House Oversight Committee Equifax Breach Report

cshkuru

Just read it today, and it's pretty scathing - "Entirely Preventable" were the words used.  If you are in the security field it should probably be mandatory reading as it's a laundry list of what not to do:  https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf

DatabaseHead

https://www.music.uga.edu/graduate-degrees

You forgot the critical masters degree.  

JDMurray

The Equifax report PDF has been move from the above URL. You can still find it in Google cache: https://webcache.googleusercontent.com/search?q=cache:aTZleR_OSlsJ:https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf+&cd=1&hl=en&ct=clnk&gl=us

SaSkiller

Anyone want to TLDR the technical causes?

JoJoCal19

TLDR technical causes:

1. Not implementing the Apache Struts patch on a public facing system

2. Storing a file with plaintext usernames and passwords on the unpatched system (giving attackers some keys to other parts of the kingdom)

3. Not encrypting data at rest in various systems

4. Not keeping up with security monitoring devices (expired software), therefore unable to detect it for several months

cyberguypr

The biggest lesson here is what Lance Spitzner from SANS argues: a people problem. 

https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/

Krebs comment:
But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer.  IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.

Swimfan2516

A good read for sure. Agree with the comments above, especially "a people problem". This highlights the need for more/better communication to/from leaders. In a few environments I have worked in.. alot of folks think just because they are a director, senior manager, or C-Something in their title they are automatically sharing information between each other; which is not always the case.

Again, a good read and certainly some very good lessons learned that can be shared in your organizations.  

Cheers.

paul78

cyberguypr said:

Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer.  IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.

meh - that argument about organizational structure has been going on forever. If the CSO reported to CIO, there would have been a bunch of other armchair quarterbacks saying that the CSO could never be effective because the CSO was not independent of CIO's organization.

The problem at Equifax is very unfortunate - and multiple layers of defenses failed. As did poor execution of what appears to be in-place processes. 

The reality is that cyber defsec is much harder than cyber offsec.

JoJoCal19

Cert_God said:

Sounds like they patched but missed a few, happens everywhere.

There were failures on several levels there. If just ONE of the failures had been rectified it's possible that the breach either wouldn't have happened or wouldn't have been as damaging as it was.