House Oversight Committee Equifax Breach Report
cshkuru
Member Posts: 246 ■■■■□□□□□□
Just read it today, and it's pretty scathing - "Entirely Preventable" were the words used. If you are in the security field it should probably be mandatory reading as it's a laundry list of what not to do: https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
Comments
-
JDMurray Admin Posts: 13,101 AdminThe Equifax report PDF has been move from the above URL. You can still find it in Google cache: https://webcache.googleusercontent.com/search?q=cache:aTZleR_OSlsJ:https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf+&cd=1&hl=en&ct=clnk&gl=us
-
SaSkiller Member Posts: 337 ■■■□□□□□□□Anyone want to TLDR the technical causes?
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio. -
JoJoCal19 Mod Posts: 2,835 ModTLDR technical causes:1. Not implementing the Apache Struts patch on a public facing system2. Storing a file with plaintext usernames and passwords on the unpatched system (giving attackers some keys to other parts of the kingdom)3. Not encrypting data at rest in various systems4. Not keeping up with security monitoring devices (expired software), therefore unable to detect it for several monthsHave: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
cyberguypr Mod Posts: 6,928 ModThe biggest lesson here is what Lance Spitzner from SANS argues: a people problem.
https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/
Krebs comment:
But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer. IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.
-
Swimfan2516 Member Posts: 42 ■■■□□□□□□□A good read for sure. Agree with the comments above, especially "a people problem". This highlights the need for more/better communication to/from leaders. In a few environments I have worked in.. alot of folks think just because they are a director, senior manager, or C-Something in their title they are automatically sharing information between each other; which is not always the case.
Again, a good read and certainly some very good lessons learned that can be shared in your organizations.
Cheers. -
paul78 Member Posts: 3,016 ■■■■■■■■■■cyberguypr said:Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer. IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.meh - that argument about organizational structure has been going on forever. If the CSO reported to CIO, there would have been a bunch of other armchair quarterbacks saying that the CSO could never be effective because the CSO was not independent of CIO's organization.The problem at Equifax is very unfortunate - and multiple layers of defenses failed. As did poor execution of what appears to be in-place processes.The reality is that cyber defsec is much harder than cyber offsec.
-
JoJoCal19 Mod Posts: 2,835 ModCert_God said:Sounds like they patched but missed a few, happens everywhere.Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework