House Oversight Committee Equifax Breach Report

cshkuru Posts: 231 Member
Just read it today, and it's pretty scathing - "Entirely Preventable" were the words used.  If you are in the security field it should probably be mandatory reading as it's a laundry list of what not to do:  https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf

Comments

  • DatabaseHead CSM, ITIL x3, Teradata Assc, MS SQL Server, Project +, Server +, A+, N+, MS Project, CAPM, RMP Posts: 2,453 Member
    https://www.music.uga.edu/graduate-degrees

    You forgot the critical masters degree.  
  • JDMurray Certification Invigilator, Surf City, USA Posts: 11,309 Admin
  • SaSkiller OSWP, GPEN, GWAPT, GCIH Posts: 332 Member
    Anyone want to TLDR the technical causes?
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • JoJoCal19 California Kid Posts: 2,772 Mod
    edited January 7
    TLDR technical causes:
    1. Not implementing the Apache Struts patch on a public facing system
    2. Storing a file with plaintext usernames and passwords on the unpatched system (giving attackers some keys to other parts of the kingdom)
    3. Not encrypting data at rest in various systems
    4. Not keeping up with security monitoring devices (expired software), therefore unable to detect it for several months
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • cyberguypr Senior Member Posts: 6,751 Mod
    The biggest lesson here is what Lance Spitzner from SANS argues: a people problem.

    https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/

    Krebs comment:
    But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer.  IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.
  • Swimfan2516 Posts: 40 Member
    A good read for sure. Agree with the comments above, especially "a people problem". This highlights the need for more/better communication to/from leaders. In a few environments I have worked in, a lot of folks think just because they are a director, senior manager, or C-Something in their title they are automatically sharing information between each other; which is not always the case.

    Again, a good read and certainly some very good lessons learned that can be shared in your organizations.  

    Cheers.
  • paul78 Posts: 3,013 Member
    Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer.  IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.
    meh - that argument about organizational structure has been going on forever. If the CSO reported to CIO, there would have been a bunch of other armchair quarterbacks saying that the CSO could never be effective because the CSO was not independent of CIO's organization.

    The problem at Equifax is very unfortunate - and multiple layers of defenses failed. As did poor execution of what appears to be in-place processes. 

    The reality is that cyber defsec is much harder than cyber offsec.
  • JoJoCal19 California Kid Posts: 2,772 Mod
    Cert_God said:
    Sounds like they patched but missed a few, happens everywhere.
    There were failures on several levels there. If just ONE of the failures had been rectified it's possible that the breach either wouldn't have happened or wouldn't have been as damaging as it was.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework