One weak password brought down a 158-year-old company

Well, even though the employee was at fault for using an easy-to-guess password, the IT manager is equally at fault for not setting up enforcement of minimum password complexity requirements.
It's entirely the IT manager's fault. They apparently didn't have backups. Most people have no idea what the proper level of password complexity is. The IT guy is paid specifically to take care of that.
 
I've been sent to an emergency before: not a client, but they contacted us for emergency help as we were a close IT firm. They had their backups stored on a local NAS that replicated to an offsite NAS.

But both sites were flat networks; security didn't really exist anywhere in the setup. The domain administrator account was used for access to the NAS shares, for example, and that's the same account the backup software used to access everything.

Once the hackers got hold of that password, they deleted everything they could from the backups.

What was interesting, though, and the reason I bring it up here (I didn't want to name Synology, but it's worth putting out there, and apparently this is fixed in newer firmware releases), is that on the firmware this company was on, the hackers had logged into the NASes with some engineering account and completely hard reset both NASes.

That didn't delete the data on the drives. I was able to set the NASes up again; they discovered the existing RAID and put themselves back together. The hackers did a poor job of deleting the backups: they logged into the software (Veeam) and deleted the backup jobs etc., but didn't check that Veeam had actually deleted the data, which it hadn't, luckily for me. Then I just restored everything to a new Azure environment that was actually locked down.
I hadn't considered a business only counting on NAS backups and not a major backup company, but that isn't that surprising now that I think about it.
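The incident above turned on one question nobody had asked until after the breach: was the backup data still physically there, regardless of what the backup console claimed? The script below is an added example (not code from the thread or from Veeam) of the independent check a defender would run: build a hash manifest of the backup repository, store it somewhere the backup service account and domain admin cannot reach, and later compare the repository against it so that deleted or overwritten backup files are flagged even if the backup software's job list looks fine. The directory layout, file names (Veeam-style `.vbk`/`.vib` extensions) and tampering steps in `demo()` are constructed for illustration.

```python
"""Independent backup-repository verification against a hash manifest.

Added example: not the poster's code or Veeam's tooling. Assumes the backup
repository is a directory tree the verifier can read, and that the manifest
is kept off-box (a read-only location that backup and admin accounts cannot
modify) so a compromised credential cannot rewrite it along with the data.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so multi-GB backup files don't hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Return {relative POSIX path: sha256} for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the repository's current state with a trusted manifest.

    missing:    files the manifest lists that no longer exist (deleted backups)
    modified:   files whose content hash changed (corrupted/encrypted backups)
    unexpected: files not in the manifest (new jobs, or something planted)
    """
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a manifest of a small repository, then simulate
    an attacker with the backup account deleting one restore point and
    overwriting another. The verification must report both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "job1").mkdir()
        (root / "job1" / "server1.vbk").write_bytes(b"constructed full backup payload")
        (root / "job1" / "server1.vib").write_bytes(b"constructed incremental payload")
        (root / "job2").mkdir()
        (root / "job2" / "fileshare.vbk").write_bytes(b"constructed file share payload")

        # Manifest taken while the repository is known-good. In production this
        # JSON goes to a location the backup/admin accounts cannot write to.
        trusted_manifest = json.dumps(build_manifest(root))

        # Simulated tampering via the shared admin credential.
        (root / "job1" / "server1.vib").unlink()
        (root / "job2" / "fileshare.vbk").write_bytes(b"zeroed")

        return verify_backup(root, json.loads(trusted_manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step after each successful backup job and the verification step on a schedule from a host that holds only read access to the repository. A non-empty `missing` or `modified` list is the signal the poster lacked: the backup console can say whatever a compromised account told it to, but the hashes cannot.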
 
Pulling the plug and restoring from the most recent backup then spending a few days firefighting was too much effort I guess.
Probably didn't want to pay for backups! 😢 I worked for a global company, and we had training to spot phishing attacks all the time. My company sent out "test" emails and still had dummies fall for them! 😲 They had a scale: fall for the first one, back for retraining; the second one, no internet or email access for a month! If you fell for a third one you were fired! 😢 We did have a vendor get hacked, and they tried to get into our system, and the company sent a warning out to everyone!!
 
I also really do not see how a hack could have brought down the company so easily. This means that at any time any of the employees had the power to run the company into the ground, which is a very vulnerable position for a company to be in.

It is surprising how little businesses pay for cybersecurity and how they pinch pennies on that, while investing heavily in a lot of other things.

Ridiculous all round, from the business owners and the hacker who got nothing in return.
 
> It's entirely the IT manager's fault. They apparently didn't have backups. Most people have no idea what the proper level of password complexity is. The IT guy is paid specifically to take care of that.
How many people do you think were on their security team? How can you blame a person who might not even exist? Do you know how much IT professionals are paid in the UK? How do you know the person in charge of their security, or the person who did it as an additional duty, didn't make suggestions to leadership that were ignored? You shouldn't be so sure in posting blame; only suggest what might be to blame.
 
> How many people do you think were on their security team? How can you blame a person who might not even exist? Do you know how much IT professionals are paid in the UK? How do you know the person in charge of their security, or the person who did it as an additional duty, didn't make suggestions to leadership that were ignored? You shouldn't be so sure in posting blame; only suggest what might be to blame.
Making regular backups does not require a "security team". It's a completely automated process.
Enforcing password complexity and regular password changes does not require a "security team".
 
> Making regular backups does not require a "security team". It's a completely automated process.
> Enforcing password complexity and regular password changes does not require a "security team".
As someone who's worked at an MSP in the UK for over 15 years: some companies refuse basic security measures. They don't want MFA, they don't want to change their passwords.

Backups are another one. You ask the client "what downtime can you afford, what are your recovery time objectives" blah blah blah... Clients that don't take IT seriously go "we want 100% uptime"... So you quote them for a system with the fastest recovery rates, or what it would cost to get them into the cloud in a highly redundant state, and it's always mega money.

They laugh at you, thinking it's a joke, so you ask what their budget is for a backup solution for their IT infrastructure to see what you can do, and they'll just give you some insanely small budget that would never be able to recover very quickly.

If this company failed after 158 years of operation from a single password guess, I would put good money on them being one of "those" clients.
 
> As someone who's worked at an MSP in the UK for over 15 years: some companies refuse basic security measures. They don't want MFA, they don't want to change their passwords.
>
> Backups are another one. You ask the client "what downtime can you afford, what are your recovery time objectives" blah blah blah... Clients that don't take IT seriously go "we want 100% uptime"... So you quote them for a system with the fastest recovery rates, or what it would cost to get them into the cloud in a highly redundant state, and it's always mega money.
>
> They laugh at you, thinking it's a joke, so you ask what their budget is for a backup solution for their IT infrastructure to see what you can do, and they'll just give you some insanely small budget that would never be able to recover very quickly.
>
> If this company failed after 158 years of operation from a single password guess, I would put good money on them being one of "those" clients.
What you're saying was definitely true 10 years ago, maybe even 5... but today? After so many ransomware cyberattacks that became widely known, only a complete idiot may keep that attitude.
A backup solution for a transport company does not require anything big and expensive. It's probably cheaper than a truck tire.
 
> What you're saying was definitely true 10 years ago, maybe even 5... but today? After so many ransomware cyberattacks that became widely known, only a complete idiot may keep that attitude.
> A backup solution for a transport company does not require anything big and expensive. It's probably cheaper than a truck tire.
The UK has stood still for years now: old companies run by older generations that don’t care for IT. That is how they operate. I’ve met them, I run into them from time to time, and I’m always amazed they haven’t been broken into; some of them have run on luck for many years now.

Cloud services have helped in a big way here. These kinds of people want to move to the cloud because they’ve heard their competitors are doing it, and that’s given us the chance to get some real security and backups installed.

Still got some sizeable clients holding out on pure luck, though. This year, in fact: a client with a backup that doesn’t fully work, a SAN with constantly failing disks, and one of the controllers has been dead since last year. They won’t fix the SAN, they won’t change their backup system, they won’t move to the cloud. The moment that controller goes bang, they’ll be down for days. We tell them regularly about the dire state of their hardware; they just shrug.

As I said in another comment, sometimes it just feels like they deliberately want their business to fail.
 