Equifax IT staff had to rerun hackers' queries to work out what was nicked

wglb | 247 points

I know for a fact that they also had Splunk ES bought, built, and running, then the CISO had them turn off the alerts because they were "too noisy" and sure enough, they could see all this happening when it was retroactively inspected.

There are so many things wrong in that sentence but my most glaring question is: why on earth was she even receiving the alerts? That's so far below her level. So, there's more here than just the cert issue. There's also just a complete disregard for a secure mindset from the person that is supposed to be setting that mindset in the culture, along with what sounds like micro-managing to a state of no-managing.

oglopf | 6 years ago

Meanwhile Equifax stock is at ~130 compared to the ~145 it had before the news broke of the hack, with their lowest dip at ~90 and a long time dragging along at ~110.

¯\_(ツ)_/¯

I'm seriously considering that on the next massive data breach of a publicly traded company I'm gonna buy some stock at the onset. Even though it feels like betting against my own principles, it just seems like too good of an opportunity to miss out on...

hetspookjee | 6 years ago

Isn't the claim made in the article as sensational -- that the investigators replayed what the attackers did -- just kinda good practice?

It'd just make sense to me that, during an investigation, one would replay what the attackers did to get a good understanding of the results. This just seems like responsible investigation.

(The flipside would instead be claiming that X was compromised, and not being able to honestly answer questions as to whether one retraced the attacker's steps to provide assurance.)

c0nsumer | 6 years ago

While your data is being stolen and sold in the dark web, Equifax is happy to sell you Identity protection for your business: https://www.equifax.com/business/credit-monitoring-and-ident...

SonnyWortzik | 6 years ago

So, someone forgot to input this certificate into their Outlook Calendar, Slack /remind, or whatever, and as a result 150mm people are at risk for identity theft. Awesome. I'm so glad I have no option to prevent my data going to this super-competent company and there's no oversight by anyone external.

chris_mc | 6 years ago

Imagine all the companies that Equifax is probably contracted with that need bulk query access to their data. It’s easy for the crowd here to pooh-pooh this kind of behavior, and it is bad, and they should be punished for their incompetence. They should not be in business any longer; it’s not like there aren’t other companies operating in this space to fill the void.

That said, how do you seriously prevent such a thing from eventually happening? In this case it was their systems that were compromised, but it could have easily been a downstream user or similar that had enough direct access. I’m curious to know what, if any, technical solutions could be possible.

I’d never take a tech job protecting such a thing. The only way I could think would be to have some very trusted people manually reviewing all access to the primary data store, and even that probably wouldn’t be enough. Miss one unauthorized query and you’re toast.

The entire system of social security numbers is flawed by design from a security perspective, and therein lies the problem.

iamleppert | 6 years ago

The Apache Struts vulnerability is easy enough to detect -- Java runs programs it shouldn't. If a bigcorp like that doesn't have a next-gen AV to detect that, executable logging + SIEM correlation would have done the trick.

They detected the traffic after the TLS inspection box was fixed; that was the box that detected it, not the point of entry, from what I understand. Regardless, TLS inspection has its place (this is why you can't have end-to-end crypto in a corporate environment).

From my experience, most bigcorps do IT like it's still 2009. There is so much architectural bloat, bureaucracy and unseen system complexity that it reduces security controls to mere cosmetic theatrics.

It's like having a 200ft tall, 50ft thick iron wall around your castle with 100k foot soldiers armed with the best weapons and training. The problem is that your soldiers (IT staff) can't act fast due to bureaucracy, and half of the duties are someone else's problem due to over-segregation of duties. Your fancy wall (security solutions and controls) is neat, but there are holes wide enough to fit ten people all over it.

In the end the enemy is complexity. You can't solve that by adding more security vendors, solutions and staff, which is exactly what everyone seems to be doing.

badrabbit | 6 years ago
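An added example (not the commenter's code, and not anything from Equifax) of the "executable logging + SIEM correlation" rule the comment above describes: process-creation telemetry is scanned for a Java servlet runtime spawning a shell or download tool, or executing a binary from a world-writable path. The JSON field names are an assumption for this example and the log lines are constructed.

```python
import json
import posixpath
from typing import Dict, List, Optional

# Constructed sample telemetry: one process-creation event per line, JSON, in the
# shape an EDR or auditd forwarder might ship to a SIEM. Field names are assumed.
SAMPLE_LOG = """\
{"ts":"2017-05-13T10:00:01Z","host":"web-01","pimage":"/usr/bin/java","image":"/usr/bin/java","cmd":"java -jar app.war"}
{"ts":"2017-05-13T10:00:05Z","host":"web-01","pimage":"/usr/sbin/cron","image":"/bin/sh","cmd":"sh -c /etc/cron.hourly/logrotate"}
{"ts":"2017-05-13T10:02:11Z","host":"web-01","pimage":"/usr/bin/java","image":"/bin/sh","cmd":"sh -c whoami"}
{"ts":"2017-05-13T10:02:12Z","host":"web-01","pimage":"/usr/bin/java","image":"/usr/bin/curl","cmd":"curl -s example.invalid"}
{"ts":"2017-05-13T10:02:20Z","host":"web-01","pimage":"/usr/bin/java","image":"/tmp/.x/update","cmd":"/tmp/.x/update"}
"""

# A servlet container (Struts runs inside one) has no business launching these.
SERVLET_RUNTIMES = {"java"}
SHELLS_AND_TOOLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe",
                    "curl", "wget", "nc", "perl", "python"}
WORLD_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/")


def classify(event: Dict) -> Optional[str]:
    """Return an alert reason if the event matches the correlation rule, else None."""
    parent = posixpath.basename(event["pimage"])
    child = posixpath.basename(event["image"])
    if parent not in SERVLET_RUNTIMES:
        return None
    if child in SHELLS_AND_TOOLS:
        return f"java spawned {child}"
    if event["image"].startswith(WORLD_WRITABLE):
        return f"java executed binary from world-writable path {event['image']}"
    return None


def detect(log_text: str) -> List[Dict]:
    """Parse newline-delimited JSON events and collect the ones that fire the rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            alerts.append({"ts": event["ts"], "host": event["host"],
                           "reason": reason, "cmd": event["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The benign java-spawns-java and cron-spawns-sh lines produce nothing, which is the point: the rule keys on the parent/child pair, not on shells in general, so it stays quiet enough that nobody is tempted to switch it off.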

It's worth noting that such a display of negligence didn't stop the IRS from awarding Equifax a 7 million dollar contract:

https://www.politico.com/story/2017/10/03/equifax-irs-fraud-...

And Equifax is the same incompetent company providing identification services for healthcare:

http://www.specialtycreditreports.com/equifax-contract-healt...

Nor did it prevent 18F from awarding a similar multi-million dollar contract to Equifax for login.gov:

https://federalnewsradio.com/reporters-notebook-jason-miller...

There is no incentive for Equifax to take security seriously.

bogomipz | 6 years ago

The best, and possibly only way of preventing the theft of personal data is to not have it.

The amount of surface area a large organization needs to always protect is just too large; we can just assume at some point all that info will be taken.

phyller | 6 years ago

PSA: On Sept 21st freezing or thawing your credit will be free.

https://krebsonsecurity.com/2018/09/in-a-few-days-credit-fre...

dmfdmf | 6 years ago

Nicked.. British English is fun.. is there a compendium of phrases like this?

danschumann | 6 years ago

I actually read the GAO report and it does not say this.

Thought I should point out a major error right there in the title.

ccnafr | 6 years ago

Just wondering, are the queries executed against the state of the databases in that moment?

malkia | 6 years ago

The headline is by far the least concerning part of this.

grigjd3 | 6 years ago

At a certain point (age, level of wisdom, whatever) you realize when a company is focused on short term gain vs everything else. At that point, unless you just don't give a shit, you move on.

Not to bring politics into this, but there's a variant of capitalism that runs rampant in developed economies that is based almost exclusively on short term gain.

Equifax, like so many other companies, illustrates this story in painful detail - especially for those who work there.

There are so many executive poor behaviors that go on, affecting not just their employees but their customers and beyond, that you might think by now there would be more attention paid to this. But the people who should be paying attention are quite like the executives who are overly focused on short term gain.

blunte | 6 years ago