Another large-scale breach? That makes two this week!

Infosec_SamInfosec_Sam Admin Posts: 527 Admin
in Security News & Breaches
https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/

Indian IT outsourcing and consulting giant Wipro Ltd. is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity.

First a Microsoft phish, now Wipro? This is a dream for IT Security Awareness companies (heh heh heh)! What I found funny about this breach was the security posture - here's a quote from their CISO: “Security cannot be a show stopper for business priorities.” 

I'd hate to be insensitive, but it kind of sounds like they were asking for it.
Community Manager at Infosec!
Who we are | What we do
Tagged:
· Share on FacebookShare on Twitter

Comments

  • PCTechLincPCTechLinc Member Posts: 646 ■■■■■■□□□□
    I can't divulge why, but I have no sympathy for Wipro... they are on my biggest s*** list.
    Master of Business Administration in Information Technology Management - Western Governors University
    Master of Science in Information Security and Assurance - Western Governors University
    Bachelor of Science in Network Administration - Western Governors University
    Associate of Applied Science x4 - Heald College
    · Share on FacebookShare on Twitter
  • DZA_DZA_ Member Posts: 467 ■■■■■■■□□□
    “Security cannot be a show stopper for business priorities.”. Security is the new cost of doing business. 
    · Share on FacebookShare on Twitter
  • tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    Infosec_Sam said:
    https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/

    Indian IT outsourcing and consulting giant Wipro Ltd. is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity.

    First a Microsoft phish, now Wipro? This is a dream for IT Security Awareness companies (heh heh heh)! What I found funny about this breach was the security posture - here's a quote from their CISO: “Security cannot be a show stopper for business priorities.” 

    I'd hate to be insensitive, but it kind of sounds like they were asking for it.
    No argument here. And this coming from a CISO. I've met a lot of ISOs who were handed that title because somebody in the office had to have it, regardless of qualifications. It's a checkbox to some. I wonder if this is true of Wipro's CISO. Just another business guy getting saddled with IT and security when they should've hired a real security guy?
    · Share on FacebookShare on Twitter
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    edited April 2019
    tedjames said:
    No argument here. And this coming from a CISO. I've met a lot of ISOs who were handed that title because somebody in the office had to have it, regardless of qualifications. It's a checkbox to some. I wonder if this is true of Wipro's CISO. Just another business guy getting saddled with IT and security when they should've hired a real security guy?
    Yup - totally agree. But the CISO from Wipro does have a tech background. His background - https://www.linkedin.com/in/sridhargovardha/ if you are curious.

    The trouble these days is that most CISOs - (at least the ones that I know) tend to get stretched pretty thin. But others that I meet don't have the technology JOAT backgrounds that I believe is needed in high-level security management. The other problem is that if a CISO is seen as not-business friendly - they don't stay as CISO for very long - I've seen that a few times too - so there are often compromises that are made.

    And then there are CISO's which come primarily from the program management or risk/compliance backgrounds. They are really good organizational structure people and can lead program groups. I personally think those are the least equipped CISOs. They really have to trust their people and organization and they typically don't have the right perspective to make good security judgement decisions if they have to decide on where to spend their budgets. They tend to rely on vendor and marketing hype. The security tech market doesn't really do any favors there either because there's so much FUD and snake-oil out there. 

    Personally - I don't know why anyone would want to be a CISO - they are usually the first person that is blamed for any breach.

    I had listen to the interview with Sridhar and his characterization about 2fa and I entirely disagree with his comments about using risk profiles. Primarily because I've never seen a risk scoring system that could work in his scenario.  

    So far with the Wipro breach, the incident management and response has been one big giant fail.

    If any information gets released about the attack vectors and how the malicious actors pivoted to their customers - that would be interesting to see. That's really what I'm waiting for.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.