Posted on 09/16/2017 8:01:50 PM PDT by grundle
Following a security breach that exposed the credit information of 143 million people to hackers, it was revealed that Equifax Chief Information Security Officer Susan Mauldin was a music major in college.
Equifax, which is a credit reporting agency, hired Mauldin as their Chief Information Security Officer in 2013. Previously, Mauldin was the Senior Vice President and Chief Security Officer at First Data Corporation until 2013. Prior to that, she was also SunTrust Banks’ Group Vice President from 2007 to 2009.
How she got any of these positions, or the skillset required for them, is still an open question considering her educational background. According to her LinkedIn Mauldin did not have any technology or security credentials. Instead, she got a bachelor’s degree and a Master of Fine Art’s degree in music composition from the University of Georgia.
There’s been virtually no coverage of Mauldin’s credentials following the security breach but, as ZeroHedge has pointed out, Equifax scrubbed Mauldin’s LinkedIn and took down videos and podcasts with her. Since then, Mauldin has resigned from her position as Equifax’s CISO.
Could this all have been done in an attempt to hide that the individual that Equifax put in charge of protecting 143 million American’s credit information was an affirmative action hire meant to meet some quota?
That still remains to be seen, though we do know that Equifax, like most other major corporations, has diversity programs in place – indicating that their hiring process may also put a premium on women and racial minorities over white men. This is supported by the fact that the security breach and the handling of it since then both indicate that Susan Mauldin had no idea what she was doing.
As Lily Hay Newman at Wired and security journalist Brian Krebs have documented, Equifax committed an embarrassing series of mistakes that led to the security breach and then left multiple vulnerabilities in the following months.
The breach itself happened because Equifax was using an old web application that had not been updated – despite the fact that a security update that would have prevented the breach was made available two months prior to the incident. Following the breach, Equifax took six weeks to notify the public that it had occurred. Then, they set up a web portal for handling credit disputes with the username of “admin” and the password of… you guessed it, also “admin.”
But hey – diversity is our greatest strength, right?
I suspect the subpoenas would go much further back in time.
Agreed, because apparently this was their 3rd hack in nearly 16 months.
While it is true that the Struts jars can (and should!) reside in a central directory on the appserver, that is not necessarily the case. If the programmers are allowed to download whatever software they like, and build these jars into their .war files, then they really don’t know what they have and aren’t in a position to fix it.
This is how everything started with J2EE programming and Open Source at most shops. The necessary controls came later. But if you have a lot of legacy applications, you may have a wide variety of open source releases stuffed into your applications, and not even know it.
The only way the auditors can find out what is going on is by taking all the production .war files, unjarring them, and seeing what is inside. This sort of audit is unlikely to happen. Most auditors will just interview developers, asking what their practices and procedures are, and believe what they say. What they say may even be true right now, but will not reflect all the apps that have been moved to production in the past ten or fifteen years.
There are probably automated application scanning tools that will help. But first you have to find all the production servers and the applications - many places can’t even do that.
Come to think of it, all three Obamas were affirmative action hires.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.