Stolen credentials and no MFA...
Let's break this down:
Username ✔️
Password ✔️
...no multi-factor?
They are in the system for 10 days before serious damage erupts.
10 days?
What security posture allows a threat actor to browse, investigate, and surf about for 10 days undetected?
Harsh question. I don't envy the stress at Change Healthcare. Hindsight is always 20/20 of course.
This is just one huge reminder: if you're still a member of #itwonthappentome, just remember that cost Change Healthcare a self-reported 892 million. Oh, and the PHI of 1/3 of the country... which they did not get back.
Harden the Target, stay Vigilant!
Reflections on article tagged below: