Last week the U.S. House of Representatives Committee on Oversight and Government Reform released their official report on the 2017 Equifax Data Breach. To be honest, so few people seem to be talking about this and I am stunned. In the over twenty years I’ve spent in the cybersecurity industry, this report is one of the most detailed accounts I have ever seen on a breach at this scale.
For years, we, the security community, have been complaining that there is so little visibility into past breaches and lessons learned. Wouldn’t it be great if we had a detailed report similar to what the US FAA produces after every major airline crash? How can we improve if we cannot learn from the mistakes of the past?
I highly recommend that, if you are involved in cybersecurity, especially at a senior or management level, you read the report. The Executive Summary itself is worth the time, but the detailed timeline, root cause analysis, how Equifax (and Mandiant) responded, and ultimately lessons learned are a gold mine of information.
My key take-away? The Equifax hack was ultimately a people / structure issue. When you bring up the Equifax breach, most people respond that it was a patching issue: the bad guys exploited a Struts vulnerability that Equifax knew about and should have patched. But why wasn’t it patched? And why did it take them two months to identify the breach? The ultimate reason was that the CSO, Susan Mauldin, did not report to the CIO, but was buried underneath the Chief Legal Officer. IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.
The reason for this split? Ten years prior, the CSO reported to the CIO; however, they had strong personality conflicts. Since the two could not work together, the CSO was moved under legal. However, when Equifax’s new CIO David Webb and new CSO Susan Mauldin came on board, this split was never resolved. (Full details of this strategic failure start on page 55 of the report. I feel this is one of the most critical findings.) As a result, the new CSO of Equifax is actually called the CISO and that individual now reports directly to the CEO.
Far too often, when we look at incidents like these, we take a very tactical approach: X was not patched or Y was not monitored. But what the Equifax report shows us is a strong need to take a step back and ask WHY that was the case and what the root cause was. I would like to commend the efforts of Congress on this amazing report, and hope we will have more reports like these in the future.
UPDATE: Renowned security blogger Brian Krebs has posted a fantastic follow-up on this blog and the Equifax report. He researched how Fortune 100 companies prioritize the CSO/CISO position. His finding? They don't. Fewer than 5% even list such individuals on their website. More at his blog post: https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/