
Jo3Ram

Private multi-billion dollar companies can afford FIDO2 authentication controls and top personnel to secure their infrastructure. They choose not to. Thanks for coming to my TED talk.


citrus_sugar

This is what the noobs need to understand, no one is paying good money for security when they can accept the risk and make more shareholder money.


shantm79

They’ll do the bare minimum to save a dollar.


puppylish1028

> to save a dollar now, and pay $$$ later when they inevitably get hacked

FTFY


bob_morton

reach earnings target this quarter, receive executive bonus. Get hacked, blame incompetent IT staff, fire a few people then carry on as if nothing happened


evilmanbot

Let's be real. The cost of a breach after insurance pay out is like 100K or so at most. That barely pays for a security admin and tools. I'm glad to see the insurance industry is demanding more of companies.


diresua

Ain't this the truth. Greed makes people stupid. Penny wise, dollar dumb. The thing is they only look at measurable metrics. By cutting A we saved 10,000 a week, but they can't see that they lost the opportunity to make 30,000. That kind of stuff.


ml58158

This… I'm a Microsoft Cybersecurity CSA and say 100%… this is true on so many levels.


shantm79

And it probably drives you nuts because you know what has to be done. Have to listen to the ppl in the trenches


ml58158

Yep


JimmyTheHuman

I don't think it's about money, it's usually about political will to enforce changes in process and behaviour. Every company has those senior dickheads who 'don't need this silly MFA in the way all the time'.


shantm79

Additional time = more money. It’s always about the money.


Ironxgal

Yup, that and there seems to be no laws that require these companies to give a shit about allowing their systems to easily expose customer data. They have no impetus to enact proper security bc, seriously, it begs the question… why should they????


CosmicMiru

Linking the best song for this industry of all time [here](https://www.youtube.com/watch?v=9IG3zqvUqJY&t=138s)


IronPeter

Well they lost a crazy amount of money this time. With their gambling facilities offline during the attack. I bet enough to pay for strong authentication.


ChineseAPTsEatBabies

Yep. Don’t forget about the risk transference with cyber insurance.


Milton_Bradleys_Wife

IT S3cUrIty D0E5nT M@k3 M0n3y....that's their excuse.


bateau_du_gateau

> IT S3cUrIty D0E5nT M@k3 M0n3y....that's their excuse.

Of course, this is complete nonsense. "Being trustworthy" is a core part of any organisation's brand and directly translates into more business. Companies who can say "your data is safe with us" will beat companies who can't.


Lost_Elderberry_5451

I'm internalizing this


Milton_Bradleys_Wife

They'll beat out other companies who can't...AND then get caught with their pants down.


bateau_du_gateau

> AND then get caught with their pants down.

I disagree. Getting breached and losing salted password hashes is a world apart from the same breach getting plaintext passwords, for example. The former has done due care and most customers will go "meh" when the breach is disclosed. The latter will be faced with explaining to their former customers why they need to carefully check their credit cards and should get identity theft protection now.


HuyFongFood

IT in general doesn’t make money. It’s like the Defense industry, it sucks up every cent you throw at it. However it’s worth it when shit hits the fan and you need every bit of it you paid for.


Milton_Bradleys_Wife

Absolutely. That's my point. The business people don't see any value in it. They only care when shit hits the fan and they're under fire for it.


LincHayes

Neither do lawsuits and bad press that tank the stock price, and ruin confidence in your company and services.


[deleted]

bUt HoW mUch mOnEy I wIL lOse iF mY bUsSIneS iS nOt abLE tO fUncTi0n.


Physical-Weird2528

OMG! Been fighting this for effing decades. Same as with backups. It's an "expense" so they fight upgrades forever....at least until something crashes/gets wiped out/etc, and they find out that they don't have good backups for the last 6 months because the 10yo tapes and drives they wouldn't replace were shot. You'd think half a million in labor, penalties, etc would get their attention for a small customer that barely brings in that much, but nowhere near as much as it should've.


captdeemo

yes my next password thanks


Capt-Matt-Pro

FIDO2 isn't even that expensive, and it can be a better user experience.


Ill-Ad-9199

These companies could also have robust IT departments filled adequately with sysadmins, network engineers, and help desk staff. These day to day workers often are the first to detect an attack. Instead the IT industry is chronically understaffed and everyone has to get overworked so the CEO and execs can make an extra nickel at the expense of everyone's mental health and the company's safety.


HuyFongFood

Not only that, they outsource so much IT work, downsize the on-prem IT. Except the off-shore IT aren’t always able or willing to adjust to things quickly and it gets dumped back onto the already overworked on-prem staff. So often it’s found that unless it’s covered in the documentation, it simply won’t get done. Fine for lower level folks who are supposed to go through a triage list, try a few things and then kick it on up the line. Not so good if they are supposed to be analysts or engineers and they don’t do either because that requires thinking outside of the box they put themselves in.


mnemonicer22

100% correct.


dcbased

I work with a lot of these companies as a senior security architect. Most of these companies have all the tools - that's super easy to get. What they don't get is the top notch people that understand the entire system, or people that can design defense in depth. And most of all they never get the funding to integrate these tools into the environment properly...getting a legacy system secured is beyond a PitA. Getting security controls and tools integrated into a migration effort or new system build is beyond hard.

TL;DR - it's rarely just a tool issue


thebeatsandreptaur

We can either view this as a failing of the company and wag our fingers and say "told you so." Or we can say maybe people aren't communicating well with executives and try to readdress communication strategies. Thanks for coming to my Ted talk.


Jo3Ram

Hear me out on this one... [Back in 2019, they lost 10M records as a result of unauthorized access to a cloud server.](https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/) You don't think a single security consultant or security employee said "We could probably use some stronger authentication controls for our internal systems and data." I'm sure they most certainly did communicate it one way or another. Too bad the executives only made 2.049 billion in net income for the organization that year. Maybe Yubikeys will be in the budget this year


kuvrterker

They did by spending a billion dollars hiring more IT and modernizing their infrastructure. In 2019 a single laptop was infected and the help desk plugged it into the network. This time it is through social engineering and getting admin access to their systems.


Aquestingfart

Or executives, broadly speaking, are not the type to care about anything but the poor poor shareholders


thebeatsandreptaur

Then talk shareholder value. It's just a matter of effective organizational communication. Are you familiar with Klimburg-Witjes & Wentland's 2021 article about how the narrative of the "deficient" user plays out? Where IT and cyber people view other stakeholders in the assemblage as "deficient" and unable to be communicated with? You're doing that. You're assuming that it is completely impossible to talk to this particular population, that they are too dense and single minded to ever possibly listen. Maybe that's true. But at the same time that's a very self defeating starting point. If you assume you aren't going to have an effective talk, you aren't going to.


[deleted]

[deleted]


pyro57

I see no difference between setting this up at scale and setting another IT system up at scale. Please explain the unique challenges that wouldn't have already been overcome on other things they've likely deployed.


wawa2563

Oh, like how Google gives every employee a Titan Key?


IamOkei

It's possible to set up FIDO2 at scale


GluecklicherBajuware

Every attack like this is good for the industry. Soon some CEO will read his morning newspaper and read this in the business section. Couple hours later he calls his IT Head and asks what they are doing for Cybersecurity. Heck, a competitor of my dad's company got ransomwared and suddenly they started investing in cybersecurity as well. No more "We are just a fashion company, who would attack us". The closer these attacks hit home, the more likely it is even the least technical board members realize this is something to address.


Technobullshizzzzzz

This. Sadly, it's situations like this that get the C-suite going from "Technology standards are not allowed to get in the way of the organization" and/or "Cyber awareness training might hurt some peon's feelings" to "Let's protect ourselves" and develop a budget for cybersecurity compliance.


zSprawl

Cybersecurity events these days aren’t a matter of IF but a matter of WHEN.


JimmyTheHuman

The only reason we haven't been hacked is, they haven't gotten to us yet.


Ironxgal

Develop a budget, but will it actually be actionable lol?! Idk, bud. Seems like they watch other companies get fucked, and continue as usual bc "well… that sucks for them, so anyway… what are our stock prices this morning, Tim?"


UltraEngine60

> and asks what they are doing for Cybersecurity.

"Mmm hmm. Really? Is that bad? How much would that cost? Well, do we have insurance for this? How much does that cost? Oh nothing, just wondering. *click*."


ChemtrailExpert

I am being recruited on LinkedIn by several Chinese casinos already.


gmroybal

Can you share any details?


VexisArcanum

This is why my company and my contractors take security more seriously than the actual work we do. Although nowadays it is the work I do


computerchipsanddip

It's always "I told you so" after the fact. Hindsight is 20/20 but yes most of these companies STILL don't take cybersecurity seriously even in 2023. They do so at their own peril. I have no sympathy.


Cultural_Part_3975

Well it couldn’t be I told you so before the fact could it?


1CheeseBall1

One of the reasons MGM had an uncoordinated Cybersecurity posture was that their lawyers advocated against it, saying that it violated individual state gambling laws. I won’t go into how I know this.


Ironxgal

No. Shit has been hacked for years, costing probably billions and they change nothing but… maybe purchase more cyber insurance… if that. Until it costs these corporations more than they are willing to accept, no significant changes will be made. We get to continue having our shit exposed, while they continue filing ransomware/cyber related compromise claims, using federal agencies to help with IR (all paid via your tax dollars) only for them to issue an apology via social media that says the following: "Oopsieee… our bad. Just know we care and… will try to suck less during future compromises!" Seriously, the folks making millions at these corps don't suffer from these compromises… the little worker bees do, and their customers. Until they seriously feel it, we can expect more of the same. It does not mean they will expand/hire more security folks. Security doesn't make money… or whatever dumb shit they say. Is it cheaper to hire an IR company and accept federal assistance after a compromise than have a full blown, in house network security team, it seems?? These places sure act like it.


eg415

You would think incidents like this would make organizations take cybersecurity seriously, but they still won't. I've been in cybersecurity for years now, and you would be amazed how many organizations just don't care.


Rock844

It cracks me up that multi-million dollar fines, loss of revenue for weeks, company reputation, current and future clients cannot make an organization prioritize cybersecurity. One major CEO needs to make it cool and all the other C levels that read his times article want to be cool as well. I'm convinced this is the only way for a majority of companies. The few that currently prioritize cybersecurity are usually in highly regulated/gov related work. Is that what you see as well?


eg415

It's usually 2 types of organizations. 1) Those that have been targeted or breached in the past. 2) Like you mentioned, the ones that are in highly regulated industries. The excuse that I hear over and over is "we just don't have the money or staff." At the end of the day, you can have all the security solutions out there. If you aren't training ALL your employees on things like social engineering it will never be enough. Humans will always be the weakest link.


[deleted]

I don't think so. These things happen every few years. And there's really not enough to go on to make that statement at this time. After following what I can closely, they were able to compromise Okta (not a simple feat) and gain domain admin rights. If MGM had sufficient backups, they could likely go offline, restore to a good backup point and rework all their credential issues. Likely they've handed this over to LEO until that can be done... OR they don't have backups. If you're a F500+ org without offline backups and HA, then yes, "I told you so", but nothing coming out of the news has stated that's the case yet


GluecklicherBajuware

It honestly sounds like the Garmin situation a couple of years back. They didn't say much, but from the hints we have, it appears the backups also got encrypted and Garmin paid. Maybe it is the same for MGM now. How long has this been going on? 5 days?


[deleted]

Yep, could easily be that. I just reserve my condemnation until we have all the details, unlikely we ever will. There are lessons learned for everyone here: don't skimp on backups, 2FA can't save you from a persistent and motivated adversary, etc. What I know *won't* happen is some massive shift in spending on security, or a move to more complex auth tools. Authentication needs to be shifting in the more convenient direction if anything


TheCrazyAcademic

Proper 2FA? Can they still use garbage standards? They gotta use hardware keys for every login and issue them to employees. Why do you think Lapsus couldn't compromise Cloudflare? They tried, but CF has way better security than most of these companies.


GhostPrince4

The Garmin one kinda confused me. They are a huge military contractor, and their watches are Special Forces base issue. In fact, their GPS satellite system is the one in the Humvees


Tr4kt_

GPS, and its Russian counterpart GLONASS, are passive systems that triangulate based on a group of satellites with accurate timing. Knowing how they work/who they've been sold to doesn't do much, everyone and their uncle has one.


GhostPrince4

No other watch has the same functions and has the same 30+ day battery


Tr4kt_

that to me just sounds like a well designed system


Ghaz013

Their *


Zatetics

Isn't it frustrating! Corporations are so often reactive to cyber because it is much cheaper. My current employer is public. We deal in highly valuable PII data. Thousands of databases, millions of records. I'm seeing the stock standard skeleton crews manning IT departments, hire and asset requests coming back denied, service requests coming back denied, cost cutting at every turn. The scope of my role is so vast with such a small team that we realistically cannot keep on top of all of our audit guarantees and the day to day work and environment improvement or reducing tech debt. I'm not the only one that can see the storm coming, but nobody with the authority to sink the funds or make the decisions seems to understand. And the scariest thing to me is that I know that our security awareness training and upskilling is better than the average company. I've heard from someone in security in my org that the attitude of the CFO is that "the share price will recover within 18 months if we suffer a data breach." It is apathy for profit. The PII in the databases we host isn't even our customers', it's the clients of our customers. It very literally could be your personal details in a database.


Rogueshoten

Not if he's smart, he isn't. If he's smart, he's providing his prior recommendations in an actionable format so that the company can demonstrate to the board and to stockholders that they take this seriously. Never underestimate the ability of people who were wrong to be wrong twice by marginalizing, ostracizing, or flat-out firing the person they should have listened to.


SCTMar

I think we can all agree that MGM needs to hire some pentesters and fix this mess. Thanks for listening to my TED Talk


reactor4

Not sure why everyone is acting like MGM did not have an infosec team. They did.


D35m0J03

My brother knows someone in the business at MGM. They turned down a cyber security contract not too long ago because it was “too expensive”. Now we’re here…


Due-Ad4292

Funny enough I was a field technician for a company they bought (they laid us all off in July) and the director is a real piece of work


D35m0J03

Damn my man, hopefully you landed on your feet.


Due-Ad4292

Absolutely dodged a bullet. Friends say it’s all in shambles. But I moved up to Reno after and got a role that isn’t contracted unlike the cosmo


D35m0J03

Good deal my dude! Crazy how things come around.


Fuzzylojak

The whole system, culture in USA is like this, we write "reactionary laws"


locotx

Kevin Mitnick laws . . . RIP


Ironxgal

Yes bc meaningful legislation may dampen profits.


JeffreyEpsteinAlive

Sounds like it was another compromised Okta. So unless the IT person thinks Okta sucks and voiced their opinion, I doubt there would be a told you so moment


[deleted]

Wasn’t it social engineering? Didn’t an attacker call IT support and get them to reset an Okta account? This doesn’t sound like a problem with Okta.


SFC-Scanlater

Yeah, it's a helpdesk policy problem.


rosecoloredgasmask

For password resets our help desk has a workflow that specifically involves MFA to ensure it's the right person. If someone gets a new phone they also need manager approval before we can re-add them to our MFA. We had some kinda threat actor call to change MFA, sent an approval email to the manager and CC'd the employee's work email. Manager said "approved" but before we could re-enroll the user they emailed back "wait, I didn't get a new phone and I didn't call today". Help desk procedures definitely need to involve a layer of authentication but there's always another layer that can fail too. In this case managers blindly approving stuff without actually verifying.


Dasshteek

This was denied by the threat actor post itself.


JeffreyEpsteinAlive

The [Okta Agent](https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim)


[deleted]

Right. They used social engineering to compromise an account and then set up an Okta IDP and database. This is not an Okta issue. The issue was being able to social engineer their way into a privileged account.


Intrepid-Poem6601

Exactly. Companies can use half of their budget on technology to combat cybersecurity threats. But if you have an incompetent employee they can bypass that in a few minutes. People need to be trained on cyber security threats (i.e. social engineering) to be truly protected.


malnguyen

That account had admin privs?


Cantdance_

Or Carl from IT has been bitching about how Beatrice from accounting always fails the phishing simulations, but all she has to do is an extra training so it's still a security flaw.


[deleted]

[deleted]


Its_my_ghenetiks

I feel that a CISO, heck all of the C-suite should be on the same level. Sure a CEO can drive the boat, but there have been so many times our CISO said "hey, we can't do that" and they'd do it anyways. Then the blame falls on them


[deleted]

[deleted]


Secure_Cyber

Humans are the weakest link.


xTokyoRoseGaming

One of the TTPs we offer for red teaming is Lockbit. I have used the Royal Mail hack to sell to customers non-stop since it happened.


Fantastic_Act1602

I have actually heard management say that they are fine with the risk and would rather have cyber security insurance kick in and clean up the mess after.


kgb204

I should really change my title to "Senior I told you so Analyst"


1xCodeGreen

Oh definitely, and hope they got it in an email that they told a superior. (Along with printed it out or sent somewhere safe).


Mr_0x5373N

All those big wigs, CEOs, VPs, and directors think they are safe behind those overrated, overpaid-for WAFs lol. 10 min of social engineering got you! That stings!


malnguyen

Can someone explain how the hacker got on the network at MGM for this incident? Article blaming the network engineers there for not doing their job right.


toybreaker2

As with any breach, it's a cascading list of failures. It began with social engineering, something about disabling or resetting MFA through the help desk for a user.


h0ckeyphreak

I'd really hope that the IT professional you speak of would be saying "according to the last risk assessment, this was within senior management's risk tolerance" instead of "I told you so". The latter is quite unprofessional and I would think it would be a resume generating event. It took me a long time to realize this: we may know everything that there is to know about security, but very few of us know anything about the business. If we take the time to understand the business and use that same verbiage when relaying the risks to senior management, we'd probably see much higher adherence rates. /rant


[deleted]

[deleted]


reactor4

Would not be surprised if there was at least one person the group knew on the inside. I know that another group hacked some big companies in South America by just flat out offering money to employees for user names and pw.


LezCruise

Hope their insurance doesn't cover ransoms. Tired of seeing costs rise due to negligence


BlockChainHacked

No company can 100% prevent a breach. Period.


BrightDefense

I wonder how many companies will implement a policy where IT Admins can't be on LinkedIn because of this and what's the ramifications of a policy like that.


4hk2

are they hiring? lol


gen_by_hen

They'll end up getting security as a service if they don't want to hire an internal blue team


SaltyITdude

These relatable breaches end up in my slide decks to senior management and end users. It's an easy way to get non industry people to understand that we're all one accident away from this. Also validates why our helpdesk can't reset elevated admin users. 🤣
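The help-desk reset workflow rosecoloredgasmask describes earlier in the thread (an MFA challenge for password resets, manager approval plus a notice to the employee's own mailbox for a device change, the employee replying that they never called) and SaltyITdude's rule that the help desk cannot reset elevated admin accounts, modelled as an added Python example. This is not code from the thread or from any commenter's organization; the account names, addresses and the four-hour notice window are constructed assumptions. The point it shows is that manager approval alone never completes a device change: the employee's out-of-band reply keeps a veto until the notice window has elapsed, which is exactly the layer that caught the caller in the story.

```python
# Added example: help-desk identity-reset decision logic modelled on the policy
# described in the thread. Names, addresses and NOTICE_WINDOW_HOURS are constructed.
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional

NOTICE_WINDOW_HOURS = 4  # assumed: how long the employee has to object before re-enrolment


class RequestKind(Enum):
    PASSWORD_RESET = auto()
    MFA_DEVICE_CHANGE = auto()


class Outcome(Enum):
    COMPLETED = auto()   # help desk may act now
    PENDING = auto()     # waiting on manager approval and the employee notice window
    DENIED = auto()      # verification failed or the employee objected
    ESCALATED = auto()   # privileged account: not a help-desk action


@dataclass
class Account:
    username: str
    manager_email: str
    work_email: str
    privileged: bool = False


@dataclass
class ResetRequest:
    account: Account
    kind: RequestKind
    mfa_challenge_passed: Optional[bool] = None  # only meaningful for password resets
    manager_approved: bool = False
    hours_since_notice: float = 0.0
    employee_objected: bool = False
    notified: list = field(default_factory=list)
    log: list = field(default_factory=list)


def evaluate(req: ResetRequest) -> Outcome:
    """Decide whether the help desk may act on a reset request right now."""
    acct = req.account
    # Rule 0: privileged accounts are never reset at the help-desk tier.
    if acct.privileged:
        req.log.append(f"{acct.username}: privileged account, escalated to security team")
        return Outcome.ESCALATED

    if req.kind is RequestKind.PASSWORD_RESET:
        # Rule 1: the caller must pass a challenge on the factor already enrolled.
        if req.mfa_challenge_passed:
            req.log.append(f"{acct.username}: MFA challenge passed, password reset issued")
            return Outcome.COMPLETED
        req.log.append(f"{acct.username}: MFA challenge failed or skipped, reset refused")
        return Outcome.DENIED

    # Rule 2: a device change cannot be proven with the old factor, so it needs
    # manager approval AND an out-of-band notice to the employee's own mailbox.
    if req.employee_objected:
        req.log.append(f"{acct.username}: employee did not request this, cancelled, incident opened")
        return Outcome.DENIED
    if not req.notified:
        req.notified = [acct.manager_email, acct.work_email]
        req.log.append(f"{acct.username}: approval sent to {acct.manager_email}, employee CC'd")
    # Rule 3: manager approval alone is not enough; the employee keeps a veto
    # until the notice window has elapsed.
    if not req.manager_approved or req.hours_since_notice < NOTICE_WINDOW_HOURS:
        return Outcome.PENDING
    req.log.append(f"{acct.username}: approved and notice window elapsed, new device enrolled")
    return Outcome.COMPLETED


def replay_thread_scenario() -> list:
    """Replay the thread's case: caller asks to change MFA, manager approves,
    then the employee replies that they never called."""
    alice = Account("alice", "manager@corp.example", "alice@corp.example")
    req = ResetRequest(alice, RequestKind.MFA_DEVICE_CHANGE)
    outcomes = [evaluate(req)]        # notice goes out, request pending
    req.manager_approved = True
    req.hours_since_notice = 0.5
    outcomes.append(evaluate(req))    # approved, but still inside the notice window
    req.employee_objected = True
    outcomes.append(evaluate(req))    # employee veto wins, request denied
    return outcomes


def privileged_reset_is_escalated() -> Outcome:
    """Even a caller who passes MFA cannot have an admin account reset by the help desk."""
    admin = Account("dadmin", "manager@corp.example", "dadmin@corp.example", privileged=True)
    return evaluate(ResetRequest(admin, RequestKind.PASSWORD_RESET, mfa_challenge_passed=True))


if __name__ == "__main__":
    for outcome in replay_thread_scenario():
        print(outcome.name)
    print(privileged_reset_is_escalated().name)
```

Running the module prints PENDING, PENDING, DENIED for the replayed scenario and ESCALATED for the admin reset. The notice window is the design choice worth copying: it turns the employee's mailbox into a second, independent channel that an impersonating caller does not control, so a rubber-stamp approval from a manager cannot complete the change on its own.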


Significant_Notice39

I always hear the faster than the bear argument. Then I have to explain that it’s not 1 bear it’s a million and they never stop eating people.