Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption Businesses Government Privacy Security Software United States

Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted (techtarget.com) 104

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

This discussion has been archived. No new comments can be posted.

Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted

Comments Filter:
  • Big Sister Corporation collecting information on you is just as invasive, just as evil, as Big Brother Government.

  • that's how dumb he sounds

  • by forkfail ( 228161 ) on Friday November 10, 2017 @05:08PM (#55528431)

    Not only are they ROT-13-ing the data, they're doing it twice for double strength security!

    • That’s disappointing, I thought that they had already upgraded to ROT-26.

      • by rtb61 ( 674572 )

        I thought it was ROT-1 as in were number 1, were number 1. Focus on profits and not doing your job and well don't be surprised when those profits cease to exist but hey, normal corporate executive practice ie maximise short term bonuses, artificially inflate share price, develop a golden parachute, and cut back on service and support, as well as product quality to maximise profit up to and including corporate collapse and then bail with your golden parachute, standard 21st corporate operating procedure, you

  • Outside of somebody stealing your drives to look at them, encryption at rest isn't that vital since when the system is live the data are going to be effectively unencrypted for use. Considering the hack had nothing to do with physical theft of drives, it's kind of off topic.

    It's like how Truecrypt can't protect your live database server from dumping data due to a SQL injection attack even if it protects the contents of the DB from physical hard drive theft.

    • by darkain ( 749283 )

      This depends on how the exploit happened. Run scp on encrypted at rest MySQL database files from the server to a remote machine to steal the data? And you've got jack shit. The whole point is to prevent different types of attacks.

    • by Anonymous Coward

      Yes it is if you want to be PCI compliant which it looks like they're supposed to be.

      And just because the system is live doesn't mean that all the data is unecrypted for use. Decrypt what you need and leave the rest encrypted.

      I've seen this many times. Just because you don't understand why a rule is in place doesn't mean it isn't useful and with purpose.

    • A real enterprise system for encryption at rest keeps the data encrypted even while running. The way to do this is you replace/add to the file system device drivers and any request for information from the encrypted file system must be from an authorized user id and process (i.e. even root can't have it, if properly configured) and then it decrypts it on the fly after the file system is read and passes it into the authorized application, which should also be designed to encrypt the data in flight anywhere,

    • by gweihir ( 88907 )

      Indeed. It basically protects against theft of your disks. For tapes, it is a bit more important. But it has zero value as defense against getting hacked. The question is about as clueless as the answer was.

  • by bradley13 ( 1118935 ) on Friday November 10, 2017 @05:23PM (#55528495) Homepage

    If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point? I mean, the damage is already done, nothing Congress can do to change that. If a crime has been committed, those responsible should be prosecuted. If civil damages occurred, they should be sued. What's the point of the grandstanding by Congresscritters?

    That said, a CEO who knows he is going to get publicly grilled ought to have all of his ducks in a row. There's no excuse for not knowing something as basic as "is your data encrypted".

    And on the gripping hand, depending on how something is hacked, "at rest" encryption may just be totally useless. It will protect you if someone gets a raw copy of your database, but if they have access to your application infrastructure, that infrastructure will happily decrypt the data for them, because that's what it does. Meanwhile, you will take a *huge* performance hit on a lot of database operations. Really, I have trouble imagining the small additional security being worth the cost in performance. But maybe I'm not familiar with enterprise-scale operations - anyone who is care to comment?

    • by Anonymous Coward

      If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point?

      in the future when all the blogs and web articles about all of this have been forgotten about, the congressional record will still hold the facts of what happened to our country

      I would remind you that those who forget history are doomed to repeat it, but you're already there.

    • Congress' job is to write laws. Committee hearings are part of the process of determining what new laws, or changes to existing ones, are needed.

      Yes, the Equifax breach is in the past, and can't be changed. That's not the point. The point is what future changes can be made to prevent things like this in the future. Note that the hearing's title is "Protecting Consumers in the Era of Major Data Breaches" - plural breaches, with more to come in the future. Equifax is just a really good example of what ca

      • by gtall ( 79522 )

        While I agree with your statement these hearings are necessary for Congress to know how to write the laws, I also suspect Congress is fully aware of the ad copy attempting to show they are on top of a critical problem. Whether they do anything is debatable. If the current tax bill is any indication, we know how much big business can count on Congress to make them feel better about themselves....and their profits.

    • by dave562 ( 969951 )

      Encryption at rest happens on the storage hardware itself. It is there to protect against someone stealing physical drives out of the storage array and reading data off of them. It does not have any affect on the performance of the applications running on top of the storage array.

      What you are thinking about that causes a performance hit is database level encryption. For example, newer versions of MSSQL server (at least 2012+) will allow encryption on individual databases, tables and even specific columns

    • by Anonymous Coward

      So,here's the issue. (well, several issues)

      Within any organization over 50 people, there are people who want to check the checkbox, and people who want to implement real security. The former are always greater/more powerful, politically, than the latter.

      Then there are these assholes, https://www.informatica.com/ca/products/data-security/data-masking/dynamic-data-masking.html selling bullshit like this: (https://www.informatica.com/content/dam/informatica-com/global/amer/us/collateral/data-sheet/dynamic-dat

    • If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point? I mean, the damage is already done, nothing Congress can do to change that. If a crime has been committed, those responsible should be prosecuted. If civil damages occurred, they should be sued. What's the point of the grandstanding by Congresscritters?

      I'll agree to to the charge of grandstanding, but Congress absolutely should interview lots of relevant people before writing new law. Maybe in the case of ignorant-seeming CEOs they should discount that testimony as self-serving or willfully-obtuse. But there's nothing wrong with listening and considering what he's willing to say about it.

      And on the gripping hand, depending on how something is hacked, "at rest" encryption may just be totally useless. It will protect you if someone gets a raw copy of your database, but if they have access to your application infrastructure, that infrastructure will happily decrypt the data for them, because that's what it does. Meanwhile, you will take a *huge* performance hit on a lot of database operations. Really, I have trouble imagining the small additional security being worth the cost in performance. But maybe I'm not familiar with enterprise-scale operations - anyone who is care to comment?

      It's not a silver bullet, but encryption at rest helps in a number of ways. It forces the attacker to continue to work from within your infrastructure, which at least ope

      • Maybe in the case of ignorant-seeming CEOs they should discount that testimony as self-serving or willfully-obtuse.

        It could even be beneficial if they take the “willfully obtuse” or “incompetent and uncaring to the bone” aspect of the testimony into account when they draw up legislation. Members of the committee could be led to observe, for example, that even in the face of the most abject and repeated failure, corporate managers keep demonstrating an extreme lack of concern about the need to protect consumers data and interests (illustrated either by their lack of tangible knowledge of any corre

    • by lhowaf ( 3348065 )
      Congress, in fact, already acted after the Equifax breach. They killed a recent, not-yet-enacted rule that would have allowed consumers to file class-action suits against financial institutions. There. Mission Accomplished. Now Equifax can show mock contrition at these hearings while consumers are left holding the tab.
  • by w3woody ( 44457 ) on Friday November 10, 2017 @05:24PM (#55528497) Homepage
    And it's poorly written, poorly managed, poorly understood and completely under-appreciated by the C-suite until something goes pear-shaped.
    • I don't think you can blame clueless CEOs on software.
    • by gtall ( 79522 )

      And when it does go pear-shaped the C-suite still doesn't know how to prevent the software from being poorly written, poorly managed, poorly understood, and completely under-appreciated. It would cost money to fix, it would also cost re-organization. However, if they knew how to reorganize to fix the problems, they'd have already done it. Instead, they are like the deer that gets whacked by a car, hops up, and then claims it was experimental error and goes ahead to stare into the next set of headlights.

  • if you have access to the server you have all the tools and information to decrypt the data so it doesn't matter if the data is encrypted or not.. they could export it decrypted from the server in plain text.. or they could copy it and decrypt it on their end once they have it.
    • That's why you don't leave your keys in the lock.

      It's also why you don't put the decryption keys in the same place as the data and you enforce what process/id has access to the encrypted data.

  • Must be another Music Major, perhaps he and the CIO studied opera together.

  • I hate equifax with a passion, but their CEO is probably correct in that most of their info comes from from third party end points (like your bank, or the utilities) directly, they might be encrypting data as it passes through them, but they are only as secure as their third party endpoints and adopted software (in this case, they say it was a bug in Apache Struts that allowed someone access).

    This whole thing is one rotten contract with no oversight, just a bunch of people cashing in on private data. Multip

    • by gtall ( 79522 )

      And even knowing their data is third hand, they still suck at verifying it. They still thought I lived in my old residence that I moved from 10 years ago. I didn't correct them because I don't believe in feeding the trolls.

    • by Luthair ( 847766 )

      t they are only as secure as their third party endpoints and adopted software (in this case, they say it was a bug in Apache Struts that allowed someone access).

      The struts bug was known, and they weren't monitoring their network for unusual traffic. Lumping in libraries you use in your software with what third parties do is ridiculous.

  • Uh, no, we're not their "customers". Used to be "product", now we're simply known as the "victims".

  • Lots of Monday morning quarterbacks in this thread. They keep putting so much money in his bank account he barely even has time to spend it. When you're the CEO you have to prioritize your time and lots of small things simply don't make the cut.

  • it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security

    Translation: Someone told me we have security but I know nothing about how it works or what it actual is.

    • by gtall ( 79522 )

      Better translation: Yes senator I understand what you are saying, but if I say that then I will look like I purposely screwed the pooch...on the other hand, if I look clueless, then I've not said anything wrong that I, and more importantly, my paycheck and golden parachute, can be held in jeopardy over.

  • The breach took 'live data', e.g. that data actively used by the system, given the access the hackers had 'encrypting data actively used' would have 0 affect on security.

    Now, if the hackers stole data from backups (actually OFFLINE/at rest), on laptops that were off etc THAN 'encryption of data at rest' would matter.

    Data 'actively used by the system' is NOT 'at rest' & if you have administrative access to the system while running encrypting it will only slow the hacker down not stop them in any way.

  • by FeelGood314 ( 2516288 ) on Friday November 10, 2017 @06:07PM (#55528723)
    What the hell does " encrypting at rest" prevent in this context? The data is constantly being queried in a thousand different ways. So sure you could encrypt it and if someone gained access to the raw data then it would be useless but since every process is decrypting it anyway and that's the vector the attacker will come in on it doesn't do you any good.

    Some controls could be put in place like storing address and personal identifiable information encrypted and only giving the decryption keys to processes that add data to the database and not ones that pull data but that's work, complexity and well it's the credit bureau's business to sell the data and there isn't a single piece of data they won't try and monetize.

    Aside - I used to carry the entire backup of the data, unencrypted to the offsite storage.
    • by gweihir ( 88907 )

      It does not matter at all for the type of attack we are talking about here. Storage encryption helps if somebody steals the physical disks out of the server, but it does not help at all for file-systems that are online where the OS will nicely decrypt everything you ask for before giving it to you. It also helps if, say, backup tapes get stolen or laptops that are off (not hibernated or suspended) get stolen. The question just reveals that the person asking it is clueless.

    • What the hell does " encrypting at rest" prevent in this context? ...
      Aside - I used to carry the entire backup of the data, unencrypted to the offsite storage.

      You answered your own question. Say you dropped, lost, or were robbed of those backups. Or say that someone at the off-site location did the same. Vola! 100% data leakage, quick & easy! Unencryped backups with personal info are just plain reckless- and sometimes illegal.

      This is why you encrypt at rest.

  • It is a dream of mine to be able to ask hard questions to these industry clowns and force them, on the spot, to provide clear, unambiguous answers.
  • by Opportunist ( 166417 ) on Friday November 10, 2017 @06:22PM (#55528793)

    For real. This gets worse and worse every time you get to hear about it. How can he NOT know this MONTHS after the breach? I could see that this isn't something he needs to know for everyday business, his background is probably in finance, legal or business administration, that's where most CEOs come from and that's also what they deal with in day-to-day business.

    This isn't fucking day-to-day business!

    How it is possible that MONTHS after the breach he obviously still doesn't know at least the crucial, important bits about the breach is beyond me! I know that I'm the odd idiot who does actually prepare for such situations, I created whole binders for PR to keep the press occupied until we're ready for a public statement so they can send them on a wild goose chase without us looking like we're stalling should something like this ever happen to us, with similar folders for the relevant C-Levels that could possibly be asked for statements, along with pretty much me only having to tell you which folder to pull out of their desk and learn (or at least read at the inevitable PK), I know that few go to those lengths but it is valuable. When the shit hits the fan, you do not have time for this bullshit.

    But, FUCK, even after ... what has it been now? 2 MONTHS? Two fucking months nobody bothered to brief the CEO so he doesn't look like a total and utterly worthless piece of junk with the only quality of being far too high maintenance to be kept alive because he might waste valuable O2 that someone could put to better use? For real?

    I mean, ok, his CISO was what? An opera singer or someone equally qualified? Ok, one could argue that it's his own fault if he has no clue how to pick and choose his C-Levels, but FUCK, how the heck is that guy still outside of a prison cell? How is it even possible that directorate and board didn't rip him a new one up so far that even a turtleneck couldn't cover it anymore?

    What the hell is going on here?

    • Is it in his best interest to know these answers? Most CEOs are pretty smart and hard working. He should have been able to learn this stuff, had notes or a binder in front of him with answers prepared by someone like you. He didn't. I suspect the lawyers decided it was better not to answer in case the answers came back to bite him or Equifax.
      • Smart I agree. Hard working, not so much.

        I honestly believe he put the cheapest idiot he could find into the CISO seat so he has someone to blame and fire. Some scapegoat, hoping that this would suffice.

        I on the other hand hope it won't.

  • If this is data that was online ("at rest" is also irrelevant here, it just means "stored in some way"), then it does really not matter whether the storage device contains it in encrypted form. If it is online, you can just access it in plain via standard OS interfaces. Storage encryption protects data that is offline, not data that is "at rest". Hence, storage encryption does fine for removed disks, tapes, etc. It can also work for disks that are online but not mapped in the decryption layer, but that is a

  • We should probably treat the executive levels in any given company as we treat high level officers in the various branches of the Military.

    Something goes wrong, at the bare minimum, the Officer in Charge takes full responsibility and is removed. Read that: CEO.

    No instant-retirement allowed to dodge the repercussions.
    Golden Parachute revoked.
    No profiting of any kind from screwing everyone else over.

    YOUR GD FAULT. Directly or indirectly it doesn't matter.
    You were in charge when it happened, you suffer the

  • Doesn't so much matter if it's encrypted at rest if you expose it publicly via an insecure website or API, right?
    • Expose it in plain text, that is.
      • Yes...but there are plenty of other means to access that data than through an API. And in those cases it matters a whole lot if data is encrypted or not. Adding encryption to any reputable data store is not difficult. In most cases it is a simple configuration setting that can be queried for as well. In most cases the apps consuming the data do not have to change at all as long as they use the proper credentials. Any company that collects personal data and does not encrypt any of it needs to be closed and a
        • I'm going through this at work, where we've deployed a product by Vormetric to provide at-rest encryption for a large production PostgreSQL database. IMO it's very security-as-theater. Essentially we're spending all this money and effort so we can say "yes" when larger customers (and auditors) ask if we encrypt at rest. All this does is prevent non-authorized system users from accessing the Postgres data files on the server where it lives. File permissions largely accomplish that already, since the file
  • Send Equifucks a cease and desist order for all their operations. They grossly abused the trust put into them and still have no leadership who takes these matters seriously. All that Equifucks deals with is data, the CEO not knowing if it is encrypted and the previous CEO not demanding encryption when his subordinates flubbed on it is prime evidence that they have absolutely not a single clue what they are doing as long as the cash rolls in regularly.
    Congress must act and pass a law that any and all collec

Keep up the good work! But please don't ask me to help.

Working...