By SecureWorld News Team
Tue | Oct 3, 2017 | 3:30 AM PDT

As former Equifax CEO Richard Smith testified before Congress today, he gave a detailed timeline of how the company failed, of its incident response, and of the changes the InfoSec team has made since then to secure the data of well over a hundred million Americans.

This part of his testimony may not get much coverage in mainstream media, but it matters to SecureWorld readers, so here are details.

Former Equifax CEO details InfoSec and technology errors that led to breach

Smith says a combination of human error and technology error was involved, and the play-by-play goes like this:

  • The company was aware of the US-CERT notification on the Apache Struts vulnerability
  • The notification was shared by email, with a request for patching within 48 hours (Equifax standard operating procedure)
  • The patch was never implemented
  • Several scans failed to catch that the Apache Struts patch had not been implemented

Former Equifax CEO says InfoSec has made significant changes since hack

In his testimony before the Congressional committee, Smith says there are changes that cannot be shared but he wanted to address others:

  • "In recent weeks, vulnerability scanning and patch management processes and procedures were enhanced."
  • "The scope of sensitive data retained in backend databases has been reduced so as to minimize the risk of loss."
  • "Restrictions and controls for accessing data housed within critical databases have been strengthened."
  • "Network segmentation has been increased to restrict access from internet facing systems to backend databases and data stores."
  • "Additional web application firewalls have been deployed, and tuning signatures designed to block attacks have been added."
  • "Deployment of file integrity monitoring technologies on application and web servers has been accelerated."
  • "Importantly, Equifax’s forensic consultants have recommended a series of improvements that are being installed over the next 30, 60, and 90 day periods, which the company was in the process of implementing at the time of my retirement."
  • "In addition, at my direction, a well-known, independent expert consulting firm (in addition to and different from Mandiant) has been retained to perform a top-to-bottom assessment of the company’s information security systems."

That is quite a laundry list of upgrades and reviews. Two questions remain: how did a member of the InfoSec team fail to act on the Apache Struts patch? And how did the scans miss the vulnerability afterward: was that an implementation problem as well?
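As an added example, not code from the testimony or from Equifax, here is the kind of file-level patch-verification check a vulnerability scan should include: it walks deployed web applications looking for struts2-core jars and compares each version against a per-branch minimum fixed version, rather than relying only on what an HTTP probe happens to reach. The sample directory tree and the fixed-version thresholds in the block are constructed assumptions; set the thresholds from the vendor advisory for the vulnerability you are verifying.

```python
"""Patch-verification check for Apache Struts 2 deployments (illustrative).

Walks a deployment root, finds struts2-core-<version>.jar files and flags
any whose version is below the minimum fixed version for its release branch.
The thresholds and the sample tree are assumptions for this example.
"""
import os
import re
import tempfile

# ASSUMPTION: minimum fixed version per release branch. Fill this in from
# the vendor advisory for the vulnerability you are checking.
MIN_FIXED = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare component by component,
    so (2, 5, 10) < (2, 5, 10, 1) as required for a four-part fix release."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True if below the branch's fixed version, False if at or above it,
    None if the branch is not in the table (report it, don't guess)."""
    fixed = MIN_FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def scan_deployments(root):
    """Return sorted (path, version_string, status) for every Struts core jar
    found under root. A web app with no struts2-core jar produces nothing."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            vuln = is_vulnerable(parse_version(m.group(1)))
            if vuln is None:
                status = "unknown-branch"
            else:
                status = "VULNERABLE" if vuln else "patched"
            findings.append((os.path.join(dirpath, name), m.group(1), status))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: four web apps with different Struts versions."""
    root = tempfile.mkdtemp(prefix="struts-check-")
    sample = {
        "app-a/WEB-INF/lib": "struts2-core-2.3.31.jar",    # below 2.3.32
        "app-b/WEB-INF/lib": "struts2-core-2.5.10.1.jar",  # at fixed version
        "app-c/WEB-INF/lib": "struts2-core-2.5.10.jar",    # below 2.5.10.1
        "app-d/WEB-INF/lib": "struts2-core-2.1.8.jar",     # branch not tracked
    }
    for rel, jar in sample.items():
        libdir = os.path.join(root, rel)
        os.makedirs(libdir)
        open(os.path.join(libdir, jar), "wb").close()  # empty stand-in jar
    return root


if __name__ == "__main__":
    for path, ver, status in scan_deployments(build_sample_tree()):
        print(f"{status:15} {ver:10} {path}")
```

Two caveats a practitioner would add: the check trusts the jar filename, so a renamed or shaded jar needs a manifest or hash check instead; and a version with no entry in the table is reported as unknown rather than silently passed, since a scan that stays quiet about what it cannot classify is exactly how an unpatched library goes unnoticed.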

SecureWorld welcomes your comments on this story.

There is more to come on the Equifax mega breach, so follow SecureWorld on LinkedIn, Twitter, or Facebook.
