Nothing rings more true than point #4 from the Apache Software Foundation Blog:

"4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources." 

It's been a few days now since we were all informed of the breach. The enormity of this is just hard to fathom. Of course, there is not a lot of specific detail about the data that was obtained. Maybe Equifax is taking the high road and assuming that since access was gained, the information was too. A lot of this depends on how the hack occurred. Was one record pulled at a time, or was there full access? If it was one record at a time, then maybe there is some hope for some of us.

There is no other way to look at this than to see it as bad. Bad all around. My first reaction to the news, to be honest, was anger. After spending much of my life administering databases in both the financial and medical industries, this is not acceptable. I have spent some time gathering more details and should be posting them in a day or two.

As much as I hate saying this without actually being part of the company, I am not sure they are responsible enough for the data they have. Their check-impact site looks like a phishing site. It had generic certificates, asks for most of your Social Security number and a last name, is a low-level WordPress (no offense to WordPress meant) site that was quick to put up, returns different results with the same inputs, is not on the Equifax domain, etc. It just doesn't look good. I paid to have Equifax freeze my credit and my PIN was returned in a mmddyyhhmm format, which absolutely floored me. The list goes on.

In the back of my mind I am picturing a company with a pretty rough culture, where get-it-out-the-door is a priority and those who try to enforce standards are a nuisance. I have nothing to back that up; it is just what I imagine it to be.

I have read a lot on social media about getting rid of the credit reporting companies. Personally, I do not think that is a great idea. I believe they do add value. Maybe they shouldn't be as powerful as they are; that I can see. And algorithms never give a complete picture; they just categorize people. Human factors do exist. I also believe there needs to be a better way, as good, earnest people who bump into hard times are judged for what can be an eternity, making their situation even harder to get out of.

From a public relations standpoint I can only imagine the executives and directors are pulling a <facepalm>. There is not much more they could have done to make this worse. They appear to have hired Edelman, which is a global public relations firm. I am not 100% certain of this, but there were indicators on the site they are using for us to check whether we are impacted or not.

Rep. Ted Lieu is requesting a House hearing over the breach.

“In light of recent events, I request the Committee call upon representatives from the “Big Three” credit reporting agencies – Experian, TransUnion, and Equifax – to testify not only on the breach that occurred in May 2017, but also to identify how each company is taking proactive, defensive steps to prevent such breaches in the future.”

Well, "isn't that special," as the Church Lady would say. I get the sense this will not be more than a bunch of fluff. In some circles this is also called lip service. Calling on representatives of the credit reporting agencies? I think he should be calling upon security experts in the industry instead. These representatives will surely give boardroom-level, feel-good sales pitches about their practices. Here are the questions I would like to have answered, if given the opportunity:
  • What government regulations regarding data/information are you required to enforce?
  • Do you consider the people whose information you store as customers, consumers, or products?
  • How was the data stored? Was it in files, a relational database, a NoSQL database, XML, etc.? If it was a relational database, was it Oracle, DB2, Sybase, SQL Server, MySQL, etc.? Yeah, the type of relational database matters to me. If it was a file, what format?
  • Was the PII (Personally Identifiable Information) and PCI (Payment Card Industry) data encrypted? If so, how, and if not, why?
  • Equifax stated it was an application vulnerability. I have to assume the attack was through their website. Was it an Apache Struts vulnerability?
  • Was this XSS vulnerability fixed? (Someone posted recently, with screenshots, that it was not.)
  • Why is non-customer data accessible via a website?
  • Why is my and everyone else's data accessible via a website?
  • Are the web server and the data in the same domain and zone? What infrastructure protections are in place?
  • How is the data accessed via the application? Direct access, stored procedures, views, etc.?
  • If the data is stored in a relational database, what are the permissions for the application user? What authentication type does it use?
  • Who has access to the data?
  • How often do you run penetration tests?
  • Can you provide the results of all of your audits, including Sarbanes-Oxley?
  • What security training do you provide your employees?
  • How are security violations handled?
  • Separately describe social engineering and phishing, if possible. (Trick question to see whether the person answering knows the basics of security.)
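To make the questions about data access paths, application-user permissions and "security layers" concrete, here is an added example in PostgreSQL syntax (not from the post, and not Equifax's actual schema or configuration), showing the weak grant that lets a compromised web tier read every column beside the corrected one that exposes only a yes/no check through a view and a stored function; the table, role and function names are made up.

```sql
-- Constructed example table; a real system would not store the SSN in clear text.
CREATE TABLE consumer (
    consumer_id  bigserial PRIMARY KEY,
    last_name    text    NOT NULL,
    ssn          char(9) NOT NULL,
    dob          date    NOT NULL
);

-- The database role the web application connects as (credential managed elsewhere).
CREATE ROLE web_app LOGIN;

-- WEAK: the presentation layer can SELECT * and walk the whole table.
-- A bug in the web tier becomes full access to every record.
GRANT SELECT, INSERT, UPDATE, DELETE ON consumer TO web_app;

-- CORRECTED: remove direct table access entirely ...
REVOKE ALL ON consumer FROM web_app;

-- ... expose only the non-sensitive columns the application needs through a view ...
CREATE VIEW consumer_public AS
    SELECT consumer_id, last_name
    FROM consumer;
GRANT SELECT ON consumer_public TO web_app;

-- ... and answer the "am I impacted" question with a function that runs with the
-- owner's privileges (SECURITY DEFINER) and returns a boolean, never the row.
-- Parameters are text so the function signature stays unambiguous.
CREATE FUNCTION is_impacted(p_last_name text, p_ssn_last6 text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM consumer
        WHERE last_name = p_last_name
          AND right(ssn, 6) = p_ssn_last6
    );
$$;

-- Functions are executable by PUBLIC by default; lock that down to the app role only.
REVOKE ALL ON FUNCTION is_impacted(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION is_impacted(text, text) TO web_app;

-- After this, "SELECT * FROM consumer" as web_app fails with "permission denied",
-- while "SELECT is_impacted('Doe', '123456')" still works for the lookup.
```

The same layering applies whatever the engine: the question to ask of the application user is not "can it log in" but "what is the worst query it can run once it has".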

...More to come.
