Equifax CEO: All Companies Get Breached (fortune.com) 176
An anonymous reader quotes Fortune:There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. "There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it," he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it...
Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
Smith's fastest growing area of security concern was state-sponsored hacking and espionage, he said. "It's countries you'd expect -- you know it's China, Russia, Iran, and Iraq -- and they're being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries," said Smith. "It's my number one worry." he added.
"In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a 'culture of tenure' and 'average talent", reports Bloomberg, adding that the Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
Incorrect (Score:5, Insightful)
My cousin runs a company and they build houses. He keeps all his business on ledgers and note books. Not a efficient way to run a business but it is his way. He has never been hacked.
Re: Incorrect (Score:2, Interesting)
You mean burglarized.
Re: (Score:3)
If one has time for this, there is nothing wrong with paper and pencil. There are always balances when it comes to security. For a SOHO business, barring a targeted attack specifically at that business by a well-heeled organization, having a PC with a dedicated virtual machine [1] just for the accounting software, a NAS with at least RAID 1 for fast local backups for bare metal restores, and an offsite backup using Arq for documents. Arq provides AES encryption, and works with S3 and other providers. Fo
Re: (Score:2)
IYou can always let the user's PW unlock the disk as well, but having them separate ensures that a reboot forces a would-be intruder to have to deal with a very long, infrequently typed in PW.
That is almost certainly on a sticky note on the monitor.
Re:Incorrect (Score:4, Interesting)
How much information was lost due to book keeping errors?
Was information lost by accident, or damaged due to the weather?
Could some one walk in and take the info without him knowing?
The only difference between digital data and paper, is just you can be targeted from anywhere in the world.
He would be safer if he did it on the computer, Not connected to the Internet. And took differential backups after close of business. And took those backups and locked them up.
That you you get the advantages of electric book keeping, but massive security. This doesn't work for bigger companies, but it can for a small one.
Re: (Score:2)
Not a efficient way to run a business but it is his way. He has never been hacked.
Such businesses can still be "hacked" without knowing it immediately. Burglar sneaks in and steals one of the notebooks or takes a picture of some pages; someone else bribes one of your employees to covertly tamper with some numbers or entries in your ledger or tamper with a check, transfer, deposit form, or other bank document, Etc, Etc; even a CEO Scam doesn't necessarily require the targeted business have computers --
Re: (Score:2)
Does he have backups? What happens if thieves steal them? That's hacking physically. ;)
Re: (Score:3)
Backups? Yes he does. His ledgers make 3 copies. One goes in the filing cabinet, one to the customer, and one in a fireproof safe.
It's a archaic system but it does prove that Mr CEO is flat wrong. Not every company is going to eventually be hacked. He is just in ass covering mood now.
Re: (Score:2)
Physical security doesn't always help. I did some consulting for a company a while ago that kept its customer database on a USB stick and only plugged it into a (non-networked) machine whenever it was actually useful. Pretty good security, right up until one of their directors decided he wanted to set up a competing company and walked off with the USB drive. It took about a year of lawsuits to get it back and cost a lot of reputation. The only plus side was that no one wanted to do business with the new
He's not wrong... (Score:5, Informative)
Re: (Score:2)
Not sure if you read the article but that is not what he is saying. He is saying that regardless of what you do you are breached. whether you know it or not. Which tells me that he is an idiot.
Re: (Score:2)
Idiot? No. Plausible deniability? Yes.
Although the list of CVEs is seemingly endless, there are all kinds of moats to use that ensure core assets are protected. The problem in the US is that insufficient moats are employed because they cost real money, both capex and opex, not to mention reasonably smart people. They don't want to spend the money to keep the moats trapping crack attempts.
Their data assets were huge, and made them lots of $$$. But they didn't value them sufficiently because, hey, they can't
Re: (Score:2)
The published Equifax reporting indicates they very much had a castle mentality, and an outward facing gate guarded by "admin/admin". So, you know, not realistic or practical; instead what I would consider negligence on the part of someone setting up home wifi.
once-exclusive fraternity of "death and taxes" (Score:5, Insightful)
No, he's so wrong.
What he's trying to do here is add "loss of privacy" to the once-exclusive fraternity of "death and taxes".
In medicine, if you come up with a dumb, risky implant don't do it in America. You will get sued. Leaky boob bags are not a good long-term business model.
But this guy thinks that the credit rating industry doesn't need to think long and hard about their business model, because "all implants fail".
Here's another point of view: if you know up front that you can't secure the information, perhaps your business model should not depend upon amassing all this information in the first place, get out of the way, and allow the vaunted creativity of American free enterprise find a different solution to the credit-worthiness problem.
Because your solution sucks in a way that can't ever be fixed, by your own admission.
Re: once-exclusive fraternity of "death and taxes" (Score:2)
Re: once-exclusive fraternity of "death and taxes" (Score:5, Insightful)
The fundamental problem is that the hacking victims aren't Equifax's CUSTOMERS, they're Equifax's PRODUCT.
If you, as a consumer, get harmed by Equifax's negligence, they aren't going to care until regulators MAKE them care.
Re: (Score:2)
When something is too hard to do properly there are two alternatives: don't do it, or do it half arsed.
The first one doesn't demonstrate a "can do" attitude, so guess which one is usually chosen.
Re: (Score:2, Informative)
How about we start with a basic:
Step 1) Don't hire a music major [marketwatch.com] with absolutely no technology training or education as your Chief Security Officer.
Re: (Score:2)
While I agree it is foolhardy to presume protection from the outside world is perfect, it also is an impossibly large attack surface in a company if they are of any scale and the employees are the least bit empowered to get work done.
Sure, you don't set up anything that would be week nor do you accept "it's internal" as an excuse, but for every thing you do see, there are a dozen things you don't know the employees are doing, and 90% of those are wildly insecure in some way. If they were forced to be on th
Re: (Score:3)
"the hackers will win, no matter what... why even bother doing anything?"
While no single company can really adopt that mindset safely, it is however not a bad idea for us as a society to take measures to mitigate the risk.
For example, checks and credit cards are still based on trusting a company with an open ended account number for even the smallest transactions. Even if I avoid companies that make me type in my credit card online to *their* website (most all of them) and avoided magstripe only point of
So what? (Score:1)
As he stated, all companies get breached. But we are not criticizing all other companies. We are criticizing his. He just appears to be deflecting blame, and pivoting things against his company, by stating "all companies get breached".
This was a big fuck up, no doubt about it. Mr Smith: what did your company do about it? You delayed reporting it for several weeks. You had executives who have been accused of insider trading as a result of this breach. And now you give me this pathetic excuse? Is that
It's not the Breach, stupid (Score:5, Insightful)
It's holding data. If a company wants to risk my security by profiting from amassing data on me I should be able to have some finiacial recourse when they injur me with their breach. If they can't secure my data then they should not hold it. If one really feels that all companies will be breached then that person should actually know what they are doing is going to cause an injury and therefore should be liable for it.
liability is the key here. Until companies have a dear cost associated with lack of security there will be no security.
But that's not enough. we can't have companies who are good citizens, paying money to protect others, masking data so it is stored more anonymously, and so forth incurring higher costs that some jackass comapny willing to pay fast and lose. Those risk taking companies will have lower costs of operation and put the conscientious companies out of bussiness. When they fail sometimes we respond by crippling the whole industry rather than punishing the shareholders of the bad companies.
So we need not just damages but 10 fold punative damages that reach to the stock holders that invest. Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.
then we'd see some good data practices. We'd see companies clamoring to be regulated. we'd see a lot less naked storage of raw data behind single passwords.
it's not the breach. It's the gathering of data without direct consequences for it's loss.
Re: (Score:1, Redundant)
"it's not the breach."
It's hiring a musician as anti-breach specialist.
Re: (Score:1)
It's also restating the obvious [slashdot.org]
Re:It's not the Breach, stupid (Score:4, Interesting)
Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.
Ok, that would pretty much kill investment. Maybe in the olden days you could invest in your small neighborhood company that would not do bad things ever, but those days have passed
I would settle for Equifax being destroyed. The remaining two "competitors" would certainly improve their security (which would only help the new generation, our data is already burned). But Equifax may survive. I am pretty sure they continue receive my new data even now.
Re: (Score:2)
Currently stock holders just lose their investments. They should be informed that if they invest in a company that holds data they will be held personally liable for injuries of the company beyond their stock ownership.
Ok, that would pretty much kill investment. M
You could make the same argument that by not allowing Nuclear and chemical companies to dump their waste into streams and landfills we would kill their investment. What I'm proposing is that companies be required to purchase a bond (an insurance policy) if they wish to engage in data retention. This would immuninze the shareholders against these reachthrough losses yet drive up the cost of doing bussiness. That is to say they would be paying for the externalities of the socail risks they create.
Re:It's not the Breach, stupid (Score:4, Interesting)
> I would settle for Equifax being destroyed.
Equifax being destroyed, plus:
1) Every single C-level, board member, and president going away into pound-me-in-the-ass federal prison... forever.
2) Anyone who knew about the breach, but sat on it for six weeks while the above sold off their stock, joins them in the pen.
3) All assets of Equifax and of the above people... no matter where, or in what form, they are... are seized and liquidated; the proceeds used to compensate anyone who suffers identity theft or other credit or financial issues because of the breach.
Unfortunately, there's some truth to this (Score:2)
The level of incompetence in corporate IT at times is staggering!!! https://thedailywtf.com/articl... [thedailywtf.com]
Until there are -real consequences- to management (personally and individually) from getting hacked, CxOs of all stripes (CEO, CIO, CISO, etc) will continue to get away with this.
Re: (Score:2)
More leftist propaganda (Score:2, Insightful)
This is leftist propaganda, trying to give businesses a bad reputation for security. The real problem here is the use of a nine digit government issued ID that the government doesn't allow you to change and requirea you to share with financial institutions as proof of identification. The problem here is not the private sector but that the government has failed to use secure methods of authentication such as two factor authentication and public key encryption. Let the private sector create industry standard
Re: (Score:1)
I swear, the whole effort of certain conservatives to see leftist conspiracies in everything is becoming a new Godwin's Law.
Time to take the tinfoil hat off for a while. There is no conspiracy on the part of the "mainstream media". Our carrot-in-chief just hates CNN because they're critical of him, and NBC because SNL roasts him on a routine basis. There is nothing on the left like the Koch brother's network of big money doners looking to promote conservative causes. There's not some secret conspiracy on th
Re: (Score:1)
My understanding of the situation is that _Equifax_ was hacked. To my knowledge the Social Security Administration, whose official policy is that you should never give your ID number to anyone /except/ the SSA, had nothing to do with this breach.
So while your statements about government being the problem, not using enough security, etc. may well be justified, they had little to do with the actual damages here.
Re: (Score:2)
Hur hur - blame the demycrats.
HOW MUCH DO THEY PAY YOU? (Score:2)
The reason you signed this post is you need to provide proof to your employer that you're shilling or you don't get paid.
It's very obvious.
Maybe you don't like the USA or maybe you're just poor and need money. But the less stable the US becomes.... and your work does destabilize the USA, the more likely it is that we will find some poor countries to drop bombs on. Probably your country will have it's turn well before there are any revolutions or major shifts in global hegemony.
I want you to spend a few
Re: (Score:2)
Re: (Score:2)
He's a paid shill.
He should remember that any country poor enough that a shill poster can earn a living... will be poor enough to carpet bomb next time the USA needs to "stimulate economic activity" with republican lead defense spending.
Re: (Score:2)
This is leftist propaganda, trying to give businesses a bad reputation for security.
reality has a left-leaning bias
Reality doesn't have a left-leaning bias, left-leaning people have a bias for truth, facts, and reality.
Leads to just one conclusion... (Score:5, Insightful)
If all companies get breached, then no company should be allowed to keep data on a scale like that that can be so damaging if it gets stolen.
maybe (Score:1)
"Equifax CEO: All Companies Get Breached "
But only you had hired a musician as an Anti-Breach specialist.
Re: (Score:2)
>> the actual subject matter is almost completely irrelevant.
Sorry but thats utter bullshit. I've interviewed and hired enough software developers to know how important a good CS education and background really is.
Apart from the lack of knowledge that an undergrad degree gives you, the best developers etc, are just hardwired that way and wouldn't dream of doing anything else. If you weren't interested enough in CS to do a CS degree when you had the chance, that tells me you're just in it for the money
Re: (Score:2)
Wow, that's quite a chip you've got on your shoulder there, mate.
For the record, an undergraduate CS degree has almost nothing to do with the kind of technical expertise you'd want working in IT security professionally and absolutely nothing to do with the kind of management expertise you'd want to hire and direct such professionals.
Also, I see little evidence of any correlation between interest in and aptitude for doing good technical work and having taken CS at undergraduate/college level. Some people too
Re: (Score:2)
>> For the record, an undergraduate CS degree has almost nothing to do with the kind of technical expertise you'd want working in IT security
Baloney, At least when I did my degree, they were teaching a lot of great knowledge around assembler and C, processor and compiler internals, what the OSI model is all about, ethernet-level comms, TCP/IP, data compression techniques, different CRC algorithms, device drivers, system security models etc, etc.
Knowing the way things go, they're probably only teaching
Re: (Score:2)
Nothing you mentioned from your degree syllabus has much to do with developing modern, production-grade security infrastructure of the kind that would safeguard personal data properly in this sort of situation, other than possibly the vague "system security models" at the end. The rest might be useful as background information, but it won't tell you much if anything about potential attack vectors and standard techniques to defend against them, the state of the art in encryption methods and how to disable an
Re: (Score:2)
>> The rest might be useful as background information
That's ridiculous. You do realise that most exploits are actually discovered and capitalised on by people using exactly the in-depth low level knowledge Im talking about right?
You can convince yourself that not knowing that stuff doesn't matter, but it really does. Your cookie-cutter "rely on conventional security policies and proper configuration of 3rd-party tools" approach is hardly creative thinking so eminently predictable to hackers and exactl
Re: (Score:2)
You do realise that most exploits are actually discovered and capitalised on by people using exactly the in-depth low level knowledge Im talking about right?
I've worked in and around this field for a long time. I'm sorry to make this a little personal, but what you're writing sounds like you read a textbook once, probably in university, and you're very proud of some of the long words and acronyms you can still half-remember. Nevertheless, what you're described has little to no connection with security management in the real world, as staff as an organisation like Equifax would (should) be doing it.
An organisation like that would have a team of system administra
Re: (Score:2)
>> the knowledge from an undergraduate-level CS degree would barely get them past writing the main function.
Maybe your degree was that shitty, but mine wasn't. Actually writing my own web server (admittedly just a small one) was pretty easy actually. Certainly one of the easiest things I've developed. But I got my degree in the UK back when/where they take or at least took a different view about learning than the US.
Re: (Score:2)
Sure, writing a program that serves text files using a simplified form of HTTP is easy. It's also about a million miles away from writing a modern, full-featured web server. Again, the knowledge included in even the best undergraduate CS course wouldn't get you close to what you need to understand to do that. And this still isn't what industrial IT security is really about anyway.
Re: (Score:2)
>> writing a program that serves text files using a simplified form of HTTP is easy.
Wow, nice ASSumptions without knowing anything about what I acutally wrote.
>> Again, the knowledge included in even the best undergraduate CS course wouldn't get you close to what you need to understand to do that.
Yes it does, or at least mine did. It gave me the basis to go out and find, and more to the point, fully understand, deep technical information about specific software tasks that I don't already know ho
Re: (Score:2)
So what exactly did you mean by "(admittedly just a small one)", then?
How much security-related material that is relevant to the original topic did you learn in your degree and then use in the software you wrote? Feel free to be specific about what was involved, and then the rest of us won't have to make any assumptions.
So far, you've claimed that someone needs to have a CS degree to know what they're doing in this field, yet now you seem to be saying that what your degree actually did was teach you how to
Re: (Score:2)
>> you've claimed that someone needs to have a CS degree to know what they're doing in this field, yet now you seem to be saying that what your degree actually did was teach you how to study further topics and more detail by yourself,
Yes, both are true. They are not mutually exclusive.
Re: (Score:2)
And yet you have not answered any of my questions, nor given any other substantial arguments to support your position that I can see, so unfortunately I don't think we're going to get anywhere useful here.
Re: (Score:2)
(Please notice that I wasn't defending anyone here, just challenging a variation on the old cliche that you need to have a formal CS degree to be any good at anything to do with technology.)
Re: (Score:2)
I've interviewed and hired enough software developers to know how important a good CS education and background really is.
I've interviewed, hired and worked with enough great software engineers to know that computer science degrees are a fucking terrible predictor of success.
the best developers etc, are just hardwired that way and wouldn't dream of doing anything else. If you weren't interested enough in CS to do a CS degree when you had the chance, that tells me you're just in it for the money not the subject itself
The best programmers skip a CS degree because it'll teach them fuck all about programming that they didn't already know.
Where do you work, I'd like to make some money shorting their stock.
Re: (Score:2)
Maybe you'd like to get some cheap open heart surgery from a friend of mine who has a social media degree but says they are also interested in biology.
Re: (Score:2)
>> computer science degrees are a fucking terrible predictor of success.
That maybe true, however the lack of one is quite a good predictor of failure for most SW jobs, especially if they chose to do an arts/humanities degree instead.
Re: (Score:2)
the lack of one is quite a good predictor of failure for most SW jobs
That's so wrong it's silly.
CS grads are, on balance, not the best programmers. Not just my view, also that of others. Some people at the very top of the profession do have CS degrees (e.g. Martin Fowler, Linus Torvalds), but others do not (e.g. Grace Hopper, Anders Hejlsberg); it's just not something you should be using in your hiring decisions.
Re: (Score:2)
>> CS grads are, on balance, not the best programmers.
I have no idea what planet you're living on, but in the real world, you're full of it.
Re: (Score:2)
Fair point. Let's judge her on her record, then.
Re: (Score:2)
He's not defending the woman. He's challenging the stupid thinking that a degree 30 years ago is even remotely fucking relevant to the job you do now.
I don't care how good she was, go get a degree and prove it to the public.
Don't be such a fuckwit. I'm a fucking good dancer, I don't have a degree in it. I'm a bloody good photographer, I don't have a degree in it. I've helped advance global software engineering, I don't have a degree in it. I know how to cut half a billion in cost out of an organisation, I happen to have a degree in it.
Your degree shows that you could get through
Re: (Score:2)
Have you even got a degree?
She'll have learned how to work to deadlines, how to do research, how to assess, evaluate and understand complex information, how to be given work and negotiate on it, how to balance work against a social life and how to have fun in an adult environment.
She may even at some point have learned something about music.
Then I guess there's only two kinds of CEOs (Score:2)
Those that we know we should fire out of a cannon and those that we don't know we should yet.
There's the third kind: The kind that doesn't store personal information unnecessarily.
Hint: You're not the third kind.
All 'dumb' Companies Get Breached (Score:5, Insightful)
A single word makes all the difference.
He's correct when the company does not maintain their Internet facing platform. Which is exactly what Equifax did.
I guess they decided to save money in IT. And perhaps had poorly qualified personnel. Because management doesn't understand IT, so it must be "easy" and something that should be cheap.
Equifax says: "Breaches are a cost of business!" Sorry, non-customer that we lost all of your data and our incompetence will cost you for years to come!!!
Given the vast negative effects of this breach Equifax should be given the "Corporate Death Penalty" like Anderson Accounting. Their continued attempts at 'deflection" will hopefully fail.
Re: (Score:2)
So let's accept that at some point or another no level of security is unbreachable (which I think is a stretch in practice but you can't prove a negative). That still doesn't make all breaches equivalent or mean that the breaches can't be detected or mitigated. Equifax fucked up on practically every level despite the importance of being especially vigilent being patently obvious because of the nature of what they held on everyone.
The negligence started well before the breach, The incompetence really shone t
Re: All 'dumb' Companies Get Breached (Score:2)
Re: (Score:2)
Arthur Andersen LLP Accounting/Consulting known as "Anderson" at the time of their demise. Once a member of the "Big 5" Accounting firms They surrendered their operating license and certifications after being found criminally liable in the Enron debacle. So in reality they really committed honorable suicide rather than be executed.
See: https://en.wikipedia.org/wiki/... [wikipedia.org]
Sorry, I did misspell their name in original post.
We can only wish EquiFax would do something similarly honorable for losing 143 milion finan
all companies WHO DO NOT PATCH get breached (Score:1)
... the clue train is slow in coming to equifax ... companies who ignore basic security practices get breached, the rest don't
Reduce the value of data (Score:5, Insightful)
Immutable data should not have any value at all.
My name and SSN are assigned to me. I cannot choose or change them. Thus, they should have no business value, esp no value in the credit / financial context.
My address, my employment, my family are essentially fixed as well. Again - this data could be public. It should have no value.
"Identity theft" as perceived in the US must disappear.
Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it.
The value itself must change.
Re: (Score:2)
Immutable data should not have any value at all... Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it. The value itself must change.
Wow, somebody just took Philosophy 101 and smoked a doobie, didn't he? If only the world were that simple, and if only you were right.
Re:Reduce the value of data (Score:5, Insightful)
Remember, there is no such thing as "identity theft". There is only fraud, committed between two parties neither of which is you. The notion that someone can "steal your identity" is a red herring invented by big companies, in the hope that this will make it sound as if it was your responsibility and you should bear the costs. It isn't - it's their responsibility to guard against fraudulent transactions and not to withdraw money from you under fraudulent circumstances. But so far they've been pretty successful in establishing the narrative that it's your fault if someone abuses the ridiculously inadequate safeguards against fraud. This is a prime example of "Establish the terms of the debate, and you've determined its outcome".
Re: (Score:2)
So, not Equifax's fault ? (Score:2)
All Companies Get Breached
Well that means we can stop patching software we know has open security holes/backdoors. Nice, makes our jobs much easier. I guess that means it was not Equifax's fault /s
I call bullshit (Score:4, Insightful)
>> All Companies Get Breached
This is not even slightly true. It is just a blatant attempt at blame avoidance through lying and misdirection.
Re: (Score:2)
Re: (Score:2)
Very true. Also, those that do get breached are not all attacked successfully because they made a really bad beginner's mistake. Although the list of companies with amateur-level security is long: RSA, Deloitte, Citibank, ...
Every company is breached (Score:3)
...so maybe we should not allow companies to store vast repositories of personal data that is very bad if breached?
It's a whole paradigm shift that needs to happen. Similar to best-practices with passwords today: you should never be storing your clients' passwords. Hash them, salt them, (I don't have all best practices off the top of my head) - but the end result is if the password database is breached, it is not catastrophic. We need to make personal data the same.
One way I think is interesting is through homomorphic encryption- it is possible to do arbitrary operations on data without the server ever knowing the plaintext. This is the future.
Re: (Score:2)
...so maybe we should not allow companies to store vast repositories of personal data that is very bad if breached?
You might be onto something here! If Equifax and their two cohorts can't be trusted to keep our credit histories and personal information secure, maybe they shouldn't be permitted to control certain aspects of our lives and defame us, no? They're not "too big to fail," so maybe we need to break them up, or at least require that they provide people in their databases with all of the information they provide to their customers, free of charge. Reporting incorrectly on me is one thing, but charging me to see s
Bought his own press? (Score:2)
Equifax CEO also bragged that the company's data-crunching business nonetheless earned a gross profit margin of 90%.
Wow, and did he brag about being an oligopoly who automatically receives everyone's data whether they want to allow that or not?
Getting to that position is a much neater trick than having a profit margin of 90%. The person who got them there deserves a big bonus indeed.
Executives: The #1 Business Priority. (Score:2)
"a stagnating credit reporting agency with a 'culture of tenure' and 'average talent'...earned a gross profit margin of 90%."
Wait, don't tell me, let me guess...you spend all your obscene profit on equally obscene executive bonuses and therefore you can't afford anything more than "average" talent?
Not that parachute-lined CxOs will start giving a shit anytime soon, but this is what happens when coddling top management becomes THE priority above all else.
Defense in Depth (Score:4, Interesting)
It's been said a million times but companies always want the magic bullet solutions.
He's right that you should expect being compromised, but no safeguards were in place for what he said was inevitable.
Looking at the timeline of events it's clear that getting past the endpoints meant free reign in their network.
https://medium.com/@thegrugq/e... [medium.com]
Over the years the focus of the security industry has changed and it is no longer considered sufficient to have a crunchy shell with a soft interior. From behavioral analysis, to canary systems and binary whitelisting/flagging. There are so many things they could have done differently it's astounding.
By publicly asserting the unavoidability of a breach, and then having no plan of action prepared for that, he's admitting that their security plan is negligent.
In other words ''Cars crash, people die... seatbelts are useless''
Sure, but... (Score:5, Informative)
Sure, but only some of them dump stocks illegally, hire arts majors to run tech security, attempt to take away the rights of victims, send their customers to illegal phishing sites, wait months to report to the public, get into a tiff with their hired outside security consultants, and otherwise completely mishandle the aftermath.
He's Right, But ... (Score:2)
All companies do get breached, but not because of sheer incompetence due to not patching a widely publicized vulnerability. The day after publication we told our product teams to update and the teams that had it did so in weeks, not months - and that was in on-prem products. Yet, Equifax couldn't patch their website in three months? That's incompetence.
To be fair, he's right. (Score:3)
Sorry, but security is almost purely a reactive thing.
And worse, HUMANS are tossed into the mix.
As such, security is a delaying action, at best.
If someone really and TRULY wants in, they're getting in. And pretty much nothing short of destroying your computing assets wholesale will prevent it.
Security has become so full of snake-oil salesman they they've forgotten that their primary purpose is hardening to the point where your average 6 year old with an iPhone can't get root on your production servers. And their secondary purpose is monitoring the network, both proactively and in the event of a breach.
So, even if someone gets in, you SEE it and you have a log trail.
This idea that security will keep your assets totally and completely hack-proof is utter nonsense. DANGEROUS utter nonsense.
Re: (Score:2)
Sorry, but security is almost purely a reactive thing.
Not if you do it correctly and effectively! Being proactive is the only way to be good at security.
Re: (Score:2)
The problem is, that you're simply being proactive about using reactive systems and methodologies.
That's like saying "this location is safe because we have hugely thick and high boundary walls, and the building itself is a combination of concrete and steel that's even thicker. The roof is 20 feet thick as is the foundation. It's bombproof and drill-proof. We've got biometric security and armed guards roaming the premises. And all our employees are heavily indoctrinated in security methods.
Meanwhile, the
Unfortunately he's correct (Score:3)
Saying that all companies will eventually get breached is, in my opinion, correct. The unfortunate thing is that nothing will ever be done to even try to improve the situation, because it's too easy for companies to just buy "cyber-insurance" as opposed to playing cat and mouse with "security researchers." In this situation, they don't even have to have the insurance company pay for credit monitoring, because they can give it away for free by just providing the same service they used to sell.
Unless you put nothing on the Internet and have a strict, enforceable we-will-fire-you-immediately policy for people who inadvertently leave the doors open, there's very little chance companies can stay ahead of attacks forever. The bigger the company, the worse it is. Outsourced IT makes security response many times slower as well because the problem has to filter down two reporting chains before it gets fixed (assuming anyone notices.) Even the NSA wasn't able to keep a lid on their information and exploit vault...that should tell you something. All the security in the world is nothing when you have humans in the loop.
What will be interesting to see is what happens when more companies start looking to put core systems into the public cloud. Obviously cloud providers have a huge incentive to keep things safe, but nothing's perfect. And the more complex things get, the more surface area an attacker has to work on. I'm sure there are more than a few "don't be like Equifax" FUD-laden sales calls being made in CIO offices all over the world lately.
The truth is that security has zero ROI in an environment where you can just say "oops," write a small check and move on like nothing happened. So far, nothing bad has happened to any company that has lost customer data. People still shop at Target, Home Depot, etc. and still keep their money in banks that have experienced data loss incidents. People just assume that these things happen and nothing can be done about it, and I agree to some extent.
Re: (Score:2)
The truth is that security has zero ROI in an environment where you can just say "oops," write a small check and move on like nothing happened.
And that is the problem. If this was classified routinely as gross negligence (unless the company can prove having followed best practices), and the CEO was jailed, then things would look a bit differently. Before that or something similar happens, data-security used to protect customer data will remain a dark joke.
Of course, when you make really stupid mistakes... (Score:2)
Even average attackers can get in. Also, when you make really stupid mistakes, in a working legal system that is called "gross negligence" and you become liable for the damage you did. Of course, Equifax being really large, they do not need to fear the law.
Information must be treated like money (Score:3)
“This wasn't a credit card play," (Score:2)
Let's be 100% true to ourselves... the security crowd is generally full of shit. When I read the headline of an article (a month ago on Slashdot sometime) making some dumb-ass remark like "There have been more hacks already in 2017 than in any previous year". They whole article rambles on non-stop for frigging ages about how bad th
The Full Time Line (Score:4, Informative)
Feb 24, 2016 - Annual 10K report - indicates only generic, boilerplate risks that a financial services company like Equifax should include in their SEC filing.
Jly 27, 2017 - Quarterly 10-Q filing with the SEC, indicating "There have been no material changes with respect to the risk factors disclosed in our 2016 Form 10-K."
Aug 1, 2017 - Chief Financial Officer John Gamble sells $946,374 in shares
Aug 2, 2017 - Joseph Loughran, President of US Information Solutions sells $584,099 in shares... and Rodolfo Ploder, President of Workforce Solutions, sells $250,458 in shares
Aug 17, 2017 - Rick Smith gives a presentation to the University of Georgia, discussing cyber security threats - and makes a memorable quote...
Sep 7, 2017 - Equifax admit to a massive data breach, impacting at least 143 million Americans, see here:-
http://www.independent.co.uk/n... [independent.co.uk]
Sep 7, 2017 - On the same day as admitting to the breach, Equifax also admit that 3 executive sold $1.8MM in shares between the breach being detected and the date it was made public. Crucially, despite Equifax claiming that the Executives had no knowledge of the breach, none of the three sales were part of planned, scheduled trading (i.e. were covered by 10b5-1 plans). In other words, these were spontaneous sales. See here:-
https://www.bloomberg.com/news... [bloomberg.com]
The crucial thing is, however, that in the above Independent article, published September 7th, is the statement,
"The Atlanta-based company said that that “criminals” exploited a US website application to access files between mid-May and July of this year - with the weakness said to have been discovered at the end of that month. "
Now, among the pieces of information we don't know are: 1) when, exactly, did the three executives sell their shares?; and 2) what internal discussions - i.e. board meetings, emails - were used to disseminate the information internally.
Obviously we're not told this, but the company will by now have received a "Preservation Order" from the SEC, requiring them to ensure that data pertaining to this event is not destroyed. Backup tapes will be pulled from cycles; current email folders will be locked; individuals will be warned that their documents are subject to such an order. Given the close proximity of events - we're talking days, not weeks or months - it should not be difficult to forensically re-create a very precise time-line.
So whilst the speech that Smith gave a the University of Georgia is going to be hugely embarrassing for him personally - and whilst the acknowledgements he makes in it will be very uncomfortable for the company - the really crucial evidence here is all about the timing. Understanding the truth behind the question, "Who knew what, and when", is going to make the difference between negligence and a criminal act.
Here is the key thing to bear in mind. That statement as reported in the UK Independent newspaper article that the breach came to light "at the end of July" is absolutely crucial. If there is enough evidence to suggest that persons within the company knew of the data breach *before* that 10-Q was filed, then I don't see how Smith and his co-directors can avoid jail time. The deciding factor [for me] is that the actual timing could very easily show conspiracy.
If there was a suggestion that a concerted effort was made to hold back the breach information until after the second quarter 10-Q, then it will not look good for the board. They are on the horns of a dilemma here. Either there was widespread knowledge of the breach and the three executives attempted of
Dozens of Lawsuits (Score:2)
a significant portion of Equifax Management are utterly incompetent and basically allowed one of the worst data breaches in history to happen on their watch... in which case we can only hope that shareholder lawsuits will follow.
Did you miss this one? [slashdot.org] The blood is most definitely in the water already.
Re: (Score:1)
I worked for European companies in the past. They same the same shit about "security has no ROI" as their American counterparts.
Re:You Americans are idiots (Score:5, Insightful)
Re: (Score:2, Funny)
Europeans are just better at hiding their problems, Europe is a contentment with people who just stick their heads in the sand, unless they really have too.
Re:You Americans are idiots (Score:5, Funny)
Like salt and vinegar?
Re: You Americans are idiots (Score:2)
Re: You Americans are idiots (Score:2, Funny)
Always wear a condiment.
Re: (Score:2, Informative)
Also European companies are not allowed to store much data about persons. For example the credit rating agency in the netherlands is not allowed to store much identifiable in their database, pretty much only the name and birth date of the person and which they have credit information on.
They are not allowed to store the equivalent of the social security number, not even the address where the person lives.
Re: (Score:2, Interesting)
"You don't hear about European companies having data breaches."
Of course. With the way the data breach laws are constructed, it's simply cheaper and easier buy off whoever discovers/exploits the breach and then pretend it never happened while locking down.
Re: (Score:2)
You are dangerously naive and have a pathetically simplistic view of information security.
I mean, even in this one situation the Equifax network wasn't hacked and Microsoft software was not involved, thus invalidating even your shit advice.