Hacker Eye on the Consultant Guy: Deloitte and the Art of Spotting Vulnerable Firms from the Outside

In the latest Security Ledger podcast, we analyze the breach of Deloitte by talking to two people who spend a lot of time judging the security of firms by how they look to the outside world. Dan Tentler of the firm Phobos Group tells us what he found out about Deloitte by doing some quick and dirty open source research. Also: we talk to Stephen Boyer of the firm BitSight about a new study that firm did of the gap between the security readiness of financial services firms and the third-party software supply chain they rely on.

The recent compromise of the CCleaner security scanning tool and MEDocs financial software raised concerns about the risk posed by vulnerable software supply chains. But companies face other, serious supply chain risks in the form of third-party service providers like law firms and technology service companies. Such firms often have carte blanche access to their clients' networks and collect reams of sensitive documents and intellectual property.

How secure are these third-party firms' networks? If the consulting firm Deloitte is any measure, the answer is that they're not very secure at all. That company, we learned, is the victim of a wide-ranging breach that exposed email information on employees as well as customers. And that may not be all. A report by security blogger Brian Krebs, citing a company insider, claims that attackers may have been roaming Deloitte's network for months. Subsequent open source research in the wake of the breach turned up a slew of red flags, including virtual private network credentials tucked into Deloitte code posted to the GitHub cloud-based source code repository and thousands of company systems directly accessible from the Internet using the Windows Remote Desktop Protocol (RDP).

Keeping up Appearances... or Not

Looking at companies from the outside. What can you tell about a company's security just by looking at it from the outside? A lot.

How seriously should we take those kinds of revelations? On this week's podcast we're going to talk to two people who spend a lot of time judging the security of firms by how they look to the outside world. One is the guy who dug into Deloitte's dirty laundry, Dan Tentler of the firm Phobos Group. He's going to tell us what he found and what he sees as the root cause of incidents like the hacks at Deloitte and Equifax: a breakdown in the security industry's ability to create and field knowledgeable security professionals.

To start off our podcast, though, we're looking at the larger issue of third-party security. A challenge that many companies have is evaluating how secure their business partners and suppliers are. Firms like Target, hacked by way of an air conditioning servicing contractor, learn the hard way to pay attention to third-party security. But Stephen Boyer of BitSight says that the lesson often goes unlearned. His company recently completed a study of financial firms that found they are far more secure than the third-party providers, like law firms and services companies, that serve them. BitSight has developed a score, akin to a consumer credit rating, to quantify how secure companies are based on their public profile. While financial services firms average a score of 710, legal organizations, technology firms, and business services firms ranked, on average, thirty points lower. Boyer said there's a correlation between firms that have a hard time keeping up appearances and firms that get breached.

The Security Industry Is Sick

And, in our second segment: when I called up Dan Tentler to talk about his open source research into the consulting firm Deloitte, I was expecting to hear him complain about the evidently lax security practices at the firm, including leaving thousands of company systems publicly exposed to the Internet. But Tentler had much less to say about Deloitte than about what he considers the bigger problem facing companies of all stripes: a culture of "smoke and mirrors" in information security, with lax accountability and weak professional standards that pervade many companies. "The security industry is sick," he said, and incidents like Deloitte and Equifax are just symptoms of that sickness.

As always: check out our full conversation in our latest Security Ledger podcast below or over at Soundcloud. You can also listen to it on iTunes. If you like our intro music, give some love to the group JoeLess Shoe, who recorded "Baxton," the song we use in just about every podcast.
