3 Years Later: The Equifax Breach

On September 7, 2017, Equifax issued a breach notification. What was breached? Personal records for a staggering 145 million Americans (a figure later revised to about 147 million), including Social Security numbers, birth dates, addresses, and more. Before the end of the month, Equifax’s CEO, CIO and CSO had all left the company. Eventually, the company would pay at least $575 million under a settlement with the FTC, the CFPB and state attorneys general, $38 million to settle separate suits brought by Massachusetts and Indiana, and at least $1.38 billion to settle a consumer class-action lawsuit. That nearly $2 billion in penalties and settlements doesn’t even count damage to the brand, lost business, and the internal costs of responding to the breach.
Just a few months after the breach, in early 2018, Jamil Farshchi took the vacant CISO position at Equifax, and has spent the last 3 years shoring up the company’s security posture. So, what has changed in those 3 years? In a recent interview, Farshchi pointed to 3 key areas:
Improving systems monitoring
Enhancing the security team’s communication with the C-suite
Changing corporate culture by getting employees to recognize the importance of cybersecurity
To understand the drivers behind these 3 initiatives, it helps to understand how the breach occurred. In March 2017, Equifax was notified of a critical Apache Struts vulnerability (CVE-2017-5638) that let an unauthenticated attacker execute code remotely on any server running a vulnerable version of the framework. Despite a tight 48-hour internal SLA for patching critical vulnerabilities, the Equifax team was unable to find all of the vulnerable systems, so at least one internet-facing application stayed unpatched. Compounding the problem, Equifax had let the digital certificate on the device that decrypted traffic for its security monitoring tools expire nearly a year earlier, and nobody had noticed: an expired certificate there does not stop the traffic, it just stops the tools from seeing it. The result? The team had no ability to decrypt traffic to ..
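The expired certificate is the detail a practitioner should dwell on: a control that fails open because its certificate lapsed looks healthy from the outside. The following is an added example, not Equifax's tooling and not something from the interview: a Go check that walks an inventory of certificates and exits non-zero when any is expired or inside a warning window, so the lapse becomes an alert instead of a surprise during forensics. The system names are hypothetical, and the certificates are self-signed ones constructed in the code so that it runs offline; a real deployment would load the PEM files or pull the leaf certificates from the devices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"time"
)

type Status string // verdict for one certificate at the time of the check

const (
	OK           Status = "OK"            // comfortably inside its validity window
	ExpiringSoon Status = "EXPIRING_SOON" // still valid, but inside the warning window
	Expired      Status = "EXPIRED"       // NotAfter has already passed
)

type Monitored struct { // a certificate and the (hypothetical) system that depends on it
	Name string
	Cert *x509.Certificate
}

type Finding struct {
	Name     string
	Status   Status
	DaysLeft int // negative once the certificate has expired
}

// CheckExpiry classifies each certificate against now and warnWithin, keeping input order.
func CheckExpiry(inv []Monitored, now time.Time, warnWithin time.Duration) []Finding {
	out := make([]Finding, 0, len(inv))
	for _, m := range inv {
		remaining := m.Cert.NotAfter.Sub(now)
		f := Finding{Name: m.Name, DaysLeft: int(remaining.Hours() / 24)}
		switch {
		case remaining <= 0:
			f.Status = Expired
		case remaining <= warnWithin:
			f.Status = ExpiringSoon
		default:
			f.Status = OK
		}
		out = append(out, f)
	}
	return out
}

// selfSigned mints a throwaway self-signed certificate (constructed test data, not a real cert).
func selfSigned(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleInventory: one cert expired ten months ago (the silent fail-open case), one with two weeks left, one with a year.
func SampleInventory(now time.Time) []Monitored {
	var inv []Monitored
	for _, s := range []struct {
		name     string
		notAfter time.Time
	}{
		{"tls-inspection-device", now.AddDate(0, -10, 0)},
		{"vuln-scanner-api", now.AddDate(0, 0, 14)},
		{"internal-web-portal", now.AddDate(1, 0, 0)},
	} {
		c, err := selfSigned(s.name, now.AddDate(-2, 0, 0), s.notAfter)
		if err != nil {
			panic(err) // test fixture only; a real inventory would load PEM files instead
		}
		inv = append(inv, Monitored{Name: s.name, Cert: c})
	}
	return inv
}

func main() {
	now := time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the output is reproducible
	exit := 0
	for _, f := range CheckExpiry(SampleInventory(now), now, 30*24*time.Hour) {
		fmt.Printf("%-22s %-14s daysLeft=%d\n", f.Name, f.Status, f.DaysLeft)
		if f.Status != OK {
			exit = 2 // any finding fails the job so a scheduler or pipeline raises an alert
		}
	}
	os.Exit(exit)
}
```

Run it from cron or a CI job with the real inventory in place of SampleInventory; the non-zero exit status is what turns an unnoticed expiry into a ticket. A 30-day warning window is a sensible default, and the check deliberately treats a certificate on its last warning day as a finding rather than waiting for the hard expiry, because the expiry itself is the moment the control silently goes blind.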
