Dark Reading is part of the Informa Tech Division of Informa PLC



9/18/2017 06:20 PM

Equifax Exec Departures Raise Questions About Responsibility for Breach

Disclosed details suggest a failure by the technology team but senior executives and the board are not above responsibility as well, experts say.

With two senior technology officials stepping down from Equifax late last week, experts say the question now is whether responsibility for the recently disclosed data breach at the company should in fact go all the way to the top.

Equifax on Friday announced that chief security officer Susan Mauldin and CIO David Webb were "retiring" from the company effective immediately. Two other executives have been appointed to their roles in an interim capacity, Equifax said in an update.

The announcement was careful to avoid any suggestion that either Mauldin or Webb was being fired over the breach, although it was clear their departures were directly related to the incident, which exposed personally identifiable information on 143 million US consumers.

In a separate development, Bloomberg Markets on Monday reported that the US Department of Justice has opened a criminal investigation into whether three top Equifax executives broke insider-trading laws when they sold company stock in the days immediately following the breach's discovery. Equifax CFO John Gamble, the company's president of workforce solutions Rodolfo Ploder, and president of U.S. information solutions Joseph Loughran together sold nearly $2 million in stock in early August, a few days after the breach was discovered. Equifax has said the executives did not know of the massive data compromise at the time.

The company has admitted the breach resulted from its failure to address a previously disclosed Apache Struts vulnerability (CVE-2017-5638) that let intruders gain an initial foothold on its systems. In its Friday update, Equifax said its security organization had been aware of the vulnerability and had made efforts to address it. "While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing," the update said, adding that more information will be released as it becomes available.
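The "patching effort" in question comes down to a concrete question: which deployed copies of Struts were still in the affected version range? The following is an added example, not code from Equifax, Apache Struts or this article. It triages a list of struts2-core jar paths against the affected and fixed versions published in the Struts S2-045 advisory for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10 affected; 2.3.32 and 2.5.10.1 fixed). The jar paths are constructed for illustration; the version ranges are the advisory's.

```python
import re

# Affected ranges for CVE-2017-5638 (Apache Struts advisory S2-045), written
# as half-open intervals [lo, hi) so the fixed release is the upper bound:
#   2.3.5 .. 2.3.31 vulnerable, 2.3.32 fixed
#   2.5   .. 2.5.10 vulnerable, 2.5.10.1 fixed
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
]

# Matches the stock artifact name, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r'struts2-core-(\d+(?:\.\d+)+)\.jar$')


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Python compares tuples lexicographically,
    which is the right ordering for dotted versions of unequal length:
    (2, 5, 10) < (2, 5, 10, 1) and (2, 3, 31) < (2, 3, 32)."""
    return tuple(int(part) for part in text.split('.'))


def is_vulnerable(version):
    """True if the version string falls in an S2-045 affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage_jars(paths):
    """Classify jar paths (e.g. the output of
    `find / -name 'struts2-core-*.jar'`). Returns (path, version, verdict)."""
    results = []
    for path in paths:
        m = JAR_RE.search(path)
        if not m:
            # A shaded or repackaged jar hides the version in its manifest;
            # flag it for manual inspection rather than silently passing it.
            results.append((path, None, 'unknown'))
            continue
        version = m.group(1)
        verdict = 'VULNERABLE' if is_vulnerable(version) else 'outside range'
        results.append((path, version, verdict))
    return results


# Constructed sample inventory: hypothetical paths, not taken from any host.
SAMPLE_JARS = [
    '/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar',
    '/opt/tomcat/webapps/api/WEB-INF/lib/struts2-core-2.5.10.1.jar',
    '/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.1.jar',
    '/opt/tomcat/webapps/legacy/WEB-INF/lib/app-all-shaded.jar',
]

if __name__ == '__main__':
    for path, version, verdict in triage_jars(SAMPLE_JARS):
        print(f'{verdict:14s} {version or "-":9s} {path}')
```

Two caveats a practitioner would add: "outside range" only means the jar is not affected by this one CVE (the 2.3.1 entry above is far older than the affected range and carries its own history of Struts fixes), and a filename check misses Struts bundled inside shaded jars or nested WARs, which is why the unknown verdict exists. Version triage is the starting point of a patch effort, not evidence that it finished.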

Equifax discovered the intrusion on July 29, more than one-and-a-half months after the intruders first broke in via the Apache Struts flaw. It hired security vendor Mandiant to investigate the break-in, which some have speculated might have been perpetrated by a nation-state actor.
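The gap between the first intrusion and its discovery is the other half of the story. The example below is added here and is not from the article, Equifax or Mandiant. It scans constructed web-server access log lines for the public indicator of CVE-2017-5638 exploitation, an OGNL expression (opening with `%{` or `${`) in the request's Content-Type header, and reports how many days passed between the first hit and a given discovery date. The log format is an assumption (an Apache-style format with the request Content-Type header appended; default Apache and Nginx formats do not record that header at all), and the addresses, paths and timestamps are constructed, not real traffic.

```python
import re
from datetime import date, datetime

# Assumed log format, one request per line:
#   <client ip> [<timestamp>] "<request line>" <status> "<request Content-Type>"
# e.g. Apache LogFormat "%h %t \"%r\" %>s \"%{Content-Type}i\""
# Stock "combined" logs omit the Content-Type header, in which case this
# indicator is simply not available after the fact.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# A legitimate Content-Type value never contains an expression opener, so
# '%{' or '${' in that header is a high-confidence indicator for S2-045.
# The token list covers OGNL names seen in public exploit traffic.
OGNL_OPENER = re.compile(r'[%$]\{')
OGNL_TOKENS = ('#_memberAccess', '#context', '@java.lang', 'ognl')

# Discovery date given in the article (July 29, 2017).
DISCOVERED_ON = date(2017, 7, 29)


def parse_ts(text):
    """'13/May/2017:04:12:51 +0000' -> aware datetime."""
    return datetime.strptime(text, '%d/%b/%Y:%H:%M:%S %z')


def suspicious_content_type(ctype):
    return bool(OGNL_OPENER.search(ctype)) or any(tok in ctype for tok in OGNL_TOKENS)


def scan(lines):
    """Return one dict per request whose Content-Type carries an OGNL indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip, do not guess
        if suspicious_content_type(m['ctype']):
            hits.append({
                'ip': m['ip'],
                'ts': parse_ts(m['ts']),
                'req': m['req'],
                'status': int(m['status']),
            })
    return hits


def dwell_days(hits, discovered_on):
    """Whole days between the earliest indicator and the discovery date,
    or None when nothing matched."""
    if not hits:
        return None
    first = min(h['ts'] for h in hits).date()
    return (discovered_on - first).days


# Constructed sample: two probes from one address, two benign requests.
# Addresses are from RFC 5737 documentation ranges; the path is hypothetical.
SAMPLE_LOG = [
    "203.0.113.9 [13/May/2017:04:12:51 +0000] \"POST /upload.action HTTP/1.1\" 200 "
    "\"%{(#_='multipart/form-data').(#_memberAccess['allowStaticMethodAccess']=true)}\"",
    "198.51.100.4 [13/May/2017:04:13:02 +0000] \"POST /upload.action HTTP/1.1\" 200 "
    "\"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\"",
    "192.0.2.55 [14/May/2017:10:20:00 +0000] \"GET /index.action HTTP/1.1\" 200 \"-\"",
    "203.0.113.9 [15/May/2017:22:01:17 +0000] \"POST /upload.action HTTP/1.1\" 200 "
    "\"${#context['xwork.MethodAccessor.denyMethodExecution']=false}\"",
]

if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']:%Y-%m-%d %H:%M:%S} {h['ip']:15s} {h['req']}")
    print('days from first indicator to discovery:', dwell_days(found, DISCOVERED_ON))
```

The point of the dwell-time figure is operational rather than forensic: a header-based rule like this one, running on live traffic rather than months later over archived logs, is what turns a seven-week dwell time into an alert on the first probe, and it works only if the relevant header is being logged or inspected in the first place.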

John Pescatore, director of emerging security threats at the SANS Institute, says given the details so far, it is little surprise that Mauldin and Webb are no longer at Equifax. Unlike some breaches that have resulted from systemic top-down inattention to security practices, in this case, the intrusion stemmed from Equifax's failure to address a known security issue that was being actively exploited. So there is little reason to believe that Mauldin and Webb are merely being made scapegoats, as is sometimes the case with major breaches, he says.

"For something where it is one of these failures of basic security hygiene, it is very rarely you would say 'we need support from upper management to patch,'" Pescatore says. "For something like this, it is appropriate to say it falls squarely on the security team" to have prevented the breach.

"When basic security hygiene doesn't happen, security people with C's in front of their names bear the brunt of the responsibility," he notes.

But the Equifax board cannot be absolved from responsibility, says Todd Thibodeaux, CEO of CompTIA.

"Should the internal team at Equifax have implemented the patch, enforced stricter password policies and any number of other things? Absolutely," Thibodeaux says. "Should their board of directors have some responsibility for not ensuring a proper adherence to best practices and a verifiable audit trail? The answer is also, absolutely."

Boards of directors tend to scapegoat their CISOs and IT teams when avoidable breaches such as this occur. But if this had been a financial issue, the board would have been held accountable because they hire and fire the auditors, Thibodeaux says.

The reality is that corporate boards have been less than proactive in engaging in, and understanding, cybersecurity matters. While most board members can decipher a balance sheet, few are likely to know what a penetration test is, how their corporate intellectual property is being safeguarded, or if their company is following NIST's best practices, Thibodeaux says.

"It's time for directors to step up and take the same fiduciary oversight role and responsibility for cyber protection, just as they do in looking out for shareholder interests on the financial side," he says.

CISOs can play a big role in making this happen by being better advocates for cybersecurity, says Christopher Pierson, chief security officer and general counsel at Viewpost.

Instead of being all about technology all the time, CISOs need to focus on making cybersecurity more about business enablement, customer trust, and risk reduction. In addition to security skills, it is increasingly vital for the CISO to have business, legal, and communications expertise, Pierson says.

"Unless your company understands and agrees that cybersecurity is a top-level board issue it is impossible [for the CISO] to escape being a scapegoat," when breaches such as the one at Equifax happen, he says. "We do not know what this looked like at Equifax, but most publicly traded companies focus on cyber as a tech issue when it should not be," Pierson notes.

Importantly, informed boards and executives understand that data breaches are a reality of doing business, says Michael Sutton, CISO at Zscaler. If they are properly aligned with the CISO, then when a breach occurs they will look to the CISO for guidance on how best to navigate the waters ahead, not as someone to blame for what has already occurred.

A CISO cannot be effective without support from the board and the executive team, he says. But it is up to the CISO to build that support.

"CISOs who approach security as a necessity, regardless of business needs, will never succeed," Sutton says. "It is critical that a CISO invest time to fully understand and appreciate business processes and find ways to adapt their security model to the needs of the business, not the other way around."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments

REISEN1955, 9/20/2017 7:51:21 AM
Responsibility
Indeed - patching is a security basic and if any IT professional does not understand it or operate within a framework - please, consider welding as a second career option. Patching does NOT require management approval. It is PART OF THE JOB OF THE IT STAFF to perform on all levels. I am not surprised that these two took the bullet. The buck has to stop somewhere. But IT basics are ignored all over the map. Merck was wrecked by ransomware over the summer and from what I read, they did not have a valid DR and Recovery plan. Delta crashed globally because they lacked APC POWER BATTERIES in the data centers or a failover generator farm in the parking lot to carry load. This is BASIC STUFF!!!!