Former Equifax CEO Blames Breach On One Individual Who Failed To Deploy Patch (techcrunch.com)
Posted 2017-10-03
Equifax's recently departed CEO is blaming the largest data breach in history on a single person who failed to deploy a patch. TechCrunch reports: Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred. Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified that the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.
Smith said that when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team. However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice -- one person didn't do their job. "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.
Never have a single point of failure in any system. And test the system for vulnerabilities.
What carefully parsed weasel words.
So the patch had passed testing, but wasn't applied? The only alternative is that someone has to instruct them specifically to start testing every patch in their ecosystem.
Shouldn't someone be seeing a report of all unapplied patches and how old they are? Yell at the testing group if they age too much?
Nice to have Cyber Security Team (Score:3)
What do the other 224 do?
I smell bullshit. (Score:5, Insightful)
If .25Bn has been invested then there's sure as hell no process that could have allowed a single critical patch to go unchecked as described. There are teams, or should be teams, of people watching these things.
I smell a really shitty cop-out excuse.
the tree must be watered (Score:2)
To quote Thomas Jefferson, "The Tree of Bare Fucking Minimum Standards of Responsibility and Decorum must be refreshed from time to time with blood."
Horseshoe nail (Score:2)
Ah yes, the blame game (Score:4, Informative)
"It was his fault. That's why I sold my company stock when I found out about the breach rather than inform anyone except the other folks in the executive suite."
Wow, that's scummy (Score:5, Insightful)
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not,"
What a scummy thing to say, and he doesn't even realize that the statement makes Equifax look even worse.
With a couple of hundred people on the security team, the idea that it's a single person's responsibility to tell everyone to apply a patch is ludicrous. If it's true, then that's institutional incompetence.
I've been working in computer security for years, and do you know what I and all of my coworkers do? We keep up on computer security developments, particularly newly discovered vulnerabilities. And we discuss them. And send emails about them.
Even if the one team (not individual) who is responsible for ensuring that our own systems are patched for some reason fails to do that job, there is exactly zero chance that this would go unnoticed.
If that's not how it works at Equifax, that's the fault of Equifax, not some single individual.
Any security organization which relies on a single individual's action or inaction to remain in good standing is simply a fairytale.
Every good process which involves a human in the loop should always ensure that at least one more is present to enforce check-and-balance objectives.
There is a good reason why all commercial flights have two pilots as a default.
Let me state this: when you see management pointing at one single downstream individual for such an event, there are at least TWO levels
Such BS (Score:4, Informative)
$225 million isn't much (Score:2)
The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.
Spending $225 million over 3 years isn't really that much when you consider the type and amount of personal data Equifax has on us.
JP Morgan Chase spent $500 million in 2016 alone [forbes.com], Bank of America spent $400 million on cyber security in 2016 although they have an unlimited cyber security budget [forbes.com], Citibank's cyber security budget topped $400 million and Wells Fargo spends roughly $250 million per year. [forbes.com]
Failure of way more than one person (Score:2)
Failing to apply the patch would be the failure of that one person to order the patch applied, plus the failure of his superior to notice that an action item hadn't been handled, plus a failure of the security team to notice that a ticket hadn't been completed, plus the failure of the head of the security team to notice his subordinates had uncompleted tickets sitting there. All this stuff should be tracked, and where I work it is and we have daily status meetings where stuff like this gets asked about, and
Struts being an application framework... (Score:1)
Struts is an application framework, which means it is an application dependency. That means that every Struts-using application within Equifax would have needed to be upgraded, to be tested at least on the new version. That is the job of more than one person!
It is possible that Equifax's application servers (Tomcat, JBoss, etc.) were configured with Struts being provided at the container level, but even that would be a full upgrade of multiple application servers within the company - a platforms team respons
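An added example, not from any of the commenters, of the report the earlier post asks for (every unapplied patch and how old it is) applied to the point made just above, that Struts is a dependency that has to be found and upgraded in every application that ships it. It scans constructed Maven pom.xml files for a Struts artifact, flags every app below an assumed minimum patched release (REQUIRED_MIN is a placeholder to adjust for your branch), and counts the days since the March 8 advisory; apps whose Struts version is inherited from a parent pom are reported as "unknown" rather than silently passed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

ADVISORY_DATE = date(2017, 3, 8)   # CERT announcement date quoted in the article
REQUIRED_MIN = "2.3.32"            # assumed first patched release for your branch; adjust
STRUTS_ARTIFACTS = {"struts2-core", "struts-core"}
DEMO_TODAY = date(2017, 5, 13)     # constructed "now" so the demo output is deterministic

def parse_version(v):
    # '2.5.10.1' -> (2, 5, 10, 1): numeric tuples compare correctly, strings do not
    return tuple(int(p) for p in re.findall(r"\d+", v))

def struts_version_from_pom(pom_xml):
    """Struts version declared in a pom; 'unknown' if inherited from a parent/BOM; None if no Struts."""
    for dep in ET.fromstring(pom_xml).iter():
        if dep.tag.rsplit("}", 1)[-1] != "dependency":   # strip Maven's XML namespace
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in dep}
        if fields.get("artifactId") in STRUTS_ARTIFACTS:
            return fields.get("version") or "unknown"
    return None

def unpatched_report(apps, required_min, today):
    """apps: {name: pom text}. (name, version, days since advisory) for each app still below
    required_min; 'unknown' versions are always listed so they get a manual check."""
    days = (today - ADVISORY_DATE).days
    rows = []
    for name, pom_xml in apps.items():
        ver = struts_version_from_pom(pom_xml)
        if ver is None:
            continue                                   # no Struts here, nothing to patch
        if ver == "unknown" or parse_version(ver) < parse_version(required_min):
            rows.append((name, ver, days))
    return sorted(rows)

def pom(artifact, version=None):
    # minimal constructed pom.xml so the demo inventory runs offline
    ver = f"<version>{version}</version>" if version else ""
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies><dependency>'
            f"<groupId>g</groupId><artifactId>{artifact}</artifactId>{ver}"
            "</dependency></dependencies></project>")

SAMPLE_APPS = {                                        # constructed application inventory
    "dispute-portal": pom("struts2-core", "2.3.20"),    # below the required release
    "consumer-api": pom("struts2-core", "2.5.13"),      # already on a patched release
    "billing-ui": pom("struts2-core"),                  # version managed by a parent pom
    "reports": pom("spring-webmvc", "4.3.1"),           # does not use Struts at all
}
```

Calling `unpatched_report(SAMPLE_APPS, REQUIRED_MIN, DEMO_TODAY)` returns the two apps still needing attention, each with the advisory 66 days old; run it against your real pom inventory with the real "today" to get the aging report.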
Gotta be someone (Score:2)
"The buck stops somewhere else" (Score:2)
Sign on the desk of CxOs everywhere
(contrast this with the US Navy, where the captain of the Fitzgerald was relieved, even though he was not on deck when the collision occurred and in fact was almost killed by the accident. Subsequently, the Navy relieved several higher ranking officers, including Flag officers, for supervisory failures.)