Video: Equifax teaches us what not to do after a data breach

Why did Equifax take a beating in the headlines, but the SEC breach was barely a blip?

Equifax is primarily a B2B company, but the data stolen was consumer data. Couple that with one of the worst responses to a breach possible, including: giving inconsistent answers; asking users to sign up for its own products; the end user license agreement fiasco which drew attention from New York Attorney General Eric Schneiderman; discovery of a prior hack by the same group; and the routing of users to a fake website put up by a security researcher.


Equifax getting pummeled is not too surprising, or undeserved for that matter.

The tepid response to the SEC breach can be boiled down to two factors:

1. Business data was stolen from the SEC. While that isn't a victimless crime by any stretch, individual consumers don't have to scramble to place a freeze on their credit report because of what happened at the SEC. Most citizens will not need to alter their daily lives due to the SEC breach. No sitting on the phone with three different credit bureaus or website enrollments for credit monitoring.

2. Hide your announcement in the shadows of a bigger breach. One of the not-so-secret secrets in the incident response, public relations, and crisis communications worlds is that sometimes timing your announcement to coincide with a larger, more public, and more sensational breach can help minimize the attention it receives. Now, there is no information available that indicates that the SEC was even thinking along those lines when it announced its own breach, but Equifax's continued missteps certainly didn't hurt the SEC.

What do the hacks signal? Is this a trend? How does Deloitte fit?

It's always tough to call hacking a trend; after all, "hackers gonna hack." However, it does continue to prove that the oft-used Willie Sutton adage about robbing banks "because that's where the money is" has not become irrelevant in the 21st century. Hackers have adapted to the digital transformation and data economy much like enterprises have, and that means adjusting how and what they target. Deloitte fits in three ways:

1. Deloitte has massive amounts of data. The days of consulting firms simply being a body shop or running through checklists in audits are long over. Deloitte is a global consulting firm that provides services across numerous business lines, which include architecture, development, deployment, and ongoing services. Deloitte has scooped up digital agencies that design software, continues to perform Advisory services around taxes and accounting, and of course, consults on information security engagements.

2. The data you steal from Deloitte makes every other attack easier. By sitting inside Deloitte as a threat actor, you gain valuable intelligence about the attack surface of hundreds of global enterprise companies. This data includes emails, email attachments, design documents, configuration details in spreadsheets, passwords emailed between engineers, etc. Your chances of success against other targets increase proportionately to the amount of information you harvest from Deloitte. Consulting firms and service providers are targets because they represent force multipliers for threat actors.

3. You can make insider trades with this data as well. It isn't just the information from the SEC that has value for a threat actor seeking to monetize information via stock market trades. Deloitte has an Advisory practice, and that means taxation and accounting audits for organizations. That information is the source of the data used in those very same SEC filings that may have been accessed by attackers in the SEC breach. Therefore, Deloitte - or any taxation and advisory firm - is a good target for the same reasons as the SEC.

Sure, but Deloitte sells security services, and the SEC is a regulatory body. Both should be better at this, right?

It seems by 2017 we have - hopefully - moved past the "tar and feathers" approach when a breach comes to light. A smidge of public shaming, inevitable litigation, and third-party contractual issues should be sufficient in all but the most egregious scenarios. But:

1. Deloitte's consulting practice does not run Deloitte's information security. With that in mind, its capability as an information security consulting firm does not necessarily reflect its ability to defend itself against hackers. The same is true for the SEC. They don't share the same budgets, KPIs, or organizational structure. However, it is right to ask whether Deloitte engaged in "dogfooding," or perhaps, as one of the Big 4, the preferred phrase to use is "drinking its own champagne."

2. Think stones and glass houses here. In Fight Club by Chuck Palahniuk the narrator states: "On a long enough time line, the survival rate for everyone drops to zero." That advice seems to apply to cyber as well, since one mistake by a user, one prematurely closed event by the SOC, or one failure to apply a patch can result in disaster weeks, months, or years later. Learn lessons and develop takeaways as details emerge, but remember that no one is immune to attack.

What should security professionals do if they work with a breached service provider?

If you are the customer of any service provider that gets breached, you should consider your organization more at risk. Here are some things to think about based on the nature of the Deloitte breach: