jibtech wrote: » Information being stored in plaintext. That was a design decision. Where was the due diligence? Where was the code review? A freeze PIN that is nothing more than a time stamp? That is patently ridiculous. If it had been a unix time stamp that was generated, I could chalk it up to incompetence. But someone made that decision, coded it and Equifax signed off on it at some level. The fact that whether you were affected is purely random, with differing answers given even when the same data is entered. That is a particularly egregious act of jackassery. None of these were unknown vulnerabilities, or even failures to patch in a timely manner. The hole may have been outside of their control, but what the hole revealed was an organization with little to no regard for the security of data that can adversely affect the lives of millions of people.
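The post above calls a freeze PIN "nothing more than a time stamp". The thread does not give the PIN format, so the following added example (not code from the thread or from Equifax) assumes a PIN built as MMDDyyHHmm at minute resolution and shows why that is so much weaker than a PIN drawn from a CSPRNG: an attacker who knows roughly when the freeze was placed can enumerate every PIN the scheme could have produced.

```python
"""Why a timestamp-derived PIN is guessable (constructed illustration).

ASSUMPTION: the weak PIN is the enrollment time formatted as MMDDyyHHmm.
The thread only says the PIN was a time stamp; the format here is assumed.
"""
from datetime import datetime, timedelta
import secrets

PIN_FORMAT = "%m%d%y%H%M"   # assumed format, minute resolution


def timestamp_pin(when: datetime) -> str:
    """The weak scheme: the PIN is just the moment the freeze was placed."""
    return when.strftime(PIN_FORMAT)


def random_pin(ndigits: int = 10) -> str:
    """The fix: a PIN drawn from a CSPRNG, independent of anything observable."""
    return "".join(str(secrets.randbelow(10)) for _ in range(ndigits))


def candidate_pins(window_start: datetime, window_end: datetime) -> list:
    """Every PIN the weak scheme could have produced inside a time window.

    An attacker who can place the freeze to within a day gets only 1,440
    candidates; within a year, 525,600. A random 10-digit PIN has 10**10.
    """
    pins = []
    t = window_start.replace(second=0, microsecond=0)
    while t <= window_end:
        pins.append(timestamp_pin(t))
        t += timedelta(minutes=1)
    return pins


def guesses_to_recover(target_pin: str, window_start: datetime,
                       window_end: datetime):
    """Number of online guesses needed to hit target_pin, or None if it
    lies outside the window (e.g. because it was randomly generated)."""
    for i, pin in enumerate(candidate_pins(window_start, window_end), 1):
        if pin == target_pin:
            return i
    return None


def weak_keyspace_per_year() -> int:
    """Distinct PINs the assumed scheme can emit in one year (minutes)."""
    return 365 * 24 * 60


def random_keyspace(ndigits: int = 10) -> int:
    return 10 ** ndigits


if __name__ == "__main__":
    # Constructed scenario: freeze placed at 14:37 on a known day.
    enrolled = datetime(2017, 9, 8, 14, 37)
    weak = timestamp_pin(enrolled)
    day_start, day_end = datetime(2017, 9, 8), datetime(2017, 9, 8, 23, 59)
    print("timestamp PIN:", weak,
          "recovered after", guesses_to_recover(weak, day_start, day_end),
          "guesses")
    strong = random_pin()
    print("random PIN:", strong,
          "recovered after", guesses_to_recover(strong, day_start, day_end))
    print("keyspace weak/year vs random:",
          weak_keyspace_per_year(), "vs", random_keyspace())
```

The contrast is the point: the same lookup that finds a timestamp PIN in under a thousand guesses returns None for a CSPRNG PIN, because nothing the attacker can observe narrows the 10**10 space.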
p@r0tuXus wrote: » Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
darkerz wrote: » however the realist has to understand a company won't prop up, hire and compensate someone 6-8 figures because they are bad at what they do.
Those lucky devils epitomize the concept of failing upward -- when incompetence is inexplicably rewarded. The phenomenon is most common in the business world, where the typical scenario plays out like this: A high-paid CEO does a poor job running a company, takes an enormous severance, and lands on his feet with a better job at a bigger corporation.
darkerz wrote: » I feel like some of the responses on here are in part tied to her being, well, a her. On reddit, and on here, particularly unconstructive commentary... Before you get ready to type out your angst and rebuttal, to utterly destroy me on the internet, continue below.
EANx wrote: » No gender bias here, someone is good at what they do or they aren't. She wasn't. Defending a woman because of her gender won't get you any dates, stop being an apologist and focus on the facts: She was the CISO. Equifax was hacked. She had a fiduciary duty to the shareholders and she failed in that role.
jcundiff wrote: » This is going to be the textbook case study of how not to handle a breach/notification for years to come.
Danielm7 wrote: » Outside of the time stamp PIN, which yes, is dumb, is any of this other info even known? There is speculation that it used a Struts 2 vuln for the breach; even the Struts foundation said they don't know which one and it might be a zero day. Put most other security folks in that position, even at a high management layer. Even if scans, pen tests, code review, etc., all come up clean and someone finds a new unknown bug and takes advantage of that, would you have seen it ahead of time? We don't even know how much data each record takes. They could be all pretty short text records and queried out slowly, even for 143 million, over a period of time as regular web traffic; it doesn't have to look like very much at all. I know everyone wants to roast one person but it's really not that cut and dry, and I doubt it has anything at all to do with what school majors someone had 20 years ago.
p@r0tuXus wrote: » "Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374.. Gamble sold more than 13 percent of his stake in Equifax.. Equifax shares tumbled 13 percent to $123.81..." Using at least 13% for calculation purposes and the other two values we know for certain... I figured...
51,155 shares at $142.31/ea. = $7,279,868.05
13% of those 51,155 shares was 6,650 @ $142.31/ea = $946,361.50 (~$946,374 gains)
Were he not to have sold them that day, then after the 13% devaluation, those 51,155 shares @ $123.81/ea = $6,333,500.55
The CFO would have lost a whopping $946,367.50; instead he essentially lost nothing. Since his shares dropped in value (~$823,336.50), those 6,650 shares would have been devalued by ~$123,025 had he kept them through the devaluation. One could argue he profited ~$123,025. But where is evidence of guilt and intent? How could he have known it would go down roughly 13% and that selling 13% would stem his losses? Well... I don't know. But I would think a CFO of one of the largest credit agencies is no mathematical slouch and his timing and the amounts are very suspicious. How does a company detect a data breach and the CFO of the company not know, anyway?
jcundiff wrote: » All math aside, the CFO (and other 2 senior leaders) had access to material nonpublic information regarding the breach, and sold stock very rapidly after they learned they were breached. Textbook case of insider trading. A high-power law firm (don't remember the name) has already filed motions on these sell-offs, so hopefully the SEC throws the book at them. I see a CFO position open as well as the CSO role in the near future.
Daneil3144 wrote: » You decide?
mgmguy1 wrote: » None of senior management will spend a day in prison. I only know of one CEO in recent memory who went to prison and that was Stewart Parnell. The only reason he went to prison was because people died from the tainted peanut butter scandal of 2009. Since this is a financial crime and it's Wall Street, the most these guys will get is a slap on the wrist and pay a fine. I even doubt Congress will force Equifax and companies like them to shore up their security or business practices.
jibtech wrote: » Finally, the randomness of the results. When users enter their information, they are receiving conflicting answers on whether their data is breached. In fact, when testing the accuracy of the system, a last name of Test and SSN last six of 123456 reported back as having been breached. All evidence indicates that the website for checking whether you have been breached is in fact only security theater with no real effect.
Daneil3144 wrote: » Wow. I didn't think that was true. Had to test it myself... how is this not public information?
mgmguy1 wrote: » My new question for the powers that be? What about the other credit agencies like TransUnion and Experian. Have they been hacked? What is their security looking like?
jcundiff wrote: » Plain and simple, they failed to properly patch CVE-2017-5638. The patch was available in March; they had at minimum 8-9 weeks to patch this vuln and avoid the breach. An excellent example of failure to exercise due care and should be seen as gross negligence.
TheFORCE wrote: » Not to play devil's advocate, but people at that level rarely have much technical background, and even if they did, they lose the edge once they move up the chain to those levels. To add to that, organizations of that size rarely have one CISO or CSO. They have multiple levels of them, all reporting to someone higher. At the CSO level I'd expect other CISOs to be reporting, and in turn the CSO to report to the CRO (Chief Risk Officer). These types of roles don't necessarily only deal with information security but with all aspects of security. Security is just part of the job, but it's not the only job. Thus people in those roles usually have experience in different areas of the business and the business decision process. Bottom line, they care about the bottom line and cost savings.