{"id":621,"date":"2017-10-06T14:20:59","date_gmt":"2017-10-06T14:20:59","guid":{"rendered":"https:\/\/securitycurve.com\/?p=621"},"modified":"2017-10-06T14:20:59","modified_gmt":"2017-10-06T14:20:59","slug":"sole-equifax-worker-responsible-yeah-the-ceo","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=621","title":{"rendered":"Sole Equifax worker responsible? Yeah: the CEO"},"content":{"rendered":"

If you haven’t seen it yet, the new theory is that “one security worker” is at fault for the Equifax breach<\/a>.\u00a0 Rick Smith, former Equifax CEO and now CEO of “lying facedown in some alley, Inc” testified before congress that, “…protocol broke down at Equifax due to human error, meaning no one was told to apply patches for the flaw. And, astonishingly, this is all one person’s fault rather than an obvious failure for the business as a whole…”<\/p>\n

Bull.\u00a0 This statement is irresponsible, and also a microcosm of why Equifax got hacked in the first place.\u00a0 Why?\u00a0 Because if ensuring that 145 million people’s data isn’t compromised is one person’s job, there’s an institutional problem.<\/p>\n

Here’s what I mean.\u00a0 Let’s assume that there’s someone that works at Equifax as a security ops guy.\u00a0 Let’s call him “Billy”.\u00a0 Now, the ex-CEO’s position seems to be that there was a meeting about whether to patch for the Apache Struts issue where Billy did some “human error” that caused the patch to not get applied.\u00a0 They didn’t say what exactly – maybe he took the action to go patch the issue and he failed to do it… or maybe he forgot to bring that one up in the meeting… or maybe he forgot to write it down on his task list… or maybe it got accidentally left out of the meeting minutes.\u00a0 It doesn’t matter.\u00a0 It’s horse shiz anyway.<\/p>\n

Here’s the deal.\u00a0 Why is this one person’s sole responsibility anyway?\u00a0 If it is, it’s an institutional problem.\u00a0 For it to be “Billy’s fault”, that would mean he would have been responsible for all of the various decisions that caused cascading failure down the line – and also “Billy’s fault” for not setting up any mechanisms to catch human error, prioritize patches, or otherwise fill in the gaps.\u00a0 For example, who’s decision was it to not encrypt the data to keep it protected if it’s stolen?\u00a0 Billy.\u00a0 Who decided to not scan for vulnerabilities to find the missing patch?\u00a0 Billy.\u00a0 Who neglected to automate the process so that patches this big couldn’t be overlooked?\u00a0 Billy.\u00a0 No patch management?\u00a0 Billy.\u00a0 IDS\/IPS failure?\u00a0 Billy.\u00a0 Missing exfiltration alerts?\u00a0 Billy.<\/p>\n

One of two things is true: either “Billy” is in a job that is so tremendously overscoped, with absolutely no automated processes that compensate for human error (which I would argue is the fault of Equifax’s management), or alternatively the failure was systemic and institutional (which I would argue is also the fault of Equifax management). So either way you slice it, Equifax leadership was at fault.\u00a0 Billy is just a convenient scapegoat.<\/p>\n

Ultimately, the Equifax issue rests solely at the feet of the CEO.\u00a0 I get it that he’d love something else to be true — like that Billy is the reincarnation of Korrok the Slavemaster<\/a> from John Dies at the End.\u00a0 Because I’m sure he’s excited to go parasailing on his golden parachute or whatever — but really his attempt to deflect the blame onto some unnamed IT dude is transparently disingenuous, dangerous if believed, and does absolutely nothing to address the broader issue.<\/p>\n

The point?\u00a0 Let’s hope people have the sense to see through the lame excuses to what was really going on.\u00a0 I’m skeptical, but I’m hopeful people are smarter than that.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you haven’t seen it yet, the new theory is that “one security worker” is at fault for the Equifax breach.\u00a0 Rick Smith, former Equifax CEO and now CEO of “lying facedown in some alley, Inc” testified before congress that, “…protocol broke down at Equifax due to human error, meaning no one was told to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[47],"class_list":["post-621","post","type-post","status-publish","format-standard","hentry","category-security","tag-equifax"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=621"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/621\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}