Free Republic
Browse · Search
News/Activism
Topics · Post Article


Equifax Chief Information Security Officer Was An Affirmative Action Hire
thelibertyconservative.com ^ | September 13, 2017 | Alex Witoslawski

Posted on 09/16/2017 8:01:50 PM PDT by grundle

Following a security breach that exposed the credit information of 143 million people to hackers, it was revealed that Equifax Chief Information Security Officer Susan Mauldin was a music major in college.

Equifax, which is a credit reporting agency, hired Mauldin as their Chief Information Security Officer in 2013. Previously, Mauldin was the Senior Vice President and Chief Security Officer at First Data Corporation until 2013. Prior to that, she was also SunTrust Banks’ Group Vice President from 2007 to 2009.

How she got any of these positions, or the skillset required for them, is still an open question considering her educational background. According to her LinkedIn, Mauldin did not have any technology or security credentials. Instead, she got a bachelor’s degree and a Master of Fine Arts degree in music composition from the University of Georgia.

There’s been virtually no coverage of Mauldin’s credentials following the security breach but, as ZeroHedge has pointed out, Equifax scrubbed Mauldin’s LinkedIn and took down videos and podcasts with her. Since then, Mauldin has resigned from her position as Equifax’s CISO.

Could this all have been done in an attempt to hide that the individual that Equifax put in charge of protecting 143 million Americans’ credit information was an affirmative action hire meant to meet some quota?

That still remains to be seen, though we do know that Equifax, like most other major corporations, has diversity programs in place – indicating that their hiring process may also put a premium on women and racial minorities over white men. This is supported by the fact that the security breach and the handling of it since then both indicate that Susan Mauldin had no idea what she was doing.

As Lily Hay Newman at Wired and security journalist Brian Krebs have documented, Equifax committed an embarrassing series of mistakes that led to the security breach and then left multiple vulnerabilities in the following months.

The breach itself happened because Equifax was using an old web application that had not been updated – despite the fact that a security update that would have prevented the breach was made available two months prior to the incident. Following the breach, Equifax took six weeks to notify the public that it had occurred. Then, they set up a web portal for handling credit disputes with the username of “admin” and the password of… you guessed it, also “admin.”

But hey – diversity is our greatest strength, right?


TOPICS: Miscellaneous
KEYWORDS: equifax; mauldin; securitybreach; susanmauldin
To: Garth Tater

> Where do you work?

That would be a damn fool thing for me to tell you.


41 posted on 09/17/2017 3:54:22 AM PDT by JohnyBoy (We should forgive communists, but not before they are hanged.)
[ Post Reply | Private Reply | To 38 | View Replies]

To: A strike

Read my other posts. I am primarily talking about how Apache Struts should be implemented in an enterprise programming environment.


42 posted on 09/17/2017 4:05:30 AM PDT by proxy_user
[ Post Reply | Private Reply | To 31 | View Replies]

To: JohnyBoy
Kind of like telling me and everyone else on the web that your employer currently has unpatched web servers :)
43 posted on 09/17/2017 4:06:16 AM PDT by Garth Tater (Gone Galt and I ain't coming back.)
[ Post Reply | Private Reply | To 41 | View Replies]

To: Garth Tater

> Kind of like telling me and everyone else on the web that your employer currently has unpatched web servers :)

Why ask me then? Do you enjoy causing people grief?


44 posted on 09/17/2017 4:23:31 AM PDT by JohnyBoy (We should forgive communists, but not before they are hanged.)
[ Post Reply | Private Reply | To 43 | View Replies]

To: JohnyBoy
Maybe to get you thinking about what you did when you outed your employer's web servers so you don't do it again...

You can thank me later.
45 posted on 09/17/2017 4:29:51 AM PDT by Garth Tater (Gone Galt and I ain't coming back.)
[ Post Reply | Private Reply | To 44 | View Replies]

To: Garth Tater

>Maybe to get you thinking about what you did when you outed your employer’s web servers so you don’t do it again...

I haven’t outed anyone. You, on the other hand, tried to bait me into it. Which I consider a malicious act.

>You can thank me later.

I tell you what, why don’t you post your home address so I can come over and personally thank you. I’ll bring a bottle of 12 year old single malt and some cigars. Which I’ll consume after I get done “thanking” you good and proper.


46 posted on 09/17/2017 4:38:42 AM PDT by JohnyBoy (We should forgive communists, but not before they are hanged.)
[ Post Reply | Private Reply | To 45 | View Replies]

To: grundle

Just in time for the season premiere of Mr. Robot.


47 posted on 09/17/2017 4:41:15 AM PDT by mad_as_he$$ (Not my circus. Not my monkeys.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user

Major fail of the open source community. Typically they are very good at self policing.


48 posted on 09/17/2017 4:43:52 AM PDT by mad_as_he$$ (Not my circus. Not my monkeys.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: gaijin

Sweet music—to hacker’s ears!


49 posted on 09/17/2017 4:59:27 AM PDT by cgbg (Hidden behind the social justice warrior mask is corruption and sexual deviance.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: proxy_user
As it turned out, the problem was apparently caused by sloppy development and implementation practices. Good code management is what was needed, and this is a purely operational issue.

Equifax said they knew of the patch, but haven't mentioned why it wasn't applied. They are still investigating. One theory I've read is the programming code needed to be tested before applying the patch to the live server. Maybe they couldn't get the code to work with the new patch and made a business decision to keep it online. It's unbelievable they would do this with an internet facing server.

50 posted on 09/17/2017 5:21:28 AM PDT by EVO X
[ Post Reply | Private Reply | To 14 | View Replies]

To: central_va

Yes, and in the first instance, there must be a desire, to be on guard, to have a defensive attitude. Maintenance of the status quo failed.

BTW...... if you make it to Abington, call me and we’ll have lunch


51 posted on 09/17/2017 5:27:52 AM PDT by bert (K.E.; N.P.; GOPc;WASP .... The Fourth Estate is the Fifth Column)
[ Post Reply | Private Reply | To 11 | View Replies]

To: EVO X

You have to understand how Struts is used in a J2EE environment in order to understand what difficulties they may have been facing. If you don’t know which applications use Struts, or which version of Struts was built into each application, then updating the Struts jars in all the impacted applications is very difficult.

If you run a happy-go-lucky environment, this is how things will end up.


52 posted on 09/17/2017 5:28:51 AM PDT by proxy_user
[ Post Reply | Private Reply | To 50 | View Replies]
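The point in the post above, that you cannot update Struts across an enterprise until you know which applications bundle it and at which version, is an inventory problem, and it is the same question Justa later frames as "are we running old software with open vulnerabilities?". The script below is an added example, not code from this thread, from Equifax or from the Apache Struts project. It walks a deployment directory, opens every .war/.ear/.jar it finds (including archives nested inside other archives, as in an EAR holding a WAR) plus exploded directories, and reports each struts2-core jar with its version. The version ranges it classifies against are those of the Struts advisory published in March 2017 (CVE-2017-5638: 2.3.5 through 2.3.31 and 2.5 through 2.5.10 affected, fixed in 2.3.32 and 2.5.10.1); the thread only gives the March 7, 2017 date, so tying it to that CVE is the editor's identification, not the page's. The application names, directory layout and sample archives are constructed for the example.

```python
"""Inventory struts2-core jars bundled in deployed Java applications.

Added example; not Equifax's, the thread's or the Struts project's code.
Sample deployments are constructed in a temp directory for illustration.
"""
import io
import os
import re
import tempfile
import zipfile

# struts2-core-2.3.31.jar -> version from the name; struts2-core.jar -> manifest fallback
STRUTS_JAR = re.compile(r"^struts2-core(?:-(\d+(?:\.\d+)+))?\.jar$")
ARCHIVE_SUFFIXES = (".war", ".ear", ".jar")


def parse_version(text):
    """'2.3.31' -> (2, 3, 31), so ranges can be compared tuple-wise."""
    return tuple(int(part) for part in text.split("."))


def status_for(version):
    """Classify against the CVE-2017-5638 affected ranges (Apache S2-045 advisory)."""
    v = parse_version(version)
    if (2, 3, 5) <= v <= (2, 3, 31) or (2, 5) <= v <= (2, 5, 10):
        return "VULNERABLE"
    if v < (2, 3, 5):
        return "UNSUPPORTED"  # predates the affected range but is long end-of-life
    return "patched"


def version_from_manifest(jar_bytes):
    """Fallback for a renamed jar: read Bundle-Version / Implementation-Version."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^(?:Bundle-Version|Implementation-Version):\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def record(findings, location, name, jar_bytes):
    """Append a finding if `name` is a struts2-core jar; return whether it was."""
    m = STRUTS_JAR.match(name)
    if not m:
        return False
    version = m.group(1) or version_from_manifest(jar_bytes)
    findings.append((location, version or "unknown",
                     status_for(version) if version else "UNKNOWN"))
    return True


def scan_archive(findings, location, data):
    """Recurse into a zip-based archive (war/ear/jar) held in memory."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with archive:
        for entry in archive.namelist():
            base = os.path.basename(entry)
            if not base.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            inner = archive.read(entry)
            inner_loc = f"{location}!/{entry}"
            if not record(findings, inner_loc, base, inner):
                scan_archive(findings, inner_loc, inner)


def scan(root):
    """Return [(location, version, status)] for every struts2-core jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not record(findings, path, name, data):
                scan_archive(findings, path, data)
    return findings


def _jar_bytes(entries):
    """Build an in-memory zip/jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_deployments(root):
    """Constructed sample: four applications with different Struts exposure."""
    lib = "WEB-INF/lib/"
    app1 = _jar_bytes({lib + "struts2-core-2.3.31.jar": _jar_bytes({})})   # vulnerable
    app2_war = _jar_bytes({lib + "struts2-core-2.5.10.1.jar": _jar_bytes({})})  # patched
    app2 = _jar_bytes({"app2.war": app2_war})                              # WAR inside EAR
    app4 = _jar_bytes({lib + "commons-io-2.5.jar": _jar_bytes({})})        # no Struts
    for name, data in (("app1.war", app1), ("app2.ear", app2), ("app4.war", app4)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    # app3: exploded deployment whose jar was renamed; only the manifest carries 2.3.20
    lib_dir = os.path.join(root, "app3", "WEB-INF", "lib")
    os.makedirs(lib_dir)
    with open(os.path.join(lib_dir, "struts2-core.jar"), "wb") as fh:
        fh.write(_jar_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nBundle-Version: 2.3.20\r\n"}))


def demo():
    """Build the constructed sample in a temp dir, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="struts-inventory-")
    build_sample_deployments(root)
    return scan(root)


if __name__ == "__main__":
    for location, version, status in demo():
        print(f"{status:12} {version:10} {location}")
```

Run `scan()` against a real deployment root (for example the application server's deploy or webapps directory) and the output is the list the post says most shops lack: every application carrying Struts and the version it carries. Two caveats a practitioner would add: a version in a filename or manifest is only a claim, so shaded "uber" jars that repackage Struts classes under another name will be missed, and a jar can sit in a shared server lib directory rather than inside the application, so the scan root must include those as well.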

To: JohnyBoy
I tell you what, why don’t you post your home address so I can come over and personally thank you. I’ll bring a bottle of 12 year old single malt and some cigars. Which I’ll consume after I get done “thanking” you good and proper.

The 90's called, and they want their "flame war" back.

53 posted on 09/17/2017 5:30:20 AM PDT by The Duke ( Azealia Banks)
[ Post Reply | Private Reply | To 46 | View Replies]

To: proxy_user

“I’m sure if you asked a high-level manager: “Do your systems use Struts?” he would have answered “I don’t know; what is Struts?” Thus these problems....”

It’s usually covered by the questions “when was the last time our code was patched and updated? Are we running old software with open vulnerabilities?” Two questions which are entirely in the purview and responsibility of a CSO.


54 posted on 09/17/2017 5:35:59 AM PDT by Justa
[ Post Reply | Private Reply | To 10 | View Replies]

To: proxy_user

I’ve been retired for a few years, but I remember what a headache Java can be. You have a multi million dollar vendor platform running Java. We couldn’t just update client desktops with the latest version of Java because it often wouldn’t work. We had to wait for the go ahead which was often several weeks. In the meantime you now have an active threat vector in the organization.


55 posted on 09/17/2017 5:42:38 AM PDT by EVO X
[ Post Reply | Private Reply | To 52 | View Replies]

To: proxy_user
As it turned out, the problem was apparently caused by sloppy development and implementation practices. Good code management is what was needed, and this is a purely operational issue

The company I work for is an IT vendor (VAR) for a major, international US-based bank, and you know their name, it's in the news a lot. We sell and deploy them infrastructure, primarily servers and storage. Several times each year, we get security bulletins from their "Risk Management" team. In this case, the vulnerability was discovered on March 7th, 2017. On March 14th, we received a security bulletin notifying us (and all of their IT vendors) of the ASF Struts vulnerability, and asking us to certify if our equipment and software contained this vulnerability, and if so, we needed to detail our plan to assist them with patching the vulnerability when a fix was published and available.

They do the same thing internally across all development teams. And you are correct, this is an operational issue. This kind of process, or something similar, should've been in place at Equifax, and I'm speculating that there was nothing of the sort. It is not unreasonable to expect that the CISO at Equifax would ensure operational processes like this are in place. It's her responsibility to do so, and if she learns those processes are not being followed, heads roll. That's leadership, and it's not specific to IT Security.

These types of problems, lack of procedures and sound policy, are why auditors exist. I'd be curious to learn the frequency and results of recent IT Security audits. She came from First Data, where there are constant internal and external IT Security Audits taking place for SOX and PCI compliance. Those should've been happening at Equifax as well, and they damn sure should've covered the operational topic of "Patching Application Servers".

Others in this thread have indicated their belief that this CISO is being treated unfairly. I disagree. Ultimately this was a failure of leadership, which was her primary responsibility and which she failed to provide. She was there 4 years, and that's plenty of time to understand what is happening, operationally, within the organization she was tasked to lead.

While we can rest assured that government, on all levels, is operationally indifferent and unaccountable for securing the personal data of the public, hopefully members of the Board of Directors at every other organization (credit bureaus, banks, healthcare orgs, online merchants) storing consumer/customer data are now wondering what's on their CISO's resume, and will be asking their CEO next week if that person is, as Gunny Hartman says, "fit to pack the gear and serve in my beloved Corps".

56 posted on 09/17/2017 6:22:52 AM PDT by Hat-Trick (Do you trust a government that cannot trust you with guns?)
[ Post Reply | Private Reply | To 14 | View Replies]

To: EVO X
Equifax said they knew of the patch, but haven't mentioned why it wasn't applied. They are still investigating. One theory I've read is the programming code needed to be tested before applying the patch to the live server. Maybe they couldn't get the code to work with the new patch and made a business decision to keep it online. It's unbelievable they would do this with an internet facing server.

Bingo. Also unbelievable is that shortly following their "discovery" of the problem on July 29th, three of their executives sold almost $2 million worth of their Equifax stock holdings, now known because of the required SEC filings for insider transactions.

I personally find that much more egregious than a CISO who was a music major in college. But, maybe the guy who would hire an unqualified CISO is the same kind of guy who would sell his stock before he knew it was going to tank because of this kind of crap.

57 posted on 09/17/2017 6:34:12 AM PDT by Hat-Trick (Do you trust a government that cannot trust you with guns?)
[ Post Reply | Private Reply | To 50 | View Replies]

To: proxy_user

It’s not been good for the last few years, far too many major security flaws in OSS. The whole argument of “security through transparency” is basically trash at this point (imho). It seems good security practices coupled with “security through obscurity” wins - Apple being a good example, even Microsoft has been far better lately.


58 posted on 09/17/2017 6:46:52 AM PDT by fuzzylogic (welfare state = sharing consequences of poor moral choices among everybody)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Hat-Trick
This is beginning to appear like what happened with the Oroville dam spillway failures. Maybe this was years in the making and their platform worked until it didn't. It is hard to believe they knew about the patch and left the system unpatched for several months until it got hacked.

It is hard to believe that corporate officers wouldn't be told about the hack. It was 3 days between the hack and when the first sale occurred. Two of them appear to be officers for IT related businesses. It is hard to believe the CFO wouldn't be told either.

59 posted on 09/17/2017 7:13:52 AM PDT by EVO X
[ Post Reply | Private Reply | To 57 | View Replies]

To: EVO X

Yep - this smells, looks, walks, and quacks like a duck.

If I’m investigating, a subpoena for emails going back to March 7th, 2017 for the entire C-suite.


60 posted on 09/17/2017 9:47:59 AM PDT by Hat-Trick (Do you trust a government that cannot trust you with guns?)
[ Post Reply | Private Reply | To 59 | View Replies]


