posted by cmn32480 on Monday October 09 2017, @09:22AM   Printer-friendly
from the shit-rolls-downhill dept.

Submitted via IRC for Fnord666_

In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.

Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.

Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.

However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.

"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

Source: https://techcrunch.com/2017/10/03/former-equifax-ceo-says-breach-boiled-down-to-one-person-not-doing-their-job/


Original Submission

  • (Score: 2, Interesting) by Anonymous Coward on Monday October 09 2017, @05:02PM (#579312)

    i watched the hearing. while the quote in the summary is accurate, that whole verbal exchange was a cluster fuck. the reps didn't know what they were saying/asking and the ceo was nervous and so worried about using the right words he couldn't just explain it where they could understand.

    what the ceo really was trying to say is that there were two teams: the tech team (IT/LSA?/Web devs/devops) and the security team. the "one person" he's referring to is someone on the tech team. that person never told the security team that apache struts was even installed. that's why it never got patched. it wasn't on the list of installed shit. the security team also has some presumably proprietary shitware (probably gpl violating shit that uses nmap poorly) that is supposed to scan the network(s) looking for services that are accessible and identify vulns and tell the security team about it. it couldn't find apache struts even though it was obviously publicly available.

    so, to sum up. some devops dude spins up public servers whenever he wants but doesn't tell security team. security team is dependent on some shitware to find publicly accessible servers but it doesn't work for shit.

    hey, dumb ass companies, if your "security team" is a bunch of windows using dumb asses who can't find publicly accessible servers using nmap, then you're going to get "hacked".

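The inventory gap the commenter describes, written up as an added example (not code from the page, the commenter, or Equifax): reconcile what is actually deployed on each app server against the security team's asset list, so a Struts install nobody reported shows up and its version is checked against a patched baseline. Hostnames, jar paths and the minimum patched version below are constructed placeholders, not values from the page.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: what a filesystem walk over each app server's
# WEB-INF/lib would actually return. Hostnames and paths are made up.
DEPLOYED_JARS: Dict[str, List[str]] = {
    "web-01": ["/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.20.jar",
               "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-io-2.4.jar"],
    "web-02": ["/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.5.10.1.jar"],
    "web-03": ["/opt/tomcat/webapps/legacy/WEB-INF/lib/log4j-1.2.17.jar"],
}

# Constructed sample: components the security team believes are installed.
# web-01 runs Struts but the ops side never reported it.
SECURITY_TEAM_INVENTORY: Dict[str, Set[str]] = {"web-02": {"struts2-core"}}

# Placeholder baseline: the first version treated as carrying the fix.
# Not taken from the page; substitute the vendor's advisory value.
MIN_PATCHED_VERSION: Tuple[int, ...] = (2, 3, 99)

STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuple comparison orders
    four-part and three-part versions correctly."""
    return tuple(int(part) for part in v.split("."))


def reconcile(deployed: Dict[str, List[str]],
              inventory: Dict[str, Set[str]],
              min_patched: Tuple[int, ...]) -> List[dict]:
    """One finding per Struts core jar actually on disk: whether the
    security team knew about it, and whether it is below the baseline."""
    findings = []
    for host, jars in deployed.items():
        for path in jars:
            match = STRUTS_JAR.search(path)
            if not match:
                continue
            findings.append({
                "host": host,
                "version": match.group(1),
                "known_to_security": "struts2-core" in inventory.get(host, set()),
                "needs_patch": parse_version(match.group(1)) < min_patched,
            })
    return findings


def unreported_hosts(findings: List[dict]) -> List[str]:
    """Hosts where Struts is deployed but absent from the security inventory."""
    return sorted({f["host"] for f in findings if not f["known_to_security"]})
```

Running `reconcile(DEPLOYED_JARS, SECURITY_TEAM_INVENTORY, MIN_PATCHED_VERSION)` flags web-01 as both unreported and unpatched, while web-02 is known and at baseline; the point is that a scanner keyed off the inventory alone would never have looked at web-01.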