by mindfulplay 2480 days ago
Seeing way too many "incidents" these days ....

I would like at least one company to post an "incident" reveal in a more honest way:

"Due to our carelessness and relatively insecure practices, we had improperly disclosed user accounts to a moderately savvy hacker. We realize this is our fault.

If you'd like to help and given that we have your attention now, it would be valuable if you can help pentest our servers: the attacker used a simple SQL attack based on an unpatched server via CVE-3245. Are we missing anything else? Please let us know.

Thank you."


Yeah except in this case an employee account was likely compromised by spearphishing/social engineering/(or worst case keylogger). That can be very hard to defend against.

Good security is not easy, and not always due to "carelessness".

It's an expensive, onerous, never ending, and ever evolving process to get right. Most, if not all, companies do the bare minimum security they believe is necessary; anything beyond that is a waste of money and computing resources (if you believe otherwise, I have some retina scanners to sell you...)

> Most, if not all, companies do the bare minimum security they believe is necessary; anything beyond that is a waste of money and computing resources

This is why we continue to have incidents and vulnerabilities which could have been prevented, or better mitigated. Most often these companies do not even know how to make a correct assessment of their risk. They move forward with this idea that it's a waste of money and resources, yet waste everyone's time with clean-up, or just go out of business as a result. Even with minimal security training and limited curiosity, this incident could have been avoided.

Customers don't want to pay for it. You can easily run yourself out of business building a more secure system. We need to get people and customers to care first to make the economics work.

Plenty of these measures are just basic professionalism. Some are relatively inexpensive (enabling MFA everywhere by default given the number of MFA options.)

Other changes are mildly annoying to developers, ops, and support (e.g. re-requesting production access.) Since developers hold sway in most organizations, convenience often trumps security. None of these measures put anyone out of business.

If I had to attack something I'd go for the limited resources to help smaller organizations scale security appropriately. There are tons of resources for large dev teams, infosec specialists, etc., but there is very little that targets small organizations effectively.

Perhaps carelessness is a strong word and implies incompetence. And perhaps it's not incompetence I am complaining about but rather the fastidious and casual way of "move fast, break things, exponential growth" that builds the following without a strong foundation.

> (if you believe otherwise, I have some retina scanners to sell you...)

MFA with a U2F token would go a long, long way. Even softU2F as GitHub built might prevent this.

It would help... for now. Like I said though - it will be expensive and onerous for both the employees and the company... and who knows what the next evolution in attacks will be.

No matter how good security gets, attackers will always adapt. Everyone on earth is now using YubiKeys? Now you need a process in place for when people get their keys lost or stolen. Or when your computer doesn't have a USB port. And whatever "I forget my password"-esque process that is will probably be much easier to attack/manipulate/social engineer than the keys themselves would be.

Having to obtain a physical item is substantially harder to automate than credential stuffing. Especially U2F, which is a practical phishing protection and extremely hard to social engineer (you'd need to mail a token somewhere), should IMHO be the default for admin interfaces with elevated privileges.

> Between August 26 and August 31, 2019 an unauthorized party compromised a Segment employee’s Segment web application account without their knowledge, logging in with their email and password. This account had privileged access.

They weren't using 2FA, and only enabled after this incident. This is 100% Segment negligence.

2FA doesn't guarantee this incident would not have taken place.

If it's not hardware-based (i.e. Yubikey), you can still spearphish people into putting their username, password, and 2FA token into a honeypot page which would give the attacker a window of unauthorized access.
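The two comments above (U2F as practical phishing protection, and TOTP-style 2FA being relayable through a honeypot page) can be shown side by side in code. The following Python is an added example, not code from the thread, from Segment or from GitHub. It implements RFC 6238 TOTP for real, and models a U2F-style assertion with one simplification that is labelled in the code: the token's signature is an HMAC over a key that the token and the relying party both hold, whereas real U2F/WebAuthn uses an ECDSA key pair and the server keeps only the public key. The origins, secrets and timestamps are constructed for the example. What the example shows is the difference in what gets authenticated: a TOTP code proves nothing about where it was typed, while a U2F assertion is a signature over the hash of the origin the browser was actually on, so a phishing page that relays the real server's challenge gets back a signature the real server will not accept.

```python
"""Relayed TOTP is accepted; a relayed U2F-style assertion is not.

Constructed example. Signature = HMAC-SHA256 over a key shared by token and
relying party (a stand-in for the ECDSA key pair real U2F uses). The phishing
argument depends only on WHAT is signed: SHA-256 of the browser's real origin.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://app.example.com"   # assumed relying party origin
PHISH_ORIGIN = "https://app-example.com"  # assumed look-alike phishing origin


# --- TOTP (RFC 6238 on top of RFC 4226 HOTP) ----------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)


def totp_server_accepts(secret: bytes, code: str, now: int) -> bool:
    # Most servers accept the current 30s step plus one step either side.
    return any(hmac.compare_digest(code, totp(secret, now + d))
               for d in (-30, 0, 30))


def phish_totp(secret: bytes, now: int) -> bool:
    """Victim types their current code into the phishing page; the attacker
    forwards it to the real server a few seconds later. Nothing in the code
    says which site it was typed into, so the server accepts it."""
    code_typed_into_phish_page = totp(secret, now)  # from the victim's app
    return totp_server_accepts(secret, code_typed_into_phish_page, now + 5)


# --- U2F-style origin-bound assertion -----------------------------------
def app_param(origin: str) -> bytes:
    """U2F 'application parameter': SHA-256 of the origin the BROWSER is on.
    The phishing page cannot choose this; the browser computes it."""
    return hashlib.sha256(origin.encode()).digest()


class Token:
    """Models the authenticator: one key per registration."""

    def __init__(self) -> None:
        self._keys = {}  # key handle -> key

    def register(self, origin_seen_by_browser: str):
        handle = secrets.token_bytes(16)
        key = secrets.token_bytes(32)
        self._keys[handle] = key
        return handle, key  # real U2F hands back a public key here

    def sign(self, handle: bytes, origin_seen_by_browser: str,
             challenge: bytes) -> bytes:
        # Signed message = app_param || challenge (flags/counter omitted).
        msg = app_param(origin_seen_by_browser) + challenge
        return hmac.new(self._keys[handle], msg, hashlib.sha256).digest()


class RelyingParty:
    """Models the real server. It verifies against ITS OWN origin, never one
    supplied by the client."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._registrations = {}  # key handle -> key (public key in real U2F)

    def enroll(self, handle: bytes, key: bytes) -> None:
        self._registrations[handle] = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, handle: bytes, challenge: bytes, sig: bytes) -> bool:
        key = self._registrations.get(handle)
        if key is None:
            return False
        expected = hmac.new(key, app_param(self.origin) + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def u2f_login(token: Token, handle: bytes, rp: RelyingParty,
              browser_origin: str) -> bool:
    challenge = rp.new_challenge()  # a phishing site can relay this verbatim
    sig = token.sign(handle, browser_origin, challenge)
    return rp.verify(handle, challenge, sig)


def phish_u2f():
    """Returns (legitimate login ok, relayed phishing login ok)."""
    token, rp = Token(), RelyingParty(REAL_ORIGIN)
    handle, key = token.register(REAL_ORIGIN)
    rp.enroll(handle, key)
    return (u2f_login(token, handle, rp, REAL_ORIGIN),
            u2f_login(token, handle, rp, PHISH_ORIGIN))


if __name__ == "__main__":
    print("TOTP relay accepted:", phish_totp(b"12345678901234567890", 1600000000))
    print("U2F (real, phished):", phish_u2f())
```

Real tokens add a second line of defence not modelled here: the key handle is itself bound to the application parameter, so a token asked to sign for a mismatched origin refuses before any signature is produced. Either check alone is enough to break the relay; the server-side check is the one that holds even if a token is sloppy.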