
posted by cmn32480 on Monday October 09 2017, @09:22AM   Printer-friendly
from the shit-rolls-downhill dept.

Submitted via IRC for Fnord666_

In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.

Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.

Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.

However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.

"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

Source: https://techcrunch.com/2017/10/03/former-equifax-ceo-says-breach-boiled-down-to-one-person-not-doing-their-job/


  • (Score: 3, Insightful) by SomeGuy (5632) on Monday October 09 2017, @02:10PM (#579269) (1 child)

    I haven't delved into the exact details of the breach, but what it all sounds like makes me think of a bank with no security.

    Imagine if the lock on the back door of your bank broke, no one noticed, and anyone could just waltz in and take all of the money!

    In reality, if the lock on a bank's back door broke, someone would probably be specifically assigned to check and notice such things in the first place. Even if that did go unnoticed or unfixed for a while, there would be other locked doors, one after another right up to a big honking metal bank vault door. And someone would have checked and locked all of those and may even still be sitting there waiting. If someone did walk in that back door even if they couldn't get any further, there would still be security cameras catching them in the act and security alarms. Any desks or cabinets right inside that door would be locked and otherwise secured, so at best an intruder might be able to make off with the stapler before an entire parade of police chase him down and unload a military sized can of whoop-ass on his butt.

    If none of that was in place at your bank and all the money vanished then whose fault is it? The janitor's fault for not getting that lock fixed in a timely manner?

    BULL FUCKING SHIT, NO!

  • (Score: 4, Insightful) by Thexalon (636) on Monday October 09 2017, @06:49PM (#579355)

    In reality, if the lock on a bank's back door broke, someone would probably be specifically assigned to check and notice such things in the first place.

    Good security doesn't have 1 person who checks and notices such things. Good security has, say, the 10 employees who work at that branch noticing such things, because they all walked through that door when they came into work that day and all noticed something was wrong and immediately reported it to the branch manager (ideally, getting rewarded for their vigilance). And then the branch manager does something along the lines of hiring a locksmith to come in and take care of it immediately, and maybe ensure somebody jury-rigs a chain or something to keep that door shut until the locksmith can come.

    What happens in many IT organizations is that:
    - There is at most 1 peon assigned to look at that lock.
    - If that peon notices something wrong and reports it, the very best they can hope for is to be told that they need to work into the night for no extra pay to fix it immediately or lose their job.
    - No outside help is hired, in part because the lower-level manager actually handling the problem doesn't have the budget authority to do that, but also because nobody really cares.
    - While the problem still exists, upper management will insist that the door remain openable, and if there's no lock on it, so be it.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.