Squabble With Contractor Delayed Equifax's Response To Data Breach (bloomberg.com)
An anonymous reader quotes Bloomberg's report on the contractor Equifax first hired to investigate their breach:
Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network... Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...
That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer... By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems.
"They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group -- known as an entry crew -- handed off to a more sophisticated team of hackers," reports Bloomberg, suggesting that the attack may have been sponsored by a nation-state.
There is no excuse, especially given how Equifax has also mishandled just about everything after the breach was made public. Make it a $1,000 fine per person per day for not notifying them within seven days of discovering the breach. The only exception is if law enforcement requests that the breach not be disclosed to protect the integrity of an investigation.
I guess that undertrained security team had their shit together and Equifax is now SCREWED!
Squabble With Equifax Delayed Equifax's Response To Data Breach
The way the headline reads as published makes it sound as if the contractor is to blame -- which is obviously horseshit.
Beware of the Leopard.
Mandiant - that name rings a bell. I can't be arsed to google it, but IIRC this isn't their first clusterfuck.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Regardless of whatever they may have believed, they were warned and ignored the warnings. Sure seems like gross negligence or possibly even criminal negligence. If the system weren't corrupted, I would expect indictments. It's too bad our government doesn't function properly.
Anons need not reply. Questions end with a question mark.
Give companies like Equifax the corporate death penalty, which is revoking their corporate charter. Give the CEO the actual death penalty, especially when he gets $90 million to retire due to his incompetence. The laws need to change to put an end to this ridiculousness from companies like Equifax. We should be marching in the streets and engaging in civil disobedience like blocking streets until the laws change to protect the people from vile corporations like Equifax.
Actually I have no idea what Equifax uses, but it seems every time I read of these breaches they are because of a lack of communication between various internal groups. Working for a company that is often hit with DDOS or other intrusion attempts by nation-states, I know that the overriding thing to keep them out is open, candid communication between staff, management, and vendors.
Also, probably shouldn't put Access databases outside the DMZ.
The Kai's Semi-Updated Website Thingy
expect them to not grok security and put budget concerns above everything else. Our CTO has a degree in social justice, and he fired everyone that was educated in order to hide his incompetence. Plus, he fired all of the white people, and our company repeatedly lied to the state that they were fired with cause so they couldn't get unemployment.
Whoa whoa whoa. So a foreign power now has access to the credit records of the entire country? We need to stop dicking around and bring in the NSA.
This is in their mandate.
Sounds like Equifax didn't like what it heard, so it disregarded their consultant's advice.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Take care of yourself and be educated about the world.
There are three companies with the exact same info on you.
Ever heard the old joke about the three guys on a safari that piss off a lion? One guy says "shit we're dead", one guy says "maybe we can outrun it", and the last guy says "I just have to outrun one of you".
That's this situation. One was always going to be the slowest to run from the lion and it happened to be Equifax. So what? It was going to happen... freeze your credit except for when you need it, take the effort to pull a report from one of the three every four months (which is free), use a password manager and enable multi factor auth in your primary email.
Don't trust others to take care of you. Take care of yourself.
because a corporation that couldn't manage basic security - cannot be attacked and brought law by common hackers even if they are given enough time and room to bring in specialists.
Sounds like the "undertrained team without the expertise it expected" nailed it. Described a potential problem, how to fix said problem. Rather than act on the information provided, Equifax said they knew better and asked for a "better team" that would do as they were told.
With hindsight .... oh wait.
Who the hell gave these freaks the right to have the personal info on millions of Americans???
Did YOU say that they could have YOUR personal info?
Did your parents? Did your kids? Did your neighbors or co-workers?
Who gave them the gun and let them load it and then get drunk and start shooting?
"The investigation in March was described internally as "a top-secret project" and one that Smith was overseeing personally, according to one person with direct knowledge of the matter."
WTF? The CEO was trying to cover up the breach; instead of being a real leader and shutting down Equifax until it was fixed, he let hackers just slowly take the data over 6 months.
The government regulations that stifle the industry and make it hard to do business is the real cause here. As usual, all government is bad government. We need to deregulate the industry so that the free market can fix this problem once and for all. Guaranteed.
There are two issues here. The CEO didn't insist on security, so either he's naive or misinformed. Either is bad.
The CTO didn't insist or wasn't given budget for appropriate security measures. Either is bad.
The CEO wasn't managing the CTO in regards to requirements, and the CTO wasn't managing up the requirements.
When you look at BoA where security is king; they'd rather have a production outage, break something and then scream at the vendor to fix it, than lose customer data. A customer facing production outage costs them a lot less than the loss of customer data, where they're concerned the whole company could go to the wall.
This is a management fuck up, of the highest order. This was business risk 101 and they failed to identify it, quantify it and mitigate it.
Mandiant may not have sent their A team, but from the sounds of things their C team would have been enough to start to deal with their issues. Unpatched systems, c'mon are we still in high school?
Curiosity was framed; ignorance killed the cat. -- Author unknown
BULLSHIT!
A nation state source will divert equifux's responsibility.
Burn equifux with extreme prejudice and take every penny from every exec. These mother fuckers deserve to be homeless as I'm positive they are responsible for many of those.
Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...
No, that is exactly the level of competence I expect from a 'marquee security company,' especially several years after they've been bought out by a large corp.
You'd expect about the same level of quality that you'd get from a development team at Oracle.
"First they came for the slanderers and i said nothing."
Are they just going to blame everybody else?
It seems like they are in the process of trying to figure out which people to place the blame on. Once they have figured out which bits are the bad bits, they will cut them off and pretend they are clean again. Every institution that goes through a scandal does this.
Step 1: Suffer from bad code.
Step 2: Blame the hardware instead of the software (Obviously it's not the code since I know I'm perfect).
Step 3: Replace the hardware you decided to blame and pretend the problem is fixed.
Step 4: Run the same shitty code.
Security is only an expense for them. Losing data they have on people doesn't affect their business. Hell, the data only needs to be accurate 90% of the time for them to make a profit. Don't be surprised by this. Equifax is acting completely rationally. If you really cared, maybe we should have an organization that is run by the public to do things that can't be done efficiently by private companies because their motivations don't align with how they are paid. I suggest we give this organization a cool name like "government".
Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company.
So I guess they weren't as well-qualified as the music major you hired as your chief security officer?
SJW: Someone who has run out of real oppression, and has to fake it.
I have personally never met anybody who signed a contract with TRW, Equifax, etc. authorizing them to spy and monitor and store.
You must be the singular idiot who did slap his John Hancock onto a contract with these evil companies telling them they could data mine and monitor you for your entire life, selling everything they learned to the highest bidder and potentially ruining your chances of buying a home or getting a job.
Thanks a lot, dude.
This is completely irrelevant.
It doesn't matter who is at fault, Equifax is ultimately responsible.
... or possibly not how unbelievably common this is. And most of the time, in my experience, the management is not even aware of the issues. The last security assessments I did were shot down as "impractical and impossible to execute on" by the IT managers or directors. Simply because it started with "take XXX days to level all systems to a known updated state" along with the report from a vulnerability scanner. These IT managers/directors were actually the ones saying "if I go to my management with this proposal, I will lose my job", not the top management itself, happily thinking that everything was hunky-dory. My experience is that many CTOs do not like telling their CEO "we need to talk" or "we need to fix up things and that involves changing the way people think too."
Still no reason to let Equifax continue to exist.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Described a potential problem, how to fix said problem. Rather than act on the information provided, Equifax said they knew better and asked for a "better team" that would do as they were told.
It's fucking easy to walk into a company the size of Equifax, run a vulnerability scan or three, and go, "You have unpatched vulnerabilities! You need to patch all these systems!!"
What I want from a professional security firm is a fuck of a lot more. E.g., how do I keep those systems sufficiently secure and manage those security risks without investing half a billion dollars into my IT estate, making half my product line unprofitable.
Any cunt can spot the issues, I'm not surprised Equifax were seeking actual security expertise on how to manage and deal with them.
Ever heard the old joke about the three guys on a safari that piss off a lion?
First guys says "We're all dead". Second guy says "I only need to outrun one of you". Third guy takes his walking stick and cracks the second guy in the knee.
In Equifax's case, the CEO, CIO and CSO left the company and took their parachutes to the bank. Not their problem anymore.
Why is it that whenever a hack turns out to be even remotely complicated, suddenly it has to be "sponsored by some state" or whatever? This makes no sense. Nobody is more motivated to learn and use the latest techniques than people doing this for fun and sport. Especially if it can be coupled with some personal vendetta or political view to keep the fire alive.
Apparently not the cunts at Equifax.
Incident response, vulnerability scanning, and pen-testing are all different things.
Vuln scans as you describe are a useful service if your organization does not have the resources to perform them and consume the resulting data. Equifax-sized organizations should have an internal security team that is able to do that. If they hired Mandiant to do it, that indicates a defective security organization right there. A vulnerability scan is a bottom-drawer service that is generally sold to small shops and shops that are aware they have a seriously immature security posture.
It's not possible to make much in the way of recommendations based on a vulnerability scan. A systemic pentest will usually reveal things like: hey, your admins are doing web surfing and e-mail reading with accounts that map to uid 0! It will let you make some intelligent recommendations to isolate compromises, limit lateral movement, and prevent large data leaks; maybe without investing half a billion dollars.
With a vulnerability scan all you get is "hey, all this software is unpatched with published CVEs and POCs." Other than prioritizing mitigation there is little you can say as a security professional other than patch it or update it. You don't have the information needed to diagnose or offer intelligent advice on other issues.
So what happened here? Did Mandiant show up and do a VS when Equifax hired them to do incident response? Did Mandiant's sales team sell them the wrong service? Did Equifax cheap out and buy the bottom-drawer offering, despite it not meeting their needs, against advice? Who knows!
The reality of the InfoSec consulting industry is it's extremely immature. The sales folks don't understand what they are selling, the customers don't know what they need, the practitioners bias very young: they tend to have the technical know-how but not the communications experience. They also lack the industry experience to know how to get from point A to point B organizationally. They know what a well-run textbook program looks like, but they don't know how to manage people and which changes to try and make first.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
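The comment above says that the one thing a raw vulnerability scan does support is prioritizing mitigation. As an added illustration of that step (example code written here, not from the thread or from any scanner vendor), the script below takes a handful of constructed scan findings and ranks them by CVSS score, whether a public PoC exists, whether the host is internet-facing, and how sensitive the asset is, then maps each to a remediation window. The weights, the tier scheme, the SLA thresholds and the CVE identifiers are all assumptions invented for the example, not any standard or real data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability scan, as a scanner might report it."""
    host: str
    cve: str              # identifier; the values below are constructed placeholders
    cvss: float           # CVSS base score, 0.0 to 10.0
    public_exploit: bool  # a public PoC exists (the scanner's "POC" flag)
    internet_facing: bool
    asset_tier: int       # 1 = holds sensitive data, 2 = internal, 3 = low-value/lab


# Weights are an assumption for this example, not any published scheme.
EXPLOIT_BONUS = 3.0
EXPOSURE_BONUS = 2.0
TIER_BONUS = {1: 2.0, 2: 1.0, 3: 0.0}


def priority_score(f: Finding) -> float:
    """Rank a finding by severity, exploitability, exposure and asset value."""
    score = f.cvss
    if f.public_exploit:
        score += EXPLOIT_BONUS
    if f.internet_facing:
        score += EXPOSURE_BONUS
    score += TIER_BONUS[f.asset_tier]
    return round(score, 1)


def patch_sla_days(score: float) -> int:
    """Map a priority score to a remediation window (assumed policy thresholds)."""
    if score >= 14.0:
        return 3
    if score >= 10.0:
        return 14
    if score >= 7.0:
        return 30
    return 90


def triage(findings):
    """Return (host, cve, score, sla_days) tuples, most urgent first."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [
        (f.host, f.cve, priority_score(f), patch_sla_days(priority_score(f)))
        for f in ranked
    ]


# Constructed sample findings: not real scan data, CVE ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-PLACEHOLDER1", 9.8, True, True, 1),
    Finding("db-03", "CVE-0000-PLACEHOLDER2", 7.5, False, False, 1),
    Finding("print-07", "CVE-0000-PLACEHOLDER3", 9.1, True, False, 3),
    Finding("dev-22", "CVE-0000-PLACEHOLDER4", 4.3, False, False, 3),
]


if __name__ == "__main__":
    for host, cve, score, sla in triage(SAMPLE_FINDINGS):
        print(f"{host:10} {cve:24} score={score:5.1f}  patch within {sla:>2} days")
```

Note what the ranking cannot tell you: the internal database host that holds the sensitive data ends up below a print server with a public exploit, because the scan knows nothing about which hosts can reach which. That is exactly the gap the comment says a pentest fills and a scan does not.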
Security done correctly is expensive and management hates that. They also hate things they do not understand, so when somebody tells them they need to spend money on something expensive that they don't understand, they resist. They hire people that understand security to take care of it, but they rarely give them the real resources and backing they need to do things properly.
Compliance standards help some but the trend I've been seeing is that compliance is merely a checkbox for management and their defined maximum. Whereas, security professionals often see compliance as a minimum.
Security is a hot topic right now and the industry is doing well. Management thinks they are being taken advantage of and to some extent they are but only because security has been largely ignored.
Keep the Classic Slashdot.
For me it looks as if Mandiant did a proper job, but the Equifax losers wanted a magic pixie dust security solution. One which was cheap instead of correct.
Hubris, ego, and ass covering are responsible for the delay. The head shed was concerned about its own collective asses and jobs.
So what happened here? Did Mandiant show up and do a VS when Equifax hired them to do incident response? Did Mandiant's sales team sell them the wrong service? Did Equifax cheap out and buy the bottom-drawer offering, despite it not meeting their needs, against advice? Who knows!
Well, exactly. This is why I'm reluctant to make too many assumptions here.
It's very possible that Mandiant were completely shit.
It's equally possible that Mandiant were pragmatic, insightful, informed and informative, and Equifax were incapable of understanding this.
They know what a well run textbook program looks like but they don't know how to manage people and which changes to try and make first.
Worse, there are no right answers. The business benefit of not having a data breach is extremely hard to give a line-item on the balance sheet but the prevention costs are very apparent in the P&L. So how and where to prioritise the resources available is a properly difficult business decision for which you'll get no thanks from anybody.
When you're under the gun to meet the numbers, it's amazing how many "problems" you can find in a customer's system. Selling unnecessary "solutions" is a great way to boost commissions.
It's buyer beware in this industry.
FUD 1: Sure, our execs ended up on easy street, but we are going to investigate that ourselves, so don't worry.
FUD 2: It can't be us, we had a problem with an outside contractor we used for security.
Can't wait for #3.
Not only did they know about the breach long before they told anybody, they knew about the likelihood of a breach at a time when they might have drastically curtailed the damage of the one that was already in progress. All while they were arguing the equivalent of how many angels can dance on the head of a pin. Such is corporate hubris.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
The business benefit of not having a data breach is extremely hard to give a line-item on the balance sheet but the prevention costs are very apparent in the P&L.
I could not agree with that more. How much should you spend on security-specific efforts? Well, many would argue: X = risk probability * cost of a breach
I think it's actually the case that an organization like Equifax probably has not invested too much in security. All the costs they have really incurred have mostly to do with dumb mistakes after the breach. Had they literally said and done nothing at all? What if, when asked about it, all they did was say "yup, looks like it, we are trying to make sure it does not happen again, no further comment." Suppose they did not offer credit monitoring or freezes. Suppose they did not set up that stupid site to see if your info was leaked that did not even work? Suppose the CxOs had not been dumb and triggered a likely SEC investigation with their stock sales. What would have happened?
I would suggest most civil suits against them would fail; nobody can show direct harm. Even if someone had their identity stolen right after the breach, it's pretty easy to show the information needed to do that could have easily come from elsewhere. Consumers have essentially no recourse against them. Customers (lenders) have little real reason to care. What laws would they have broken for the government to go after them on? None that I am aware of. If any regulation results from this, it will hit their competitors equally.
I am not sure this breach had to cost them much of anything. I really think almost all the price tag associated with this is missteps in the response.
I'd suggest waiting until their next financial announcement and admiring the trend in quarterly revenues.
The real price isn't the reparation costs, it's the reputational one. Equifax rely on other people's data and if that dries up because they're not trusted with it, the competition are eager to step in.
Let's see if I understand this. Equifax hires a company to check its security stuff.
Company: "ya, you've got problems."
Equifax: "fix'em."
Company: "let's talk price."
Equifax: "you're not as good as we thought."
Company: "not for free? Yup."
Nobody knows anything; ya, got it. A company like Equifax doesn't do security checking by an outside source without a reason. Equifax's existence is based on good security, but now they need help? I question why there are 3 known upper management types that shorted their stocks when all this squabbling was going on. Too many unknowns by folks whose job it is to know.
I'm buying futures in microwave popcorn, this looks good.
Repeal the 17th Amendment TODAY! That's funny.
3 known execs didn't, that says something.
I've heard a lot about "block chaining." Could the Equifax event usher in a new business model for credit reporting?
I could not agree with that more. How much should you spend on security-specific efforts? Well, many would argue: X = risk probability * cost of a breach
In most cases, the company never pays the full cost of a breach because their customers are the victims, not them. The only way to ensure that this calculus is done correctly is to ensure that the company bears at least the true cost of the breach. The most effective way to do this is through fines that meet or exceed the actual cost of the failure. The problem with regulations in the United States is not that they exist, but that they are not properly sized for the actual behavior they are there to prevent. Fines resulting from regulation must potentially be large enough to bankrupt a company if the violation is egregious enough. If they are not, then by definition they are not performing their intended function in society.
I wish I had a good sig, but all the good ones are copyrighted
It's totally off-topic, but it does have some merit. The 17th Amendment is one of the steps that limited the power of the states and increased the centralized power of the Federal Government. It's plausible that it was a mistake, though it was intended to address real existing problems. And the problems that it caused are one of the things making me hesitant to support efforts to remove the electoral college. I can see the clear problems that it causes, but what I can't see is the problems it prevents.
I think we've pushed this "anyone can grow up to be president" thing too far.
It's not *just* that they aren't adequately staffed and funded, though that is also true. Regulatory capture is an even worse problem. No regulator should be allowed to accept any remuneration from those they regulate, not even after they retire from the body. And I mean not allowed to accept *ANY* remuneration. No jobs. No dinners. No speaking fees. No consultant arrangements. No discounted apartments. No payments for stock owned. NOTHING. And not just while regulating, but also afterwards. (If they own stocks or bonds then they better sell it before they take the job as regulator, because afterwards they are allowed neither to collect dividends nor to sell it.)
Being a regulator should entail a final and permanent severance of all connections with those regulated. If the regulatee is the spouse of the regulated, this should not only require a divorce, it should require that they never henceforth exchange any communications. Not even through intermediates...such as children. So in that case don't take the job.
That isn't even what they said. What they said was "When the hack turned out to be unexpectedly valuable, they turned it over to a more skilled group", and that *this* indicated it was a nation-state.
To me that sounds like they found something valuable and sold it to someone else...who might have been a nation-state. Why not, they have deeper pockets than most.
Amusingly, I ran into almost this exact scenario last month. A former co-worker went to her doctor; her doctor's practice had just been slammed by TWO ransomware hits. Their server was totally screwed. She gave them my name, I contacted them the next day. They never asked my price, I only charged them $30 an hour for 15 hours over two days, didn't even charge them for the time it took to put together a four page report describing what happened to them and the additional steps they needed to take.
They decided they didn't need my further services the next week or since.
When I lived in the Big City, my consulting rate was $50-125, and that was over a decade ago. But here, wages are horribly suppressed, and then people wonder why there's no good talent in the area. I'll discount my services depending on what I'm doing and how charitable I'm feeling, but no, I do not work for free.
They were running Windows Server 2008 R2 and unpatched SQL Server 2008 R2 with a CenturyLink-provided DSL router without an external firewall appliance, so it was pretty much child's play for the malware to root the server. Among the things that I was going to do the next week was inspect the 18 PCs (running Win 7 Home to Win 10 Pro -- but no domain model: it was all one big workgroup) with a bootable CD, but apparently they're happy with what they'll have. It would've been interesting to see what was lurking there. I wonder who is going to configure their brand-new Cisco firewall: I offered to help them find someone qualified to do it as it's outside of my area of expertise, haven't heard word one.
When you sympathize with stupidity, you start thinking like an idiot.
As a lay person I would like to ask the technical readers here: why don't companies with sensitive data encrypt the data in the databases and only decrypt it for processing? Wouldn't that make these thefts of data pointless?
What I want from a professional security firm is a fuck of a lot more. E.g., how do I keep those systems sufficiently secure and manage those security risks without investing half a billion dollars into my IT estate, making half my product line unprofitable.
The going rate for EIS IA solutions services in flyover country is $150-250 per hour per team member plus expenses. It would take 4-6 weeks, typically. Just the proposal and business analysis will take up several days for a company the size of Equifax. The total bill just for a report and associated presentation would be about 65-85k for a minimal, hands-off analysis. That would include pricey upper-level IR/DR/BC plan creation, either with the current setup or an expected implementation. The equipment, software, personnel, and implementation costs can't really be guessed at and all depend on the corporate risk tolerance culture.
Are you willing to pay what a professional costs? Many are not.
Yeah and it's unusual enough that you remember it to this day. Usually the music degree security guru has ear gauges or at least long hair.
This bitch was not some oddball hacker she was a manager who had so little interest in learning that she majored in her high school extracurricular activity. She's just a competent try-hard. Managers look down on tech people so much that CISO is a good spot to put a promising C-level executive and not a good place for a hacker to ride out the end of their career until retirement. You are less than her.
I see people all over the internet defending this bitch because they knew so and so who had a degree in karmic prostate massage and could [code/hack] circles around [someone else]. Yes we all know that guy and this is not that guy.
-jcr
He's one of the good ones; he will defend master for free, which is his duty as a prole.