Equifax Hired a Music Major as Chief Security Officer

Discussion in 'HardForum Tech News' started by Megalith, Sep 17, 2017.

  1. If I send you a letter with a subject that says, "Potential Security Issue With XYZ" and then provide sources for information, you better make it your job to delegate it out to somebody to investigate further and assess impact.

    Like I said, I'm a grunt. (Chief problem solving grunt, but a grunt) And I don't know all our products in a company of 100,000+ people, or how they are developed and used. It's not my place to give that assessment. I can only make you aware of how it might affect us. (i.e., I know we have products that use JAVA and there is a new exploit for JAVA versions X Y Z that we may use.) The rest is up to you.
     
    Last edited by a moderator: Sep 18, 2017
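    The "delegate it out and assess impact" step the post above asks for is mostly mechanical once someone owns it: take the advisory's affected version ranges and run them against the software inventory, then hand the owners of the hits a list sorted by exposure. The following is an added example written for this page, not code from the thread or from any vendor; the advisory, the version ranges, the hosts and the owner names are all constructed, and the version parser is a simplification (build suffixes after a dash are ignored).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """A vendor advisory reduced to what triage needs."""
    product: str
    # (first_affected, first_fixed) pairs; None on either side means unbounded.
    affected_ranges: tuple


def version_key(version: str) -> tuple:
    """Turn '1.8.0_151', '9.0.1' or '11.0.2-b7' into a comparable 4-tuple of ints.
    Build suffixes after '-' are dropped; this is a simplification for the example."""
    core = version.split("-")[0]
    nums = [int(p) for p in re.split(r"[._]", core) if p.isdigit()]
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_affected(version: str, ranges) -> bool:
    """True if version falls inside any [first_affected, first_fixed) range."""
    v = version_key(version)
    for first_affected, first_fixed in ranges:
        low_ok = first_affected is None or version_key(first_affected) <= v
        high_ok = first_fixed is None or v < version_key(first_fixed)
        if low_ok and high_ok:
            return True
    return False


def triage(advisory: Advisory, inventory) -> list:
    """Return the inventory entries the advisory applies to, internet-facing first."""
    hits = []
    for entry in inventory:
        if entry["product"].lower() != advisory.product.lower():
            continue
        if is_affected(entry["version"], advisory.affected_ranges):
            hits.append(dict(entry))
    # Exposed systems first, then a stable order by hostname.
    hits.sort(key=lambda e: (not e["internet_facing"], e["host"]))
    return hits


# Constructed advisory: "product X, versions in these ranges are vulnerable".
ADVISORY = Advisory(
    product="java",
    affected_ranges=(("1.8.0_0", "1.8.0_151"), ("9.0.0", "9.0.1")),
)

# Constructed inventory; hostnames, versions and owners are made up for the example.
INVENTORY = [
    {"host": "web-01", "product": "java", "version": "1.8.0_144", "internet_facing": True, "owner": "web team"},
    {"host": "batch-02", "product": "java", "version": "1.8.0_151", "internet_facing": False, "owner": "data team"},
    {"host": "api-03", "product": "java", "version": "9.0.0", "internet_facing": True, "owner": "api team"},
    {"host": "db-04", "product": "postgresql", "version": "9.6", "internet_facing": False, "owner": "dba"},
    {"host": "build-05", "product": "java", "version": "1.8.0_131", "internet_facing": False, "owner": "ci team"},
]


if __name__ == "__main__":
    for hit in triage(ADVISORY, INVENTORY):
        exposure = "INTERNET-FACING" if hit["internet_facing"] else "internal"
        print(f'{hit["host"]:10} {hit["version"]:10} {exposure:16} owner: {hit["owner"]}')
```

    Each hit is a ticket for a named owner rather than an email to an executive; what reaches the strategic level is the count of internet-facing hits and whether any of them is a core system.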
  2. kydsid [H]ardness Supreme

    All this over what her LinkedIn profile says? Maybe she didn't give a shit what it said and ignored it after starting it. Good god. Mine doesn't even list me graduating high school.
     
  3. ccmfreak2 Limp Gawd

    Quite possibly the best post in this entire thread.
     
  4. kju1 2[H]4U

    I'm just telling you how to get your point across better and trying to explain why you might not be getting the desired response. I get you're a grunt, but when you say "upper level" like where I sit we are not involved in tactical decisions like patching a vulnerability. We are in strategic mode. I sometimes reach down to tactical level, but I usually try not to because my lower level managers don't need me meddling in their teams.

    You send me an email with that subject you have a few sentences to convince me it's something *I* at the strategic level need to worry about. Not your tactical level, corporate strategy level. If you don't do that quickly I will run it down the chain and find out why the heck you came to me directly instead of raising it through your management and having it addressed with proper procedures. You might not like that attention.

    Put another way sending senior leadership that kind of email is akin to yelling bomb in an airport. There damn well better be a bomb AND a reason why you didn't just go over to security and tell them.
     
  5. I'll acquiesce to the point that it shouldn't go straight to the top. I made the mistake of saying upper level management in my first post. I agree such information should be worked up from the bottom.

    But as a whole, IT organizations don't do near enough. There are no IT safety bulletins relating to general issues that I have ever seen other than "Secure your laptop and information. Don't load it with software we don't approve of. Don't click on suspicious emails. etc etc..."

    Yet every heavy manufacturing plant puts out regular safety bulletins. There is training. There is safety equipment. There are standards for equipment. Dangerous situations are illustrated. There is a safety foreman you can report to about concerns. Near accidents are listed and reported. They also list remediation. The irony in this is so much concern is taken to protect a few individuals. Yet when it comes to the most valuable asset of companies (their data and secrets and the millions of people they might affect) they often think of it as 20/20 hindsight.
     
    Last edited by a moderator: Sep 18, 2017
  6. kju1 2[H]4U

    I will agree with that. It's not that way for me. I have a few mandatory things that I won't budge on to include:

    • All critical security vulnerabilities are addressed immediately (i.e. patched, mitigated, or proven not applicable)
    • All customer facing operational issues are addressed immediately (see above).

    Everyone knows if I find out one of those wasn't done there will be problems. Not that we are perfect, certainly not, but we do a lot better than most shops.

    I will also agree that if the level just above you isn't addressing those issues then they are not doing their jobs. And anyone who is not doing their job should be removed in my opinion. I don't suffer dead weight.

    I could go on for quite a while about what I think most IT shops should be doing for IT security...the answer would be a hell of a lot more than they are doing today. But most corps won't want to hear it because to them IT is an expense not a revenue generator.
     
  7. Spartacus [H]ard|Gawd

    >>But most corps won't want to hear it because to them IT is an expense not a revenue generator.

    Absolutely true.

    I just picked up a new customer, and as the business owner was shaking my hand and smiling, he told me "Just to be clear, I don't like you or your kind." I laughed and I told him I understand.

    I joked back that, "If you get tired of paying me to do your IT work, we can always just sit back and watch it burn." He wasn't expecting that but he also understood my point.

    As you say, many corps see IT as a big hole in the ground to throw money into. And when that attitude sets in, that's when the big trouble starts.
     
    Last edited: Sep 18, 2017
  8. magnetik Moderator Staff Member

    The security officer at our work reminds me of this lady... I was in a high level meeting regarding security and sat behind her as she was googling terms as they came up... one was ARP cache poisoning IIRC. Don't give a shit that she is a woman or minority but makes me wonder if I'm selling myself short on my resume. LOL
     
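    For readers who, like the security officer in the post above, would have to look up ARP cache poisoning mid-meeting: it is an attacker on the same segment sending unsolicited ARP replies that bind the gateway's (or a victim's) IP address to the attacker's MAC, so traffic is routed through the attacker's machine. The detection below is an added example written for this page, not code from the thread; the ARP reply log, the addresses and the "attack" in it are constructed, and the three rules (static-binding violation, IP-to-MAC flip, one MAC claiming several IPs) are the usual ones a segment sensor or switch feature applies.

```python
from collections import defaultdict

# Constructed ARP reply log as (timestamp, sender IP, sender MAC), the way a sensor on
# the segment might record opcode-2 replies. Addresses and the attack are made up.
ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),    # gateway answers for itself, legitimate
    (1.5, "10.0.0.20", "00:11:22:33:44:20"),   # workstation, legitimate
    (2.0, "10.0.0.1", "00:11:22:33:44:01"),    # gateway again, same binding
    (3.0, "10.0.0.1", "de:ad:be:ef:00:99"),    # attacker claims the gateway IP
    (3.2, "10.0.0.20", "de:ad:be:ef:00:99"),   # and the workstation IP: classic MitM
    (4.0, "10.0.0.30", "00:11:22:33:44:30"),   # unrelated host, legitimate
]

# Bindings that must never change on this segment, e.g. the default gateway (constructed).
STATIC_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(replies, static_bindings):
    """Return alerts as (timestamp, rule, ip, mac) tuples, in log order.

    Rules:
      static-binding-violation  a pinned IP was claimed by a different MAC
      ip-mac-flip               an IP's MAC changed from what was last seen
      mac-claims-multiple-ips   one MAC has answered for more than one IP
    """
    last_mac = {}                     # ip -> MAC most recently seen for it
    ips_by_mac = defaultdict(set)     # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in replies:
        if ip in static_bindings and mac != static_bindings[ip]:
            alerts.append((ts, "static-binding-violation", ip, mac))
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip-mac-flip", ip, mac))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for ts, rule, ip, mac in detect_arp_spoofing(ARP_REPLIES, STATIC_BINDINGS):
        print(f"t={ts:<4} {rule:26} {ip:10} now claimed by {mac}")
```

    The flip rule alone is noisy on segments where DHCP reassigns addresses, which is why the static-binding rule for the gateway and the one-MAC-many-IPs rule carry most of the weight; the production version of this is dynamic ARP inspection on the switch, which drops the bogus replies instead of just logging them.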
  9. Master_shake_ [H]ardForum Junkie

    Identify as a woman and sue if you don't get hired.

    That's current year for you.
     
  10. Burticus [H]ardness Supreme

    TLDR - I read an article that said one or more of their web accessible gateways used "admin/admin". I hope heads roll big time for this.
     
  11. JL6speed Limp Gawd

    The admin/admin should have been a no brainer that easily could have been caught had Equifax had a mediocre audit shop. How they missed that, makes me wonder about how they view security as an entity. Also, looking at her LinkedIn profile, she just listed herself as a Professional at all of the previous companies, with no mention of what specific role she was in. Also, being an executive, I would at least have a few certifications behind my name. It's very common for people today working in security to have a CISSP, CISA, etc... There were no mentions of any security certifications on her profile either.
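    The check an audit shop would run for the admin/admin problem discussed in the two posts above does not need a live login attempt: given an export of local accounts with their salted password hashes, hash each well-known default password with the account's salt and compare. The following is an added example for this page, not code from the thread or from any product; the account export, its "sha256(salt + password)" hash format, the default-credential list and the usernames are constructed (a real appliance would use bcrypt, PBKDF2 or similar, and the comparison would call that library instead).

```python
import hashlib
import hmac

# Well-known vendor defaults (username, password). Constructed, short list for the example.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("administrator", "changeme"),
]


def hash_password(password: str, salt: str) -> str:
    """Constructed hash format for the example: hex(sha256(salt || password)).
    Real systems use a slow, salted KDF; only the compare-by-rehashing idea carries over."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def make_record(user: str, password: str, salt: str, enabled: bool = True) -> dict:
    """Build one row of the constructed account export."""
    return {"user": user, "salt": salt, "hash": hash_password(password, salt), "enabled": enabled}


# Constructed account export from a hypothetical appliance; plaintexts are used here only
# to build the sample rows, exactly as the appliance's setup would have done.
ACCOUNTS = [
    make_record("admin", "admin", "5f3a"),                    # default pair, still enabled
    make_record("svc_backup", "Tr0ub4dor&3", "9c11"),         # non-default
    make_record("root", "root", "e0d2", enabled=False),       # default pair, but disabled
    make_record("jsmith", "admin", "71bb"),                   # weak, but not a default *pair*
]


def find_default_credentials(accounts, defaults) -> list:
    """Return accounts whose stored hash matches a (username, default password) pair.

    Enabled accounts sort first; those are the live findings. Disabled matches are
    reported too, because a re-enable without a reset would reopen the hole.
    """
    findings = []
    for acct in accounts:
        for user, pwd in defaults:
            if acct["user"].lower() != user.lower():
                continue
            candidate = hash_password(pwd, acct["salt"])
            if hmac.compare_digest(candidate, acct["hash"]):
                findings.append({"user": acct["user"], "password": pwd, "enabled": acct["enabled"]})
    findings.sort(key=lambda f: not f["enabled"])
    return findings


if __name__ == "__main__":
    for f in find_default_credentials(ACCOUNTS, DEFAULT_CREDENTIALS):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f'{f["user"]:12} uses default password {f["password"]!r} ({state})')
```

    Note that jsmith's password "admin" is not reported: the rule is about the vendor's documented username/password pairs, which is what an attacker tries first; a separate weak-password check would catch the other case.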
     
  12. kju1 2[H]4U

    Yeah clearly they don't give two shits about security if admin/admin was on there for any length of time.

    I am not sure I agree with the exec requires certifications part though. Nobody has ever been willing to pay for certifications for me and I have made it there just fine...
     
  13. JL6speed Limp Gawd

    I work in audit and I'm currently an IT Audit Manager. My colleagues in higher ranking positions all have at least 1 cert of some sort. I would think my staff below me would question me being in my current position if I had no certs behind my name while they have certs. Gotta lead by example. Especially in security, where the certs show an extra effort taken to get immersed in the field and to stay up to date on security matters. Also, companies usually reimburse for obtaining a cert since it is beneficial to have from an appearance standpoint and also being knowledgeable in the field, and she was an exec at a pretty big company with a lot behind the name. I would think Equifax wouldn't mind reimbursing an exec (that has been around for quite some time) to obtain a security cert.
     
  14. kju1 2[H]4U

    Well I am not in audit but the only cert I have is an out of date developer one. I don't assume certs mean much these days, I have met far more people who are more knowledgeable without than with.
     
  15. mope54 [H]ardness Supreme

    Regardless, whether one has certs is a separate issue from listing them on LinkedIn.
     
  16. ChoGGi [H]ard|Gawd

    and more fun, looks like Equifax was also hacked back in March as well :)
    https://www.bloomberg.com/news/arti...suffer-a-hack-earlier-than-the-date-disclosed

    The article also has this cute little tidbit:
    "The new timeline is also likely to focus scrutiny on an earlier sale by Gamble of 14,000 shares on May 23. According to a regulatory filing, which didn’t indicate that the sale was part of a scheduled trading plan, the value of that transaction was $1.91 million, more than twice the size of his Aug. 1 disposal of 6,500 shares for $946,374."
     
  17. kinjo [H]ard|Gawd

    Yeah because clearly since this is a tech site the forum members here only read tech news and thus only use that information as a point of reference.
     
  18. Romale23 Gawd

    Eh, I get your point but high level is supposed to set policy and spend resources. I'm just as critical of her as most, just for different reasons (the policy clearly sucked). But if someone doesn't know a specific attack vector at that point (although in fairness to your statement it sounds like this person knew none of them, which means she probably doesn't understand the problem set), it's not that big a deal; that is what the technical people are for. What she should be doing is assessing risk. So ask tech people what ARP cache poisoning does, and maybe still tech people on how much does it cost to mitigate, how much would an attack cost in best and worst case scenarios, what insurance policies are available and deciding if mitigating x threat is worth the expense (as far as an individual attack goes). What makes the Equifax one so egregious from a business standpoint is it was an attack on their core business that will cause massive financial damage to the company that a stricter patching policy would have prevented. The risk assessment on this one is easy and was clearly done wrong.
     
  19. michalrz 2[H]4U

    Hehe. Should have responded with something along the 'well your mom likes me' joke. You know, professionally.
     
  20. Elios [H]ardness Supreme

    better question who did she fuck for that job
     
  21. Master_shake_ [H]ardForum Junkie

    Good thing she's a music major.

    She can fiddle while Equifax burns.
     
  22. Jagger100 [H]ardness Supreme

    Looking at that photo probably not anyone recently. She filled a checkbox in a position which the management felt was non-critical (ie not directly involved in profit generation).
     
  23. Spidey329 [H]ardForum Junkie

    Apparently they also got their (Equifax HQ) district's Congressman (Barry Loudermilk) to sponsor a bill to limit liability before this all released. I'm curious if Barry did any shorting on Equifax stock, since I think Congress/Senate are exempt from insider trading laws.

    from H.R. 2359:

    This is serious corruption (from the non-disclosure and insider trading, to the backdoor politics)
     
  24. Creig Gawd

    "I'm not an actual internet security professional, but I did stay at a Holiday Inn Express last night!"
     
  25. Design1stcode2nd Gawd

    Many people in management positions don't really know a thing about the fields they manage. They know how to manage a project and people and the people who work for you have the technical expertise to do the job at hand.

    Also when has it always been the most qualified individual gets the job? Betsy Devos, Ben Carson, Rick Perry, none of which are qualified for the positions they are in now. Same goes with private companies, someone knows someone else's cousin, etc.
     
  26. lcpiper [H]ardForum Junkie

    My IT world and your IT world are different.

    In mine, we have many many controls. It's not enough to STIG and Patch, all the documentation must be maintained, software must go before a CCB before it gets approval to install, this is by release version so if v2.1 was the last version approved, 2.2 will have to go to CCB before approval as well. Outside agencies must inspect and confer accreditation or we can be shut down until we meet the standards/requirements. Scans must be done, procedures in place to react to the findings of the scans, etc.

    And then the reality sets in. Bureaucracy with a capital B, managers with no experience in the IT areas they manage, companies hiring unskilled people, did I say that I work for a company that works for the government? Yea.

    A perfect plan is useless in the face of insurmountable red tape and mismanagement (y)