What I learned from the Equifax hack

Full disclosure: I hate Equifax and its ilk for many, many reasons, but my thoughts here will focus on the breach. I also wrote some of this before the congressional testimony and after, so it’s a little disjointed.

There’s enough blame to go around

Since the breach was announced, it seems both everybody and nobody are to blame. I’ve seen threads condemning the appointment of a CSO because she didn’t have a degree in teh cybers. I’ve seen threads sticking up for her despite the lack of a cyber-related degree, and in the same thread blaming the cyber community for not checking their privilege. Of course, during congressional testimony, the ex-CEO blamed all of it on a single person. I’ve even seen blame being placed on special treatment and advancement of women in teh cybers. Was the CSO qualified? I don’t know, so I won’t speculate (I know, right? speculation w/o facts seems to be the norm these days).

Why weren’t the web shells caught (Seriously! 30+ web shells!)? Why wasn’t a mass exodus of data noticed? Why didn’t Equifax take down their website to patch the critical vulnerability on the server(s) connected to the goddamned internet? Who knew about the critical vulnerability in the server(s) connected to the goddamned internet? Who made the decision not to take down the web server(s) for patching? Was this a decision based solely on the monetary losses that would be incurred, or was a risk analysis done before determining not to patch the critical vulnerability in the server(s) connected to the goddamned internet? Who is responsible for the breach? What were they after? What was the working relationship between Equifax and its 3rd party security advisers? Was there any oversight, by auditors, government, or other?

These are all relatively simple questions that many have guessed at answers for — some are very educated guesses by experts, backed by years of experience in teh cybers. Sadly, as this organization that is responsible for the credit history of the vast majority of American adults is/was not mandated to have any oversight, we (the collective “we”) will probably never get a straight answer. So, as most things these days seem to go, we’ll have to go on speculation from the same people who ask “Who is that 4chan guy?”

Or maybe we’ll begin to see real change in how we protect our information. One could have thought that after the OPM breach we would have started to see real change, but that only affected a mere 20 or so million people. Maybe the silver lining to this is that those in Congress actually begin to listen to what the cyber/infosec/hacker community has been screaming about for decades. Maybe the blame doesn’t fall completely with Equifax. Maybe there are others. Like I said. There’s enough blame to go around. Like Congress. Sure, Congress. They’ve failed to pass any legislation that begins to protect our data — and I mean legislation with teeth — like “you effed up, you’re going to jail” legislation. They’ve failed to see the inherent problem with connecting critical infrastructure to the goddamned internet. Maybe the ex-CEO blaming a single employee for not patching points to a much bigger problem.

Or maybe, we as a community share some of that blame. We’ve been screaming for decades that “shit’s broke,” right? Maybe our message isn’t on point. Maybe we’ve been screaming so loud that we’ve been tuned out. Maybe our “shit’s broke” message has come across as “you suck.” Maybe we need to change our tune a bit. I know I hated getting owned as a sys admin — being shown that I made a mistake. Maybe being an infosec/cyber/hacker person is more than just screaming “LOL! shit’s broke.” Huge strides have been made when it comes to responsible and coordinated disclosure and getting bugs fixed, but obviously that’s not the only problem, nor is it enough.

It’s still about the basics

admin/admin. Really!? When we go into high schools to teach, we’re all about the basics. We try to ‘fun’ it up, and most of the work is hands-on-keyboard, but we’ve got to get to a point where the low-hanging fruit isn’t admin/admin. We work on basic CLI and networking exercises, e.g. “Here’s a pcap of an FTP connection. Oh, look, a password. Is it a good password? Why not a passphrase? Why shouldn’t we use FTP?” And this year we’ll even be throwing some exploits at Tomcat boxes with, you guessed it, admin/admin because basic shit is still out there, and folks entering the workforce, be they cyber analyst or developer, need to understand the basics. There’s no point in teaching how to perform an audit of your code, or how to write a proper function if your app is protected by admin/admin.

Compliance != Security. . .

But as a colleague once told me, “But they’re most certainly related.” Some of us (me included) in the cyber field tend to downplay compliance as merely an exercise in checking a box, and not really having an impact on security. I know as a pen tester, my main concern is real-world impact, that root@db# screenshot, because that’s my job. And I know when I was a sys admin, I sometimes brushed off compliance and box checking as having no tangible effect on the actual security of a system, mostly because it made my job harder and I’m (read: people are) lazy. But there’s a reason for that checkbox. At some point somewhere in infosec history, someone said “This is so important we should probably check for it on ALL. THE. THINGS!” Others agreed, and now it’s a checkbox.

Whether or not you believe the CEO in his testimony before Congress, it’s a safe bet a comprehensive IT governance and compliance policy would have helped, if not mitigated the breach completely. Do I know for certain? Nope. But if your company is following almost any IT governance or risk management framework (ISO, COBIT, whatevs), you will certainly have policies, standards, and procedures in place to ensure that gaping holes in your infrastructure and/or your communications channels are closed. And if a company handling this much sensitive data isn’t following an IT governance or risk management framework, then the blame most certainly does not fall on a single sys admin. I see this breach more as a failure in compliance and process rather than a failure of technology. But that’s just from the viewpoint of a lowly noobhaxor, not the CEO of a multi-billion dollar company responsible for the credit history of a nation.