Earlier this month the US House Oversight and Government Reform Committee released a report on the Equifax breach.
You can read the whole thing here.
Things I liked about the report
This is one of the most detailed and interesting reports I’ve seen from a Congressional Committee (second probably to the report of the 9-11 Commission).
The usage of the Attack Chain to describe the attacker’s activities during the May 13th to July 30th time frame was very well done (pg31). As this is a report to Congress, I’m glad that the committee staffers took the time to educate the members on this aspect of information security. Additionally, the committee didn’t hand-wave over technical details and dove into WebShells, SQLi and what a JSP file does.
The report dove deep into Equifax’s Patch Management Policy and the procedures around vulnerability management. No one has a healthy patching process. The best you can be is the leper with the most fingers.
I do like that they highlighted that Equifax’s lack of a software inventory was a “key factor” (pg74). While they don’t explicitly call it out, SANS/CIS Critical Controls #1 and #2 are: have a hardware inventory and have a software inventory.
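The inventory gap the report calls a key factor is something a defender can check mechanically. As an added example (not code from the report or from Equifax), this Python script walks a deployment directory, finds Apache Struts 2 core jars both loose on disk and packed inside WAR/EAR archives, and flags any below a minimum patched version the caller supplies; the directory layout, app names and sample versions are constructed for the demo and are assumptions, not figures from the report.

```python
import re
import tempfile
import zipfile
from pathlib import Path

STRUTS_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")  # struts2-core-<version>.jar

def version_tuple(version):
    # "2.5.10.1" -> (2, 5, 10, 1); int tuples compare the way versions should
    return tuple(int(p) for p in version.split("."))

def parse_struts_version(name):
    # Version string of a Struts 2 core jar (bare filename or zip entry path), else None
    m = STRUTS_JAR.search(name)
    return m.group(1) if m else None

def inventory(root, min_patched):
    # Return sorted (location, version, needs_patch) for every Struts 2 core jar under root,
    # loose on disk or inside a .war/.ear. min_patched is the caller's assumption, not the report's.
    floor = version_tuple(min_patched)
    found = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        candidates = [(str(path), path.name)]
        if path.suffix in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as z:
                candidates = [(f"{path}!{n}", n) for n in z.namelist()]
        for location, entry in candidates:
            version = parse_struts_version(entry)
            if version is not None:
                found.append((location, version, version_tuple(version) < floor))
    return sorted(found)

def build_demo_tree(base):
    # Constructed sample (not real Equifax paths): one unpacked app with a stale jar,
    # one packed WAR whose jar is current, plus an unrelated jar that must be ignored
    stale = Path(base, "acis", "WEB-INF", "lib", "struts2-core-2.3.28.jar")
    stale.parent.mkdir(parents=True)
    stale.write_bytes(b"")  # contents do not matter for a filename-based inventory
    with zipfile.ZipFile(Path(base, "portal.war"), "w") as z:
        z.writestr("WEB-INF/lib/struts2-core-2.5.14.jar", b"")
        z.writestr("WEB-INF/lib/commons-lang3-3.7.jar", b"")

def demo(min_patched="2.5.14"):
    # Run the inventory over the constructed tree in a throwaway directory
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return inventory(tmp, min_patched)

if __name__ == "__main__":
    for location, version, needs_patch in demo():
        print("PATCH" if needs_patch else "ok   ", version, location)
```

On a real host you would point `inventory()` at the application server's deployment root and feed the result into the software inventory the report says Equifax lacked.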
Technical inaccuracy, misrepresentation or omissions
Numerous times they mention the ACIS system was developed in the 1970s (pg3, pg31), yet the report neglects to mention that Apache Struts was initially developed in 2000 and Struts 2 was initially released in 2006. I think this is misleading and implies the ACIS hasn’t been updated since before I was born.
The report neglected to mention the name of the inspection tool that had an expired SSL Cert. I assume it was Snort (pg30).
Much was said about the “Highly Complex IT Infrastructure” (pg71) that resulted from CEO Richard Smith’s “ambitious growth strategy”. I call BS on that. Political BS at that. All large IT environments are complex. They all have lots of interconnecting parts. Fear rules when it comes to making changes to complex systems because you never know what sort of outage will be caused. This was not an Equifax problem. This is a problem for any IT organization more than a few years old.
The biggest omission was around how, prior to the breach, Equifax budgeted for replacement technology & cybersecurity. Several times it was mentioned that Equifax employees were aware of the issues, but nowhere does it really state what was done with that awareness. Was the 19-month-old expired SSL cert due to the incompetence of the security organization, or was the security organization chronically underfunded and understaffed? When Equifax Audit issued its report about issues with the patching process (pg68) was funding approved to remediate the audit findings?
Finally, please: referring to Sun as “the now-defunct company Sun Microsystems” (pg73) totally lets Oracle off the hook for the shoddy acquisition and support processes in place for the company Oracle bought and then shut down.
Several people were “retired” or let go as a result; however, the one negligent (incompetent?) party who escaped was their Chief Legal Officer, John Kelley. CSO Susan Mauldin reported to Kelley (pg55), and it was Kelley who was a member of the CEO’s senior leadership team, not Mauldin. As the report stated:
The information he [CEO Richard Smith] did receive was presented by Kelley – the head of the legal department who did not have any background in IT or security – rather than Mauldin, the company’s IT security expert (pg61).
Information Security is about managing risk, something every attorney should be an expert in. The only reason you’d ever engage someone in a legal role is to defend you in court or to help manage your risk. That Kelley wasn’t competent or interested enough to understand the CyberSecurity Risk, and to present that risk to the CEO and SLT, makes him the guilty party that got off scot-free.
The report and others make a semi-big deal over the fact that the CSO didn’t report to the CIO, and cite industry surveys around where a CSO/CISO should report (pg61). I disagree with the assessment that the CSO/CISO has to report to the CIO. As I said, CyberSecurity is about managing risk. While there is a heavy technical function to security, that is not what it is all about. At the end of the day the CIO’s role is to deliver features and business value for each IT dollar spent. The CISO’s role is to protect and manage the risk. For the CISO to be subordinate to the CIO puts risk management subordinate to delivering features/business value. Neither CSO/CISO reporting structure is necessarily wrong (however, if your Chief Legal Officer can’t be bothered to care about managing risk you have a problem).
I’m skeptical how effective having the new Equifax CISO reporting to the CEO will be. That seems more like a PR Stunt than an effective place for a CISO to report long-term.
US Government’s Role
I like how the report several times states:
The United States Computer Emergency Readiness Team (US-CERT) sends Equifax an alert to patch the particular vulnerability in Apache Struts software (pg6, pg29)
In reality what happened was some folks at Equifax were subscribed to a public mailing list, and everyone got the notice about the Struts 2 vulnerability. DHS & the US-CERT didn’t seek out Equifax to personally inform them of this issue.
Scapegoating of Graeme Payne
I feel for this guy. As an SVP his role was hardly technical. He “was a highly-rated Equifax employee for seven years prior to the data breach (pg50)”. He was fired for failing to forward the US-CERT email. Payne testified in the report (in relation to CEO Smith’s testimony to Congress on 10/3/17):
[For Smith] To assert that a senior vice president in the organization should be forwarding vulnerability alert information to people … sort of three or four layers down in the organization on every alert just doesn’t hold water, doesn’t make any sense. If that’s the process that the company has to rely on, then that’s a problem.
The report further states:
Payne said he did not have a specific role or responsibility to patch the ACIS system as a senior executive, stating he was a “manager of managers who managed teams that would fulfill roles laid out in the policy.”(pg66)
I cannot agree more. I’ve worked with a lot of SVPs. I rely on them to secure budget, develop strategy, and provide leadership. I would never rely on them to read and forward any emails in a timely fashion. To think that Equifax’s patching strategy relied on Payne to understand and forward an email like that is ludicrous. Even the congressional report agrees (emphasis mine):
A senior Equifax official was terminated for failing to forward an email – an action he was not directed to do – the day before former CEO Richard Smith testified in front of Congress. This type of public relations-motivated maneuver seems gratuitous against the backdrop of all the facts (pg52).
Most of the report’s recommendations focus on policy fixes around the Credit Reporting Agency business model and places where Congress or Agencies could use this as an excuse to make government even bigger.
Recommendation 6 is the most interesting. It states:
The executive branch should work with the private sector to reduce reliance on Social Security numbers. Social Security numbers are widely used by the public and private sector to both identify and authenticate individuals. Authenticators are only useful if they are kept confidential. Attackers stole the Social Security numbers of an estimated 145 million consumers from Equifax. As a result of this breach, nearly half of the country’s Social Security numbers are no longer confidential. To better protect consumers from identity theft, OMB and other relevant federal agencies should pursue emerging technology solutions as an alternative to Social Security number use.
This is a long time coming. SSNs are an identifier, not an authenticator. That the public and private sectors treat SSNs as an authenticator should be criminal.
The report closed with this line:
Private sector companies, especially those holding sensitive consumer data like Equifax, must prioritize investment in modernized tools and technologies.
This is a no-brainer to anyone in IT. However, there is no economic incentive for organizations to replace things that are working with the “new shiny” just for the sake of replacing it.
Equifax allowed the personal data for half of America to get stolen, probably by a foreign government, and the stock price recovered within a year (pg16). In my opinion the entire $11-billion enterprise should have been seized, the shareholders wiped out, and the proceeds used to replace the antiquated SSN-as-authentication system. The shareholders would then have been in a position to go after the CEO and the Board for failing their fiduciary duty. Instead, all that happened was the CEO and a few underlings lost their jobs.
Until these sorts of data breaches become existential threats to companies, shareholders, and executives, you will not see a meaningful improvement in information security hygiene.