by finnigja on 12/10/18, 10:29 PM with 139 comments
by txcwpalpha on 12/10/18, 11:08 PM
> Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.
(on page 2 of the Executive Summary)
I've been following the Equifax breach story but this is the first I'm hearing about the expired certificates. That is shockingly bad.
I'm a little disappointed in the final "conclusion" of the report, though. The end of the executive summary basically chalks the breach up to two things: "Equifax's IT management structure was complicated" and "Equifax uses legacy software that is hard to secure". These are valid points, but these are also issues that nearly every single major corporation in the world faces, and yet many of them still manage to prevent (or at least mitigate) major breaches. These aren't good enough reasons to explain why Equifax failed so spectacularly compared to every other bureaucratic company with legacy software.
Also, I know this report isn't meant to be a remediation strategy roadmap, but it's also pretty disappointing that the recommendations section is basically just 3 pages of fluffy, vague, "X and Y should work together to increase cybersecurity" bullshit. Such a high profile incident would have been a great time for the federal government to really show some leadership (or at least strong guidance) in this realm, but they really didn't. I mean hell, at least link your recommendations to the NIST Cybersecurity Framework...
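The expired-certificate finding quoted at the top of this comment is about monitoring blind spots: an expired certificate on an inspection device means the traffic it was supposed to decrypt goes by unexamined. The following Python is an added example, not code from the thread or from the report, of the inventory check that catches this before it happens: it takes a constructed list of hypothetical hosts and their certificate notAfter dates (in the format Python's ssl.getpeercert() returns) and classifies each as expired, expiring within a warning window, or fine.

```python
import ssl
import time
from dataclasses import dataclass

# Constructed inventory: hypothetical hostnames and notAfter values in the
# "%b %d %H:%M:%S %Y GMT" form that ssl.getpeercert()["notAfter"] yields.
# In a real deployment this list would come from the certificate inventory.
INVENTORY = [
    ("ssl-inspect-1.example.internal", "Jan 31 23:59:59 2016 GMT"),
    ("ssl-inspect-2.example.internal", "Sep 10 12:00:00 2017 GMT"),
    ("portal.example.internal",        "Dec 31 23:59:59 2030 GMT"),
]


@dataclass
class CertStatus:
    host: str
    not_after: str
    days_left: int
    state: str  # "expired", "expiring" or "ok"


def classify(host, not_after, now, warn_days=30):
    """Classify one certificate relative to the reference time `now` (epoch seconds)."""
    expires = ssl.cert_time_to_seconds(not_after)  # stdlib parser for the notAfter format
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        state = "expired"
    elif days_left <= warn_days:
        state = "expiring"
    else:
        state = "ok"
    return CertStatus(host, not_after, days_left, state)


def audit(inventory, now=None, warn_days=30):
    """Classify every certificate in the inventory; `now` defaults to wall-clock time."""
    now = time.time() if now is None else now
    return [classify(host, not_after, now, warn_days) for host, not_after in inventory]


def expired_hosts(inventory, now=None):
    """Hosts whose monitoring certificate has already lapsed: these are blind right now."""
    return [s.host for s in audit(inventory, now) if s.state == "expired"]


if __name__ == "__main__":
    for status in audit(INVENTORY):
        print(f"{status.state:8s} {status.days_left:6d}d  {status.host}")
```

The warning window is the important knob: a 30-day window gives a renewal ticket time to be worked, whereas alerting only on already-expired certificates reproduces exactly the situation the report describes.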
by jedberg on 12/10/18, 11:04 PM
I'm disappointed this is recommendation 6, but at least it is in there. I'm also disappointed that they suggest the executive fix this problem instead of legislating a solution. Hopefully they take some action on their own recommendation!
by mbesto on 12/10/18, 11:11 PM
> Second, Equifax's aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax's IT systems made IT security especially challenging. Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach.
As someone who works in Tech M&A, I often tell clients "hackers go after the weakest link and you just acquired a new link". They nearly unilaterally ignore this advice and ignore hardening even the smallest of acquisitions, because, well, "growth". Someday people will learn.
by Someone1234 on 12/10/18, 11:14 PM
The recommendation is essentially "Try to convince the public and private sector to use them less." But I'd argue it is well past time that SSNs be replaced by something fit for purpose. SSNs were never designed to be a unique form of ID, and using things like the cardboard card as further verification is almost comical.
I'd like to see an aggressive alternative that uses the best of our security knowledge and then have it vetted by everyone in the security industry with a pulse. We've seen other countries try this. But most of those countries outsource it to the lowest government bidder, who hide the inner workings behind proprietary claims, and never vet the resulting proposal.
Instead we need something more akin to the United States Digital Service, a publicly created proposal (fully released specs) that is vetted by every academic and security expert they can find.
The hardest part will be saying "no" to requirements creep. Allow certain government agencies to continue to use SSNs for now, and have the new ID "flip" into an SSN behind the scenes. Better than needing five hundred different departments to adopt the new standard before it can go live.
by yalogin on 12/11/18, 12:11 AM
A company like Bear Stearns got "killed", Enron and others got litigated out. But it looks like Equifax did not face any consequences. It's high time we treat data as an asset class and regulate accordingly. Particularly personal information is acquired by every company and is treated as a valuable commodity. Companies get acquired purely for the amount of data they have. The market has already declared it an asset; why is it not regulated?
by strict9 on 12/10/18, 11:19 PM
It is easy to fall into the trap of seeing the most minuscule of vulnerabilities and dismissing it as "no one could ever possibly utilize that as a vector, it's not critical."
But that minuscule vulnerability becomes a single link in a ladder to everything in the system. Every seemingly-small vulnerability matters, as this painfully shows.
[1] referenced here: https://blog.hellobloom.io/how-hard-was-the-equifax-hack-a3b...
by infodocket on 12/11/18, 1:43 AM
Another report from the committee's minority is also available.
https://democrats-oversight.house.gov/sites/democrats.oversi... Minority Report - FINAL 12-10-2018.pdf
by citilife on 12/10/18, 11:12 PM
Speaking of which... why is it only ~50% of the adult population in the U.S.?
If the intruders were going around the Equifax network at will (which from the report it appears they were), we should assume 100% of the data was breached.
[1] https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-l...
[2] https://www.bloomberg.com/news/articles/2018-03-14/sec-says-...
by evolvedlight on 12/10/18, 11:35 PM
by Twirrim on 12/11/18, 12:22 AM
From my understanding of FedRAMP, all of the things that Equifax failed to do should be already covered. Software patching, isolation of data, audit trails, etc. Seems more like a massive auditing fail.
by loteck on 12/11/18, 1:47 AM
Now pardon me while I go route my patch management procedures through the nearest baffling and inane dependency.
A senior Equifax official was terminated for failing to forward an email – an action he was not directed to do – the day before former CEO Richard Smith testified in front of Congress. This type of public relations-motivated maneuver seems gratuitous against the backdrop of all the facts.
by ne0n on 12/11/18, 1:25 AM
1970s? Am I reading that right? HTML wasn't even developed yet.
by Nelkins on 12/11/18, 12:32 AM
by artursapek on 12/10/18, 11:08 PM
Ouch.
by lifeisstillgood on 12/11/18, 7:08 AM
For the non-physical world I have some ideas:
- The entire infrastructure of IT can be rebuilt in an automated fashion and is done so in a prod-parallel equivalent at least weekly
- Any change to "vital" files on any server is audited
- err?
by cronix on 12/11/18, 2:05 AM
by onetimemanytime on 12/11/18, 12:35 AM
I feel for them (not!). BUT they shouldn't store any valuable data then. They should be not-insurable.