Dark Reading
Operational Security
9/22/2017 04:51 PM
Curtis Franklin

Right & Wrong Lessons From the Equifax Breach

There are lots of lessons to learn from the Equifax breach. Just make sure you're learning the right ones.

Equifax, the gift that keeps on giving to hackers and journalists alike, continues to rain fallout over the security landscape. At the end of last week the fallout was the "retirement" of the CISO and CIO, and the subsequent learning of a great many lessons, most of them wrong.

Why do I say that people learned the wrong lessons? Because, in many cases, they were looking in the wrong direction. Like the sleight-of-hand in a magician's act, looking in the wrong direction both dazzles with meaningless fluff and distracts from the truly important issues. Let's look at some of the lessons that were wrong -- and some that you really should pay attention to.

Wrong lesson: the degrees matter
Susan Mauldin, Equifax's CISO, was found to have a pair of academic degrees, both in music. Some people latched on to this information with a loud, self-satisfied "A-ha!!" having identified the root of all Equifax problems. The problem with this is that, of all the company's problems, Mauldin's degrees rank somewhere below the status of the TP supply in the men's room on floor six.

Here's the thing: With rare exceptions noted, the academic degree someone possesses matters when seeking a first job. After that, it's irrelevant. What matters in the second job, and all subsequent jobs, is what you did in the preceding job. The Equifax C-suite wasn't Mauldin's first job, so it's safe to assume that the executives at Equifax saw performance that warranted putting her into the office. There are plenty of problems to go around, but this wasn't one of them.

Right lesson: responsibility matters
Two C-level executives lost their jobs over the breach, and it seems that more résumés could change. And that's a very good thing.

People focus on the provisions within regulations that could lead to huge fines and jail terms for executives. The thing is, these penalties will be very rarely enforced. Still, there should be consequences for failure and job loss is a good one. It's non-lethal and shows that organizations take security seriously. Given the scope of Equifax's breach, the argument could be made that a large portion of the C-suite should be looking for new work. We'll see how this particular lesson continues to be applied.

Wrong lesson: cautious disclosure is best
Equifax took their time letting the public know about the breach -- time that, in an odd coincidence, included time required for a few executives to sell stock. The real lesson is clear: If you're going to keep personally identifiable information (PII) on customers and others then you should have plans and procedures in place for quickly alerting the public in case of a breach.

Airlines have plans in place for how to deal with first responders, government agencies, and the public in the case of a plane going down. No one likes to think of the possibility, and it doesn't happen very often, but the plans are there, and they're practiced. Organizations with PII should learn their lesson from the airlines, not Equifax.

Wrong lesson: open source is evil
The basic vulnerability that allowed the Equifax breach has been traced to Apache Struts, leading some people to decide that it was the open source nature of the software that's the problem. Not so much.

Open source software isn't inherently more vulnerable than commercial software. Neither is it inherently more secure. When it's part of your software infrastructure, you have to analyze and test it based on function, performance and security, just as you would any other software.

The lessons? Be careful. Use best software practices. And don't use the nature of software as an excuse.

There are many more lessons from the Equifax breach and the lessons will increase as our knowledge of the issues grows. It's good to learn lessons -- just be sure you're looking in the right directions and learning the proper lessons.

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.