Heads roll, as it's revealed Equifax's IT team knew about web app vulnerability

Music-loving CSO is being unfairly vilified.

The fallout from the massive Equifax data breach continues.

On Friday last week, the beleaguered company announced that its chief information officer and chief security officer were "retiring" with immediate effect.

There has been a huge amount of focus, in the news and on social media, on the fact that Equifax's outgoing CSO Susan Mauldin had a bachelor's degree and a Master of Fine Arts degree in music composition, from the University of Georgia.

The insinuation is that Equifax was negligent in putting someone in charge of security with such a background.

I must admit, I feel very uncomfortable with this line of thinking. Criticise a head of security for making lousy decisions, for not doing their job properly... but not because they know their way around an oboe.

A lot of us in the industry, myself included, have no formal education in computer security. Many of us may have learnt about information technology outside of the classroom, have gained knowledge through experience in the field or through self-study. Education does not end at school.

Further than that, I feel uncomfortable with singling any member of the IT department out for blame when a serious breach like the one which hit Equifax occurs, when we simply don't know the full facts. Sometimes the problem might lie elsewhere - at the board level even, which may not have given the IT team enough resources to ensure that security was being properly maintained.

Shoot me if you like, but I can't help but think that the vitriol being poured on Equifax's former CISO wouldn't be quite so intense if she had been male.

One thing is clearer now, however, and that is just how the hackers managed to break into Equifax's systems.

Equifax says that the attacker breached its online dispute web portal through a vulnerability in Apache Struts (CVE-2017-5638), enabling unauthorised access to files containing personal information from May 13 through to July 30 2017.

That is obviously an embarrassing revelation for Equifax, as that particular vulnerability was identified and disclosed by US CERT in early March 2017. Equifax admits that it knew about the vulnerability at that time, but for some reason appears to have failed to patch its vulnerable systems.

Of course, the public was only made aware that Equifax had suffered a massive breach on September 7. Many people are probably still completely oblivious that personal information such as social security numbers, dates of birth, names and email addresses have fallen into the hands of online criminals.

20 Responses

  1. Etaoin Shrdlu

    September 19, 2017 at 10:55 am

    One of the best modem control programs, back before broadband or the web, was written (in assembler) by a classical oboist, Malcolm Messiter – http://www.messiter.com/

    • Graham Cluley in reply to Etaoin Shrdlu.

      September 19, 2017 at 12:48 pm

      May I be the first to quip…

      more power to his oboe!

    • Tom Chantler in reply to Etaoin Shrdlu.

      September 20, 2017 at 10:16 am

      How bizarre to see reference to Malcolm Messiter here, of all places. I remember being astounded (in a good way) by his rendition of Pasculli's La Favorita. Go to his website and listen to it. And, of course, his father Ian is responsible for Just A Minute on Radio 4.

  2. Claire Annette Reed

    September 19, 2017 at 11:46 am

    Agree that it's silly to focus on the CSO's music background. Many of us in this field are old enough to know that information security was hardly a "thing" when we were high school and college age. I meet lots of IT security professionals with marketing, sales, communications, even lending backgrounds.

    On the other hand – many professionals, myself included, long ago eliminated gender as a difference in determining ability. I'm only commenting on it now because you made an equally silly sexist statement.

    • Graham Cluley in reply to Claire Annette Reed.

      September 19, 2017 at 12:04 pm

      Hi Claire.

      Some of the commentary on social networks about the former CSO has been pretty sexist in my opinion. That's what I was commenting on. Maybe you haven't seen it as much as I have. I have inserted a couple of examples into the article to provide context.

      • Christopher Budd in reply to Graham Cluley.

        September 19, 2017 at 10:11 pm

        Thanks for posting this. I've said that focus on the music composition BA and MFA is bogus and likely a code for what are really sexist comments.

  3. Mike

    September 19, 2017 at 12:40 pm

    Infosec strategy and implementation ultimately boils down to one thing. How much risk from a breach is acceptable from board level employees. If, as a CSO you deem your information to be not that valuable or important then you tailor your response and solution accordingly. Ultimately, it's the board who are responsible. Whether you are director of HR, Finance or whatever. You are all as culpable as each other not just the CSO.

    • Matthew Parkes in reply to Mike.

      September 20, 2017 at 10:42 am

      Absolutely agree. I am in a similar position: I am in an Infosec role coming from a brief period as a code developer and before that a web designer. My education is also in art and design and not IT, apart from a couple of NVQs (and yes, I know what most people say these stand for), but I have no formal qualifications in Information Security.

      I have learnt on the job over several years and am happy that I know enough to convey to decision makers what needs to happen when I uncover a risk or vulnerability, or when suggesting solutions for meeting regulations or framework requirements. The organisation has no wish to put me through training due to cost and fear of me moving on once qualified, so I am stuck between a rock and a hard place.

      Ultimately if the decision makers choose not to act on information or suggestions I provide I am powerless to change this and simply have to record this in a risk register. Ultimately it is most likely that Directors and C-Suite level individuals are less technical and even less in the know and unless you are really good at putting infosec matters across in a manner they do understand then bad decisions are ultimately going to be made or no action is going to be taken at all. I sympathise with others in this position.

  4. Pete

    September 19, 2017 at 5:56 pm

    College degrees are a form of certification, but they say nothing about a person’s actual qualifications. Anyone can get certified for anything.

    By contrast, being qualified means you’re able to deliver what you’re being paid to do. Usually, that means having sufficient competence, motivation, creativity, imagination, integrity, and comprehension of fundamental principles to get the job done.

    People are slaves to labels, and the belief that your college degree determines your qualifications and capabilities is part of the institutionalization of that kind of mental slavery.

  5. Brian Teeter

    September 19, 2017 at 8:32 pm

    I am not a computer security expert, although I play one on television. As such, I defer to you and others who possess real knowledge and experience in this challenging field. As a mere carbon-based life-form (AKA, consumer) with enough computer knowledge to be dangerous, I have to ask some questions beyond the obvious dereliction of duty about the Equifax fustercluck:

    1. Why was the entire database not sandboxed into individual walled gardens so that a hack would not have been able to scoop up all the records?
    2. Why was the data not encrypted and hashed so that without an encryption key, the database could not be viewed as plaintext data?
    3. Why has Equifax (and for that matter, the other three credit bureaus, including Innova) not utilized two-factor authentication on individual accounts to prevent the hacking of the entire database?

    It strikes me that this was not simply an issue of a lazy IT staff failing to apply necessary patches to the Apache Struts servers on a timely basis (i.e., immediately). The breadth of this hack, not to mention the discovery that Equifax had also been hacked in March of this year, suggests not just wholesale dereliction of management, but also fundamental flaws in the entire architecture and security of the system and database. This is not merely gross incompetence. It's criminal negligence.

    Add to this that three executives who would have been in a position to have inside information about the hack sold large quantities of stock prior to the public disclosure of the breach, and you have a portrait of a company infested with ethical rot all the way to the very top.

    Yet, the major credit bureaus remain opaque and unaccountable. They are trusted by default with our most important personal information, data that decides whether you get a job, a mortgage, a loan, a car, a credit card, or for that matter whether the FBI places you on a terrorist watch list (and denies you the right to board a plane) based on the actions of someone impersonating your identity. And don't get me started on what this could do to distort the electoral process by our enemies or even those in government with an agenda to deny us the right to vote.

    Expect the consolidated lawsuit to stretch on for a decade, and even then, may result in nothing. Given the power of Equifax and its ability to buy politicians, I sadly expect nothing more than a few show hearings in Congress and a hand slap the equivalent of being made to sit in the corner during noon recess.

    I would love your thoughts on this. The impact and damage to our identity, credit, and more will stretch on for at least a decade or longer. As long as business and government depend on the credit bureaus and archaic identifiers such as a Social Security number, we are totally screwed.

    • Mark Jacobs in reply to Brian Teeter.

      September 20, 2017 at 10:37 am

      I was going to post something, but you have said what I would have said and more. Plus, you put it more eloquently! Hear, hear! I couldn't agree more. As soon as I heard about the Apache Struts vuln in March, I went straight to my servers and made sure I wasn't using any of that technology, or else patch it immediately. Why didn't they? This makes me even more concerned about the state of play with IoT security http://jacobsm.com/techgripe.htm (first article)

    • mdg in reply to Brian Teeter.

      September 20, 2017 at 12:30 pm

      1. Why was the entire database not sandboxed into individual walled gardens so that a hack would not have been able to scoop up all the records?
      This is a good question, keeping the data separate would probably have been a good idea.

      2. Why was the data not encrypted and hashed so that without an encryption key, the database could not be viewed as plaintext data?
      Encryption is not an answer. Encryption keeps data secure at rest. When it is live it needs to be usable so you can perform queries against it. Hashing is strictly one way, you should not be able to work backwards from a well designed hash to get the original data.

      3. Why has Equifax (and for that matter, the other three credit bureaus, including Innova) not utilized two-factor authentication on individual accounts to prevent the hacking of the entire database?
      2fa won't protect you from everything. If there is a file traversal flaw, it may be accessible without a login. If it does require a login, you only need one login. That's easy enough to acquire.

  6. Eisfalken

    September 20, 2017 at 2:14 am

    You know what? No. Let's just stop this right here.

    Saying that it's unfair to hold any person accountable for their lack of formal education in a top executive position is just stupid at the onset, but even more so because of the highly technical nature of the IT security sector. Would you expect a doctor to have a bachelor's in botany? Or for a nuclear plant engineer to have an associate degree in food service? Of course not.

    Perhaps the little frat-bros running around with MBAs are as interchangeable (and frankly disposable) as dirty socks and underwear. Certainly nobody managing a fast food joint has to be some economics guru. But that's not really what we are talking about here, is it, Cluley?

    No, we're talking about one of the nation's (well, really, the world's) top credit agencies. In a modern society in which credit is of MASSIVE importance, this agency controls vast and unthinkable levels of influence in our financial matters. The data they have on hand is as critical as one's health data. This is a highly technical field that requires at least a moderate amount of background in it to understand the unique and very tricky issues arising in it (unless someone is truly stupid enough to actually suggest that security for Equifax is no different from register security for some t-shirt store, in which case I can't even begin to inform such people as to just how stupid a sentiment that really is).

    But you want to sit here and say that the CSO of this company shouldn't be held to maybe a slightly higher standard than peons who install cyber-nanny software at the local elementary school? Or that any criticism of such a failure is just bashing on a woman?

    No, just… stop, please. This was a screw-up from start to finish. If Mauldin had been a man, I'd be equally critical of such a stupid lack of professionalism, and deflecting that with some limp-wristed handwaving about how we shouldn't hold this position to some kind of standard is beyond foolish. This position does NOT require you to be some one-off genius in the field of IT security: it requires you to assign jobs to your minions to find security vulnerabilities, close them up, test them, report findings up the chain of command, etc.

    Mauldin wasn't programming squat, she wasn't having to actually install the updates, her job was simply to find the problems, diagnose them correctly, and fix them with the utmost speed and accuracy. She failed at doing her job, and that is why she is being shown the door.

    She isn't even being fired, which should be the case. You think if any ground-level IT workers compromise a company's system with a lack of care that they'd be given the grace of leaving on their own? Please. She's getting a parachute, and it may not be golden, but it sure isn't a pile of nothing, either. Retirement means she keeps her benefits and other stuff.

    Stop sawing at this violin acting like it's such a crime people are critical of the security team who fumbled this whole mess. The buck has to effing stop somewhere. Guess what? You wear the title of CSO, the buck stops with you when there's a breach.

    Mauldin wore the crown, so off with her head. Next person in line will take this as an object lesson in why if you want to be CSO of a huge, important, critical financial agency, you better bring your A+ game to the table.

    This isn't about education or gender. This is about meeting a standard of professionalism or competency.

    • M. Sirell in reply to Eisfalken.

      September 20, 2017 at 10:58 am

      How many hospital CEOs have medical degrees? (Hint: a medical degree isn't much use running a huge business.)

  7. LH

    September 20, 2017 at 5:52 am

    While I agree that having a degree doesn't automatically make you (regardless of profession) an expert, it certainly helps to weed out some of the bad apples. Don't get me wrong, I'd certainly take the IT Admin with 20 yrs experience and no degree over the kid straight out of college in a help desk role. At the same time, I'd much rather have a seasoned professional with a combination of years of experience, a formal degree and maybe a cert or two. Degrees and certifications are ultimately baselines for demonstrating your knowledge for the field.

    Although there are some rare exceptions, I personally would not be comfortable putting a person with a music arts degree in charge of my Information Security division especially when my company is charged with handling the personal information of millions of Americans. I've been in the IT industry now for quite some time and this story also reminded me of a troubling trend I've noticed. More and more employees with little to no IT experience are being promoted into these director roles. It doesn't matter if it's the public or private sector, it's happening and it is very disturbing. Many of these pretend IT people talk the talk and are usually only outed when a major incident (pretty much like this one) occurs.

    • M. Sirell in reply to LH.

      September 20, 2017 at 12:51 pm

      I don't know if you've tried recruiting infosec talent in the last few years, but we cannot afford to be throwing out good candidates with bad at ANY filtering stage, purely because they don't have a CS degree, or any degree at all. (Full disclosure — I'm a university dropout myself, and working as global head of security at a large financial services firm.) I've met plenty of idiots in security and indeed IT generally with certificates and degrees, and plenty of good people with none. When the hiring problem is "too many good candidates"… we can start looking for artificial criteria to reduce the shortlist, but until then, I'll at least read the CV of any applicant, regardless of educational background.

      • LH in reply to M. Sirell.

        September 20, 2017 at 5:25 pm

        I'm not sure why, but you seem to have taken my post personally. If you've excelled in your career to get in the position you're in despite dropping out, then that's great for you. However, you seem to be missing my point. Although important, I've never once believed that a degree or certification is an end-all. All you have to do is look at the 90's fiasco of certification boot camps. It was unnerving to watch people who had barely ever turned on a PC get put into $70,000+ positions and walk into the office with a deer-in-the-headlights look. The same can be said for those who were duped into attending sketchy schools where the degree wasn't worth the paper it's written on.

        Having said that I still stand by my statements on undeserving people who have been promoted. I've seen people (most with no IT degree) who are complete buffoons put in charge of IT departments just because they were a friend of so and so or because the company didn't want to invest in the proper staff. Regardless of the reason, each instance ended in disaster. At the same time, I've seen guys who looked good with paper credentials nearly blow up environments. The other problem with this debate is that all degrees aren't created equal. I personally had 50% book time and 50% actual hands on lab work to earn my degree. It was precise enough to allow me to walk into an office and be completely comfortable with the technology in front of me. That college experience combined with work experience and certs has allowed me to keep up with an industry that evolves faster than you can blink.

        Finally just so you know, I have nothing against IT professionals with no degree as long as they can do the job. Some of my closest friends and colleagues have no degree but have been around since the machine code programming days.

        • Thomas D Dial in reply to LH.

          September 20, 2017 at 6:59 pm

          Above the level of supervisor-of-direct-labor-employees the skills increasingly diverge toward management skills that depend less and less on detailed knowledge of techniques and equipment and more and more on skill in planning and organizing systems and work; communicating with peers and superiors about what is to be done; obtaining and allocating resources and personnel to do it; and monitoring it to ensure it is done, identify deviations from planned execution, and adjust resource allocation as necessary. Susan Mauldin's CV as excerpted in the body of the article suggests she is quite good at all of that.

          The CSO in a large organization is very likely four or five levels above anyplace actual work is done, far beyond where any detailed technical knowledge comes into play. She also is subject to incomplete, incorrect, and misleading reports, sometimes intentionally so.

          Systems supporting large organizations, especially those like Equifax where the primary mission is data management, are likely to be quite complex and involve many different machines, both physical and virtual, as well as a great deal of software, both commercial and locally developed. Each comes with its own set of vulnerabilities. Absent detailed knowledge of Equifax internal network, data system, and application software environments and deployment, solutions proposed are very likely, to quote H.L. Mencken, to be "neat, simple, and wrong."

          I have seen, for instance, that the exfiltrated data should not have been exposed on the system compromised using the Struts vulnerability, but not that it actually was. It is possible that one or several additional vulnerabilities, maybe even zero-day vulnerabilities, were exploited to elevate privileges and gain access to other machines that actually stored the data. It also is said that the data should have been encrypted, an action that might or might not have protected it, depending on exactly how the perpetrators gained access to it.

          Again, much is made of the fact that the vulnerability was not timely patched, a matter that looks bad but in a large organization with many systems and limited IT resources may not be unreasonable. All organizations (should) test changes to critical systems before deploying them, and depending on system complexity that may take a fair amount of time, especially if there is a defined and enforced process for change management and deployment. Hindsight teaches us that in this case process should have been discarded and the affected system taken off line immediately and not returned to service until patched and tested against the attack. That would not have been nearly as clear on March 7, when the patch was issued, or March 10, when the vulnerability was announced publicly.

          • LH in reply to Thomas D Dial.

            September 21, 2017 at 1:25 am

            I hear what you're saying, Thomas, but are you sure you're replying to the right post? Any IT director in a large organization can be given inaccurate info. However, that doesn't completely absolve them of any responsibility, which is why they get paid the big bucks.

            As for critical system patch testing and not having sufficient IT resources, well, that sounds like an organizational and management problem. I'm sorry, but although the fault isn't entirely on Susan Mauldin, she certainly shares in it. What isn't mentioned on this site is that her boss, the former CIO Dave Webb, also got canned. He's yet another level up and also shares the blame. Again, this is a management problem and I wouldn't be surprised if the CEO follows.

  8. John Lewis

    September 20, 2017 at 10:40 am

    There seem to be four issues:

    1. Mauldin is a woman – totally irrelevant.

    2. Mauldin has a music degree – irrelevant. Music is a very academic subject and intellect (+ some other personal attributes) are more important.

    3. The problems occurred on Mauldin's watch. Relevant, but you have to ask, "did she have adequate resources – people/tools?" Computer Security requires a huge "Body of Knowledge" – at least 10k hours in any one area – and I doubt that any CSO would claim to have real expertise in all areas of security. If she didn't have the resources she needed (it doesn't sound as if she did) and didn't flag that, to the extent that she was prepared to resign if she didn't get them, then she is culpable. But then so too are those that didn't make the resources available, and that is where the real blame lies.

    Certification in security is an illusion – it is too broad and certificates are frequently not worth the paper they are written on.

    4. The unaccountable power that companies like Equifax, Experian and other credit rating companies have over the likes of millions of people. In the UK, the UK Government is subcontracting a vital Identity Management function to them – gov.uk verify – see http://wp.me/p7MvnT-5