Right & Wrong Lessons From the Equifax Breach

Published: 22/11/2024   Category: security




There are lots of lessons to learn from the Equifax breach. Just make sure you're learning the right ones.



Equifax, the gift that keeps on giving to hackers and journalists alike, continues to rain fallout over the security landscape. At the end of last week the fallout was the retirement of the CISO and CIO, and the subsequent learning of a great many lessons, most of them wrong.
Why do I say that people learned the wrong lessons? Because, in many cases, they were looking in the wrong direction. Like the sleight-of-hand in a magician's act, looking in the wrong direction both dazzles with meaningless fluff and distracts from the truly important issues. Let's look at some of the lessons that were wrong -- and some that you really should pay attention to.
Wrong lesson: the degrees matter
Susan Mauldin, Equifax's CISO, was found to have a pair of academic degrees, both in music. Some people latched on to this information with a loud, self-satisfied "A-ha!", having identified the root of all Equifax's problems. The problem with this is that, of all the company's problems, Mauldin's degrees rank somewhere below the status of the TP supply in the men's room on floor six.
Here's the thing: With rare exceptions noted, the academic degree someone possesses matters when seeking a first job. After that, it's irrelevant. What matters in the second job, and all subsequent jobs, is what you did in the preceding job. The Equifax C-suite wasn't Mauldin's first job, so it's safe to assume that the executives at Equifax saw performance that warranted putting her into the office. There are plenty of problems to go around, but this wasn't one of them.
Right lesson: responsibility matters
Two C-level executives lost their jobs over the breach, and it seems that more resumes could change. And that's a very good thing.
People focus on the provisions within regulations that could lead to huge fines and jail terms for executives. The thing is, these penalties will be very rarely enforced. Still, there should be consequences for failure, and job loss is a good one. It's non-lethal and shows that organizations take security seriously. Given the scope of Equifax's breach, the argument could be made that a large portion of the C-suite should be looking for new work. We'll see how this particular lesson continues to be applied.
Wrong lesson: cautious disclosure is best
Equifax took their time letting the public know about the breach -- time that, in an odd coincidence, included the time required for a few executives to sell stock. The real lesson is clear: If you're going to keep personally identifiable information (PII) on customers and others, then you should have plans and procedures in place for quickly alerting the public in case of a breach.
Airlines have plans in place for how to deal with first responders, government agencies, and the public in the case of a plane going down. No one likes to think of the possibility, and it doesn't happen very often, but the plans are there, and they're practiced. Organizations with PII should learn their lesson from the airlines, not Equifax.
Wrong lesson: open source is evil
The basic vulnerability that allowed the Equifax breach has been traced to Apache Struts, leading some people to decide that it was the open source nature of the software that's the problem. Not so much.
Open source software isn't inherently more vulnerable than commercial software. Neither is it inherently more secure. When it's part of your software infrastructure, you have to analyze and test it based on function, performance and security, just as you would any other software.
The lessons? Be careful. Use best software practices. And don't use the nature of the software as an excuse.
There are many more lessons from the Equifax breach, and the lessons will increase as our knowledge of the issues grows. It's good to learn lessons -- just be sure you're looking in the right directions and learning the proper lessons.
Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.
