A cybersecurity acquaintance posted the following to LinkedIn. I can’t seem to embed his post, so I am reposting it in its entirety here:
Clorox, a prominent US bleach and cleaning product company, has taken legal action against IT services provider Cognizant with a $380 million lawsuit. The lawsuit, filed in Alameda County Superior Court, alleges that Cognizant’s helpdesk staff negligently disclosed network passwords to cybercriminals without proper verification.
The complaint, supported by recorded conversations, highlights the alarming simplicity of the August 2023 breach that led to significant damages of $380 million for Clorox. According to the lawsuit, the cybercriminal acquired access to Clorox’s network by directly requesting credentials from Cognizant’s Service Desk, which were promptly provided without due diligence.
The lawsuit emphasizes that the breach was not a result of sophisticated hacking methods but rather a straightforward request for sensitive information, illustrating a critical lapse in security protocols.
This incident underscores the importance of robust cybersecurity measures and stringent verification processes to safeguard against unauthorized access and potential data breaches.
The full story is here: https://www.outlookbusiness.com/amp/story/corporate/why-cognizant-is-being-sued-for-380-mn-lawsuit-explained
The IT Helpdesk hands out credentials to an unauthorized party over the phone; the next thing Clorox knows, it has a massive data breach. Really, this should not even have been possible. I think it is safe to say we’ve entered the age in which “security guardrails” are mandatory: for example, making it literally impossible to give out working credentials over the phone without meeting certain requirements, enforced not just “by policy” but by an actual technical process and solution that prevents it. I’m not sure offhand what that solution is, and there are probably a lot of great tools out there already. I’m just saying that the notion that any business would even make it possible to simply hand out working credentials this way is both quaint and hopelessly foolish by now.
Think “Enforced Zero Trust” – what do you have that is not merely discouraging but actively preventing this? If the answer is “nothing” – then you need to learn from Clorox/Cognizant’s mistake and start thinking about it.
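As an added illustration (not part of the original post or of the Clorox/Cognizant case), here is one shape such a guardrail can take: the reset service, not the agent, owns the only path that can produce a credential, and it refuses to act unless a one-time code delivered to the user's enrolled device is returned and an approval is on record. The directory entry, device name, ticket ids and agent name are constructed sample values.

```python
import hmac, secrets
from dataclasses import dataclass

# Constructed sample directory: the enrolled device is the only channel a reset may reach.
DIRECTORY = {"alice": {"enrolled_device": "push:alice-phone"}}

@dataclass
class ResetRequest:
    username: str                 # account the caller claims to own
    agent: str                    # helpdesk agent handling the call
    ticket_id: str
    challenge_response: str = ""  # code the real user reads off their enrolled device
    manager_approved: bool = False

class ResetService:
    def __init__(self, deliver):
        self._deliver = deliver   # out-of-band sender, e.g. push to the enrolled device
        self._pending = {}        # ticket_id -> expected challenge code
        self.audit = []           # every attempt is recorded, denied or not

    def start(self, req):
        """Agent opens a ticket; a one-time code goes to the enrolled device, not to the agent."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[req.ticket_id] = code
        self._deliver(DIRECTORY[req.username]["enrolled_device"], code)
        self.audit.append(("CHALLENGE_SENT", req.ticket_id, req.agent))

    def issue(self, req):
        expected = self._pending.get(req.ticket_id, "")
        verified = bool(expected) and hmac.compare_digest(expected, req.challenge_response)
        if not (verified and req.manager_approved):
            self.audit.append(("DENIED", req.ticket_id, req.agent, "verification incomplete"))
            return False
        del self._pending[req.ticket_id]  # one-time use: no replay of the same ticket
        # the temporary credential also goes to the enrolled device, never over the phone
        self._deliver(DIRECTORY[req.username]["enrolled_device"], secrets.token_urlsafe(12))
        self.audit.append(("ISSUED", req.ticket_id, req.agent))
        return True

def run_scenarios():
    """Constructed calls: an impostor claiming to be alice, then the real alice."""
    outbox = []  # stands in for the enrolled device's inbox
    svc = ResetService(deliver=lambda device, msg: outbox.append((device, msg)))
    impostor = ResetRequest("alice", "agent-7", "T-1")  # has neither code nor approval
    svc.start(impostor)
    denied = svc.issue(impostor)
    legit = ResetRequest("alice", "agent-7", "T-2", manager_approved=True)
    svc.start(legit)
    legit.challenge_response = outbox[-1][1]  # alice reads the code off her phone
    granted = svc.issue(legit)
    return denied, granted, svc.audit
```

The impostor's call still leaves a trace worth alerting on: the real user receives a challenge code for a reset they never asked for, and the audit log records a denied ticket.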
Categories: Cybersecurity