Is this why Equifax was hacked?
Daneil3144
Member Posts: 152 ■■■□□□□□□□
in Off-Topic
Comments
-
mikey88 Member Posts: 495 ■■■■■■□□□□Wow is this a bad joke or something because it's ridiculous.Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux
-
DatabaseHead Member Posts: 2,757 ■■■■■■■■■■Band teacher heading the security department at a fortune 500. How the hell did that happen?
I'll be the first to rip on certifications, but if there ever was a person who need the CISSP it's this one..... -
Danielm7 Member Posts: 2,310 ■■■■■■■■□□Yeah I know some stupid subreddits were passing this around, absolutely silly. You think someone got to a CISO level at a company that big and doesn't have tons of proper experience and that them not having a CS degree means anything? Come on.
Also, imagine a company that large, do you think the CISO is patching servers? They can put all the policies in the world in place, if someone stands up a server that has a vuln, forget even a zero day, things can get by. -
gespenstern Member Posts: 1,243 ■■■■■■■■□□There is a JD out there for a VP of cyber position that reports to her that requires having CISSP or CISM or have them in progress. She doesn't seem to have it.
To be fair, what she labels as "Professional" were all senior positions, like a director of this and that in HP, some bank and whatever else.
I watched two of video interviews with her and she sounded meh, but the interviewer didn't grill her on anything so it's hard to judge.
She also has given 9 recommendations on linkedin to other people and IMO they are all ridiculous. Like, she recommends a guy who helped her in designing her bath and/or kitchen, some real estate specialist, some HR specialist. Only 2 recs are to the same cybersecurity guy, but nothing specific, general blah-blah.
I say we have tons of folks here on TE whose resumes are better. The question is, how come they aren't Equifax CISOs? Was this breach in part because they hired too managerial (for a lack of a better term, can't tell if her managerial skills are proven) type of person?
In my experience if a CISO lets things slide and doesn't fight for security and isn't technical enough to understand what their team is doing or capable of leads to a poor overall team quality and top-notch specialists prefer not to work in such places. No surprise this can lead to a breach.
Overall doesn't look good.
Hard to tell though if she had proper budgets and power to insist on secure solutions, etc. because not everything depends on CISO. -
636-555-3226 Member Posts: 975 ■■■■■□□□□□Ah my young brethren. In time you shall come to the truth. Many, many companies, especially the big ones that haven't modernized to the threats of 2017 and beyond, still live in the old days. In the old days the role of CISO was a joke and something you needed to check that compliance checkbox or put forth a "good faith" effort of this or that. Those old school companies get someone who knows someone, probably the CEO's old piano teacher in this case, and throws her a bone because she's the CFO's golf buddy's wife who doesnt want to retire yet but doesn't want a job where she has to do much, either. I see this all the time. Totally inappropriate person for the security position who is there just because someone needs to be and they're the quickest, easiest, and best pushover for the job.
Disclaimer - I have no idea who the CISO of equifax is, if that person indicated above is even real, etc. Just generally stating what i've seen across many, many large global companies... -
networker050184 Mod Posts: 11,962 ModYou think they were teaching how to defeat modern security threats back when she was in college anyway?An expert is a man who has made all the mistakes which can be made.
-
slinuxuzer Member Posts: 665 ■■■■□□□□□□143 Million records exposed - 300 million people in the US and not all of them have applied for credit, so virtually, almost everyone who has ever filled out a credit application was exposed. WOW! Something at this level can't be attributed to any one person, but is more than likely the product of poor leadership across the board. Sadly, in my experience a lot of the break downs occur at the engineering level, team building just isn't something that happens magically.
-
DatabaseHead Member Posts: 2,757 ■■■■■■■■■■636-555-3226 wrote: »Ah my young brethren. In time you shall come to the truth. Many, many companies, especially the big ones that haven't modernized to the threats of 2017 and beyond, still live in the old days. In the old days the role of CISO was a joke and something you needed to check that compliance checkbox or put forth a "good faith" effort of this or that. Those old school companies get someone who knows someone, probably the CEO's old piano teacher in this case, and throws her a bone because she's the CFO's golf buddy's wife who doesnt want to retire yet but doesn't want a job where she has to do much, either. I see this all the time. Totally inappropriate person for the security position who is there just because someone needs to be and they're the quickest, easiest, and best pushover for the job.
Disclaimer - I have no idea who the CISO of equifax is, if that person indicated above is even real, etc. Just generally stating what i've seen across many, many large global companies...
I love this post. -
DatabaseHead Member Posts: 2,757 ■■■■■■■■■■slinuxuzer wrote: »143 Million records exposed - 300 million people in the US and not all of them have applied for credit, so virtually, almost everyone who has ever filled out a credit application was exposed. WOW! Something at this level can't be attributed to any one person, but is more than likely the product of poor leadership across the board. Sadly, in my experience a lot of the break downs occur at the engineering level, team building just isn't something that happens magically.
Does she fall on the sword or does she live to see another day. -
stryder144 Member Posts: 1,684 ■■■■■■■■□□
I love that the person whose picture is above hers looks like he is shaking his head wondering how it all happened...The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia
Connect With Me || My Blog Site || Follow Me -
mbarrett Member Posts: 397 ■■■□□□□□□□DatabaseHead wrote: »Does she fall on the sword or does she live to see another day.
I think she has to be gone, one way or the other.
To the OP's point, I've met plenty of smart IT people without certs or CS degrees. It doesn't take a few college courses to be good at what you do. -
shochan Member Posts: 1,014 ■■■■■■■■□□CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
-
DatabaseHead Member Posts: 2,757 ■■■■■■■■■■stryder144 wrote: »
I love that the person whose picture is above hers looks like he is shaking his head wondering how it all happened...
Well played! -
DatabaseHead Member Posts: 2,757 ■■■■■■■■■■I think she has to be gone, one way or the other.
To the OP's point, I've met plenty of smart IT people without certs or CS degrees. It doesn't take a few college courses to be good at what you do.
I don't think it's too much to ask to require your chief security officer to have some formalized education in their specific field. You wouldn't want a cardiologist with a hospitality degree working on your heart, even if they went and received their masters...... -
shochan Member Posts: 1,014 ■■■■■■■■□□https://yro.slashdot.org/story/17/09/12/074253/chatbot-lets-you-sue-equifax-for-up-to-25000-without-a-lawyer
Looks like it is only $15k nowCompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP -
jibtech Member Posts: 424 ■■■■■□□□□□https://yro.slashdot.org/story/17/09/12/074253/chatbot-lets-you-sue-equifax-for-up-to-25000-without-a-lawyer
Looks like it is only $15k now
Its variable by state. The limit is whatever small claims limit applies in your state. -
cyberguypr Mod Posts: 6,928 ModThis story is making the Target breach look like child's play.
Up until a few days ago they were pulling this:OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415. Verified PIN format w/ several people who froze today. And I got my PIN in 2007—same exact format. Equifax has been doing this for A DECADE. -
cshkuru Member Posts: 246 ■■■■□□□□□□SANS Data Breach Summit and Training - https://www.sans.org/event/data-breach-summit-2017 - maybe we should all chip in and buy a couple seats for Equifax #justsaying
-
beads Member Posts: 1,533 ■■■■■■■■■□I learned that much of my time pounding silly technical details, and endless number of reasonably difficult exams an MBA and a multi-discipline undergraduate consisting of Computer Science, Mathematics ("minor" with 46 full semester hours and psychology major) could easily be usurped simply going the music path straight to a Fortune 500 CSO position!
Also enjoy all those "professional" titles in the background. Now, if that doesn't lend some credibility to the career cover up I don't know what does!
Music school here I come!
- b/eads -
cyberguypr Mod Posts: 6,928 ModIn her defense, the degree does hold a lot of value. After all she will now have to face the music. Ba dum tsssss!
-
slinuxuzer Member Posts: 665 ■■■■□□□□□□I don't think she is the one to focus on here, she has an honest resume and profile out there, the CEO is the one at fault.
-
jibtech Member Posts: 424 ■■■■■□□□□□slinuxuzer wrote: »I don't think she is the one to focus on here, she has an honest resume and profile out there, the CEO is the one at fault.
I think we will find quite a few people at fault. Mistakes at this scale are rarely the fault of one person. I am interested to hear the results of conversations with the auditors. There are quite a few PCI/DSS red flags alone. -
DatabaseHead Member Posts: 2,757 ■■■■■■■■■■I learned that much of my time pounding silly technical details, and endless number of reasonably difficult exams an MBA and a multi-discipline undergraduate consisting of Computer Science, Mathematics ("minor" with 46 full semester hours and psychology major) could easily be usurped simply going the music path straight to a Fortune 500 CSO position!
Also enjoy all those "professional" titles in the background. Now, if that doesn't lend some credibility to the career cover up I don't know what does!
Music school here I come!
- b/eads
Great post. Pig snorted at my desk after reading this. Then Cyber followed it up with that beauty.
Good day..... Good day indeed....
I sent her a friend invite on LinkedIn. I am going to recommend Security + if she accepts. -
p@r0tuXus Member Posts: 532 ■■■■□□□□□□Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
In Progress: Linux+/LPIC-1, Python, Bash
Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE -
jibtech Member Posts: 424 ■■■■■□□□□□Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
Speaking of which.... how is that NOT insider trading? -
DatabaseHead Member Posts: 2,757 ■■■■■■■■■■Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
She sounds like an honest person....... -
infosec123 Member Posts: 48 ■■■□□□□□□□Speaking of which.... how is that NOT insider trading?
Insider trading is defined as buying or selling with knowledge of events/whathaveyou which the buyer/seller/pubic is unaware. If these people didnt know about the hack, they arent guilty, if they did know, they are guilty. -
jackie-o Registered Users Posts: 1 ■□□□□□□□□□I'd imagine that even if her university credentials weren't up to snuff, there's something else that got her into that position. Maybe her heart is really in IT but she'd already started that degree path?
Either way, that looks sketch...