Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

There is no way we should trust these companies

[Marxist+Hacker+42]

Big Sister Corporation collecting information on you is just as invasive, just as evil, as Big Brother Government.

Re:There is no way we should trust these companies

[K.+S.+Kyosuke]

Wasn't there a merger of the two in the US recently?

Re:There is no way we should trust these companies

[Marxist+Hacker+42]

No, Big Sister Corporation is far more fragmented- and far less competent.

following divorce, husband doesn't know why

that's how dumb he sounds

Super Secure Security

[forkfail]

Not only are they ROT-13-ing the data, they're doing it twice for double strength security!

Re:Super Secure Security

[Picodon]

That’s disappointing, I thought that they had already upgraded to ROT-26.

Re:Super Secure Security

[rtb61]

I thought it was ROT-1 as in were number 1, were number 1. Focus on profits and not doing your job and well don't be surprised when those profits cease to exist but hey, normal corporate executive practice ie maximise short term bonuses, artificially inflate share price, develop a golden parachute, and cut back on service and support, as well as product quality to maximise profit up to and including corporate collapse and then bail with your golden parachute, standard 21st corporate operating procedure, your personal profits first and fuck everyone else.

Re:CEO?

He should punt (pivot) to his liberal arts educated IS boss. Oh wait, she's gone.

Re:CEO?

CEO: Hey guys, I'm going to go get grilled by Congress about our IT standards, anything I should know about?

IT: ...crickets...

CEO: Great, I'll run that by the lawyers.

Lawyers: ...crickets...

CEO: Great, I'm ready to testify before Congress!

Is encryption at rest really that important?

[CajunArson]

Outside of somebody stealing your drives to look at them, encryption at rest isn't that vital since when the system is live the data are going to be effectively unencrypted for use. Considering the hack had nothing to do with physical theft of drives, it's kind of off topic.

It's like how Truecrypt can't protect your live database server from dumping data due to a SQL injection attack even if it protects the contents of the DB from physical hard drive theft.

Re:Is encryption at rest really that important?

[darkain]

This depends on how the exploit happened. Run scp on encrypted at rest MySQL database files from the server to a remote machine to steal the data? And you've got jack shit. The whole point is to prevent different types of attacks.

Re: Is encryption at rest really that important?

Yes it is if you want to be PCI compliant which it looks like they're supposed to be.

And just because the system is live doesn't mean that all the data is unecrypted for use. Decrypt what you need and leave the rest encrypted.

I've seen this many times. Just because you don't understand why a rule is in place doesn't mean it isn't useful and with purpose.

Re:Is encryption at rest really that important?

[gweihir]

Indeed. It basically protects against theft of your disks. For tapes, it is a bit more important. But it has zero value as defense against getting hacked. The question is about as clueless as the answer was.

Re:Is encryption at rest really that important?

[gweihir]

And you are clueless about databases and about data exfiltration _and_ actual IT security. But you have a big, big ego to match those small skills. (Usually, the latter causes the former....) Pathetic.

Re:CEO?

[phik]

He should know this, but I also see your point. It's a real "got you" question. I'm sure the CEO knows exactly what encryption is, and roughly how it works, but may not know exactly what the difference between "encryption" and "encryption at rest" is, and didn't want to say something under oath that turned out to be wrong.

Why testify in front of Congress?

[bradley13]

If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point? I mean, the damage is already done, nothing Congress can do to change that. If a crime has been committed, those responsible should be prosecuted. If civil damages occurred, they should be sued. What's the point of the grandstanding by Congresscritters?

That said, a CEO who knows he is going to get publicly grilled ought to have all of his ducks in a row. There's no excuse for not knowing something as basic as "is your data encrypted".

And on the gripping hand, depending on how something is hacked, "at rest" encryption may just be totally useless. It will protect you if someone gets a raw copy of your database, but if they have access to your application infrastructure, that infrastructure will happily decrypt the data for them, because that's what it does. Meanwhile, you will take a *huge* performance hit on a lot of database operations. Really, I have trouble imagining the small additional security being worth the cost in performance. But maybe I'm not familiar with enterprise-scale operations - anyone who is care to comment?

Re:Why testify in front of Congress?

If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point?

in the future when all the blogs and web articles about all of this have been forgotten about, the congressional record will still hold the facts of what happened to our country

I would remind you that those who forget history are doomed to repeat it, but you're already there.

Re:Why testify in front of Congress?

[DanielRavenNest]

Congress' job is to write laws. Committee hearings are part of the process of determining what new laws, or changes to existing ones, are needed.

Yes, the Equifax breach is in the past, and can't be changed. That's not the point. The point is what future changes can be made to prevent things like this in the future. Note that the hearing's title is "Protecting Consumers in the Era of Major Data Breaches" - plural breaches, with more to come in the future. Equifax is just a really good example of what can go wrong.

Personally, I would rather that personal data was not all stored in big databases, making them attractive targets to be hacked. Split the data up, so that users hold part, and business hold part, and you need both parts to make it readable.

Re:Why testify in front of Congress?

[dave562]

Encryption at rest happens on the storage hardware itself. It is there to protect against someone stealing physical drives out of the storage array and reading data off of them. It does not have any affect on the performance of the applications running on top of the storage array.

What you are thinking about that causes a performance hit is database level encryption. For example, newer versions of MSSQL server (at least 2012+) will allow encryption on individual databases, tables and even specific columns. (I am only familiar with MSSQL. I cannot speak to Oracle or others.) While there is a performance hit, your characterization of it as *huge* is a bit dramatic. (https://sqlperformance.com/2015/08/sql-server-2016/perf-impact-always-encrypted)

Somewhat on topic here, the fact that Equifax's data was not encrypted at rest and in the database is beyond belief. My company works with the largest financial institution in the world. They have been doing regular yearly audits of our infrastructure for nearly a decade. Encryption has been on the audit checklist forever and we have been running it since 2012.

The only thing that sucks about encrypted databases from an operational point of view is backing them up. Most enterprise backup systems use some sort of compression and deduplication. As do SANs. Encrypted data does not de-dupe worth a damn. So it is very expensive from a CapEx perspective. But this is Equifax we are talking about. They have all the money in the world, more or less. A couple tens of million dollars for enterprise grade storage and backup is nothing to them.

Re:Why testify in front of Congress?

[gtall]

While I agree with your statement these hearings are necessary for Congress to know how to write the laws, I also suspect Congress is fully aware of the ad copy attempting to show they are on top of a critical problem. Whether they do anything is debatable. If the current tax bill is any indication, we know how much big business can count on Congress to make them feel better about themselves....and their profits.

Re:Why testify in front of Congress?

So,here's the issue. (well, several issues)

Within any organization over 50 people, there are people who want to check the checkbox, and people who want to implement real security. The former are always greater/more powerful, politically, than the latter.

Then there are these assholes, https://www.informatica.com/ca/products/data-security/data-masking/dynamic-data-masking.html selling bullshit like this: (https://www.informatica.com/content/dam/informatica-com/global/amer/us/collateral/data-sheet/dynamic-data-masking_data-sheet_1779.pdf) to check a checkbox. Your data is encrypted! No, no it is not. Every field, row, column, table, database and file system are un-encrypted. Some SQL query results are obfuscated. That's it.

In short, pressure from all around to do the wrong thing. You know what counts as encrypting data at rest? Encryption on hard drives, between the controller and the disk. Literally? The only encryption in use in that scenario is at the bytes on the disk level. Any other access? Clear text all the way, baby! Yet, it checks the checkbox for encrypted data at rest. Is it practically secure? God no. The only intrusion this covers is if someone comes into your data center and physically STEALS _all_ the drives in your RAID but forgets the controller and server, then takes that somewhere, spools it up, and tries to copy the data off. (sure, that's likely, right? No)

Every other serious compromise, intrusion or breach will copy the database files off the filesystem (while the DB is online or not) and get it all in the clear. (setting aside OWASP Top 10 web based issues) Or even better, just take a backup, of which there are always plenty, and typically world readable, because chmod -R o-rwx ../backups/* is hard. Sorry, I'm digressing.

The performance hit is nothing. CPU, Disk(IOPS), Disk(storage), Memory (capacity and speed) and Network (speed, latency) can be grown without limit, if you're doing it right and following even the slightest best practices for any kind of redundancy model. 48+ cores, hundreds of GB of ECC ram, hundreds of thousands of IOPS, dozens or hundreds of TB of SSD RAID, battery backed everything, cross-grid electrical supplies, and gigabit minimum everywhere is a modern data center. Encrypting every field, row, column, table, database and filesystem? Who cares? It's not even a blip to a modern machine. I doubt you could even measure the impact in human-measurable terms with less than a million rows in a query.

Public, free, open source databases offer complete encryption of everything in the database. https://mariadb.com/kb/en/library/data-at-rest-encryption/ There are no more excuses to offer, for Equifax or anyone else. As part of a PCI pentest, gaining access to and copying out any and all databases that contain PCI PII is an often achieved goal. Trivial to verify if your data is encrypted at rest.

Ideally, end to end transport encryption (HTTPS) protects your data in transit. That's a solved problem.
What you need to test for data-at-rest encryption is: What happens if a) someone gets access to the filesystem while the db is online or offline and if b) someone gets access to the backups? Are you fine or screwed? Fix, test, and verify quarterly.

Finally, this is all very easy, typically, to justify doing in a post-breach company/environment. Prior to that? Almost impossible.

Re:Why testify in front of Congress?

[Wrath0fb0b]

If I may, let me ask a possibly silly question: Why do these companies always have to be interviewed by some Congressional committee? What's the point? I mean, the damage is already done, nothing Congress can do to change that. If a crime has been committed, those responsible should be prosecuted. If civil damages occurred, they should be sued. What's the point of the grandstanding by Congresscritters?

I'll agree to to the charge of grandstanding, but Congress absolutely should interview lots of relevant people before writing new law. Maybe in the case of ignorant-seeming CEOs they should discount that testimony as self-serving or willfully-obtuse. But there's nothing wrong with listening and considering what he's willing to say about it.

And on the gripping hand, depending on how something is hacked, "at rest" encryption may just be totally useless. It will protect you if someone gets a raw copy of your database, but if they have access to your application infrastructure, that infrastructure will happily decrypt the data for them, because that's what it does. Meanwhile, you will take a *huge* performance hit on a lot of database operations. Really, I have trouble imagining the small additional security being worth the cost in performance. But maybe I'm not familiar with enterprise-scale operations - anyone who is care to comment?

It's not a silver bullet, but encryption at rest helps in a number of ways. It forces the attacker to continue to work from within your infrastructure, which at least opens the possibility you might detect what's going on. It allows you to partition credentials so that applications have least privilege and can only decrypt data for which they have a business need to access. It's an excellent place to design in reporting so that red flags are raised when all of a sudden every row in the DB is requested when normally they don't operate at such volume. Rate-limiting can suspend a service if it blows through its decryption quota, which is a very good way to get attention that something is amiss.

In short, encryption at rest enables (but doesn't magically provide in and of itself) the ability to have a single source of policy that is enforced cryptographically --- you must satisfy the policy in order to see sensitive data. It should be viewed as a building block to that end.

Of course if you are just interested in buzzwords and box-ticking, you can encrypt everything and then just have a dumb decryption service that lets any application decrypt as much data from any domain and with no logging and no limits. Then you're right -- it's no better than having it in plain.

Re:Why testify in front of Congress?

[lhowaf]

Congress, in fact, already acted after the Equifax breach. They killed a recent, not-yet-enacted rule that would have allowed consumers to file class-action suits against financial institutions. There. Mission Accomplished. Now Equifax can show mock contrition at these hearings while consumers are left holding the tab.

Re:Why testify in front of Congress?

[Picodon]

Maybe in the case of ignorant-seeming CEOs they should discount that testimony as self-serving or willfully-obtuse.

It could even be beneficial if they take the “willfully obtuse” or “incompetent and uncaring to the bone” aspect of the testimony into account when they draw up legislation. Members of the committee could be led to observe, for example, that even in the face of the most abject and repeated failure, corporate managers keep demonstrating an extreme lack of concern about the need to protect consumers data and interests (illustrated either by their lack of tangible knowledge of any corrective actions, or by their weaseling out of pointed questions); and to conclude that it plainly demonstrates the need for strict regulatory oversight.

Re: Why testify in front of Congress?

[lhowaf]

You may be right but the LA Times reported:

Bureau Director Richard Cordray called the Senate vote “a giant setback for every consumer in this country” and urged Trump to veto the repeal legislation.

“It robs consumers of their most effective legal tool against corporate wrongdoing,” Cordray said. “As a result, companies like Wells Fargo and Equifax remain free to break the law without fear of legal blowback from their customers.”

Cordray is the head of the Consumer Financial Protection Bureau - the bureau that issued the rule.

Software is eating the world.

[w3woody]

And it's poorly written, poorly managed, poorly understood and completely under-appreciated by the C-suite until something goes pear-shaped.

Re:Software is eating the world.

[freeze128]

I don't think you can blame clueless CEOs on software.

Re:Software is eating the world.

[gtall]

And when it does go pear-shaped the C-suite still doesn't know how to prevent the software from being poorly written, poorly managed, poorly understood, and completely under-appreciated. It would cost money to fix, it would also cost re-organization. However, if they knew how to reorganize to fix the problems, they'd have already done it. Instead, they are like the deer that gets whacked by a car, hops up, and then claims it was experimental error and goes ahead to stare into the next set of headlights.

Equifax Doesnt Know If Data Is Encrypt Dont Matter

[ZippyTheChicken]

if you have access to the server you have all the tools and information to decrypt the data so it doesn't matter if the data is encrypted or not.. they could export it decrypted from the server in plain text.. or they could copy it and decrypt it on their end once they have it.

Re:CEO?

[w3woody]

No, but the CEO, along with the CTO, are responsible for creating the policies which drive the procedures for the company. So while he may not be expected to know the specific implementation, he should know the policies and goals for corporate security. Bouncing those policies to some "VP of Security" only means those policies will not be taken seriously.

Small wonder

[nospam007]

Must be another Music Major, perhaps he and the CIO studied opera together.

Re:Small wonder

[i286NiNJA]

Hey they were Phi Beta Kappa. That means they're better than me and you put together bub!

Barros is basically correct.

[CaptnCrud]

I hate equifax with a passion, but their CEO is probably correct in that most of their info comes from from third party end points (like your bank, or the utilities) directly, they might be encrypting data as it passes through them, but they are only as secure as their third party endpoints and adopted software (in this case, they say it was a bug in Apache Struts that allowed someone access).

This whole thing is one rotten contract with no oversight, just a bunch of people cashing in on private data. Multiple layers! Hah! Multiple layers of greed, shady data mining, and companies selling their customer up the river is more like it.

Re:Barros is basically correct.

[gtall]

And even knowing their data is third hand, they still suck at verifying it. They still thought I lived in my old residence that I moved from 10 years ago. I didn't correct them because I don't believe in feeding the trolls.

Re:Barros is basically correct.

[Luthair]

t they are only as secure as their third party endpoints and adopted software (in this case, they say it was a bug in Apache Struts that allowed someone access).

The struts bug was known, and they weren't monitoring their network for unusual traffic. Lumping in libraries you use in your software with what third parties do is ridiculous.

Re:Barros is basically correct.

[CaptnCrud]

Yes it is, welcome to the real world.

customer data? <chuckle>

[Trailer+Trash]

Uh, no, we're not their "customers". Used to be "product", now we're simply known as the "victims".

Re:CEO?

[i286NiNJA]

This is why he gets paid the big bucks! Not just anyone is capable of staying this conveniently negligent and uninformed.

Re:Easy to tell

[i286NiNJA]

He doesn't have time for small details like that when they keep giving him so much money to spend. It takes literally all his time burning though that hot paycheck.

Re:CEO?

[_Sharp'r_]

Because encryption at rest of any taxpayer identification data is a federal government requirement as part of a normal contracting process. So either Equifax does something different between their government-facing systems and their public ones (possible), or they are also in noncompliance of the contractual requirement.

In a large, security conscious organization, even one much, much larger than Equifax (like where I work, which probably has a few hundred or more Equifax sized financial operations), any security vulnerability like not encrypting restricted data at rest would be specifically risk accepted by the business and technical owners of the system, and then would be included in a report to the CEO and the Board highlighting the issue and requiring them to specifically sign off on it before it was allowed.

So yeah, it doesn't shock me that the CEO of Equifax (which doesn't appear to have much in the way of data security processes) doesn't know, but in a responsible organization, the CEO and the Board would not only know about something like that, they'd have explicitly signed off on taking the risk, because there isn't anyone else besides the shareholders who are going to be holding the bag when the risk turns into a reality. Wouldn't you want to know, if you were in that position of responsibility?

In other words

[duke_cheetah2003]

it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security

Translation: Someone told me we have security but I know nothing about how it works or what it actual is.

Re:In other words

[gtall]

Better translation: Yes senator I understand what you are saying, but if I say that then I will look like I purposely screwed the pooch...on the other hand, if I look clueless, then I've not said anything wrong that I, and more importantly, my paycheck and golden parachute, can be held in jeopardy over.

Re:CEO?

[Opportunist]

I wouldn't expect him to know it right after the breach. If this had been the first question asked right after he learned about the breach, I'd be with you.

But we're literally MONTHS after the public learned about it. Which is usually at least DAYS after he learned about it. His CI(S)O didn't immediately and without being asked hand him that information? Fire that CI(S)O. Out of a cannon.

He didn't ask for that information? How the FUCK did he become the head honcho of a company dealing with insanely sensitive personal data? Why is that guy still not in prison?

Re:Equifax Doesnt Know If Data Is Encrypt Dont Mat

[_Sharp'r_]

That's why you don't leave your keys in the lock.

It's also why you don't put the decryption keys in the same place as the data and you enforce what process/id has access to the encrypted data.

'Encryption of data at rest'? Define 'at rest'?

The breach took 'live data', e.g. that data actively used by the system, given the access the hackers had 'encrypting data actively used' would have 0 affect on security.

Now, if the hackers stole data from backups (actually OFFLINE/at rest), on laptops that were off etc THAN 'encryption of data at rest' would matter.

Data 'actively used by the system' is NOT 'at rest' & if you have administrative access to the system while running encrypting it will only slow the hacker down not stop them in any way.

Re:CEO?

[Opportunist]

Well, bouncing the exact details to some VP of security (the CISO) is pretty much what will happen, out of necessity. But, and this is crucial, he must make sure that everyone knows that anything security related that comes out of the CISO is like it came from him himself and has to be implemented with an implied "or else".

Anything less means the next thing a sensible CISO does is hand in his resignation. The CEOs job is to define the strategic goal and the target what security should achieve. He needn't understand the details, that's what the CISO is there for, but he must back up the CISO. Else the CISO is just the scapegoat, to be fired when (not if) the shit hits the fan.

And I have this suspicion that this is exactly what went down in this case.

Re:CEO?

[gtall]

He's not in prison because he's done nothing against the law. The law here is a problem, idiot CEOs are another problem. And if I was CEO of a company that just got rifled of all the valuable bits, I'd be damn sure I was on top of the solutions and would be able to answer whether the data is currently being encrypted. However, I suspect he does indeed know that it isn't, but he's almost but not quite stupid enough to answer truthfully, so he claims he doesn't know.

I worked for a credit bureau - encrypting at rest

[FeelGood314]

What the hell does " encrypting at rest" prevent in this context? The data is constantly being queried in a thousand different ways. So sure you could encrypt it and if someone gained access to the raw data then it would be useless but since every process is decrypting it anyway and that's the vector the attacker will come in on it doesn't do you any good.

Some controls could be put in place like storing address and personal identifiable information encrypted and only giving the decryption keys to processes that add data to the database and not ones that pull data but that's work, complexity and well it's the credit bureau's business to sell the data and there isn't a single piece of data they won't try and monetize.

Aside - I used to carry the entire backup of the data, unencrypted to the offsite storage.

Re:He doesn't have time for that shit.

[Opportunist]

Throw that asshole into a jail cell and you'll see how he suddenly has plenty of time.

And don't tell me there isn't PLENTY of reason for doing so.

I envy the senator

[OneHundredAndTen]

It is a dream of mine to be able to ask hard questions to these industry clowns and force them, on the spot, to provide clear, unambiguous answers.

What kind of garage shop is this?

[Opportunist]

For real. This gets worse and worse every time you get to hear about it. How can he NOT know this MONTHS after the breach? I could see that this isn't something he needs to know for everyday business, his background is probably in finance, legal or business administration, that's where most CEOs come from and that's also what they deal with in day-to-day business.

This isn't fucking day-to-day business!

How it is possible that MONTHS after the breach he obviously still doesn't know at least the crucial, important bits about the breach is beyond me! I know that I'm the odd idiot who does actually prepare for such situations, I created whole binders for PR to keep the press occupied until we're ready for a public statement so they can send them on a wild goose chase without us looking like we're stalling should something like this ever happen to us, with similar folders for the relevant C-Levels that could possibly be asked for statements, along with pretty much me only having to tell you which folder to pull out of their desk and learn (or at least read at the inevitable PK), I know that few go to those lengths but it is valuable. When the shit hits the fan, you do not have time for this bullshit.

But, FUCK, even after ... what has it been now? 2 MONTHS? Two fucking months nobody bothered to brief the CEO so he doesn't look like a total and utterly worthless piece of junk with the only quality of being far too high maintenance to be kept alive because he might waste valuable O2 that someone could put to better use? For real?

I mean, ok, his CISO was what? An opera singer or someone equally qualified? Ok, one could argue that it's his own fault if he has no clue how to pick and choose his C-Levels, but FUCK, how the heck is that guy still outside of a prison cell? How is it even possible that directorate and board didn't rip him a new one up so far that even a turtleneck couldn't cover it anymore?

What the hell is going on here?

Re:What kind of garage shop is this?

[FeelGood314]

Is it in his best interest to know these answers? Most CEOs are pretty smart and hard working. He should have been able to learn this stuff, had notes or a binder in front of him with answers prepared by someone like you. He didn't. I suspect the lawyers decided it was better not to answer in case the answers came back to bite him or Equifax.

Re:What kind of garage shop is this?

[Opportunist]

Smart I agree. Hard working, not so much.

I honestly believe he put the cheapest idiot he could find into the CISO seat so he has someone to blame and fire. Some scapegoat, hoping that this would suffice.

I on the other hand hope it won't.

Re:He doesn't have time for that shit.

[i286NiNJA]

I don't think you read my post.

Re:CEO?

[rogoshen1]

it's such a fundamental fucking question considering who he is, and why he was being summoned.

Re:CEO?

[rogoshen1]

Thank god he runs a corporation who makes it their job to collect, store, and act on highly sensitive personal information about hundreds of millions of people. I'm glad he's got his plausible deniability down pat.

Actually, the answer is irrelevant

[gweihir]

If this is data that was online ("at rest" is also irrelevant here, it just means "stored in some way"), then it does really not matter whether the storage device contains it in encrypted form. If it is online, you can just access it in plain via standard OS interfaces. Storage encryption protects data that is offline, not data that is "at rest". Hence, storage encryption does fine for removed disks, tapes, etc. It can also work for disks that are online but not mapped in the decryption layer, but that is a rare situation.

Ask an irrelevant question - get an irrelevant answer.

Now, I have no intention to defend Equifax in any way, but at least accuse them of something where they actually did it wrong.

Re:I worked for a credit bureau - encrypting at re

[gweihir]

It does not matter at all for the type of attack we are talking about here. Storage encryption helps if somebody steals the physical disks out of the server, but it does not help at all for file-systems that are online where the OS will nicely decrypt everything you ask for before giving it to you. It also helps if, say, backup tapes get stolen or laptops that are off (not hibernated or suspended) get stolen. The question just reveals that the person asking it is clueless.

Re:CEO?

[gweihir]

Indeed. And in addition, it does not even matter for the attack that happened one bit. The question is clueless, the answer is not so much. Equifax did a lot of things wrong. but this is not one of them. Now, if their disks had been stolen, this question would be relevant, but it was an online-attack, and storage encryption does provide zero protection for data that is online during such an attack.

Re:CEO?

[hawguy]

Why the heck would anyone expect a CEO to know the details of the software implementation? It's not his job to know, nor would I expect him to know, and whatever understanding he might have is probably not to be trusted.

      Other people in the company should know, but this, come on?

My company's CEO has a very good understanding of our security that goes deeper than just knowing if it's encrypted or not. For example, he knows exactly how customer keys are protected by an HSM (and how the HSM is mirrored across multiple regions). He's given more than one public talk on our security.

Just like Equifax, we're an information company, so a better question is why the heck doesn't a CEO know how they protect the company's most valuable asset?

Re:CEO?

[ranton]

A CEO of a financial services firm should know what encryption at rest is as well as he knows what a balance sheet is. I work in the financial services and I've had many meetings where we discussed what personal identifiers and other data that needs to be encrypted at rest. It is often the first thing they ask about when we are moving an existing system to a cloud based vendor. At two companies where I was either heavily involved or in charge of moving data to a new system, I have only had a handful of incompetent managers ask me what encryption at rest meant.

Every competent member of management at a company which values their customers should know basic security concepts like encryption at rest.

Silly idea

[nehumanuscrede]

We should probably treat the executive levels in any given company as we treat high level officers in the various branches of the Military.

Something goes wrong, at the bare minimum, the Officer in Charge takes full responsibility and is removed. Read that: CEO.

No instant-retirement allowed to dodge the repercussions.
Golden Parachute revoked.
No profiting of any kind from screwing everyone else over.

YOUR GD FAULT. Directly or indirectly it doesn't matter.
You were in charge when it happened, you suffer the consequences for it.

It might actually force the company to do things the right way if their own ass is on the line.

eh

[buddyglass]

Doesn't so much matter if it's encrypted at rest if you expose it publicly via an insecure website or API, right?

Re:eh

[buddyglass]

Expose it in plain text, that is.

Re:eh

[MoarSauce123]

Yes...but there are plenty of other means to access that data than through an API. And in those cases it matters a whole lot if data is encrypted or not. Adding encryption to any reputable data store is not difficult. In most cases it is a simple configuration setting that can be queried for as well. In most cases the apps consuming the data do not have to change at all as long as they use the proper credentials. Any company that collects personal data and does not encrypt any of it needs to be closed and all data deleted immediately. The entire organization failed big time and swapping out one inept CEO for another inept one is not helping. Although, by now it doesn't matter much, half of the US population is screwed for life. At least give us the satisfaction to see these reckless aholes pay up with their personal wealth and go to jail for a really long time....and please pick the worst craphole there is. They do not deserve better.

Re:eh

[buddyglass]

I'm going through this at work, where we've deployed a product by Vormetric to provide at-rest encryption for a large production PostgreSQL database. IMO it's very security-as-theater. Essentially we're spending all this money and effort so we can say "yes" when larger customers (and auditors) ask if we encrypt at rest. All this does is prevent non-authorized system users from accessing the Postgres data files on the server where it lives. File permissions largely accomplish that already, since the files aren't world-readable and are owned by the postgres user. So an attacker with shell access to the database server would still need to promote himself to root. If he can do that, then Vormetric doesn't help, since at that point he can just become postgres and access the files.

Moreover, the individual pushing Vormetric hasn't made much effort to secure the credentials used by our application (and developers) to access Postgres. For instance, the application accesses it using a role that has super-admin rights (i.e. "drop database"). The few engineers that have access to the production database also use this same role, so they also have super-admin rights. The password for this role is deployed various places in configuration files though, thankfully, not in source control. But suffice it to say it's more widely distributed than it ought to be. And if you have that password it doesn't matter whether the data is encrypted at rest because you can connect to Postgres and just dump a copy of the database that way.

Re:Equifax's encryption key...

[CaptnCrud]

Thats amazing! its the same combination on my luggage!

Re: CEO?

[bestweasel]

Gee, a Congressional Committee's given me an invite. I wonder what they want to talk to me about? I don't suppose it'll be that massive data breach we had a couple of months ago.

Re:I worked for a credit bureau - encrypting at re

[MrLogic17]

What the hell does " encrypting at rest" prevent in this context? ...
  Aside - I used to carry the entire backup of the data, unencrypted to the offsite storage.

You answered your own question. Say you dropped, lost, or were robbed of those backups. Or say that someone at the off-site location did the same. Vola! 100% data leakage, quick & easy! Unencryped backups with personal info are just plain reckless- and sometimes illegal.

This is why you encrypt at rest.

Re:CEO?

[_Sharp'r_]

So you apparently have experience in organizations like Equifax, rather than ones with good security and risk management practices.

Some places actually take this stuff seriously and have people whose job it is to ensure the company isn't taking risks which the CEO and the Board aren't fully aware of. That tends to concentrate the minds of those individual contributors and their immediate managers you mention.

Re:CEO?

[kalieaire]

Then you go to local, state, tribal, and federal gov't organizations and talk to them about fancy things like at rest encryption, unencrypted mpls with transport encryption, deidentifying pii/phi.

Hell, people still think deidentifying information means to remove the names.

The issue here is that there are fewer competent members of management than there are angry customers, and that's going to be the case for decades to come.

Security training doesn't stick for this generation because many simply don't care or can't wrap their heads around the concepts.  Security is about the fact that vulnerabilities and risks exist and that the only choices are to:

1) take ownership and accepting risks, and then mitigating risks where they can
or
2) ignoring risk completely and get a friction burn from it

Cease and desist

[MoarSauce123]

Send Equifucks a cease and desist order for all their operations. They grossly abused the trust put into them and still have no leadership who takes these matters seriously. All that Equifucks deals with is data, the CEO not knowing if it is encrypted and the previous CEO not demanding encryption when his subordinates flubbed on it is prime evidence that they have absolutely not a single clue what they are doing as long as the cash rolls in regularly.
Congress must act and pass a law that any and all collection of personal information can only occur after explicit written consent and only for a very specific purpose. All data has to be encrypted in rest and in transfer. All practices have to be reviewed at least annually by an independent third party. Any data that is no longer needed for the purpose the consent was given has to be deleted. That also applies to all branches and organizations of governments. Exceptions can be granted to law enforcement after a decision by an elected judge (means no anonymous rubberstampers in back rooms). Or does the US really have to join the EU to get some decent privacy regulation in place?

Re:CEO?

[Opportunist]

This is basically what's wrong with the law. He didn't break the law, I'd go to jail for eliminating this problem and he's not worth a second of jail time.