
Deloitte Data Breach Has Proven Again That Only A Password Is No Security

If Deloitte, one of the world’s “big four” accountancy firms, which provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies, could allow an administrator’s account to be protected with just a password, I wonder what kind of cybersecurity advice they are providing to customers. As reported in The Guardian: “The hacker compromised the firm’s global email server through an ‘administrator’s account’ that, in theory, gave them privileged, unrestricted ‘access to all areas’. The account required only a single password and did not have ‘two-step’ verification, sources said.”

What people and many organizations are struggling to understand is that “no password is secure when you are a target”. People think that as long as they have a long password made of a combination of different characters they are safe. That’s not true. The entropy or length of a password can only increase the time it takes to crack it. It doesn’t prevent it from being broken.

It can be argued that a password is enough depending on the asset to be protected. That argument forgets that a simple piece of personal information you think is not valuable to an attacker might be exactly what they need to get to your sensitive resources. For example, an email address could be considered insensitive information, but attacks such as phishing rely on sending malicious links or content to people’s email addresses. According to a Webroot report, “an average of 1.385 million unique phishing sites are created each month” and phishing attacks “are the number one cause of breaches, and are a growing threat to organizations around the world”. So no matter how insensitive the account or data may be, you need to protect it as much as you can.

Simple Multi-Factor Authentication (MFA) could have prevented the Deloitte breach, or at least made it harder for the attacker.

The same Guardian report noted that “the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details”. What are passwords doing there? Are they storing passwords for their clients? It is never a secure practice to store passwords, even if the passwords are encrypted.

Another thing that keeps me wondering is this: “Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016”. This raises another security concern about the kind of security monitoring and unauthorized-access detection in place, which allowed the attack to last for months without being detected.

In conclusion, try as much as you can to secure your accounts with multi-factor authentication. Never store your passwords in clear text; better still, use a password manager to store your passwords. And never re-use the same password on different accounts.
