Schumer wants to hold Equifax accountable

  • Thread starter Deleted member 159002
I've got no problem with this, I hope they hold their feet to the fire over fucking up people's lives with no justification.
 
https://www.wired.com/story/equifax-breach-no-excuse/

This article tells a pretty good take on it. Bottom line, Equifax didn't patch their servers to close a known vulnerability for about 2 months. That's a pretty egregious error, so the CIO/CISO should both get fired for sure. A class action lawsuit will emerge, and Equifax will probably need to provide identity fraud protection services for everyone affected for a number of years, much like after the OPM breach a few years ago. It will hurt Equifax's bottom line in a pretty significant way, and that should incentivize them to get their heads out of their asses in regards to information security. That's probably all that needs to happen here.
 

A bad violation, but not egregious. Most organizations have a 60-90 day remediation timeline for non-zero-day vulnerabilities (if that; some of these mooks do quarterly remediation). It's an unfortunate byproduct of change management procedures; that's why we put so much emphasis on server hardening and depth of controls. Ideally an IPS/IDS and DLP would be implemented to guard against vulnerabilities like this, but without seeing their architecture, you can't really make a statement on the posture of their organization.

A more egregious issue to me is their lobbying to prevent the rule killing arbitration clauses. Especially considering the fuckery with their little checking site.
 
I'm all for a good Change Management Process (as outlined in NIST ;) ), but this shit should be managed on a monthly basis. 60-90 days is no bueno, particularly in regards to known vulnerabilities. We all know the drill when you're poking around on a network: ping sweep, port scan, banner grab, and check to see the vulnerabilities in NVD. Apply, and then see if you're a step further in the process. Remediating known vulnerabilities should be an easy win for most shops, and it's sad that they let bureaucracy get in the way of good security. And you definitely can't rely on automation. The IDS/IPS/SIEMs can't do it all! ;)
 
Yeah, it's exactly like Enron - where the company cooked the books to inflate profit and bilk investors. Let's compare a hacking to that.

Schumer didn't liken the govt data breach to Enron a few years back.
The OPM breach was the poster child of incompetence. That was a much worse showing of how stupid people can be, although neither is good.
 
Not surprised. The do-nothing, lefty, Marxist takers will always try to tear down the hard working capitalist makers. Comrade Chuck needs to move back to Venezuela.
 
I guess my favorite part of this thread is seeing who the shills are. If you are trying to make this into a partisan issue, great. You're showing the rest of us that you have no idea what the fuck you're talking about. Thanks for clearing it up.
 

I suppose it doesn't get as much attention since there were few identities involved, but it didn't make me feel any better to get my letter saying they may have my fingerprints.

I know/don't think they can use them in any way, but a few years down the road who knows.
 
I still get letters mailed to me all the time about that..

I'm like 'thanks?'
 
They got a lot more than that. It was everything relating to any security clearance that you've had. Names, addresses, SSNs, findings, and everything. Huge shit show...
 
It's a big deal. If your identity is ever compromised, call OPM. They will need to take care of that for you.
 
oh I know, I still work for the DoD as a civilian

perhaps even worse, even after getting out of the Army I still have to do annual Anti Terrorism, Sexual Harassment Assault Response Prevention, Suicide Prevention, Information Assurance Awareness, Anti Phishing, etc... to keep my job.

So I have to keep doing that absurd training (that apparently Hillary skipped?), and then on top of that my identity is likely compromised. Good times.
 

Good points for sure, I just give a little leeway on timelines when it comes to actual use cases. I'm sure we'd all love to have infrastructure get off their asses and patch some servers, but you know that pushback lol.

On a related note, I have some vendors you'd absolutely love. One stores sensitive information in a central repository and had no idea what controls they had in place. Like, total blank face. Apparently they thought Norton and an old ass stateless firewall was an acceptable fix for protecting their data. I almost cried tears of blood.
 
I used Equifax in the past. According to their website, my info was likely compromised.

Their solution is to provide their premier credit / monitoring program for free, which I signed up for.

So now I'm stuck between a rock and a hard place. Although there is a service monitoring my information for free, it's being monitored by the same dumb ass company that allowed my info to be leaked in the first place.
 
This is just a management thing. Your infrastructure and infosec shops need to be more integrated. The whole of IT services needs to be integrated instead of stove-piped, and that's what management should be doing. But trying to get a bunch of introverts like IT people to want to talk to each other is a tall task, haha.

Oh, lovely. Shops like this are the reason that Admiral Mike Rogers has said, "There are two types of companies in the United States. Those that have been hacked, and those that don't know they've been hacked."
 