Is this why Equifax was hacked?

DatabaseHead · September 2017

jcundiff wrote: »

Not from my experience ... I work for a very large financial sector player, we have one CSO, every bank we deal with has one CSO... all of whom are are technical, come from a security background and know what is going on in their environment... maybe I have just been lucky

+1 here as well and I have been an FTE and contractor in over 5 fortune 500's. I have never seen a resource model mapped out like the one Force just kicked out.

jstock · September 2017

It will be interesting to see if the three executives who sold stock days after the discovery of the breach are convicted of insider trading. If the breach was communicated correctly internally (which I doubt), the information should be non-discoverable.

In the event of a breach, all communication over email and phone should cease to avoid further compromise and, more importantly for these executives, e-discovery. Or, any communication is in the presence of a lawyer through Cc-ing or conference calling (attorney-client privileges). Given the handling of the breach so far, I doubt the competence of the leaders of Equifax to effectively protect themselves from legal action.

jcundiff · September 2017

jstock wrote: »

It will be interesting to see if the three executives who sold stock days after the discovery of the breach are convicted of insider trading. If the breach was communicated correctly internally (which I doubt), the information should be non-discoverable.

In the event of a breach, all communication over email and phone should cease to avoid further compromise and, more importantly for these executives, e-discovery. Or, any communication is in the presence of a lawyer through Cc-ing or conference calling (attorney-client privileges). Given the handling of the breach so far, I doubt the competence of the leaders of Equifax to effectively protect themselves from legal action.

A huge +1 here... if you know you are compromised, you don't give the bad guy the chance to read your battle plan.

Here is another huge twist to all this from a stock market perspective... someone ( either insider trading or hackers) made millions

https://www.cnbc.com/2017/09/08/suspect-trading-in-equifax-options-before-breach-might-have-generated-millions-in-profit.html

limited options trading ( 260 in July total) then August 21st, someone buys 2600 contracts to sell 260,000 shares in September for 135 a share, or $10 less than stock was currently trading... turning a $156,000 investment into possibly 11 million plus

xxxkaliboyxxx · September 2017

jstock wrote: »

It will be interesting to see if the three executives who sold stock days after the discovery of the breach are convicted of insider trading. If the breach was communicated correctly internally (which I doubt), the information should be non-discoverable.

In the event of a breach, all communication over email and phone should cease to avoid further compromise and, more importantly for these executives, e-discovery. Or, any communication is in the presence of a lawyer through Cc-ing or conference calling (attorney-client privileges). Given the handling of the breach so far, I doubt the competence of the leaders of Equifax to effectively protect themselves from legal action.

A lot of these companies have Legal Counsel to Technology positions. Their whole job is this and they train their c-suites to cc them and/or put the magic statement at the bottom of the emails. I do not see why they wouldn't consult before they sold their stocks. They might not know security, but they know how to stay rich lol.

cyberguypr · September 2017

On the topic of reporting structure I would be curious to hear of any place that has multiple CISOs. My experience has also been as the others mentioned where the IT/IS risk function includes a bunch of directors, lower officers, managers, etc. yet they all answer to one main C-level.

jstock · September 2017

xxxkaliboyxxx wrote: »

A lot of these companies have Legal Counsel to Technology positions. Their whole job is this and they train their c-suites to cc them and/or put the magic statement at the bottom of the emails. I do not see why they wouldn't consult before they sold their stocks. They might not know security, but they know how to stay rich lol.

Unfortunately, the training does not go past the c-suites. There are many cases where an email containing breach information is initiated by an analyst or manager. This is the email that would be proof of notification and would not be protected from e-discovery. Any incident responder and management in the IR process need to conduct breach training frequently to avoid disclosing information unnecessarily over discoverable mediums in the event of a breach.

Also, confidentiality disclaimers at the bottom of emails serve no legal purpose and will not be protected during the e-discovery process.

xxxkaliboyxxx · September 2017

jstock wrote: »

Unfortunately, the training does not go past the c-suites. There are many cases where an email containing breach information is initiated by an analyst or manager. This is the email that would be proof of notification and would not be protected from e-discovery. Any incident responder and management in the IR process need to conduct breach training frequently to avoid disclosing information unnecessarily over discoverable mediums in the event of a breach.

Also, confidentiality disclaimers at the bottom of emails serve no legal purpose and will not be protected during the e-discovery process.

Good point about the pawns in the game of chess, we are usually the backdoor to cases like that. I guess it depends how careful they are. I know from experience that Legal Counsel to the C-Suites strictly only advise the execs so that could leave an open door in the chain of custody. Now I'm no lawyer, so I wouldn't know anything about the disclaimer or statements, I just see them on emails. I'm sure there are all kinds of tricks and loopholes in the legal system, where these guys could get away free.

TheFORCE · September 2017

cyberguypr wrote: »

On the topic of reporting structure I would be curious to hear of any place that has multiple CISOs. My experience has also been as the others mentioned where the IT/IS risk function includes a bunch of directors, lower officers, managers, etc. yet they all answer to one main C-level.

Perfect example are the international companies with bramches and head offices in those countries and regions. In this case you would need regional CISO's because each country faces different regulations and compliance issues.

Another example is companies that act as parent/holding companies of smaller companies in different verticals. Think of it as an organizational chart.

From my experience and others I've talked to for example a big financial org has a CISO who reports to CRO who in turn reports to CEO. I've seen it also organized as VP or SVP of IT reporting to head of IT who in turn reports to COO who in turns repprts to CEO/Board.

Companies are creating these roles for a reason, theres a lot of responsibility thay affects the bottom line and the $$$.
Some acronyms that are not necessarily interchangeable are CTO- Chief Technology Officer, CIO- Chief Information Officer, CISO - Chief Information Security Officer, CSO -
Chief Security Officer, CRO - Chief Risk Officer, ITSO - IT Security Officer, CCO - Chief Compliance Officer. You think all those people report to the CEO? In big orgs the person reporting to the CEO is the CSO with everyone else reportu g to him or someone else below them.

jcundiff · September 2017

Actually Our COO, CRO, CLO, CFO all report to CEO... CIO and CSO report to COO... we have a CSO not a CISO due to physical security rolling up through CSO as well as infosec

@TheForce: several of those titles are interchangeable... CIO/CTO, CSO/CISO/ISO, CCO/CPO/CRO from my experience

jibtech · September 2017

I have definitely seen multiple CISOs where there are independent subsidiaries. Also where geographic and regional differences warrant different treatment.

In the community colleges here in Virginia, there is often an ISO at each school, who are independent, but also report data to the head office CISO. They are independent...but not.

I have also seen a trend where risk, compliance and security are starting to report to the board, rather than the CEO.

jibtech · September 2017

New phrase so just saw from Brian Krebs:

Equif*cked.

New favorite word.

stryder144 · September 2017

jibtech wrote: »

New phrase so just saw from Brian Krebs:

Equif*cked.

New favorite word.

I like Equi-hacked myself...

jcundiff · September 2017

equihax.com has already been registered ( fortunately by a researcher, not a threat actor)

stryder144 · September 2017

Nice! Kind of cheeky but I like it.

jstock · September 2017

And the first casualties of the Equifax breach. Definitely not surprised here: https://www.cnbc.com/2017/09/15/equifax-security-and-information-executives-to-retire-dj-reports.html

Also, sheds a little light on their reporting structure. CISO reported to CIO.

jibtech · September 2017

This feels like little more than damage control. Replacing these positions with others who were in the environment means the same attitudes can persist.

i would have much preferred to see an outside influence bringing a fresh set of eyes to systemic problems.

jstock · September 2017

jibtech wrote: »

This feels like little more than damage control. Replacing these positions with others who were in the environment means the same attitudes can persist.

i would have much preferred to see an outside influence bringing a fresh set of eyes to systemic problems.

The CISO replacement is only interim, which means more than likely they will hire externally.

xxxkaliboyxxx · September 2017

jstock wrote: »

And the first casualties of the Equifax breach. Definitely not surprised here: https://www.cnbc.com/2017/09/15/equifax-security-and-information-executives-to-retire-dj-reports.html

Also, sheds a little light on their reporting structure. CISO reported to CIO.

Are those two out of the 3 C-suites that sold their stocks?

jibtech · September 2017

@jstock, Let's hope so. I have a feeling this will be a search that leads to his confirmation, due to his "knowledge of the organization and culture". Shoot me, I am a little bit pessimistic.

Also, where did you see that the CISO reported to the CIO? I may have missed it.

jibtech · September 2017

xxxkaliboyxxx wrote: »

Are those two out of the 3 C-suites that sold their stocks?

Nope. The execs who sold stock were:
Gamble - CFO
Loughran - US Information Solutions President
Ploder - Workforce Solutions President

jstock · September 2017

jibtech wrote: »

@jstock, Let's hope so. I have a feeling this will be a search that leads to his confirmation, due to his "knowledge of the organization and culture". Shoot me, I am a little bit pessimistic.

Also, where did you see that the CISO reported to the CIO? I may have missed it.

I wouldn't be surprised if the interim replacement turned into the permanent replacement. But labeling the replacement as interim shows the intention of continued search. And the reporting structure I mentioned was an educated guess based on the "retirements" of the CIO and CISO. It only makes sense that the person responsible for the security of the organization and the person they report to be the first high profile casualties.

mbarrett · September 2017

Equifax hired a music major as chief security officer and she has just retired - MarketWatch

She also made her LinkedIn profile private & replaced the last name with "M"

NEODREAM · September 2017

mbarrett wrote: »

Equifax hired a music major as chief security officer and she has just retired - MarketWatch

She also made her LinkedIn profile private & replaced the last name with "M"

Appears the LinkedIn profile has been deactivated

DatabaseHead · September 2017

mbarrett wrote: »

Equifax hired a music major as chief security officer and she has just retired - MarketWatch

She also made her LinkedIn profile private & replaced the last name with "M"

What a total joke......

Unreal, you would hire someone in that role with that horrible education. We aren't talking about an analyst or manager we are talking about leading the direction of the security vertical.

At the very least get the CISSP.....

Retiring my ass..... She was canned

UnixGuy · September 2017

Privacy wrote: »

Don'e be silly, backups and resetting passwords would cover the experience needed. That's if you did not just find someone to do you a favour and sign it off.

This is unfortunately true, I've seen it before

dhay13 · September 2017

Privacy wrote: »

Don'e be silly, backups and resetting passwords would cover the experience needed. That's if you did not just find someone to do you a favour and sign it off.

Have you taken the CISSP? Pretty tough to pass with no experience, or even minimal. Sure it can be done but that is definitely the exception. If you can't pass in the first place then a sign-off and experience in 2 domains is meaningless. Resetting passwords and conducting backups for 5 years will not get many people a passing score.

The CISSP is definitely not the end-all be-all but I would agree with geostern and hire a CISSP over any Master's holder unless they had substantially more proven experience.

TechGromit · September 2017

cyberguypr wrote: »

In her defense, the degree does hold a lot of value. After all she will now have to face the music. Ba dum tsssss!

In her defense, often times the job you end up getting, isn't the degree you went to college for. However I would expect to see a progression of her IT career, her last three jobs listed as Professional, what the hell is that? I would expect any other CIO was at minimum an IT manager before, usually a director.

gespenstern · September 2017

TechGromit wrote: »

In her defense, often times the job you end up getting, isn't the degree you went to college for. However I would expect to see a progression of her IT career, her last three jobs listed as Professional, what the hell is that? I would expect any other CIO was at minimum an IT manager before, usually a director.

She held multiple positions titled "Director of" in previous companies. Easily searchable online.

TechGromit · September 2017

jcundiff wrote: »

limited options trading ( 260 in July total) then August 21st, someone buys 2600 contracts to sell 260,000 shares in September for 135 a share, or $10 less than stock was currently trading... turning a $156,000 investment into possibly 11 million plus

You know if wouldn't surprise me in the least if this turns out to be an Equifax executive or employee with know ledge of the breech and when it was going to go public. It it's entirely possible that the actors responsible for the breach, where monitoring internal company communications and make the play. This case has way too much public expose on it for the SEC to drop the ball on this. The executives will be forced to surrender than profits and face huge fines for insider trading, possibly even jail time. As for the options thing, who's "someone" you can't make trades anonymously on the stock market for tax reporting purposes.

TheFORCE · September 2017

Its funny how she will "retire" and still get that huge paycheck golden parachute.

Heard that all of their Infosec group or IT also quit or walked out. Who would stay? Might be good point to get into that company though, not sure if it will be around though and what reputation damage it will suffer.

Is this why Equifax was hacked?

Comments