Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com)
phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.
Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.
The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.
Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.
What will happen with the ones that sold their stock before the announcement?
So, one year they send me two documents. One says "PCI compliance". One is for data breach insurance. I do the PCI, and toss the insurance. The next year, they send me PCI compliance, and charge me for the insurance. I call, tell them no, as I don't have any hackable databases, unless you break into my office and pull out handwritten credit card numbers from each individual file. I argue with them, and they tell me that it is mandatory. I read the policy, and find it is almost useless. If I don't do PCI, they charge me a $20 per month "noncompliance fee". If I do, they then charge me a bit under $200 for this useless insurance anyway. Meanwhile, someone goes to the front door and walks off with the whole database? I know interchange is a huge ripoff and is in desperate need of renovation... if Africa can move money with a dumb-phone for a lower commission rate, then V/MC/AX need to die in a fire today... but WTF? Meanwhile, I'm stuck with paying for insurance I can't use, with a system that is not easily electronically hackable (no stored numbers anywhere, period, and I use their portal to charge over HTTPS)...
...but were David Webb and/or Susan Mauldin among those execs that sold shares before the breach was made public?
It means that, all things being equal between candidates in technical knowledge,
In all my years of sorting through job applications and conducting interviews, "all things being equal" has never occurred.
Instead, what does occur is that HR managers or upper management hint strongly that "won't someone rid me of this meddlesome diversity quota imbalance". The end result is that some will hire the first diversity candidate that in good light meets absolute minimum requirements, despite there being better candidates available.
I wondered if Equifax intended to circle the wagons, hold on to upper management, and then try to buy, bribe, or schmooze their way out of this mess via political channels. For a lesser P.R. disaster than this recent exploit, such a strategy might have worked.
But abruptly canning the CSO and CIO says three things to me:
(1) Equifax's internal auditing shows that this mess is considerably worse than what has been publicly revealed so far.
(2) The CEO has now shifted to "I have to save my own job" mode. The CSO and CIO have been thrown under the bus, and more will probably follow.
(3) Equifax is going to take it on the chin, financially speaking. Canning the CSO and CIO is a clear admission that Equifax was negligent. The lawsuits are going to increase exponentially from this point. But worse than that is the overwhelming demand by millions of consumers to freeze their credit reports. Equifax (along with Experian and Transunion) makes a lot of money selling credit information to banks so that they can offer credit cards to you. Credit freezes prevent that. Every new credit freeze is another hit on the annual bottom line. Equifax is bleeding from millions of tiny cuts, and it will only get worse.
Frankly, it couldn't happen to a more deserving bunch of guys.
We don't know if she did or didn't have the necessary experience or qualifications. We only know her degree was in music. I understand your point, and in and of itself it is valid. We just need more information to determine if she is actually qualified or not.
At the executive level, you can assume that anyone holding that position has no actual expertise and sometimes no experience. Anyone with a CxO title is appointed to that position, and is usually well-connected on the boards of several companies. BUT -- good people in this position know they have to hire people who actually do understand the areas they're responsible for. If she wasn't capable of doing this, or was just hiring her friends for key positions, this is the result you get. I've been doing IT work in big companies for over 20 years now and have witnessed stuff like this over and over. It's a constant battle to do a good job when you have executives hiring incompetent people at the top, offshoring or outsourcing key IT functions for big kickbacks, etc. (I'm assuming that when we peel back the covers on this, the unpatched system will be a result of the IT department getting so disconnected that a simple system change takes 3 months and people on 2 different continents coordinating it.)
What I don't like about IT in general is that people can mess up badly, get fired or be allowed to "retire", then go to another company and mess things up there as well. I would love the idea of a professional organization that would ban incompetent people from working in the field after a fair finding of facts. This would really cut down on the number of slapped-together "solutions" that cause breaches like this in the long run. If my reputation were on the line, I wouldn't rush through a system design the way I'm sometimes forced to by schedules. As it is, IT people can do the equivalent of joining the French Foreign Legion and come out on the other end with a clean reputation. (For those unfamiliar, the FFL is France's overseas military force, which basically accepts anyone who wants to escape their current situation and grants them a new identity in exchange for military service.)