One person responsible for the security of the enterprise.
If there is truly one person for a company this large, then he was set up to fail from the beginning. The management is negligent and incompetent for not creating a system for this. That's his job.
I think more likely, the CEO is full of shit and they're scapegoating some poor person. But even if that's not the case, this is a terrible thing for him to admit. If he's really that incompetent, he has no business in management. Hopefully he never works in management again. Kiddo needs to go back to school, he's clearly forgotten all of his training.
Well, this is what happens when people call for jail time. The moment someone goes to jail for something like this, it will change security issues forever: People will stop reporting breaches, and developers themselves will be at risk of going to jail.
Also, if you try to kill Equifax, companies will stop reporting breaches.
I don't know what the ultimate outcome of all of this will be, but it's important to keep perspective. People are out for blood, and it's both scary to watch and unsettling to think of the precedents it might set.
> Also, if you try to kill Equifax, companies will stop reporting breaches.
Equifax is a special case though. It isn't Equifax that needs to be killed, it's the concept of credit reporting agencies in general -- they inherently constitute systemic risk. The more private information is concentrated in one place, the more attractive a target it creates for attackers and the more severe the consequences of a breach.
We need to figure out a way to make data warehousing operations like this impractical so these dangerous targets no longer exist.
One good step would be to prohibit the use of social security numbers for anything other than social security.
> Also, if you try to kill Equifax, companies will stop reporting breaches.
The breach is not why I want the Equifax CEO (and everyone on the board) to go to prison. I want them to go to prison because of what they did and didn't do after the breach. The CEO is at best incompetent but that is a very generous reading of what took place.
Many reasonable people seem to believe that the backlash and horror in response to the US government killing of Arthur Andersen and the subsequent job losses were what led to the later toothless reactions by the DoJ to subsequent corporate scandals:
Do you have any problem with the concept of credit bureaus, and is it possible that it's influencing your reaction?
edit: also, so this is topical, the CEO is clearly incorrect. Even if one employee were somehow responsible for the unpatched version of Struts being present on a particular system, there is guilt by omission/neglect for at least 1) poor secure enclave design (attackers getting access to the system, degree of access that system had, lack of partitioning of sensitive data) 2) lack/deficiency of red team/pen testing 3) lack of process in static scanning of deployed code... it goes on. As someone noted, seems like negligent process given the degree they were a target. Granted, I'm going off the publicly disclosed information, so who knows...
No problem with the concept, only the execution. If you can't secure the data, you don't get the data (by law). That simple.
This is Econ 101 (incentives matter). If you do not penalize negative behavior, there is no reason for it not to continue.
Those security vulnerability notifications should've gone into a tool to be actioned by a team (JIRA, PagerDuty, whatever) with follow-up and verification (audit logs from their CI/CD pipeline confirming a patched version had been deployed to all environments, dev through prod); that's an organizational and leadership failure, which should have consequences.
Disclaimer: I work in the financial services industry in security, but not CRAs.
EDIT: Agree with your assessment edit, it's a total failure of risk management within the org. Again, you need dire consequences when that occurs.
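The verification step the comment above describes (CI/CD audit logs confirming that a fixed version reached every environment) is easy to automate. The script below is an added example written for this thread, not code from Equifax or from any commenter: it reads deployment audit log lines, keeps the latest successful deploy of a named component per environment, and compares it against the advisory's fixed-in version. The log line format, the `struts2-core` component name, the version numbers and the sample log are all constructed for illustration; a real check would take the fixed-in version from the vendor advisory.

```python
"""Patch-deployment verification against CI/CD audit logs (added example)."""
import re
from typing import Dict, Tuple

# Constructed sample audit log lines for illustration; not real deployment data.
# Note the failed prod deploy of the fixed version: it must not count as verified.
SAMPLE_AUDIT_LOG = """\
2017-03-08T10:14:02Z deploy env=dev service=consumer-portal component=struts2-core version=2.3.32 result=success
2017-03-08T11:40:55Z deploy env=staging service=consumer-portal component=struts2-core version=2.3.32 result=success
2017-03-09T09:02:17Z deploy env=prod service=consumer-portal component=struts2-core version=2.3.32 result=failed
2017-02-01T08:00:00Z deploy env=prod service=consumer-portal component=struts2-core version=2.3.31 result=success
"""

# Assumed log line layout (hypothetical): ISO timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) deploy env=(?P<env>\S+) service=(?P<service>\S+) "
    r"component=(?P<component>\S+) version=(?P<version>\S+) result=(?P<result>\S+)$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.32' into (2, 3, 32) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def latest_successful_versions(log_text: str, component: str) -> Dict[str, str]:
    """Return env -> version of the most recent *successful* deploy of `component`."""
    latest: Dict[str, Tuple[str, str]] = {}  # env -> (timestamp, version)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["component"] != component or m["result"] != "success":
            continue  # ignore unrelated lines and failed or rolled-back deploys
        env = m["env"]
        # ISO-8601 timestamps in the same format compare correctly as strings
        if env not in latest or m["ts"] > latest[env][0]:
            latest[env] = (m["ts"], m["version"])
    return {env: version for env, (_, version) in latest.items()}


def verify_patch(log_text: str, component: str, fixed_in: str, required_envs) -> Dict[str, str]:
    """Report, per required environment, whether the fixed-in version is actually running.

    Environments with no successful deployment at all are reported explicitly rather
    than silently skipped, since a missing record is itself a finding.
    """
    deployed = latest_successful_versions(log_text, component)
    target = parse_version(fixed_in)
    report: Dict[str, str] = {}
    for env in required_envs:
        if env not in deployed:
            report[env] = "no successful deployment recorded"
        elif parse_version(deployed[env]) >= target:
            report[env] = "patched"
        else:
            report[env] = f"unpatched (running {deployed[env]})"
    return report


if __name__ == "__main__":
    # "dr" is deliberately absent from the sample log to show the missing-record case.
    result = verify_patch(SAMPLE_AUDIT_LOG, "struts2-core", "2.3.32", ["dev", "staging", "prod", "dr"])
    for env, status in result.items():
        print(f"{env:8s} {status}")
```

The point of keying on the latest successful deploy is the prod case in the sample: a deployment of the fixed version was attempted and failed, so the environment is still running the older release, and a tracker that closes the ticket when the deploy job is triggered rather than when it succeeds would report it as done.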
I think someone else commenting on this story correctly noted that penalties create a reverse incentive for disclosure, and there could be negative externalities in that incentive structure (to riff on the Econ 101 theme). Since you are in the field, have you heard if the confirmed vector was CVE-2017-5638? I have heard so little confirmation/attribution here... it's really hard to attribute how much was negligence without knowing how long the attackers were present, how many systems were compromised. I added a comment (I think) before your reply that generally agrees that this had to be a systemic failure on several levels. I still struggle with the fact that on some level Equifax were the victims of a criminal action, though.
EDIT: hoping to do this quickly to avoid comment/edit race conditions, but I wish I knew the right answer in re. penalties. Think about the system that exists with doctors, malpractice insurance industry, medical liability, review boards and the benefits society gets from transparent disclosure from reviews of medical errors. Honestly, short of jailing people, it's hard to see how criminal liability in this case could be worse than potential civil liability.
Maybe or maybe not. What if employees could blow the whistle on negligent handling of users' data, and even get some kind of whistle-blower reward for it? This would strongly encourage companies to keep their houses in order, I imagine.
That's an interesting point. My other comment suggested one way we could give employees a vested interest in reporting negligence in security and the handling of users' data. You're saying the shareholders (or at least the large ones) should realize this is a risk to their money and act accordingly. Something of a two-pronged approach to keeping a company honest.
Of course. Stock prices tank, dividends disappear to pay fines and restitution, and the board calls an emergency meeting and sends that half-wit packing amidst a cloud of words like "malus" and "clawback".
It goes entirely without saying that a CEO with a failure of that magnitude in his wake is lucky to get a job managing a pizza joint after this.
In my experience, a lot of corporate entities have bad rules like "30 days to review patches before they go live", or "no patches not reviewed by team X" that slow down changes. These sorts of caveats are both hard to change, and even harder to circumvent, because big companies make change difficult as they usually have more to lose than to gain.
If you look at the article, it matches this idea:
> ... Mr. Smith referred to an “individual” in Equifax’s technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach.
I doubt one individual is responsible for every patch in the organisation, and I reckon that Equifax likely has many individuals each responsible for different systems, all of whom have to deal with a central security department before they can, well, patch their system. I further bet the internal politics are off the chart, and the security team is a "no, you can't do that" department who makes things worse.
I put money on there being plenty of "individuals" who are each responsible for patching different systems at Equifax, and while this particular breach was in system X, A-W might, at another time, have been the epicentre of a breach for similar reasons related to internal processes that make moving fast nigh on impossible.
Now, while that's no excuse, I think the fault is likely not the individual who missed the patch, but the interaction between departments with different goals (political and practical) combined with an internal structure that makes changes glacially slow, and this sort of breach inevitable.