Attacks/Breaches

9/18/2017 06:20 PM
Equifax Exec Departures Raise Questions About Responsibility for Breach

Disclosed details suggest a failure by the technology team, but senior executives and the board are not above responsibility either, experts say.

With two senior technology officials stepping down from Equifax late last week, experts say the question now is whether responsibility for the recently disclosed data breach at the company should in fact go all the way to the top.

Equifax on Friday announced that chief security officer Susan Mauldin and CIO David Webb were "retiring" from the company effective immediately. Two other executives have been appointed to their roles in an interim capacity, Equifax said in an update.

The announcement was careful to avoid any suggestion that either Mauldin or Webb were being fired over the breach, although it was clear their departures were directly related to the incident, which exposed personally identifiable information on 143 million US consumers.

In a separate development, Bloomberg Markets on Monday reported that the US Department of Justice has opened a criminal investigation into whether three top Equifax executives broke insider-trading laws when they sold company stock in the days immediately following the breach. Equifax CFO John Gamble, the company's president of workforce solutions Rodolfo Ploder, and president of US information solutions Joseph Loughran together sold nearly $2 million in stock in early August, a few days after the breach discovery. Equifax has said the executives did not know of the massive data compromise at the time.

The company has admitted the breach resulted from its failure to address a previously disclosed Apache Struts vulnerability (CVE-2017-5638) that let intruders gain an initial foothold on its systems. In its Friday update, Equifax said its security organization had been aware of the vulnerability and had made efforts to address it. "While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing," the company said, adding that more information will be released as it becomes available.
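The failure the article describes is a patch-tracking failure, so the check a defender wants is whether any deployed Struts build still falls in the affected range. The following is an added example, not code from the article or from Equifax: the affected version ranges for CVE-2017-5638 are taken from Apache's public advisory rather than from the page, and the inventory rows and host names are constructed.

```python
import csv
import io
from typing import List, Tuple

# Affected ranges for CVE-2017-5638 per Apache's public advisory (not from the
# article): Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32
# and 2.5.10.1. Inclusive bounds as tuples: Python's tuple ordering treats the
# four-part 2.5.10.1 as greater than (2, 5, 10), so it lands outside the range.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)

# Constructed inventory with hypothetical host names, in the shape of an SBOM export.
SAMPLE_INVENTORY = """\
host,artifact,version
web-01,struts2-core,2.3.31
web-02,struts2-core,2.3.32
web-03,struts2-core,2.5.10
web-04,struts2-core,2.5.10.1
api-01,spring-core,4.3.7
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); reject anything but dotted integers."""
    parts = version.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable Struts version: {version!r}")
    return tuple(int(part) for part in parts)

def is_affected(version: str) -> bool:
    """True if a struts2-core version falls inside an affected range for CVE-2017-5638."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def find_unpatched(inventory_csv: str) -> List[Tuple[str, str]]:
    """Return sorted (host, version) pairs for every struts2-core deployment still affected."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["artifact"] == "struts2-core" and is_affected(row["version"]):
            findings.append((row["host"], row["version"]))
    return sorted(findings)

if __name__ == "__main__":
    for host, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: struts2-core {version} still affected by CVE-2017-5638")
```

Note that 2.5.10 is flagged while 2.5.10.1 is not; a naive three-part version comparison would miss that boundary.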

Equifax discovered the intrusion on July 29, more than one-and-a-half months after the intruders first broke in via the Apache Struts flaw. It hired security vendor Mandiant to investigate the break-in, which some have speculated might have been perpetrated by a nation-state actor.

John Pescatore, director of emerging security threats at the SANS Institute, says given the details so far, it is little surprise that Mauldin and Webb are no longer at Equifax. Unlike some breaches that have resulted from systemic top-down inattention to security practices, in this case, the intrusion stemmed from Equifax's failure to address a known security issue that was being actively exploited. So there is little reason to believe that Mauldin and Webb are merely being made scapegoats, as is sometimes the case with major breaches, he says.

"For something where it is one of these failures of basic security hygiene, it is very rarely you would say 'we need support from upper management to patch,'" Pescatore says. "For something like this, it is appropriate to say it falls squarely on the security team" to have prevented the breach, he says.

"When basic security hygiene doesn't happen, security people with C's in front of their names bear the brunt of the responsibility," he notes.

But the Equifax board cannot be absolved from responsibility, says Todd Thibodeaux, CEO of CompTIA.

"Should the internal team at Equifax have implemented the patch, enforced stricter password policies and any number of other things? Absolutely," Thibodeaux says. "Should their board of directors have some responsibility for not ensuring a proper adherence to best practices and a verifiable audit trail? The answer is also, absolutely."

Boards of directors tend to scapegoat their CISOs and IT teams when avoidable breaches such as this occur. But if this had been a financial issue, the board would have been held accountable because they hire and fire the auditors, Thibodeaux says.

The reality is that corporate boards have been less than proactive in engaging in, and understanding, cybersecurity matters. While most board members can decipher a balance sheet, few are likely to know what a penetration test is, how their corporate intellectual property is being safeguarded, or if their company is following NIST's best practices, Thibodeaux says.

"It's time for directors to step up and take the same fiduciary oversight role and responsibility for cyber protection, just as they do in looking out for shareholder interests on the financial side," he says.

CISOs can play a big role in making this happen by being better advocates for cybersecurity, says Christopher Pierson, chief security officer and general counsel at Viewpost.

Instead of being all about technology all the time, CISOs need to focus on making cybersecurity more about business enablement, customer trust, and risk reduction. In addition to security skills, it is increasingly vital for the CISO to have business, legal, and communications expertise, Pierson says.

"Unless your company understands and agrees that cybersecurity is a top-level board issue it is impossible [for the CISO] to escape being a scapegoat," when breaches such as the one at Equifax happen, he says. "We do not know what this looked like at Equifax, but most publicly traded companies focus on cyber as a tech issue when it should not be," Pierson notes.

Importantly, informed boards and executives understand that data breaches are a reality of doing business. If they are properly aligned with the CISO, then when a breach occurs they will look to the CISO for guidance on how best to navigate the waters ahead, not as someone to blame for what has already occurred, says Michael Sutton, CISO at Zscaler.

A CISO cannot be effective without support from the board and the executive team, he says. But it is up to the CISO to build that support.

"CISOs who approach security as a necessity, regardless of business needs, will never succeed," Sutton says. "It is critical that a CISO invest time to fully understand and appreciate business processes and find ways to adapt their security model to the needs of the business, not the other way around."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955, User Rank: Ninja
9/20/2017 | 7:51:21 AM
Responsibility
indeed - patching is a security basic and if any IT professional does not understand it or operate within a framework - please, consider welding as a second career option. Patching does NOT require management approval. It is PART OF THE JOB OF THE IT STAFF to perform on all levels. I am not surprised that these two took the bullet. The buck has to stop somewhere. But IT basics are ignored all over the map. Merck was wrecked by ransomware over the summer and from what I read, they did not have a valid DR and Recovery plan. Delta crashed globally because they lacked APC POWER BATTERIES in the data centers or a failover generator farm in the parking lot to carry load. This is BASIC STUFF!!!!