Sole Equifax security worker at fault for failed patch, says former CEO

Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz's IT security breach on a single member of the company's security team. In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software …


  1. Anonymous Blowhard
    FAIL

    And what about the management team who set up a "system" that would break if one person forgot to do something?

    When you have fallible components, like humans, then the systems that include them have to have redundancy (not firing them) and resilience; usually at least two people involved to ensure that the check-lists are followed correctly, maybe a third person to test and sign off the updates. If these things aren't in place it's because the "system" is deemed to be of low importance and not worth spending money on to get it right.

    Putting the blame on a single person is just scape-goating of the worst kind.

    1. Bill Stewart
      FAIL

      "Human Error" is bogus in airplane safety too.

      Sorry, one guy who misses something is not much different from one guy being on vacation, or out sick. One manager saying "we can't do the update this week, because X" might have the ability to delay it, but if your system doesn't keep track of that PENDING SECURITY-CRITICAL UPDATE WHEN YOU'RE A FINANCIAL COMPANY, your system is broken by design.

      1. Mark 85

        Re: "Human Error" is bogus in airplane safety too.

        Spot on. Single point of failure here. Was the guy not there? Was he being pushed by manglement to do something they considered more important? Or was he someone sitting in some outsource shop perhaps in India? This is a fail at so many levels from top level manglement all the way to the poor schmuck who'll take the blame.

  2. Anonymous Coward
    Anonymous Coward

    One individual my arse. Where's the governance?

    1. Anonymous Coward
      Anonymous Coward

      Came here to say exactly this.

      In my company, we have oversight. We have a security function. Governance. We have dev-ops. Governance. We have a CR process that involves sign off from anyone affected by the possible changes. Governance. We have testing of patches before CRs. Governance.

      What we don't have is leaders that lack a spine and should be involved in freak yachting accidents.

    2. FlamingDeath Silver badge
      Trollface

      Out playing golf, doing secret handshakes

      where else?

  3. Banksy

    What a load of rubbish...

    So their IT team doesn't know a patch is available without someone sending an e-mail about it? They don't have patch management software? Individual software packages don't alert IT about patch availability?

    More likely scenario is someone was told not to apply the patch for one reason or another.

    1. Adam 52 Silver badge

      Re: What a load of rubbish...

      I think you are over estimating the effectiveness of patch management software.

      I can't, for the moment, think of any server side frameworks that notify about patches. Vulnerability scanners (and Equifax had one) can only scan what they know about, which is inevitably less than everything.

      1. Alan Brown Silver badge

        Re: What a load of rubbish...

        "I think you are over estimating the effectiveness of patch management software."

        And underestimating the effectiveness of decent trouble ticketing/inventory systems.

        Once systems have been flagged as requiring updates, a decent system will flag a warning if it's not done inside X time limit, which means that the team can look into why it didn't happen - and if someone's ordered it not be updated, there would be an audit trail on that too.

        Trouble tickets aren't just for the endlusers and helldesk.

    2. phuzz Silver badge
      FAIL

      Re: What a load of rubbish...

      It's worse than that! Their IT team clearly don't even read The Register!

      Or any other IT publication that reported the Struts vulnerability come to that.

  4. JerseyDaveC

    Anyone got their auditor's phone number?

    I'd love to be a fly on the wall at their next ISO 27001 audit. Auditor: "You rely on one person for some of your critical patching, and there is globally known evidence that you demonstrably don't have a robust process. That'll be a Major Nonconformity, then ... I'll be back this time next month for you to show me evidence of improvement that convinces me not to take away your accreditation."

    1. smudge

      Re: Anyone got their auditor's phone number?

      Except, of course, that they will have that evidence ready long before the auditor rocks up.

      Now, if a previous audit had identified the problem and told them to deal with the risk, that would be more useful. Especially if they decided to accept the risk :)

      1. Naselus

        Re: Anyone got their auditor's phone number?

        That would be Deloitte...

  5. Dabooka

    What about intrusion detection

    Okay, even assuming his utterly bollocks excuse about 'Gerry in IT forgetting to insert floppy #2' holds some merit, I can't help but think that they clearly lacked in other areas.

    140m people. Think about that for a minute, that's a lot of people. Someone needs to go to the slammer for this but it's more likely to be 'Gerry' than anyone with Chief in their title.

  6. Andy E

    Double failure

    If you take Smith's words at face value then there was a double failure here. One guy failed to notify others to apply the patch and their vulnerability scanning software failed to pick it up. While the human element is fairly easy to fix I'm at a loss to see why their vulnerability scans didn't pick up on the known issue in the months following the release of the patch. Perhaps they aren't updating this software either? Would that make it a triple failure?

    If someone did mess up as Smith says then kudos to him for telling the truth about what happened without naming the individual and taking personal responsibility for it.

    1. netminder

      Re: Double failure

      There is a third failure. They failed to have prevention systems in place. WAFs, properly configured would have stopped the attack since it used known strings.

      But let's all ruin Gerry from security's life and career because we dropped a billion and still couldn't stop the simple stuff.

      1. Anonymous Coward
        Anonymous Coward

        Quadruple failure!

        They failed to detect the data being ex-filtrated. Upper management blaming this on one person? No failures there.

    2. Morten Bjoernsvik

      Re: Double failure

      As CEO your main job is to be responsible. You are paid to be there when the shit hits the fan. Kicking downwards definitely not. No respect.

  7. Redstone
    Devil

    Hackers Take Note:

    Every year, when IT Bob is on his two week vacation, Equifax will have no updates and is wide open!

    1. Gustavo Fring

      Re: Hackers Take Note:

      No dumbass ... they get Jillian from reception to step in and fill his shoes. Like when he's off over xmas?

  8. LaFin

    Mgmt investment in multiple layers of security

    In which case this entire chain of questioning has missed the fundamental point of having multiple layers of security so that patching of one component being late/missed does not open all mass data breaches... if this was a small business one might understand, but this is meant to be enterprise architecture and enterprise calls IT. Stinks of years of chronic under investment, and lack of understanding (or care) of basic security principles. CEO and CIO asses should be hung out to dry, and stop blaming it on the little guy.

  9. fnusnu

    Where have I heard this before?

    Management exonerated, tech(ies) thrown under a bus.

    Oh yes, after every breach.

  10. chivo243 Silver badge
    WTF?

    If I'm ever a CEO

    I will remember this quote:

    Smith's reply was: “That is my understanding, sir.” (My handlers spoon fed me this canned response)

    So, Smith really had no knowledge of the issue, but proceeded to dodge the question's intent, and then shift blame.

    That's a proper corporate screwing...

  11. Potemkine! Silver badge

    Bloody underling!

    I guess that blaming an intern would lack credibility, so the CEO found another scapegoat to try to hide the real scandal about this story: Equifax owns zillions of personal data on people who have no way to know what these data are nor any means to stop Equifax owning them.

    Talking about scapegoats, I would like to thank the EU for the GDPR!

  12. Will Godfrey Silver badge
    FAIL

    A sort of inverted honesty

    He has just proved beyond all possible doubt that he is a lying weasel.

    I doubt even a 5 year old would try to pull something like that and expect to be believed.

    1. Version 1.0 Silver badge

      Re: A sort of inverted honesty

      Typo alert: "He has just proved beyond all possible doubt that he is a lying weasel." should have read "He has just proved beyond all possible doubt that he is a candidate for promotion to upper management."

      1. hplasm
        Holmes

        Re: A sort of inverted honesty

        Typo alert: "He has just proved beyond all possible doubt that he is a lying weasel." should have read "He has just proved beyond all possible doubt that he is a lying weasel AND THEREFORE that he is a candidate for promotion to upper management."

        FTFY

  13. Amorous Cowherder
    Thumb Up

    Yep it was all Fred's fault, no denying!

    Fine, blame that one person, make an example of them, drag them through the courts for as long as they live just to punish them for what they did but know this, it will happen again. I will stake my house on that bet because the management teams allowed themselves to be in a position that made them reliant on just one person, one single point of failure. In IT we live and die trying to avoid the "single point of failure", this is exactly what happens when that is allowed to happen and it goes catastrophically bad.

  14. Anonymous Coward
    Anonymous Coward

    I wonder if this is even true

    This sounds like a system they developed after the fact to insure it wouldn't happen again. Have someone responsible for notifying the right people about the patch, with the sanity check of automated scanning following up in case something goes wrong in the manual process.

    Let's say Bob the sysadmin did notify people that 'struts needs to be patched', along with dozens of other patches that were required that same week, not to mention all the ones that came before, and came after. Knowing what you need to patch isn't the hard part, it is having a process down that lets you actually do it in a timely manner.

    This is a patch that's critical in hindsight, but at the time it wouldn't have looked very important compared to some. There are SO MANY patches coming out from so many sources, I wouldn't be surprised if this was considered lower priority and was in some stage of application (maybe had been applied on a QA system and was sitting in a CR for eventual application in production) but they don't want to admit that because it makes them look bad.

  15. steviebuk Silver badge

    I call bullshit...

    ...and did they question (I haven't watched the video) why there was that single point of failure? That engineer, if the story is actually true. What would have happened if that person was off sick?

    1. chivo243 Silver badge
      Devil

      Re: I call bullshit...

      @steviebuk

      Or hit by a bus? Or thrown under one!

    2. Cynic_999

      Re: I call bullshit...

      Most companies have a plan in place to deal with the times when an employee is absent from work for whatever reason. What they usually don't have is a way of detecting when an employee is at their desk but suddenly failing to do their job. Perhaps his dog died. Perhaps he was just informed that his wife has terminal cancer. There are many reasons why a good & reliable employee can suddenly drop some major balls. Which is why you need at least one person shadowing every vital position.

      One pilot can easily fly a modern airliner but airlines pay for twice as many pilots as are needed to do the job. The other pilot's job is to ensure that the pilot flying the aircraft is doing it correctly.

      1. Anonymous C0ward

        Re: I call bullshit...

        And do you think the likes of Ryanair would continue to do so if regulators didn't insist on it?

  16. streaky

    So..

    1. Run Nessus

    2. ????

    3. Profit!!!

    This can't possibly be how a fortune 1000 company and one of the world's largest holders of critically private personal information secures data. Where's your fucking red team?

    Shit is cultural from the CEO down.

    1. wheelybird

      Re: So..

      Run OpenVAS. It's free and so EVEN MORE PROFIT!!!

  17. Christoph

    Patch checking - initial basic scheme

    All incoming patch notifications shall be logged in a database.

    All applications of that patch shall be logged against that notification.

    All un-applied patches shall be listed, and notifications with increasing levels of urgency shall be sent out the longer the patch is un-applied.

    Hardly rocket science.
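Christoph's scheme above, together with Alan Brown's earlier point about flagging an update that is not done inside a time limit, as an added Python example that is not from any commenter: a ledger that logs notifications, logs applications against them per inventoried host, lists what is still un-applied, and raises the urgency the longer a patch stays open. The inventory, patch ids, dates and escalation thresholds are all constructed.

```python
from datetime import date

# Constructed inventory (host -> components it runs). The report only sees hosts listed
# here, so the scheme is only as good as the inventory is current.
INVENTORY = {"web-01": {"struts"}, "web-02": {"struts"}, "db-01": {"postgres"}}

# Constructed escalation ladder: minimum days outstanding -> urgency label.
ESCALATION = [(0, "info"), (7, "warning"), (14, "critical"), (30, "breach-of-policy")]
REPORT_DATE = date(2017, 5, 13)  # constructed "today" for the worked report


def urgency(age_days):
    level = ESCALATION[0][1]
    for min_days, label in ESCALATION:  # highest rung whose threshold is reached
        if age_days >= min_days:
            level = label
    return level


class PatchLedger:
    def __init__(self, inventory):
        self.inventory = inventory
        self.notifications = {}  # patch_id -> {"component": str, "received": date}
        self.applications = {}   # patch_id -> {host: date applied}

    def log_notification(self, patch_id, component, received):
        self.notifications[patch_id] = {"component": component, "received": received}
        self.applications.setdefault(patch_id, {})

    def log_application(self, patch_id, host, applied_on):
        # Applications are only accepted against a logged notification, so a skipped
        # first step shows up as an error here rather than passing silently.
        if patch_id not in self.notifications:
            raise KeyError(f"{patch_id}: no notification logged for this patch")
        self.applications[patch_id][host] = applied_on

    def affected_hosts(self, patch_id):
        component = self.notifications[patch_id]["component"]
        return {h for h, comps in self.inventory.items() if component in comps}

    def unapplied(self, today):
        """Every (patch_id, host, days outstanding, urgency) still open on `today`."""
        rows = []
        for patch_id, note in self.notifications.items():
            done = set(self.applications[patch_id])
            for host in sorted(self.affected_hosts(patch_id) - done):
                age = (today - note["received"]).days
                rows.append((patch_id, host, age, urgency(age)))
        return rows


def build_example():
    # Constructed history: the Struts notice was applied on web-01 only; the
    # postgres notice arrived two days before REPORT_DATE and is not yet applied.
    ledger = PatchLedger(INVENTORY)
    ledger.log_notification("struts-2017-03", "struts", date(2017, 3, 7))
    ledger.log_notification("pg-2017-05", "postgres", date(2017, 5, 11))
    ledger.log_application("struts-2017-03", "web-01", date(2017, 3, 10))
    return ledger
```

Running `build_example().unapplied(REPORT_DATE)` lists web-02 at 67 days outstanding and already past the top rung of the ladder, alongside the fresh postgres notice at "info".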

    1. Brewster's Angle Grinder Silver badge

      Re: Patch checking - initial basic scheme

      If the first step fails to happen, then the remainder aren't worth the time they took to type.

      1. Christoph

        Re: Patch checking - initial basic scheme

        Yes, it obviously needs more detail - that's why I said initial basic scheme. There's all sorts of bits that need adding to get it resilient, but they don't seem to have managed even that very basic initial setup.

    2. Anonymous C0ward

      Re: Patch checking - initial basic scheme

      It also assumes you have an up-to-date inventory.

  18. Nimby
    Unhappy

    It's 2017 and NO ONE practices basic security yet.

    It's sad, but like every breach before it (and undoubtedly every breach after) by every major company and/or government agency, basic concepts of security that are industry-known were just plain ignored. Every single one has been and will be a "WTF?!" moment, and this one is no exception to that by any means.

    Of course with limited-to-no accountability, is this really a surprise? Expect much more of the same in the future. As long as the government does so little, so will the children it herds. We have ridiculously complex building codes for planning/building a house to keep people safe, but we have next-to-nothing for critical life-impacting data storage.

    What makes this one worse than all of the others is that it did not even involve "customers", as that would imply people signed up to something. No, this is a company that you can't even opt out of. They nom nom nom all your data to provide a questionable "service" and too bad to you.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's 2017 and NO ONE practices basic security yet.

      At least their details will be out there too.

    2. Rasslin ' in the mud

      Re: It's 2017 and NO ONE practices basic security yet.

      Speaking from many years' experience with building codes and building inspectors, I assure you those aren't useful as models for how to manage anything unless you propose to cite them as bad examples.

  19. wolfetone Silver badge

    I wonder if the sole Equifax employee that's "to blame" for this has also been forced into retirement or is still on the payroll waiting for his P45?

    Capitalism is a wondrous thing when the CEO gets to retire, wipe his hands of the whole sorry mess on a lovely pension while he throws the staff under him under the Pirellis of a bus.

    1. Anonymous Coward
      Anonymous Coward

      I hope he has kept all the passwords secret, maybe he will do us a favour and shut all the servers down before he leaves.

  20. DainB Bronze badge

    Not plausible

    If they have in-house admins looking after such a critical piece of infrastructure as an externally facing website I do not believe for a second that those people would miss a patch for systems they know and care about. Just not possible.

    Now if we consider that there might be someone in India, Romania or other proverbial Mongolia who is supposed to be looking after the web farm but would not give two shits (or simply not be allowed to do anything) without an SR and CR which were never logged, it makes much more sense.

  21. Chairo
    FAIL

    He laid the blame

    how lame!

  22. Anonymous Coward
    Anonymous Coward

    Responsibility

    I always thought the logic for directors being paid so much was that they were responsible.

    Therefore he was acting fraudulently and should repay everything he earned.

  23. Anonymous Coward
    Anonymous Coward

    Only one

    Of course there was only one person responsible, the rest were outsourced a long time ago.

  24. 0laf
    Trollface

    Yes it was one "Lone Wolf"! His CV was so good as well, he'd been working previously on security for Talk Talk, wireless infrastructure for TK Maxx and before that designed diesel emission systems for VW.

    It's almost like this guy is a professional blame hound.

  25. Richard Pennington 1
    Pirate

    Next question

    OK, how do I go about cutting all links with any company who sends my data to Equifax?
