Another large-scale breach? That makes two this week!

https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/

Indian IT outsourcing and consulting giant Wipro Ltd. is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity.

First a Microsoft phish, now Wipro? This is a dream for IT Security Awareness companies (heh heh heh)! What I found funny about this breach was the security posture - here's a quote from their CISO: “Security cannot be a show stopper for business priorities.”

I'd hate to be insensitive, but it kind of sounds like they were asking for it.

Find more posts tagged with

Security

News

breach

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

PCTechLinc

I can't divulge why, but I have no sympathy for Wipro... they are on my biggest s*** list.

DZA_

“Security cannot be a show stopper for business priorities.”. Security is the new cost of doing business.

tedjames

Infosec_Sam said:

https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/

Indian IT outsourcing and consulting giant Wipro Ltd. is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity.

First a Microsoft phish, now Wipro? This is a dream for IT Security Awareness companies (heh heh heh)! What I found funny about this breach was the security posture - here's a quote from their CISO: “Security cannot be a show stopper for business priorities.”

I'd hate to be insensitive, but it kind of sounds like they were asking for it.

No argument here. And this coming from a CISO. I've met a lot of ISOs who were handed that title because somebody in the office had to have it, regardless of qualifications. It's a checkbox to some. I wonder if this is true of Wipro's CISO. Just another business guy getting saddled with IT and security when they should've hired a real security guy?

paul78

tedjames said:

No argument here. And this coming from a CISO. I've met a lot of ISOs who were handed that title because somebody in the office had to have it, regardless of qualifications. It's a checkbox to some. I wonder if this is true of Wipro's CISO. Just another business guy getting saddled with IT and security when they should've hired a real security guy?

Yup - totally agree. But the CISO from Wipro does have a tech background. His background - https://www.linkedin.com/in/sridhargovardha/ if you are curious.

The trouble these days is that most CISOs - (at least the ones that I know) tend to get stretched pretty thin. But others that I meet don't have the technology JOAT backgrounds that I believe is needed in high-level security management. The other problem is that if a CISO is seen as not-business friendly - they don't stay as CISO for very long - I've seen that a few times too - so there are often compromises that are made.

And then there are CISO's which come primarily from the program management or risk/compliance backgrounds. They are really good organizational structure people and can lead program groups. I personally think those are the least equipped CISOs. They really have to trust their people and organization and they typically don't have the right perspective to make good security judgement decisions if they have to decide on where to spend their budgets. They tend to rely on vendor and marketing hype. The security tech market doesn't really do any favors there either because there's so much FUD and snake-oil out there.

Personally - I don't know why anyone would want to be a CISO - they are usually the first person that is blamed for any breach.

I had listen to the interview with Sridhar and his characterization about 2fa and I entirely disagree with his comments about using risk profiles. Primarily because I've never seen a risk scoring system that could work in his scenario.

So far with the Wipro breach, the incident management and response has been one big giant fail.

If any information gets released about the attack vectors and how the malicious actors pivoted to their customers - that would be interesting to see. That's really what I'm waiting for.