Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted (techtarget.com) 104
An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.
Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.
Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.
There is no way we should trust these companies (Score:4, Insightful)
Big Sister Corporation collecting information on you is just as invasive, just as evil, as Big Brother Government.
Re: (Score:3)
Re: (Score:2)
No, Big Sister Corporation is far more fragmented- and far less competent.
following divorce, husband doesn't know why (Score:1)
that's how dumb he sounds
Re: (Score:1)
Re: (Score:2, Insightful)
CEO: Hey guys, I'm going to go get grilled by Congress about our IT standards, anything I should know about?
IT: ...crickets...
CEO: Great, I'll run that by the lawyers.
Lawyers: ...crickets...
CEO: Great, I'm ready to testify before Congress!
Re:CEO? (Score:4, Insightful)
Re:CEO? (Score:5, Funny)
This is why he gets paid the big bucks! Not just anyone is capable of staying this conveniently negligent and uninformed.
Re: (Score:3)
Thank god he runs a corporation who makes it their job to collect, store, and act on highly sensitive personal information about hundreds of millions of people. I'm glad he's got his plausible deniability down pat.
Re:CEO? (Score:5, Interesting)
A CEO of a financial services firm should know what encryption at rest is as well as he knows what a balance sheet is. I work in the financial services and I've had many meetings where we discussed what personal identifiers and other data that needs to be encrypted at rest. It is often the first thing they ask about when we are moving an existing system to a cloud based vendor. At two companies where I was either heavily involved or in charge of moving data to a new system, I have only had a handful of incompetent managers ask me what encryption at rest meant.
Every competent member of management at a company which values their customers should know basic security concepts like encryption at rest.
Re: (Score:1)
Hell, people still think deidentifying information means to remove the names.
The issue here is that there are fewer competent members of management than there are angry customers, and that's going to be the case for decades to come.
Security training doesn't stick for this generation because many simply don't care o
Re: (Score:3)
Re: (Score:3, Insightful)
Well, bouncing the exact details to some VP of security (the CISO) is pretty much what will happen, out of necessity. But, and this is crucial, he must make sure that everyone knows that anything security related that comes out of the CISO is like it came from him himself and has to be implemented with an implied "or else".
Anything less means the next thing a sensible CISO does is hand in his resignation. The CEOs job is to define the strategic goal and the target what security should achieve. He needn't un
Re:CEO? (Score:5, Informative)
Because encryption at rest of any taxpayer identification data is a federal government requirement as part of a normal contracting process. So either Equifax does something different between their government-facing systems and their public ones (possible), or they are also in noncompliance of the contractual requirement.
In a large, security conscious organization, even one much, much larger than Equifax (like where I work, which probably has a few hundred or more Equifax sized financial operations), any security vulnerability like not encrypting restricted data at rest would be specifically risk accepted by the business and technical owners of the system, and then would be included in a report to the CEO and the Board highlighting the issue and requiring them to specifically sign off on it before it was allowed.
So yeah, it doesn't shock me that the CEO of Equifax (which doesn't appear to have much in the way of data security processes) doesn't know, but in a responsible organization, the CEO and the Board would not only know about something like that, they'd have explicitly signed off on taking the risk, because there isn't anyone else besides the shareholders who are going to be holding the bag when the risk turns into a reality. Wouldn't you want to know, if you were in that position of responsibility?
Re: (Score:2)
So you apparently have experience in organizations like Equifax, rather than ones with good security and risk management practices.
Some places actually take this stuff seriously and have people whose job it is to ensure the company isn't taking risks which the CEO and the Board aren't fully aware of. That tends to concentrate the minds of those individual contributors and their immediate managers you mention.
Re: (Score:2)
I wouldn't expect him to know it right after the breach. If this had been the first question asked right after he learned about the breach, I'd be with you.
But we're literally MONTHS after the public learned about it. Which is usually at least DAYS after he learned about it. His CI(S)O didn't immediately and without being asked hand him that information? Fire that CI(S)O. Out of a cannon.
He didn't ask for that information? How the FUCK did he become the head honcho of a company dealing with insanely sensiti
Re: (Score:2)
He's not in prison because he's done nothing against the law. The law here is a problem, idiot CEOs are another problem. And if I was CEO of a company that just got rifled of all the valuable bits, I'd be damn sure I was on top of the solutions and would be able to answer whether the data is currently being encrypted. However, I suspect he does indeed know that it isn't, but he's almost but not quite stupid enough to answer truthfully, so he claims he doesn't know.
Re: (Score:2)
This is basically what's wrong with the law. He didn't break the law, I'd go to jail for eliminating this problem and he's not worth a second of jail time.
Re: (Score:3)
it's such a fundamental fucking question considering who he is, and why he was being summoned.
Re: (Score:2)
Indeed. And in addition, it does not even matter for the attack that happened one bit. The question is clueless, the answer is not so much. Equifax did a lot of things wrong. but this is not one of them. Now, if their disks had been stolen, this question would be relevant, but it was an online-attack, and storage encryption does provide zero protection for data that is online during such an attack.
Re: (Score:3)
Why the heck would anyone expect a CEO to know the details of the software implementation? It's not his job to know, nor would I expect him to know, and whatever understanding he might have is probably not to be trusted.
Other people in the company should know, but this, come on?
My company's CEO has a very good understanding of our security that goes deeper than just knowing if it's encrypted or not. For example, he knows exactly how customer keys are protected by an HSM (and how the HSM is mirrored across multiple regions). He's given more than one public talk on our security.
Just like Equifax, we're an information company, so a better question is why the heck doesn't a CEO know how they protect the company's most valuable asset?
Re: CEO? (Score:1)
Gee, a Congressional Committee's given me an invite. I wonder what they want to talk to me about? I don't suppose it'll be that massive data breach we had a couple of months ago.
Super Secure Security (Score:4, Funny)
Not only are they ROT-13-ing the data, they're doing it twice for double strength security!
Re: (Score:2)
That’s disappointing, I thought that they had already upgraded to ROT-26.
Re: (Score:2)
I thought it was ROT-1 as in were number 1, were number 1. Focus on profits and not doing your job and well don't be surprised when those profits cease to exist but hey, normal corporate executive practice ie maximise short term bonuses, artificially inflate share price, develop a golden parachute, and cut back on service and support, as well as product quality to maximise profit up to and including corporate collapse and then bail with your golden parachute, standard 21st corporate operating procedure, you
Re: (Score:2)
He doesn't have time for small details like that when they keep giving him so much money to spend. It takes literally all his time burning though that hot paycheck.
Is encryption at rest really that important? (Score:2, Insightful)
Outside of somebody stealing your drives to look at them, encryption at rest isn't that vital since when the system is live the data are going to be effectively unencrypted for use. Considering the hack had nothing to do with physical theft of drives, it's kind of off topic.
It's like how Truecrypt can't protect your live database server from dumping data due to a SQL injection attack even if it protects the contents of the DB from physical hard drive theft.
Re: (Score:2)
This depends on how the exploit happened. Run scp on encrypted at rest MySQL database files from the server to a remote machine to steal the data? And you've got jack shit. The whole point is to prevent different types of attacks.
Re: Is encryption at rest really that important? (Score:2, Informative)
Yes it is if you want to be PCI compliant which it looks like they're supposed to be.
And just because the system is live doesn't mean that all the data is unecrypted for use. Decrypt what you need and leave the rest encrypted.
I've seen this many times. Just because you don't understand why a rule is in place doesn't mean it isn't useful and with purpose.
Re: (Score:1)
A real enterprise system for encryption at rest keeps the data encrypted even while running. The way to do this is you replace/add to the file system device drivers and any request for information from the encrypted file system must be from an authorized user id and process (i.e. even root can't have it, if properly configured) and then it decrypts it on the fly after the file system is read and passes it into the authorized application, which should also be designed to encrypt the data in flight anywhere,
Re: (Score:3)
Indeed. It basically protects against theft of your disks. For tapes, it is a bit more important. But it has zero value as defense against getting hacked. The question is about as clueless as the answer was.
Re: (Score:2)
And you are clueless about databases and about data exfiltration _and_ actual IT security. But you have a big, big ego to match those small skills. (Usually, the latter causes the former....) Pathetic.
Why testify in front of Congress? (Score:3)
If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point? I mean, the damage is already done, nothing Congress can do to change that. If a crime has been committed, those responsible should be prosecuted. If civil damages occurred, they should be sued. What's the point of the grandstanding by Congresscritters?
That said, a CEO who knows he is going to get publicly grilled ought to have all of his ducks in a row. There's no excuse for not knowing something as basic as "is your data encrypted".
And on the gripping hand, depending on how something is hacked, "at rest" encryption may just be totally useless. It will protect you if someone gets a raw copy of your database, but if they have access to your application infrastructure, that infrastructure will happily decrypt the data for them, because that's what it does. Meanwhile, you will take a *huge* performance hit on a lot of database operations. Really, I have trouble imagining the small additional security being worth the cost in performance. But maybe I'm not familiar with enterprise-scale operations - anyone who is care to comment?
Re: (Score:1)
If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point?
in the future when all the blogs and web articles about all of this have been forgotten about, the congressional record will still hold the facts of what happened to our country
I would remind you that those who forget history are doomed to repeat it, but you're already there.
Re: (Score:3)
Congress' job is to write laws. Committee hearings are part of the process of determining what new laws, or changes to existing ones, are needed.
Yes, the Equifax breach is in the past, and can't be changed. That's not the point. The point is what future changes can be made to prevent things like this in the future. Note that the hearing's title is "Protecting Consumers in the Era of Major Data Breaches" - plural breaches, with more to come in the future. Equifax is just a really good example of what ca
Re: (Score:2)
While I agree with your statement these hearings are necessary for Congress to know how to write the laws, I also suspect Congress is fully aware of the ad copy attempting to show they are on top of a critical problem. Whether they do anything is debatable. If the current tax bill is any indication, we know how much big business can count on Congress to make them feel better about themselves....and their profits.
Re: (Score:3)
Encryption at rest happens on the storage hardware itself. It is there to protect against someone stealing physical drives out of the storage array and reading data off of them. It does not have any affect on the performance of the applications running on top of the storage array.
What you are thinking about that causes a performance hit is database level encryption. For example, newer versions of MSSQL server (at least 2012+) will allow encryption on individual databases, tables and even specific columns
Re: (Score:1)
So,here's the issue. (well, several issues)
Within any organization over 50 people, there are people who want to check the checkbox, and people who want to implement real security. The former are always greater/more powerful, politically, than the latter.
Then there are these assholes, https://www.informatica.com/ca/products/data-security/data-masking/dynamic-data-masking.html selling bullshit like this: (https://www.informatica.com/content/dam/informatica-com/global/amer/us/collateral/data-sheet/dynamic-dat
Re: (Score:2)
If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point? I mean, the damage is already done, nothing Congress can do to change that. If a crime has been committed, those responsible should be prosecuted. If civil damages occurred, they should be sued. What's the point of the grandstanding by Congresscritters?
I'll agree to to the charge of grandstanding, but Congress absolutely should interview lots of relevant people before writing new law. Maybe in the case of ignorant-seeming CEOs they should discount that testimony as self-serving or willfully-obtuse. But there's nothing wrong with listening and considering what he's willing to say about it.
And on the gripping hand, depending on how something is hacked, "at rest" encryption may just be totally useless. It will protect you if someone gets a raw copy of your database, but if they have access to your application infrastructure, that infrastructure will happily decrypt the data for them, because that's what it does. Meanwhile, you will take a *huge* performance hit on a lot of database operations. Really, I have trouble imagining the small additional security being worth the cost in performance. But maybe I'm not familiar with enterprise-scale operations - anyone who is care to comment?
It's not a silver bullet, but encryption at rest helps in a number of ways. It forces the attacker to continue to work from within your infrastructure, which at least ope
Re: (Score:2)
Maybe in the case of ignorant-seeming CEOs they should discount that testimony as self-serving or willfully-obtuse.
It could even be beneficial if they take the “willfully obtuse” or “incompetent and uncaring to the bone” aspect of the testimony into account when they draw up legislation. Members of the committee could be led to observe, for example, that even in the face of the most abject and repeated failure, corporate managers keep demonstrating an extreme lack of concern about the need to protect consumers data and interests (illustrated either by their lack of tangible knowledge of any corre
Re: (Score:2)
Re: (Score:2)
Bureau Director Richard Cordray called the Senate vote “a giant setback for every consumer in this country” and urged Trump to veto the repeal legislation.
“It robs consumers of their most effective legal tool against corporate wrongdoing,” Cordray said. “As a result, companies like Wells Fargo and Equifax remain free to break the law without fear of legal blowback from their customers.”
Cordray is the head of the Consumer Financial Protection Bureau - the bureau that issued the rule.
Software is eating the world. (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
And when it does go pear-shaped the C-suite still doesn't know how to prevent the software from being poorly written, poorly managed, poorly understood, and completely under-appreciated. It would cost money to fix, it would also cost re-organization. However, if they knew how to reorganize to fix the problems, they'd have already done it. Instead, they are like the deer that gets whacked by a car, hops up, and then claims it was experimental error and goes ahead to stare into the next set of headlights.
Equifax Doesnt Know If Data Is Encrypt Dont Matter (Score:1)
Re: (Score:2)
That's why you don't leave your keys in the lock.
It's also why you don't put the decryption keys in the same place as the data and you enforce what process/id has access to the encrypted data.
Small wonder (Score:2)
Must be another Music Major, perhaps he and the CIO studied opera together.
Re: (Score:2)
Hey they were Phi Beta Kappa. That means they're better than me and you put together bub!
Barros is basically correct. (Score:2)
I hate equifax with a passion, but their CEO is probably correct in that most of their info comes from from third party end points (like your bank, or the utilities) directly, they might be encrypting data as it passes through them, but they are only as secure as their third party endpoints and adopted software (in this case, they say it was a bug in Apache Struts that allowed someone access).
This whole thing is one rotten contract with no oversight, just a bunch of people cashing in on private data. Multip
Re: (Score:2)
And even knowing their data is third hand, they still suck at verifying it. They still thought I lived in my old residence that I moved from 10 years ago. I didn't correct them because I don't believe in feeding the trolls.
Re: (Score:2)
t they are only as secure as their third party endpoints and adopted software (in this case, they say it was a bug in Apache Struts that allowed someone access).
The struts bug was known, and they weren't monitoring their network for unusual traffic. Lumping in libraries you use in your software with what third parties do is ridiculous.
Re: (Score:2)
Yes it is, welcome to the real world.
customer data? <chuckle> (Score:2)
Uh, no, we're not their "customers". Used to be "product", now we're simply known as the "victims".
He doesn't have time for that shit. (Score:1)
Lots of Monday morning quarterbacks in this thread. They keep putting so much money in his bank account he barely even has time to spend it. When you're the CEO you have to prioritize your time and lots of small things simply don't make the cut.
Re: (Score:3)
Throw that asshole into a jail cell and you'll see how he suddenly has plenty of time.
And don't tell me there isn't PLENTY of reason for doing so.
Re: (Score:2)
I don't think you read my post.
In other words (Score:2)
it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security
Translation: Someone told me we have security but I know nothing about how it works or what it actual is.
Re: (Score:2)
Better translation: Yes senator I understand what you are saying, but if I say that then I will look like I purposely screwed the pooch...on the other hand, if I look clueless, then I've not said anything wrong that I, and more importantly, my paycheck and golden parachute, can be held in jeopardy over.
'Encryption of data at rest'? Define 'at rest'? (Score:1)
The breach took 'live data', e.g. that data actively used by the system, given the access the hackers had 'encrypting data actively used' would have 0 affect on security.
Now, if the hackers stole data from backups (actually OFFLINE/at rest), on laptops that were off etc THAN 'encryption of data at rest' would matter.
Data 'actively used by the system' is NOT 'at rest' & if you have administrative access to the system while running encrypting it will only slow the hacker down not stop them in any way.
Re: (Score:2)
Thats amazing! its the same combination on my luggage!
I worked for a credit bureau - encrypting at rest (Score:4, Insightful)
Some controls could be put in place like storing address and personal identifiable information encrypted and only giving the decryption keys to processes that add data to the database and not ones that pull data but that's work, complexity and well it's the credit bureau's business to sell the data and there isn't a single piece of data they won't try and monetize.
Aside - I used to carry the entire backup of the data, unencrypted to the offsite storage.
Re: (Score:2)
It does not matter at all for the type of attack we are talking about here. Storage encryption helps if somebody steals the physical disks out of the server, but it does not help at all for file-systems that are online where the OS will nicely decrypt everything you ask for before giving it to you. It also helps if, say, backup tapes get stolen or laptops that are off (not hibernated or suspended) get stolen. The question just reveals that the person asking it is clueless.
Re: (Score:2)
What the hell does " encrypting at rest" prevent in this context? ...
Aside - I used to carry the entire backup of the data, unencrypted to the offsite storage.
You answered your own question. Say you dropped, lost, or were robbed of those backups. Or say that someone at the off-site location did the same. Vola! 100% data leakage, quick & easy! Unencryped backups with personal info are just plain reckless- and sometimes illegal.
This is why you encrypt at rest.
I envy the senator (Score:2)
What kind of garage shop is this? (Score:3)
For real. This gets worse and worse every time you get to hear about it. How can he NOT know this MONTHS after the breach? I could see that this isn't something he needs to know for everyday business, his background is probably in finance, legal or business administration, that's where most CEOs come from and that's also what they deal with in day-to-day business.
This isn't fucking day-to-day business!
How it is possible that MONTHS after the breach he obviously still doesn't know at least the crucial, important bits about the breach is beyond me! I know that I'm the odd idiot who does actually prepare for such situations, I created whole binders for PR to keep the press occupied until we're ready for a public statement so they can send them on a wild goose chase without us looking like we're stalling should something like this ever happen to us, with similar folders for the relevant C-Levels that could possibly be asked for statements, along with pretty much me only having to tell you which folder to pull out of their desk and learn (or at least read at the inevitable PK), I know that few go to those lengths but it is valuable. When the shit hits the fan, you do not have time for this bullshit.
But, FUCK, even after ... what has it been now? 2 MONTHS? Two fucking months nobody bothered to brief the CEO so he doesn't look like a total and utterly worthless piece of junk with the only quality of being far too high maintenance to be kept alive because he might waste valuable O2 that someone could put to better use? For real?
I mean, ok, his CISO was what? An opera singer or someone equally qualified? Ok, one could argue that it's his own fault if he has no clue how to pick and choose his C-Levels, but FUCK, how the heck is that guy still outside of a prison cell? How is it even possible that directorate and board didn't rip him a new one up so far that even a turtleneck couldn't cover it anymore?
What the hell is going on here?
Re: (Score:2)
Re: (Score:2)
Smart I agree. Hard working, not so much.
I honestly believe he put the cheapest idiot he could find into the CISO seat so he has someone to blame and fire. Some scapegoat, hoping that this would suffice.
I on the other hand hope it won't.
Actually, the answer is irrelevant (Score:2)
If this is data that was online ("at rest" is also irrelevant here, it just means "stored in some way"), then it does really not matter whether the storage device contains it in encrypted form. If it is online, you can just access it in plain via standard OS interfaces. Storage encryption protects data that is offline, not data that is "at rest". Hence, storage encryption does fine for removed disks, tapes, etc. It can also work for disks that are online but not mapped in the decryption layer, but that is a
Silly idea (Score:2)
We should probably treat the executive levels in any given company as we treat high level officers in the various branches of the Military.
Something goes wrong, at the bare minimum, the Officer in Charge takes full responsibility and is removed. Read that: CEO.
No instant-retirement allowed to dodge the repercussions.
Golden Parachute revoked.
No profiting of any kind from screwing everyone else over.
YOUR GD FAULT. Directly or indirectly it doesn't matter.
You were in charge when it happened, you suffer the
eh (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Cease and desist (Score:2)
Congress must act and pass a law that any and all collec