Is this why Equifax was hacked?
Daneil3144
Member Posts: 152 ■■■□□□□□□□
in Off-Topic
Comments
mikey88 Member Posts: 495 ■■■■■■□□□□
Wow, is this a bad joke or something? Because it's ridiculous.
Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■
Band teacher heading the security department at a Fortune 500. How the hell did that happen?
I'll be the first to rip on certifications, but if there ever was a person who needs the CISSP, it's this one.....
Danielm7 Member Posts: 2,310 ■■■■■■■■□□
Yeah, I know some stupid subreddits were passing this around, absolutely silly. You think someone got to a CISO level at a company that big and doesn't have tons of proper experience, and that them not having a CS degree means anything? Come on.
Also, imagine a company that large: do you think the CISO is patching servers? They can put all the policies in the world in place; if someone stands up a server that has a vuln, forget even a zero day, things can get by.
gespenstern Member Posts: 1,243 ■■■■■■■■□□
There is a JD out there for a VP of cyber position that reports to her that requires having CISSP or CISM or having them in progress. She doesn't seem to have it.
To be fair, what she labels as "Professional" were all senior positions, like a director of this and that in HP, some bank and whatever else.
I watched two video interviews with her and she sounded meh, but the interviewer didn't grill her on anything, so it's hard to judge.
She also has given 9 recommendations on LinkedIn to other people and IMO they are all ridiculous. Like, she recommends a guy who helped her in designing her bath and/or kitchen, some real estate specialist, some HR specialist. Only 2 recs are to the same cybersecurity guy, but nothing specific, general blah-blah.
I say we have tons of folks here on TE whose resumes are better. The question is, how come they aren't Equifax CISOs? Was this breach in part because they hired too managerial (for lack of a better term; can't tell if her managerial skills are proven) a type of person?
In my experience, if a CISO lets things slide, doesn't fight for security, and isn't technical enough to understand what their team is doing or capable of, it leads to poor overall team quality, and top-notch specialists prefer not to work in such places. No surprise this can lead to a breach.
Overall doesn't look good.
Hard to tell, though, if she had proper budgets and power to insist on secure solutions, etc., because not everything depends on the CISO.
636-555-3226 Member Posts: 975 ■■■■■□□□□□
Ah, my young brethren. In time you shall come to the truth. Many, many companies, especially the big ones that haven't modernized to the threats of 2017 and beyond, still live in the old days. In the old days the role of CISO was a joke and something you needed to check that compliance checkbox or put forth a "good faith" effort of this or that. Those old school companies get someone who knows someone, probably the CEO's old piano teacher in this case, and throw her a bone because she's the CFO's golf buddy's wife who doesn't want to retire yet but doesn't want a job where she has to do much, either. I see this all the time. Totally inappropriate person for the security position who is there just because someone needs to be and they're the quickest, easiest, and best pushover for the job.
Disclaimer - I have no idea who the CISO of Equifax is, if that person indicated above is even real, etc. Just generally stating what I've seen across many, many large global companies...
networker050184 Mod Posts: 11,962 Mod
You think they were teaching how to defeat modern security threats back when she was in college anyway?
An expert is a man who has made all the mistakes which can be made.
slinuxuzer Member Posts: 665 ■■■■□□□□□□
143 million records exposed - 300 million people in the US, and not all of them have applied for credit, so virtually everyone who has ever filled out a credit application was exposed. WOW! Something at this level can't be attributed to any one person, but is more than likely the product of poor leadership across the board. Sadly, in my experience a lot of the breakdowns occur at the engineering level; team building just isn't something that happens magically.
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■
636-555-3226 wrote: »
Ah, my young brethren. In time you shall come to the truth. Many, many companies, especially the big ones that haven't modernized to the threats of 2017 and beyond, still live in the old days. In the old days the role of CISO was a joke and something you needed to check that compliance checkbox or put forth a "good faith" effort of this or that. Those old school companies get someone who knows someone, probably the CEO's old piano teacher in this case, and throw her a bone because she's the CFO's golf buddy's wife who doesn't want to retire yet but doesn't want a job where she has to do much, either. I see this all the time. Totally inappropriate person for the security position who is there just because someone needs to be and they're the quickest, easiest, and best pushover for the job.
Disclaimer - I have no idea who the CISO of Equifax is, if that person indicated above is even real, etc. Just generally stating what I've seen across many, many large global companies...
I love this post.
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■
slinuxuzer wrote: »
143 million records exposed - 300 million people in the US, and not all of them have applied for credit, so virtually everyone who has ever filled out a credit application was exposed. WOW! Something at this level can't be attributed to any one person, but is more than likely the product of poor leadership across the board. Sadly, in my experience a lot of the breakdowns occur at the engineering level; team building just isn't something that happens magically.
Does she fall on the sword, or does she live to see another day?
stryder144 Member Posts: 1,684 ■■■■■■■■□□
I love that the person whose picture is above hers looks like he is shaking his head wondering how it all happened...
The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia
Connect With Me || My Blog Site || Follow Me
mbarrett Member Posts: 397 ■■■□□□□□□□
DatabaseHead wrote: »
Does she fall on the sword, or does she live to see another day?
I think she has to be gone, one way or the other.
To the OP's point, I've met plenty of smart IT people without certs or CS degrees. It doesn't take a few college courses to be good at what you do.
shochan Member Posts: 1,013 ■■■■■■■■□□
CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■
stryder144 wrote: »
I love that the person whose picture is above hers looks like he is shaking his head wondering how it all happened...
Well played!
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■
mbarrett wrote: »
I think she has to be gone, one way or the other.
To the OP's point, I've met plenty of smart IT people without certs or CS degrees. It doesn't take a few college courses to be good at what you do.
I don't think it's too much to ask to require your chief security officer to have some formalized education in their specific field. You wouldn't want a cardiologist with a hospitality degree working on your heart, even if they went and received their master's......
shochan Member Posts: 1,013 ■■■■■■■■□□
https://yro.slashdot.org/story/17/09/12/074253/chatbot-lets-you-sue-equifax-for-up-to-25000-without-a-lawyer
Looks like it is only $15k now
CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
jibtech Member Posts: 424 ■■■■■□□□□□
shochan wrote: »
https://yro.slashdot.org/story/17/09/12/074253/chatbot-lets-you-sue-equifax-for-up-to-25000-without-a-lawyer
Looks like it is only $15k now
It's variable by state. The limit is whatever small claims limit applies in your state.
cyberguypr Mod Posts: 6,928 Mod
This story is making the Target breach look like child's play.
Up until a few days ago they were pulling this:
OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415. Verified PIN format w/ several people who froze today. And I got my PIN in 2007—same exact format. Equifax has been doing this for A DECADE.
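The quoted tweet's complaint is that a PIN derived from the freeze timestamp has far less entropy than a 10-digit PIN should. The added example below (not code from the thread or from Equifax) decodes the example PIN under the MMDDYYHHMM layout inferred from the tweet, shows a policy check a PIN issuer could run to catch a timestamp-derived generator, and compares the minute-resolution keyspace over an assumed 2007-2017 service window against a CSPRNG-generated PIN.

```python
import math
import secrets
from datetime import datetime
from typing import Optional

PIN_DIGITS = 10
# Constructed from the thread's example: a freeze placed 2017-09-08 at 2:15pm ET.
SAMPLE_PIN = "0908171415"
# Assumed service window: the tweet says the same format was in use since 2007.
SERVICE_START = datetime(2007, 1, 1)
SERVICE_END = datetime(2017, 9, 8, 23, 59)


def parse_timestamp_pin(pin: str) -> Optional[datetime]:
    """Return the datetime a PIN encodes if it parses as MMDDYYHHMM, else None.
    The layout is inferred from the tweet; strptime's %y pivot (00-68 -> 20xx,
    69-99 -> 19xx) is an assumption, not a documented rule of the real system."""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return None
    try:
        return datetime.strptime(pin, "%m%d%y%H%M")
    except ValueError:  # e.g. month 73 or minute 65: not a timestamp
        return None


def is_predictable_pin(pin: str, earliest: datetime, latest: datetime) -> bool:
    """Issuer-side test: a PIN that decodes to a plausible issue time inside the
    service lifetime is evidence that the generator is timestamp-derived."""
    ts = parse_timestamp_pin(pin)
    return ts is not None and earliest <= ts <= latest


def timestamp_keyspace(earliest: datetime, latest: datetime) -> int:
    """Distinct minute-resolution PINs issuable over the service lifetime."""
    return int((latest - earliest).total_seconds() // 60) + 1


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a uniform choice from `keyspace` values."""
    return math.log2(keyspace)


def random_pin() -> str:
    """Uniform 10-digit PIN from a CSPRNG: the full 10^10 keyspace."""
    return f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"


if __name__ == "__main__":
    weak, strong = timestamp_keyspace(SERVICE_START, SERVICE_END), 10 ** PIN_DIGITS
    print(parse_timestamp_pin(SAMPLE_PIN), is_predictable_pin(SAMPLE_PIN, SERVICE_START, SERVICE_END))
    print(f"timestamp PINs: {weak} ({entropy_bits(weak):.1f} bits) vs random: {strong} ({entropy_bits(strong):.1f} bits)")
```

A genuinely random PIN can still decode as a valid timestamp by chance, so the policy check is a statistical test over many issued PINs rather than a verdict on a single one.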
cshkuru Member Posts: 246 ■■■■□□□□□□
SANS Data Breach Summit and Training - https://www.sans.org/event/data-breach-summit-2017 - maybe we should all chip in and buy a couple seats for Equifax #justsaying
beads Member Posts: 1,533 ■■■■■■■■■□
I learned that much of my time pounding silly technical details, an endless number of reasonably difficult exams, an MBA and a multi-discipline undergraduate consisting of Computer Science, Mathematics ("minor" with 46 full semester hours and psychology major) could easily be usurped simply by going the music path straight to a Fortune 500 CSO position!
Also enjoy all those "professional" titles in the background. Now, if that doesn't lend some credibility to the career cover up, I don't know what does!
Music school here I come!
- b/eads
cyberguypr Mod Posts: 6,928 Mod
In her defense, the degree does hold a lot of value. After all, she will now have to face the music. Ba dum tsssss!
slinuxuzer Member Posts: 665 ■■■■□□□□□□
I don't think she is the one to focus on here; she has an honest resume and profile out there. The CEO is the one at fault.
jibtech Member Posts: 424 ■■■■■□□□□□
slinuxuzer wrote: »
I don't think she is the one to focus on here; she has an honest resume and profile out there. The CEO is the one at fault.
I think we will find quite a few people at fault. Mistakes at this scale are rarely the fault of one person. I am interested to hear the results of conversations with the auditors. There are quite a few PCI DSS red flags alone.
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■
beads wrote: »
I learned that much of my time pounding silly technical details, an endless number of reasonably difficult exams, an MBA and a multi-discipline undergraduate consisting of Computer Science, Mathematics ("minor" with 46 full semester hours and psychology major) could easily be usurped simply by going the music path straight to a Fortune 500 CSO position!
Also enjoy all those "professional" titles in the background. Now, if that doesn't lend some credibility to the career cover up, I don't know what does!
Music school here I come!
- b/eads
Great post. Pig snorted at my desk after reading this. Then Cyber followed it up with that beauty.
Good day..... Good day indeed....
I sent her a friend invite on LinkedIn. I am going to recommend Security+ if she accepts.
p@r0tuXus Member Posts: 532 ■■■■□□□□□□
Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
In Progress: Linux+/LPIC-1, Python, Bash
Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
jibtech Member Posts: 424 ■■■■■□□□□□
p@r0tuXus wrote: »
Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
Speaking of which.... how is that NOT insider trading?
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■
p@r0tuXus wrote: »
Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
She sounds like an honest person.......
infosec123 Member Posts: 48 ■■■□□□□□□□
jibtech wrote: »
Speaking of which.... how is that NOT insider trading?
Insider trading is defined as buying or selling with knowledge of events/what have you of which the buyer/seller/public is unaware. If these people didn't know about the hack, they aren't guilty; if they did know, they are guilty.
jackie-o Registered Users Posts: 1 ■□□□□□□□□□
I'd imagine that even if her university credentials weren't up to snuff, there's something else that got her into that position. Maybe her heart is really in IT, but she'd already started that degree path?
Either way, that looks sketchy...