House Oversight Committee Equifax Breach Report

cshkuru, Posts: 230, Member
Just read it today, and it's pretty scathing - "Entirely Preventable" were the words used.  If you are in the security field it should probably be mandatory reading as it's a laundry list of what not to do:  https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf

Comments

  • DatabaseHead, Posts: 2,328, Member
    https://www.music.uga.edu/graduate-degrees

    You forgot the critical master's degree.
  • SaSkiller, Senior Member, Posts: 323, Member
    Anyone want to TLDR the technical causes?
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • JoJoCal19, California Kid, Posts: 2,735, Mod
    edited January 7
    TLDR technical causes:
    1. Not implementing the Apache Struts patch on a public facing system
    2. Storing a file with plaintext usernames and passwords on the unpatched system (giving attackers some keys to other parts of the kingdom)
    3. Not encrypting data at rest in various systems
    4. Not keeping up with security monitoring devices (expired software), therefore unable to detect it for several months
    Have: CISSP, CISM, CISA, CRISC, GCIA, GSEC, CCSP, CCSK, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: eJPT, Learning: Linux/CLI, Git, Python, Pentesting
    Next Up: eJPT, eCPPTv2, OSCP
    Studying: Code Academy (CLI, Git, Python), eLearnSecurity PTSv3
  • cyberguypr, Senior Member, Posts: 6,637, Mod
    The biggest lesson here is what Lance Spitzner from SANS argues: a people problem. 

    https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/

    Krebs comment:
    But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer.  IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.
  • Swimfan2516, Posts: 40, Member
    A good read for sure. Agree with the comments above, especially "a people problem". This highlights the need for more/better communication to/from leaders. In a few environments I have worked in, a lot of folks think just because they are a director, senior manager, or C-Something in their title they are automatically sharing information between each other; which is not always the case.

    Again, a good read and certainly some very good lessons learned that can be shared in your organizations.  

    Cheers.
  • paul78, Posts: 2,856, Member
    Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer.  IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.
    meh - that argument about organizational structure has been going on forever. If the CSO reported to CIO, there would have been a bunch of other armchair quarterbacks saying that the CSO could never be effective because the CSO was not independent of CIO's organization.

    The problem at Equifax is very unfortunate - and multiple layers of defenses failed. As did poor execution of what appears to be in-place processes. 

    The reality is that cyber defsec is much harder than cyber offsec.
  • JoJoCal19, California Kid, Posts: 2,735, Mod
    Cert_God said:
    Sounds like they patched but missed a few, happens everywhere.
    There were failures on several levels there. If just ONE of the failures had been rectified it's possible that the breach either wouldn't have happened or wouldn't have been as damaging as it was.