assessments and who signed off on it?
Do they have some ISO audits/certifications?
Is the weak security inherited from acquired businesses?
How, in today's internet where there's a constant background noise of malicious scanning for vulnerabilities by bots and haxxors, do these things only come to light now? Or do they choose not to screw with big corporations unless they can get juicy private data?
They must use the BOFH password strategy...
From https://www.theregister.co.uk/2017/02/03/bofh_2017_episode_1/
"A good thing too, because I have three passwords I use for everything – Low, Medium and High Security."
"And I'm assuming that this is low security?"
"No, work is low security, this is medium and all the personal stuff I care about is high."
"Work is LOW?!" he gasps.
"Of course it is. It used to be Medium High, but then I realised that there was no point so I just went to low. One capital, some lowercase, 2 numbers."
"Like Banana47."
"Yeah, that was our admin password for about two years."
...
Done two types of implementation (not security) audits in the past. Ones for companies who were largely in a mess and were surprised when their issues (rather than the implementer issues) were highlighted as the most important. And ones from companies who didn't really have a problem but really encouraged identifying anything that was found and went on to fix it.
So there are good reasons to audit as well as bad ones. Ironically given how they make their money, Deloitte's problems look like they needed an audit but never got one.
Not just "awards", anything Gartner related is purely paid for and has no value except among the clueless. Or possibly to laugh at a year or so later. Usually it's easy to work out who paid for any given gartner report.
Unfortunately many of the clueless are in positions of influence and believe that the paid-for-reports that Gartner produce for their customers have any value.
Observation: the highest bidder is almost always going to be cr*p. Otherwise they wouldn't need to use high bids. It also occurs to me that there may be interesting questions for gartner itself apropos the UK and US anti-bribery statutes, depending on the jurisdictions in which the bribesbids are banked... (I mean first banked, prior to being laundered)
Don't forget the follow up "So this policy you're insisting on, how come your company doesn't follow it?".
Bonus points for refusing to allow their auditors to connect their laptops to your network because "they don't adhere to our security or patching policies".
It's like a hacker's wet dream: the right searches will yield lots of useful system passwords, even more so as we all move to cloud services. It's great fun seeing how many developers out there have a total lack of common sense when it comes to security, not all of them, just the really stupid ones!
“You’d think Deloitte claims to have all this super elder-god style security talent. If that was the case they might consider using that talent on its own infrastructure.”
Not really.
Having worked with people from a number of consultancies over the years, their talent/attitude ratio is rapidly heading towards zero. It's been astonishing, and rather sad, to see the levels of arrogance and basic incompetence on show and to think how much morale and cash has been squandered by these parasites. And they're all as bad as each other; the elder gods retired long ago, if indeed they ever existed.
Someone becomes a consultant (in the CSC, rather than the medical sense) for three reasons and three reasons only:
1. They like the sound of their own voice much more than anyone else's.
2. They think they can earn more money and finally get that Beemer (never BMW, always 'Beemer').
3. They don't want to use their brains or do any work any more. But they like seeing other people do so.
My list deliberately does not include talent or a deep knowledge of a subject or a desire to help others do things better. A mistake people sometimes make is to confuse consultants with mentors. They are at opposite ends of the spectrum.
I'd like to think someone at Deloitte is panicking around now. But I expect no-one there reads sites like this. Cyber-security is merely a phrase on a PowerPoint.
Fair warning - former employee....
You don't work for Deloitte, you sell for Deloitte. If you perform the service, then you aren't adding value to the firm. All they care about is selling work and billing. Why bother thinking about who will actually DO the JOB when YOUR NAME allows everyone to assume the work is good. All you need to do to succeed at one of the big 4 is be able to sound intelligent and close the deal.
To be fair, there are great people at Deloitte. The problem is the partnership model, the application of accounting ideologies to IT and the resulting lack of understanding of the importance of controls when price is a factor. Did they really understand the risk they were taking? Bet they do now!
"An ounce of image is worth a pound of performance." - Peters
I wonder how many of the other consultancy companies are now going into turbo-panic?
(A state seen only in PHBs with their necks on the line and sales people who forgot to book something and are about to lose a deal).
"QUICK, CHECK EVERYTHING!"
A lot of poor IT staff just lost their weekend and evenings for a while.
They did a cyber security review for me recently and commented I had no two-factor auth on my admin account (small business and until now no one wanted to spend money). Within hours I'd got TFA up and running, so surely they should be able to manage it. I've resisted so far dropping them an email to see if they need a hand lol
Interestingly I found their US (fed) consultancy rate card. It looks like the sort of thing that should be an internal use only document, but hey, they don't seem to know the difference!
Appears they charge out their contract CISOs or senior systems security bods around $1,700 / day (£1,270). Maybe they should have held some of these guys back to get their own house in order...
https://www2.deloitte.com/content/dam/Deloitte/us/Documents/public-sector/us-fed-contractor-site-hourly-rates-10172014.pdf