Submitted via IRC for Fnord666_
In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.
Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.
Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.
Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team.
However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.
(Score: 4, Insightful) by Thexalon on Monday October 09 2017, @06:49PM
Good security doesn't have 1 person who checks and notices such things. Good security has, say, the 10 employees who work at that branch noticing such things, because they all walked through that door when they came into work that day and all noticed something was wrong and immediately reported it to the branch manager (ideally, getting rewarded for their vigilance). And then the branch manager does something along the lines of hiring a locksmith to come in and take care of it immediately, and maybe ensure somebody jury-rigs a chain or something to keep that door shut until the locksmith can come.
What happens in many IT organizations is that:
- There is at most 1 peon assigned to look at that lock.
- If that peon notices something wrong and reports it, the very best they can hope for is to be told that they need to work into the night for no extra pay to fix it immediately or lose their job.
- No outside help is hired, in part because the lower-level manager actually handling the problem doesn't have the budget authority to do that, but also because nobody really cares.
- While the problem still exists, upper management will insist that the door remain openable, and if there's no lock on it, so be it.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
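The failure described in the story and the comment above is a process one: a fix existed for months, and knowing whether it had been applied depended on one person. The script below is an added illustration, not code from Equifax, Apache or the article, of the kind of check a security team can run on its own asset inventory so that overdue patches surface automatically and to more than one owner. It assumes a hypothetical inventory format (host, Struts version, owner list), a hypothetical fixed version `2.3.32` that should be replaced by the value from the vendor advisory, the March 8 advisory date from the article, an assumed 30-day remediation SLA, and a constructed as-of date; the sample hosts and addresses are invented.

```python
"""Patch-exposure report for a fleet running Apache Struts.

Added example (not from the article): given an inventory of hosts and the
version at which a vulnerability was fixed, list every host still on a
vulnerable version, how far past the remediation deadline it is, and whether
responsibility for it rests on a single person.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_AVAILABLE = date(2017, 3, 8)   # advisory date stated in the article
SLA_DAYS = 30                        # assumed internal remediation deadline
AS_OF = date(2017, 7, 29)            # constructed "today" for the sample run


@dataclass(frozen=True)
class Asset:
    host: str
    struts_version: str
    owners: tuple          # every person/team accountable, never just one


# Constructed inventory; hosts, versions and addresses are invented.
SAMPLE_INVENTORY = [
    Asset("web-01", "2.3.30", ("appteam@example.com",)),
    Asset("web-02", "2.3.32", ("appteam@example.com", "secops@example.com")),
    Asset("api-07", "2.3.31-SNAPSHOT", ("appteam@example.com", "secops@example.com")),
]


def parse_version(version):
    """Turn '2.3.31-SNAPSHOT' into (2, 3, 31).

    Pre-release tags are ignored; for a staleness check that errs on the side
    of flagging a snapshot build as no newer than its base release.
    """
    return tuple(int(m.group()) for m in re.finditer(r"\d+", version))


def is_vulnerable(version, fixed_version):
    """True when the deployed version is older than the first fixed release.

    Simplification: one threshold covers one release line. Products with
    several maintained lines need one fixed version per line.
    """
    return parse_version(version) < parse_version(fixed_version)


def patch_status(assets, fixed_version, patch_date, as_of, sla_days=SLA_DAYS):
    """Return overdue hosts, most overdue first.

    Each entry records days past the SLA deadline and flags hosts whose
    owner list has a single entry, i.e. the one-person dependency the
    comment above warns about.
    """
    deadline = patch_date + timedelta(days=sla_days)
    report = []
    for asset in assets:
        if not is_vulnerable(asset.struts_version, fixed_version):
            continue
        report.append({
            "host": asset.host,
            "version": asset.struts_version,
            "days_overdue": max((as_of - deadline).days, 0),
            "owners": list(asset.owners),
            "single_point_of_failure": len(asset.owners) < 2,
        })
    return sorted(report, key=lambda r: (-r["days_overdue"], r["host"]))


def example_report():
    """Run the check over the constructed inventory with the assumed fix version."""
    return patch_status(SAMPLE_INVENTORY, "2.3.32", PATCH_AVAILABLE, AS_OF)


if __name__ == "__main__":
    for row in example_report():
        flag = "  <-- single owner" if row["single_point_of_failure"] else ""
        print(f"{row['host']:10} {row['version']:16} "
              f"{row['days_overdue']:4d} days overdue  "
              f"owners={','.join(row['owners'])}{flag}")
```

Running it against the sample inventory lists the two unpatched hosts at 113 days past the assumed deadline (143 days since the advisory, minus the 30-day SLA) and marks `web-01` as depending on a single owner; the patched `web-02` does not appear. The useful part for a real fleet is less the arithmetic than where the output goes: feed it to a ticketing queue or a shared channel rather than to one mailbox.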