After the Equifax and SEC breaches of previous weeks, international consulting and auditing firm Deloitte has been the next high-profile target to suffer a large-scale hacking attack. In this briefing we will take a look at the details of the breach and why even companies in the information security business are not immune to attack.
While little information is available from Deloitte itself, reporting by the Guardian, Forbes, and the Register implies that the email system used by the company was breached through a weak administrator password. Deloitte uses Microsoft’s Office 365 email service, which offers two-factor authentication as part of selected price plans. Whether Deloitte chose not to use two-factor authentication, chose a price plan that didn’t support it, merely forgot to set it for the account in question, or whether two-factor authentication was somehow circumvented remains unclear.
With administrative access to the email systems, attackers theoretically had access to a large segment of emails sent and received by Deloitte and its customers. As the firm specifically caters to large enterprises, confidential information contained in such emails is very likely to be easily monetized - either by selling it to competitors or by abusing it for insider trading.
How could this breach happen?
Deloitte itself is a major provider of information security services for large companies and governments and has acquired an excellent reputation in the field. A breach of this scale naturally leads to the question of how an organization with strong security capabilities can nonetheless be vulnerable to attack.
Apart from human error being almost impossible to completely prevent, one factor in particular seems to have played a major role in this breach: Fragmentation.
Deloitte employs more than 260,000 people in almost every country across the globe. Organizations of this scale commonly prefer a decentralized management structure so that subsidiaries can adapt to their region’s customs and legal requirements. The drawback of this structure is that security and compliance can vary greatly between locations. Reports indicate that while two-factor authentication was strictly enforced across many of Deloitte’s European and Asian locations, enforcement in North America was more relaxed. Ultimately this appears to be what led to the breach.
At the same time, as the number of employees grows, so does the number of individuals who put the company at risk through accident, malice, negligence or ignorance. Since the breach, researchers have found many systems or credentials belonging to Deloitte accessible over the public internet. While such misbehavior cannot be fully prevented, combating it aggressively is an essential element of any organization’s security strategy.
How could this breach have been prevented?
As we have pointed out in previous briefings, no system is absolutely secure and no recommendation can guarantee that no further breaches will take place. However, we do recommend that organizations with a global, decentralized management structure enforce at least a minimal information security policy globally. Such a policy should include the use of two-factor authentication for critical systems.
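A policy is only as good as the check that verifies it. The script below is an added example written for this briefing, not code from Deloitte or Microsoft; it audits the tenant role most relevant to this breach, the Office 365 Global Administrator role, and reports which of its members have no per-user two-factor requirement set. It uses the MSOnline PowerShell module (the module of the Office 365 era; Microsoft has since deprecated it in favor of Microsoft Graph PowerShell) and assumes it is run by an account permitted to read directory roles and users.

```powershell
# Added example (not part of the original briefing): list Office 365 Global
# Administrators whose accounts have no per-user MFA requirement.
# Requires the MSOnline module: Install-Module MSOnline
Import-Module MSOnline
Connect-MsolService   # interactive sign-in with an account that can read directory roles

# "Company Administrator" is the directory role name behind "Global Administrator".
$role    = Get-MsolRole -RoleName "Company Administrator"
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

$report = foreach ($m in $members) {
    # Role members may be users, groups or service principals; only user
    # accounts carry a per-user MFA state, so skip everything else.
    if ($m.RoleMemberType -ne "User") { continue }

    $user  = Get-MsolUser -UserPrincipalName $m.EmailAddress
    $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State   # "Enabled" or "Enforced"
    } else {
        "None"                                            # no per-user requirement at all
    }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        DisplayName       = $user.DisplayName
        MfaState          = $state
        MethodsRegistered = $user.StrongAuthenticationMethods.Count
    }
}

# Show the weakest accounts first so they stand out in a compliance review.
$report | Sort-Object MfaState | Format-Table -AutoSize

$unprotected = @($report | Where-Object { $_.MfaState -eq "None" })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} Global Administrator account(s) have no per-user MFA requirement." -f $unprotected.Count)
}
```

An "Enabled" state only means the user has been asked to register; "Enforced" is the state a minimal global policy should require for every administrator. Two caveats for the reviewer: tenants that require MFA through Conditional Access policies or Security Defaults will not show it in the per-user state, so those settings must be checked separately, and a report of zero "None" entries says nothing about other privileged roles (Exchange Administrator, for instance), which deserve the same check.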
To combat employee misbehavior, a combination of strict policy enforcement, auditing and education is the best tool currently available.