Attacks/Breaches

9/18/2017
06:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
0%
100%

Equifax Exec Departures Raise Questions About Responsibility for Breach

Disclosed details suggest a failure by the technology team but senior executives and the board are not above responsibility as well, experts say.

With two senior technology officials stepping down from Equifax late last week, experts say the question now is whether responsibility for the recently disclosed data breach at the company should in fact go all the way to the top.

Equifax on Friday announced that chief security officer Susan Mauldin and CIO David Webb were "retiring" from the company effectively immediately. Two other executives have been appointed to their roles in an interim capacity, Equifax said in an update.

The announcement was careful to avoid all suggestion that either Mauldin or Webb were being fired over the breach, although it was clear their departures were directly related to the incident, which exposed personally identity information on 143 million US consumers.

In a separate development, BloombergMarkets on Monday reported that the US Department of Justice has opened a criminal investigation into whether three top Equifax executives broke insider-trading laws when they sold company stock in the days immediately following the breach. Equifax CFO John Gamble, the company's president of workforce solutions Rodolfo Ploder, and president of U.S. information solutions Joseph Loughran together sold nearly $2 million in stock in early August, a few days after the breach discovery. Equifax has said the executives did not know of the massive data compromise at the time.

The company has admitted the breach resulted from its failure to address a previously disclosed Apache Struts vulnerability (CVE-2017-5638) that let intruders gain an initial foothold on its systems. In its Friday update, Equifax said its security organization had been aware of the vulnerability and took efforts to address it. "While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing," and more information will be released as it becomes available.

Equifax discovered the intrusion on July 29, more than one-and-a-half months after the intruders first broke in via the Apache Struts flaw. It hired security vendor Mandiant to investigate the break-in, which some have speculated might have been perpetrated by a nation-state actor.

John Pescatore, director of emerging security threats at the SANS Institute, says given the details so far, it is little surprise that Mauldin and Webb are no longer at Equifax. Unlike some breaches that have resulted from systemic top-down inattention to security practices, in this case, the intrusion stemmed from Equifax's failure to address a known security issue that was being actively exploited. So there is little reason to believe that Mauldin and Webb are merely being made scapegoats, as is sometimes the case with major breaches, he says.

"For something where it is one of these failures of basic security hygiene, it is very rarely you would say 'we need support from upper management to patch,'" Pescatore says. "For something like this, it is appropriate to say it falls squarely on the security team" to have prevented the breach, Pescatore says.

"When basic security hygiene doesn't happen, security people with C's in front of their names bear the brunt of the responsibility," he notes.

But the Equifax board cannot be absolved from responsibility, says Todd Thibodeaux, CEO of CompTIA.

"Should the internal team at Equifax have implemented the patch, enforced stricter passwords policies and any number of other things? Absolutely," Thibodeaux says. "Should their board of directors have some responsibility for not ensuring a proper adherence to best practices and a verifiable audit trail? The answer is also, absolutely."

Boards of directors tend to scapegoat their CISOs and IT teams when avoidable breaches such as this occur. But if this had been a financial issue, the board would have been held accountable because they hire and fire the auditors, Thibodeaux says.

The reality is that corporate boards have been less than proactive in engaging in, and understanding, cybersecurity matters. While most board members can decipher a balance sheet, few are likely to know what a penetration test is, how their corporate intellectual property is being safeguarded, or if their company is following NIST's best practices, Thibodeaux says.

"It's time for directors to step up and take the same fiduciary oversight role and responsibility for cyber protection, just as they do in looking out for shareholder interests on the financial side," he says.

CISO's can play a big role in making this happen by being better advocates for cybersecurity, says Christopher Pierson, chief security officer and general counsel at Viewpost.

Instead of being all about technology all the time, CISOs need to focus on making cybersecurity more about business enablement, customer trust, and risk reduction. In addition to security skills, it is increasingly vital for the CISO to have business, legal, and communications expertise, Pierson says.

"Unless your company understands and agrees that cybersecurity is a top-level board issue it is impossible [for the CISO] to escape being a scapegoat," when breaches such as the one at Equifax happen, he says. "We do not know what this looked like at Equifax, but most publicly traded companies focus on cyber as a tech issue when it should not be," Pierson notes.

Importantly, informed boards and executives understand that data breaches are a reality of doing business and if they are properly aligned with the CISO, when a breach occurs they will look to the CISO for guidance on how best to navigate the waters ahead, not as someone to blame for what has already occurred, says Michael Sutton, CISO at Zscaler.

A CISO cannot be effective without support from the board and the executive team, he says. But it is up to the CISO to build that support.

"CISOs who approach security as a necessity, regardless of business needs, will never succeed," Sutton says. "It is critical that a CISO invest time to fully understand and appreciate business processes and find ways to adapt their security model to the needs of the business, not the other way around."

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/20/2017 | 7:51:21 AM
Responsibility
indeed - patching is a security basic and if any IT professional does not understand it or operate within framework - please, consider welding as a second career option.  Patching does NOT require management approval.  It is PART OF THE JOB OF THE IT STAFF to perform on all levels.  I am not surprised that these two took the bullet.  The buck has to stop somewhere.  But IT basics are ignored all over the map.  Merck was wrecked by ransomware over the summer and from I read, they did not have a valid DR and Recovery plan.  Delta crashed global because they lacked APC POWER BATTERIES in the data centers or a fallover generator farm in the parking lot to carry load.  This is BASIC STUFF!!!!  
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.