Squabble With Contractor Delayed Equifax's Response To Data Breach (bloomberg.com)
An anonymous reader quotes Bloomberg's report on the contractor Equifax first hired to investigate their breach:
Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network... Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company...
That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer... By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems.
"They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group -- known as an entry crew -- handed off to a more sophisticated team of hackers," reports Bloomberg, suggesting that the attack may have been sponsored by a nation-state.
There is no excuse, especially given how Equifax has also mishandled just about everything after the breach was made public. Make it a $1,000 fine per person per day for not notifying them within seven days of discovering the breach. The only exception is if law enforcement requests that the breach not be disclosed to protect the integrity of an investigation.
Squabble With Equifax Delayed Equifax's Response To Data Breach
The way the headline reads as published makes it sound as if the contractor is to blame -- which is obviously horseshit.
Beware of the Leopard.
Mandiant - that name rings a bell. I can't be arsed to google it, but IIRC this isn't their first clusterfuck.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Regardless of whatever they may have believed, they were warned and ignored the warnings. Sure seems like gross negligence or possibly even criminal negligence. If the system weren't corrupted, I would expect indictments. It's too bad our government doesn't function properly.
Anons need not reply. Questions end with a question mark.
Actually I have no idea what Equifax uses, but it seems every time I read of these breaches they are because of a lack of communication between various internal groups. Working for a company that is often hit with DDOS or other intrusion attempts by nation-states, I know that the overriding thing to keep them out is open, candid communication between staff, management, and vendors.
Also, you probably shouldn't put Access databases outside the DMZ.
The Kai's Semi-Updated Website Thingy
Whoa whoa whoa, so a foreign power now has access to the credit records of the entire country? We need to stop dicking around and bring in the NSA.
This is in their mandate.
Sounds like Equifax didn't like what it heard, so it disregarded its consultant's advice.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Who the hell gave these freaks the right to have the personal info on millions of Americans???
Did YOU say that they could have YOUR personal info?
Did your parents? Did your kids? Did your neighbors or co-workers?
Who gave them the gun and let them load it and then get drunk and start shooting?
"The investigation in March was described internally as "a top-secret project" and one that Smith was overseeing personally, according to one person with direct knowledge of the matter."
WTF? The CEO was trying to cover up the breach. Instead of being a real leader and shutting down Equifax until it was fixed, he let hackers just slowly take the data over 6 months.
The government regulations that stifle the industry and make it hard to do business is the real cause here. As usual, all government is bad government. We need to deregulate the industry so that the free market can fix this problem once and for all. Guaranteed.
Some of the best engineers I've worked with have had music degrees.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
There are two issues here. The CEO didn't insist on security, so either he's naive or misinformed. Either is bad.
The CTO didn't insist or wasn't given budget for appropriate security measures. Either is bad.
The CEO wasn't managing the CTO in regards to requirements, and the CTO wasn't managing up the requirements.
When you look at BoA, where security is king, they'd rather have a production outage, break something and then scream at the vendor to fix it, than lose customer data. A customer-facing production outage costs them a lot less than the loss of customer data, where they're concerned the whole company could go to the wall.
This is a management fuck-up of the highest order. This was business risk 101 and they failed to identify it, quantify it and mitigate it.
Mandiant may not have sent their A team, but from the sounds of things their C team would have been enough to start to deal with their issues. Unpatched systems, c'mon, are we still in high school?
Curiosity was framed; ignorance killed the cat. -- Author unknown
Security is only an expense for them. Losing data they have on people doesn't affect their business. Hell, the data only needs to be accurate 90% of the time for them to make a profit. Don't be surprised by this. Equifax is acting completely rationally. If you really cared, maybe we should have an organization that is run by the public to do things that can't be done efficiently by private companies because their motivations don't align with how they are paid. I suggest we give this organization a cool name like "government".
Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company.
So I guess they weren't as well-qualified as the music major you hired as your chief security officer?
SJW: Someone who has run out of real oppression, and has to fake it.
... or possibly not how unbelievably common this is. And most of the time, in my experience, the management is not even aware of the issues. The last security assessment I did was shot down as "impractical and impossible to execute on" by the IT managers or directors, simply because it started with "take XXX days to level all systems to a known updated state" along with the report from a vulnerability scanner. These IT managers/directors were actually the ones saying "if I go to my management with this proposal, I will lose my job", not the top management itself, happily thinking that everything was hunky-dory. My experience is that many CTOs do not like telling their CEO "we need to talk" or "we need to fix up things, and that involves changing the way people think too."
What's your fucking problem?
Still no reason to let Equifax continue to exist.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Ever heard the old joke about the three guys on a safari that piss off a lion?
First guy says "We're all dead". Second guy says "I only need to outrun one of you". Third guy takes his walking stick and cracks the second guy in the knee.
In Equifax's case, the CEO, CIO and CSO left the company and took their parachutes to the bank. Not their problem anymore.
Don't feed the trolls
Incident response, vulnerability scanning, and pen-testing are all different things.
Vuln scans as you describe are a useful service if your organization does not have the resources to perform them and consume the resulting data. Equifax-sized organizations should have an internal security team that is able to do that. If they hired Mandiant to do it, that indicates a defective security organization right there. A vulnerability scan is a bottom-drawer service that is generally sold to small shops and shops that are aware they have a seriously immature security posture.
It's not possible to make much in the way of recommendations based on a vulnerability scan. A systemic pentest will usually reveal things like "hey, your admins are doing web surfing and e-mail reading with accounts that map to uid 0!" It will let you make some intelligent recommendations to isolate compromises, limit lateral movement, and prevent large data leaks; maybe without investing half a billion dollars.
With a vulnerability scan all you get is "hey, all this software is unpatched with published CVEs and POCs." Other than prioritizing mitigation there is little you can say as a security professional other than patch it or update it. You don't have the information needed to diagnose or offer intelligent advice on other issues.
So what happened here? Did Mandiant show up and do a VS when Equifax hired them to do incident response? Did Mandiant's sales team sell them the wrong service? Did Equifax cheap out and buy the bottom-drawer offering, despite it not meeting their needs, against advice? Who knows!
The reality of the InfoSec consulting industry is that it's extremely immature. The sales folks don't understand what they are selling, the customers don't know what they need, and the practitioners skew very young; they tend to have the technical know-how but not the communications experience. They also lack the industry experience to know how to get from point A to point B organizationally. They know what a well-run textbook program looks like, but they don't know how to manage people and which changes to try and make first.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Security done correctly is expensive and management hates that. They also hate things they do not understand, so when somebody tells them they need to spend money on something expensive that they don't understand, they resist. They hire people that understand security to take care of it, but they rarely give them the real resources and backing they need to do things properly.
Compliance standards help some but the trend I've been seeing is that compliance is merely a checkbox for management and their defined maximum. Whereas, security professionals often see compliance as a minimum.
Security is a hot topic right now and the industry is doing well. Management thinks they are being taken advantage of and to some extent they are but only because security has been largely ignored.
Keep the Classic Slashdot.
Hubris, ego, and ass covering are responsible for the delay. The head shed was concerned about its own collective asses and jobs.
So what happened here? Did Mandiant show up and do a VS when Equifax hired them to do incident response? Did Mandiant's sales team sell them the wrong service? Did Equifax cheap out and buy the bottom-drawer offering, despite it not meeting their needs, against advice? Who knows!
Well, exactly. This is why I'm reluctant to make too many assumptions here.
It's very possible that Mandiant were completely shit.
It's equally possible that Mandiant were pragmatic, insightful, informed and informative, and Equifax were incapable of understanding this.
They know what a well run textbook program looks like but they don't know how to manage people and which changes to try and make first.
Worse, there are no right answers. The business benefit of not having a data breach is extremely hard to give a line-item on the balance sheet but the prevention costs are very apparent in the P&L. So how and where to prioritise the resources available is a properly difficult business decision for which you'll get no thanks from anybody.
When you're under the gun to meet the numbers, it's amazing how many "problems" you can find in a customer's system. Selling unnecessary "solutions" is a great way to boost commissions.
It's buyer beware in this industry.
Not only did they know about the breach long before they told anybody, they knew about the likelihood of a breach at a time when they might have drastically curtailed the damage of the one that was already in progress. All while they were arguing the equivalent of how many angels can dance on the head of a pin. Such is corporate hubris.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
The business benefit of not having a data breach is extremely hard to give a line-item on the balance sheet but the prevention costs are very apparent in the P&L.
I could not agree with that more. How much should you spend on security-specific efforts? Well, many would argue: X = risk probability * cost of a breach
I think it's actually the case that an organization like Equifax probably has not invested too much in security. All the costs they have really incurred have mostly to do with dumb mistakes after the breach. Had they literally said and done nothing at all... What if, when asked about it, all they did was say "yup, looks like it, we are trying to make sure it does not happen again, no further comment"? Suppose they did not offer credit monitoring or freezes. Suppose they did not set up that stupid site to see if your info was leaked that did not even work? Suppose the CxOs had not been dumb and triggered a likely SEC investigation with their stock sales. What would have happened?
I would suggest most civil suits against them would fail; nobody can show direct harm. Even if someone had their identity stolen right after the breach, it's pretty easy to show the information needed to do that could have easily come from elsewhere. Consumers have essentially no recourse against them. Customers (lenders) have little real reason to care. What laws would they have broken for the government to go after them on? None that I am aware of. If any regulation results from this, it will hit their competitors equally.
I am not sure this breach had to cost them much of anything. I really think almost all the price tag associated with this is missteps in the response.
I'd suggest waiting until their next financial announcement and admiring the trend in quarterly revenues.
The real price isn't the reparation costs, it's the reputational one. Equifax rely on other people's data and if that dries up because they're not trusted with it, the competition are eager to step in.
Let's see if I understand this. Equifax hires a company to check its security stuff.
Company: "ya, you've got problems."
Equifax: "fix'em."
Company: "lets talk price."
Equifax: "you're not as good as we thought."
Company: "not for free? Yup."
Nobody knows anything; ya, got it. A company like Equifax doesn't do security checking by an outside source without a reason. Equifax's existence is based on good security, but now they need help? I question why there are 3 known upper management types that shorted their stocks when all this squabbling was going on. Too many unknowns by folks whose job it is to know.
I'm buying futures in microwave popcorn, this looks good.
Repeal the 17th Amendment TODAY! That's funny.
3 known execs didn't, that says something.
As far as they went. They found the vulns. It's not clear if they had anyone on the team experienced enough to see the symptoms (live systems unpatched for months), then diagnose the cultural problem and pass that information, loudly and clearly, to the level it needed to get to in Equifax (the Board via the CEO, on the record).
Based on my experience with corporate 'contractors' (been one), they put their results through channels. Which is just as good as burning them as far as results go, covers ass though.
As this matures, we'll eventually get to the point where there's something like a structural engineer ticket for network security. Won't be for decades. The 'responsible professional person' model can work.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I've heard a lot about "block chaining." Could the Equifax event usher in a new business model for credit reporting?
I could not agree with that more. How much should you spend on security-specific efforts? Well, many would argue: X = risk probability * cost of a breach
In most cases, the company never pays the full cost of a breach because their customers are the victims, not them. The only way to ensure that this calculus is done correctly is to ensure that the company bears at least the true cost of the breach. The most effective way to do this is through fines that meet or exceed the actual cost of the failure. The problem with regulations in the United States is not that they exist, but that they are not properly sized for the actual behavior they are there to prevent. Fines resulting from regulation must potentially be large enough to bankrupt a company if the violation is egregious enough. If they are not, then by definition they are not performing their intended function in society.
I wish I had a good sig, but all the good ones are copyrighted
I've got a Fine Art degree and 15+ years working as a developer. The worst code I've ever seen was from a CSci grad with the job title "systems architect" (my guess is he got that title to get around normal pay range issues with being an "engineer"). Just the crappiest garbage I've ever seen. Normally the worst I see from CSci types is a tendency to over-engineer, which counterpoints the tendency of others to use copy/paste or bizarre workarounds to issues they don't understand because they lack the CSci chops. And unless I'm missing something, organizational management isn't taught at all during a regular Csci program, so the assumption that CSci degree holders should manage technical groups seems rather flawed to me.
I do not have a signature
It's totally off-topic, but it does have some merit. The 17th Amendment is one of the steps that limited the power of the states and increased the centralized power of the Federal Government. It's plausible that it was a mistake, though it was intended to address real existing problems. And the problems that it caused are one of the things making me hesitant to support efforts to remove the electoral college. I can see the clear problems that it causes, but what I can't see is the problems it prevents.
I think we've pushed this "anyone can grow up to be president" thing too far.
It's not *just* that they aren't adequately staffed and funded, though that is also true. Regulatory capture is an even worse problem. No regulator should be allowed to accept any remuneration from those they regulate, not even after they retire from the body. And I mean not allowed to accept *ANY* remuneration. No jobs. No dinners. No speaking fees. No consultant arrangements. No discounted apartments. No payments for stock owned. NOTHING. And not just while regulating, but also afterwards. (If they own stocks or bonds then they better sell it before they take the job as regulator, because afterwards they are allowed neither to collect dividends nor to sell it.)
Being a regulator should entail a final and permanent severance of all connections with those regulated. If the regulatee is the spouse of the regulated, this should not only require a divorce, it should require that they never henceforth exchange any communications. Not even through intermediates...such as children. So in that case don't take the job.
That isn't even what they said. What they said was "When the hack turned out to be unexpectedly valuable, they turned it over to a more skilled group", and that *this* indicated it was a nation-state.
To me that sounds like they found something valuable and sold it to someone else...who might have been a nation-state. Why not, they have deeper pockets than most.
Amusingly, I ran into almost this exact scenario last month. A former co-worker went to her doctor; her doctor's practice had just been slammed by TWO ransomware hits. Their server was totally screwed. She gave them my name, and I contacted them the next day. They never asked my price; I only charged them $30 an hour for 15 hours over two days, and didn't even charge them for the time it took to put together a four-page report describing what happened to them and the additional steps they needed to take.
They decided they didn't need my further services the next week or since.
When I lived in the Big City, my consulting rate was $50-125, and that was over a decade ago. But here, wages are horribly suppressed, and then people wonder why there's no good talent in the area. I'll discount my services depending on what I'm doing and how charitable I'm feeling, but no, I do not work for free.
They were running Windows Server 2008 R2 and unpatched SQL Server 2008 R2 with a CenturyLink-provided DSL router without an external firewall appliance, so it was pretty much child's play for the malware to root the server. Among the things that I was going to do the next week was inspect the 18 PCs (running Win 7 Home to Win 10 Pro -- but no domain model: it was all one big workgroup) with a bootable CD, but apparently they're happy with what they'll have. It would've been interesting to see what was lurking there. I wonder who is going to configure their brand-new Cisco firewall: I offered to help them find someone qualified to do it as it's outside of my area of expertise, haven't heard word one.
When you sympathize with stupidity, you start thinking like an idiot.
One of them has composition and conducting degrees from Juilliard, and a BA in computer science from Rutgers. One of my early mentors was an organist, with a music degree from some very small college whose name I don't recall, and he learned what he knew about writing code entirely on the job.
The worst code I've ever seen came from some clown I never met, no idea what his schooling was. There was some really strange shit in his code, like declaring a global array of a hundred ints called "constants", filling it with the values from 0 to 99, and then using "constants[whatever]" anytime he needed a constant value in the code.
I asked my customer what happened to the guy (he was long gone by the time I got there), and found out that he'd been shitcanned for getting drunk at the office Christmas party and punching a girl out.
As a lay person I would like to ask the technical readers here: why don't companies with sensitive data encrypt the data in the databases and only decrypt it for processing? Wouldn't that make these thefts of data pointless?