Hindsight Analysis 23andMe - missing security mitigations

Why hindsight analysis?

The goal of this hindsight analysis is to help people involved in cybersecurity risk management reflect on their organization’s security posture and hopefully learn from the challenges others have gone through. The intended audience includes board directors, executive management and security practitioners. While reading 23andMe’s 8-K/A update on their October 1, 2023 cybersecurity incident, I thought it might be helpful to do a quick analysis of the attack and presumed missing security mitigations leveraging the MITRE ATT&CK framework.

Why Board Cybersecurity?

Cybersecurity has gone mainstream because it is materially impacting our security, our investments and our privacy. This is underscored by the SEC’s new cybersecurity disclosure rules and represents a clear opportunity to improve the status quo. The mission of Board Cybersecurity is to provide board directors, executive management and investors the resources to properly assess, manage and mitigate cybersecurity risk. The following initiatives will be the initial focus of Board Cybersecurity.