As I sift through the myriad of articles surrounding the Equifax case my stomach begins to turn: on its website it boasts a collection of some 820 million consumers. That equates to managing 1,200 times more data than the Library of Congress ("Equifax manages 1,200 times more data", 2017). Equifax is a sleeping giant among data warehousers. “They’re the rails that the financial train runs on. Without them, everything would grind to a halt.” said Keith Snyder. Apparently,
there are multiple data attributes reported whenever a person is paid, including how much a person earns and how much of that was a bonus, so we're in an uproar about SSN and creditor information, but the truth is they hold much more information on each consumer in their datastore. For several days after the notification, consumers were directed to a fake site that looked like Equifax but was a hoax.
For years I patched servers on patch Tuesdays, or whenever patches were released, at least weekly if not daily depending on the criticality of the patch released. While it would have been great to have had the luxury of multiple systems so we could patch and test, that was not always the case. My team and I were charged with securing our systems. Sometimes we were proactive and sometimes reactive. In the case of virus outbreaks, depending on the severity, the team would be more concerned with putting out the immediate fire and dealing with the smoldering ashes later. In other words, sometimes we would spend the next few hours fixing the application, etc. Equifax stated that patching software at big corporations with many machines does take time. They had to first identify the vulnerability, then implement and test the patch to make sure it didn't break anything before making it public. I say hogwash! Any security expert worth their salt will tell you Equifax should have moved faster ("How the Equifax data", 2018).
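The paragraph above describes a patch cadence that depends on the criticality of each release. The following script is an added illustration, not code from the original post or from Equifax: it tracks how long each host has been exposed between a vendor's patch release and deployment, and flags hosts that miss a severity-based deadline. The SLA day counts in PATCH_SLA_DAYS and the host/patch records in SAMPLE_RECORDS are constructed for the example and do not describe any real environment.

```python
from datetime import datetime, timedelta

# Hypothetical policy: maximum days allowed between vendor release and
# deployment, keyed by severity. These are assumed values for the example.
PATCH_SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}

# Constructed sample inventory: (host, patch id, severity, released, deployed).
# A deployed value of None means the patch has not been applied yet.
SAMPLE_RECORDS = [
    ("web-01", "PATCH-0001", "critical", "2017-03-07", "2017-03-08"),
    ("web-02", "PATCH-0001", "critical", "2017-03-07", None),
    ("app-01", "PATCH-0002", "high",     "2017-03-01", "2017-03-05"),
    ("db-01",  "PATCH-0003", "medium",   "2017-02-01", "2017-03-10"),
]


def _parse(day):
    """Parse an ISO date string (YYYY-MM-DD) into a datetime."""
    return datetime.strptime(day, "%Y-%m-%d")


def patch_status(record, as_of):
    """Classify one host/patch record against the severity SLA.

    Returns a dict with the state ("ok", "late", "pending", "overdue"),
    the number of days the host was (or still is) exposed, and the deadline.
    """
    host, patch_id, severity, released, deployed = record
    now = _parse(as_of)
    released_dt = _parse(released)
    deadline = released_dt + timedelta(days=PATCH_SLA_DAYS[severity])

    if deployed:
        deployed_dt = _parse(deployed)
        state = "ok" if deployed_dt <= deadline else "late"
        days_exposed = (deployed_dt - released_dt).days
    else:
        # Still unpatched: exposure keeps growing until the report date.
        state = "overdue" if now > deadline else "pending"
        days_exposed = (now - released_dt).days

    return {
        "host": host,
        "patch": patch_id,
        "severity": severity,
        "state": state,
        "days_exposed": days_exposed,
        "deadline": deadline.date().isoformat(),
    }


def patch_report(records, as_of):
    """Evaluate every record as of the given ISO date."""
    return [patch_status(r, as_of) for r in records]


def overdue_hosts(records, as_of):
    """Hosts that either missed the deadline or are still unpatched past it."""
    return sorted(
        r["host"] for r in patch_report(records, as_of)
        if r["state"] in ("late", "overdue")
    )


if __name__ == "__main__":
    for row in patch_report(SAMPLE_RECORDS, "2017-03-15"):
        print(f'{row["host"]:8} {row["patch"]:11} {row["severity"]:9} '
              f'{row["state"]:8} exposed={row["days_exposed"]:3}d '
              f'deadline={row["deadline"]}')
    print("needs attention:", overdue_hosts(SAMPLE_RECORDS, "2017-03-15"))
```

The useful number for a post-incident review is days_exposed rather than the pass/fail state: a medium-severity patch applied a week late on a host that holds consumer data is a bigger concern than a critical patch applied a day late on an isolated test box, so the report should be read alongside what each host stores.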
"There's really no excuse whether it's a difficult patch or not, for an organization of that size with that kind of magnitude of data," said Jon Hendren, director of strategy at security firm UpGuard. "When you're a big organization like that, it's a systemic failure of process and the blame goes straight to the top." ("How the Equifax data", 2018). Equifax announced its chief information officer and chief security officer are "retiring": too little, too late. Timing is key when notifying stakeholders after a breach. Proposed European regulations mandate breach notification within 72 hours. There need to be processes in place by which companies notify customers of a breach; this should be part of their post-breach responsibilities ("Three big lessons we all need", 2017).
This Equifax event is another reminder that we depend on critical systems, networks and data repositories that are not as secure as they should be. These commonplace data breaches will continue and have widespread effects until society as a whole (industry, government and individual users) is able to objectively assess and improve cybersecurity procedures. This event was larger than the following:
110 million victims in 2013 at Target
45 million TJX customers hit in 2007
20 million or so current and former government employees in the 2015 U.S. Office of Personnel Management incident.
Yahoo’s 2016 loss of user records, with a purported one billion victims, likely holds the dubious record for most victims in a single incident.
Cyber-complacency is here and growing; one element of this problem is the so-called “cyber insurance” market. Companies can purchase insurance policies to cover the costs of response to, and recovery from, security incidents like data breaches. Equifax’s policy, for example, is reportedly more than US$100 million; Sony Pictures Entertainment had in place a $60 million policy to help cover expenses after its 2014 breach ("Equifax breach is a reminder", 2018).
Effective security guidelines and practices must become fundamental parts of daily business. We must change our thinking for the better. Unless we change, the same mistakes will happen again. These breaches are a failure of leadership and culture as much as they are failures of network security.
References
Bohmayr, D. D. (2017, September 20). Three big lessons we all need to learn from the Equifax data breach. Retrieved March 14, 2018, from https://www.cnbc.com/2017/09/20/cybersecurity-lessons-from-equifax-data-breach--commentary.html
Forno, R. (2018, March 13). Equifax breach is a reminder of society's larger cybersecurity problems. Retrieved March 14, 2018, from http://theconversation.com/equifax-breach-is-a-reminder-of-societys-larger-cybersecurity-problems-84034
Happen, H. D. (n.d.). How the Equifax data breach happened: What we know now. Retrieved March 14, 2018, from http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html
Merle, R. (2017, September 25). Equifax manages 1,200 times more data than the Library of Congress. That's why people are so worried. Retrieved March 14, 2018, from https://www.washingtonpost.com/business/economy/equifaxs-breach-is-not-its-first-brush-with-concerns-over-handling-of-personal-data/2017/09/25/3f41cfee-9fc4-11e7-8ea1-ed975285475e_story.html?utm_term=.79d8951f9028