9/18/2017 06:20 PM

Equifax Exec Departures Raise Questions About Responsibility for Breach

Disclosed details suggest a failure by the technology team but senior executives and the board are not above responsibility as well, experts say.

With two senior technology officials stepping down from Equifax late last week, experts say the question now is whether responsibility for the recently disclosed data breach at the company should in fact go all the way to the top.

Equifax on Friday announced that chief security officer Susan Mauldin and CIO David Webb were "retiring" from the company effective immediately. Two other executives have been appointed to their roles in an interim capacity, Equifax said in an update.

The announcement was careful to avoid any suggestion that either Mauldin or Webb was being fired over the breach, although it was clear their departures were directly related to the incident, which exposed personally identifiable information on 143 million US consumers.

In a separate development, BloombergMarkets on Monday reported that the US Department of Justice has opened a criminal investigation into whether three top Equifax executives broke insider-trading laws when they sold company stock in the days immediately following the breach. Equifax CFO John Gamble, the company's president of workforce solutions Rodolfo Ploder, and president of U.S. information solutions Joseph Loughran together sold nearly $2 million in stock in early August, a few days after the breach discovery. Equifax has said the executives did not know of the massive data compromise at the time.

The company has admitted the breach resulted from its failure to address a previously disclosed Apache Struts vulnerability (CVE-2017-5638) that let intruders gain an initial foothold on its systems. In its Friday update, Equifax said its security organization had been aware of the vulnerability and took efforts to address it. "While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing," the update said, adding that more information will be released as it becomes available.

Equifax discovered the intrusion on July 29, more than one-and-a-half months after the intruders first broke in via the Apache Struts flaw. It hired security vendor Mandiant to investigate the break-in, which some have speculated might have been perpetrated by a nation-state actor.

John Pescatore, director of emerging security threats at the SANS Institute, says given the details so far, it is little surprise that Mauldin and Webb are no longer at Equifax. Unlike some breaches that have resulted from systemic top-down inattention to security practices, in this case, the intrusion stemmed from Equifax's failure to address a known security issue that was being actively exploited. So there is little reason to believe that Mauldin and Webb are merely being made scapegoats, as is sometimes the case with major breaches, he says.

"For something where it is one of these failures of basic security hygiene, it is very rarely you would say 'we need support from upper management to patch,'" Pescatore says. "For something like this, it is appropriate to say it falls squarely on the security team" to have prevented the breach.

"When basic security hygiene doesn't happen, security people with C's in front of their names bear the brunt of the responsibility," he notes.

But the Equifax board cannot be absolved from responsibility, says Todd Thibodeaux, CEO of CompTIA.

"Should the internal team at Equifax have implemented the patch, enforced stricter password policies and any number of other things? Absolutely," Thibodeaux says. "Should their board of directors have some responsibility for not ensuring a proper adherence to best practices and a verifiable audit trail? The answer is also, absolutely."

Boards of directors tend to scapegoat their CISOs and IT teams when avoidable breaches such as this occur. But if this had been a financial issue, the board would have been held accountable because they hire and fire the auditors, Thibodeaux says.

The reality is that corporate boards have been less than proactive in engaging in, and understanding, cybersecurity matters. While most board members can decipher a balance sheet, few are likely to know what a penetration test is, how their corporate intellectual property is being safeguarded, or if their company is following NIST's best practices, Thibodeaux says.

"It's time for directors to step up and take the same fiduciary oversight role and responsibility for cyber protection, just as they do in looking out for shareholder interests on the financial side," he says.

CISOs can play a big role in making this happen by being better advocates for cybersecurity, says Christopher Pierson, chief security officer and general counsel at Viewpost.

Instead of being all about technology all the time, CISOs need to focus on making cybersecurity more about business enablement, customer trust, and risk reduction. In addition to security skills, it is increasingly vital for the CISO to have business, legal, and communications expertise, Pierson says.

"Unless your company understands and agrees that cybersecurity is a top-level board issue it is impossible [for the CISO] to escape being a scapegoat," when breaches such as the one at Equifax happen, he says. "We do not know what this looked like at Equifax, but most publicly traded companies focus on cyber as a tech issue when it should not be," Pierson notes.

Importantly, informed boards and executives understand that data breaches are a reality of doing business and if they are properly aligned with the CISO, when a breach occurs they will look to the CISO for guidance on how best to navigate the waters ahead, not as someone to blame for what has already occurred, says Michael Sutton, CISO at Zscaler.

A CISO cannot be effective without support from the board and the executive team, he says. But it is up to the CISO to build that support.

"CISOs who approach security as a necessity, regardless of business needs, will never succeed," Sutton says. "It is critical that a CISO invest time to fully understand and appreciate business processes and find ways to adapt their security model to the needs of the business, not the other way around."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

REISEN1955 (User Rank: Ninja), 9/20/2017 7:51:21 AM
Responsibility
Indeed - patching is a security basic and if any IT professional does not understand it or operate within that framework - please, consider welding as a second career option. Patching does NOT require management approval. It is PART OF THE JOB OF THE IT STAFF to perform on all levels. I am not surprised that these two took the bullet. The buck has to stop somewhere. But IT basics are ignored all over the map. Merck was wrecked by ransomware over the summer and from what I read, they did not have a valid DR and Recovery plan. Delta crashed globally because they lacked APC POWER BATTERIES in the data centers or a failover generator farm in the parking lot to carry load. This is BASIC STUFF!!!!