The former CEO of Equifax was grilled by Congress this week about the breach. During his testimony there were several reveals but the most shocking was the blame was placed on a single person. A scapegoat. A single point of failure. The person that was responsible for the team that patches, didn’t.
I am not buying it.
When Mr. Smith was grilled he said that Equifax has 225 security professionals and in the last three years it has spent $225 MILLION in security. A quarter of a BILLION dollars in security that was brought down by one point of failure, a lazy, naive, incompetent, forgetful employee? Really? Senators won’t buy this answer and the security professionals definitely will say B as in B, S as in S.
Let me break this down to try to figure out what Equifax’s security program looked like if this was from a simple failure of one guy.
For a company like Equifax, with 225 dedicated security folks, there should be a regular ingestion of security bulletins. Either through company channels or through a few of the 225 security professionals that would get these alerts in their own personal feeds. All security folks have hundreds to thousands of feeds, consuming security news, alerts, reports, and white papers to stay fresh and remain a professional. That Severity Level 10 Struts vulnerability would have been seen by more than one guy.
Equifax blamed their scanners not picking up the vulnerability. That may be. Maybe the scanner subscription didn’t pick up the new updates to know to look for that vulnerability. I highly doubt Equifax only has one scanner with a less than real-time subscription. However, if Equifax had 225 security professionals they should be more than mature in a comprehensive security program that would be able to cover something like the CIS Top 20. The second control, they are ordered by priority, is keep an inventory of authorized and unauthorized software.
Keeping an inventory for a company of that size is near impossible, BUT, your critical applications and systems should not be left out. A complete profile of all components of that application was known down to the version of the Apache components. The developers would need to know exactly what versions are deployed because Apache applications are very version specific. You don’t need a scanner to know if you are running a vulnerable component or not.
Here’s the struts alert –
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 126.96.36.199.
It’s not rocket science to tell if you are vulnerable when you know the exact version number and you don’t need a scanner. I could accept if it was a smaller, one off application, but this was the core portal that accessed 145 million records.
The Equifax exploit was a level 10. When you look up the details, everything is highlighted in red text, bold letter, it stands out. No one of the 225 security professionals lit a fire to address it? Had none of the 225 professionals worked through Heartbleed, Snapfish, NSA and CIA dumps or other past high profile vulnerabilities. Those past vulnerabilities were stop everything and get it patched immediately moments. The struts vulnerability was even easier to exploit than those. Was there no vulnerability management team to prioritize the response or was it the same patch team that skipped it?
Where was the CISO in all of this? The top security resource in the company should have been in the loop on these alerts and stopped everything. That is if she had the proper experience to know how to do that or just relied on professional management career and let her people worry about it, we may never know. Did she not at least subscribe herself to the US-CERT bulletins?
Equifax didn’t have any defense in depth. The CEO made a comment on a closed loop process but had it been truly a closed loop there would be other supporting checks to ensure nothing stopped or was passed over.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.