Another large-scale breach? That makes two this week!

Infosec_Sam (Admin) Security+, CCENT, ITIL Foundation, A+ | Madison, WI | Posts: 451
https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/

Indian IT outsourcing and consulting giant Wipro Ltd. is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity.

First a Microsoft phish, now Wipro? This is a dream for IT Security Awareness companies (heh heh heh)! What I found funny about this breach was the security posture - here's a quote from their CISO: “Security cannot be a show stopper for business priorities.” 

I'd hate to be insensitive, but it kind of sounds like they were asking for it.

Comments

  • PCTechLinc CISSP, CHFI, CEH, MCSA Server 2008, Project+, Security+ce, Server+, Network+, A+ | King City, CA | Member Posts: 633
    I can't divulge why, but I have no sympathy for Wipro... they are on my biggest s*** list.
  • DZA_ Untitled. Member Posts: 414
    “Security cannot be a show stopper for business priorities.” Security is the new cost of doing business.
  • tedjames Scruffy-looking nerfherdr Member Posts: 1,111
    Infosec_Sam said:
    https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/

    Indian IT outsourcing and consulting giant Wipro Ltd. is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity.

    First a Microsoft phish, now Wipro? This is a dream for IT Security Awareness companies (heh heh heh)! What I found funny about this breach was the security posture - here's a quote from their CISO: “Security cannot be a show stopper for business priorities.”

    I'd hate to be insensitive, but it kind of sounds like they were asking for it.
    No argument here. And this coming from a CISO. I've met a lot of ISOs who were handed that title because somebody in the office had to have it, regardless of qualifications. It's a checkbox to some. I wonder if this is true of Wipro's CISO. Just another business guy getting saddled with IT and security when they should've hired a real security guy?
  • paul78 Member Posts: 3,016
    edited April 2019
    tedjames said:
    No argument here. And this coming from a CISO. I've met a lot of ISOs who were handed that title because somebody in the office had to have it, regardless of qualifications. It's a checkbox to some. I wonder if this is true of Wipro's CISO. Just another business guy getting saddled with IT and security when they should've hired a real security guy?
    Yup - totally agree. But the CISO from Wipro does have a tech background. His background - https://www.linkedin.com/in/sridhargovardha/ if you are curious.

    The trouble these days is that most CISOs (at least the ones that I know) tend to get stretched pretty thin. But others that I meet don't have the technology JOAT backgrounds that I believe are needed in high-level security management. The other problem is that if a CISO is seen as not business-friendly, they don't stay as CISO for very long - I've seen that a few times too - so there are often compromises that are made.

    And then there are CISOs who come primarily from program management or risk/compliance backgrounds. They are really good organizational-structure people and can lead program groups. I personally think those are the least equipped CISOs. They really have to trust their people and organization, and they typically don't have the right perspective to make good security judgement decisions when they have to decide where to spend their budgets. They tend to rely on vendor and marketing hype. The security tech market doesn't really do any favors there either, because there's so much FUD and snake oil out there.

    Personally - I don't know why anyone would want to be a CISO - they are usually the first person that is blamed for any breach.

    I listened to the interview with Sridhar and his characterization of 2FA, and I entirely disagree with his comments about using risk profiles. Primarily because I've never seen a risk scoring system that could work in his scenario.

    So far with the Wipro breach, the incident management and response has been one big giant fail.

    If any information gets released about the attack vectors and how the malicious actors pivoted to their customers - that would be interesting to see. That's really what I'm waiting for.