srakatablet.blogg.se

Equifax breach









EQUIFAX BREACH PATCH

"There's really no excuse whether it's a difficult patch or not, for an organization of that size with that kind of magnitude of data," said Jon Hendren, director of strategy at security firm UpGuard. However, security experts say Equifax should have moved faster. They must first identify the vulnerability, then implement and test the patch to make sure it doesn't break anything before making it public.

EQUIFAX BREACH SOFTWARE

Patching software at big corporations with many machines does take time.

EQUIFAX BREACH SERIES

With help from Mandiant, Equifax was able to determine a series of breaches had occurred from May 13 through July 30, the company said.

EQUIFAX BREACH PROFESSIONAL

Related: Why Millennials should be really worried about the Equifax breach

And on August 2 Equifax contacted Mandiant, a professional cybersecurity firm, to help the company assess what data had been compromised. On Friday, it said it waited until it "observed additional suspicious activity" a day later to take the affected web application offline. Yet, according to the company, hackers exploited the flaw months later.

Equifax has said it discovered the data breach on July 29. Department of Homeland Security, US-CERT, "identified and disclosed" the Apache Struts flaw in March, Equifax said in a statement.

And the company's security department "was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems." More at his blog post.

Related: Equifax's chief information officer and chief security officer are out

A cybersecurity arm of the U.S. Less than 5% even list such individuals on their website. He researched how Fortune 100 prioritize the CSO/CISO position. UPDATE: Renowned security blogger Brian Krebs has posted a fantastic follow-up on this blog and the Equifax report. But what the Equifax report shows us is a strong need to take a step back and ask WHY that was the case and what was the root cause analysis? I would like to commend the efforts of Congress on this amazing report, and hope we will have more reports like these in the future. I feel this is one of the most critical findings.) As a result, the new CSO of Equifax is actually called the CISO and that individual now reports directly to the CEO.

Far too often, when we look at incidents like these, we take a very tactical approach: X was not patched or Y was not monitored. (Full details of this strategic failure start on page 55 of the report. However, when Equifax’s new CIO David Webb and new CSO Susan Mauldin came on board, this split was never resolved. Since the two could not work together, the CSO was moved under legal. The reason for this split?
Ten years prior, the CSO reported to the CIO; however, they had strong personality conflicts. IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization. But why wasn’t it patched? And why did it take them two months to identify the breach? The ultimate reason was because the CSO, Susan Mauldin, did not report to the CIO, but was buried underneath the Chief Legal Officer. When you bring up the Equifax breach, most people respond that it was a patching issue: the bad guys exploited a Struts vulnerability that Equifax knew about and should have patched. My key take-away? The Equifax hack was ultimately a people / structure issue.


The Executive Summary itself is worth the time, but the detailed timeline, root cause analysis, how Equifax (and Mandiant) responded, and ultimately lessons learned are a gold mine of information. I highly recommend that if you are involved in cybersecurity, especially from a senior or management level, read the report.


Wouldn’t it be great if we had a detailed report similar to what the US FAA produces after every major airline crash? How can we improve if we cannot learn from the mistakes of the past? In the over twenty years I’ve spent in the cybersecurity industry, this report is one of the most detailed accounts I have ever seen on a breach at this scale.

For years, we the security community have been complaining that there is so little visibility in past breaches and lessons learned. To be honest, so few people seem to be talking about this and I am stunned. House of Representatives Committee on Oversight and Government Reform released their official report on the 2017 Equifax Data Breach.









