The fallout from the massive Equifax data breach continues.
On Friday last week, the beleaguered company announced that its chief information officer and chief security officer were “retiring” with immediate effect.
There has been a huge amount of focus, in the news and on social media, on the fact that Equifax’s outgoing CSO Susan Mauldin had a bachelor’s degree and a Master of Fine Arts degree in music composition, from the University of Georgia.
The insinuation is that Equifax was negligent in putting someone in charge of security with such a background.
I must admit, I feel very uncomfortable with this line of thinking. Criticise a head of security for making lousy decisions, for not doing their job properly… but not because they know their way around an oboe.
A lot of us in the industry, myself included, have no formal education in computer security. Many of us may have learnt about information technology outside of the classroom, have gained knowledge through experience in the field or through self-study. Education does not end at school.
Further than that, I feel uncomfortable with singling any member of the IT department out for blame when a serious breach like the one which hit Equifax occurs, when we simply don’t know the full facts. Sometimes the problem might lie elsewhere – at the board level even, which may not have given the IT team enough resources to ensure that security was being properly maintained.
Shoot me if you like, but I can’t help but think that the vitriol being poured on Equifax’s former CISO wouldn’t be quite so intense if she had been male.
Equifax retire bitch https://t.co/bVtjgqxgcp
— Adam Sigel (@adamsigel) September 15, 2017
— badmem_x86 (@badmem_x86) September 9, 2017
Interesting how everyone's questioning Equifax ex-CSO Susan Mauldin's music degree, while Uber ex-CEO Travis Kalanick dropped out of UCLA.
— John Feminella 🌠 (@jxxf) September 16, 2017
One thing is clearer now, however, and that is just how the hackers managed to break into Equifax’s systems.
Equifax says that the attacker breached its online dispute web portal through a vulnerability in Apache Struts (CVE-2017-5638), enabling unauthorised access to files containing personal information from May 13 through to July 30 2017.
That is obviously an embarrassing revelation for Equifax, as that particular vulnerability was identified and disclosed by US CERT in early March 2017. Equifax admits that it knew about the vulnerability at that time, but for some reason appears to have failed to patch its vulnerable systems.
Of course, the public was only made aware that Equifax had suffered a massive breach on September 7. Many people are probably still completely oblivious that personal information such as social security numbers, dates of birth, names and email addresses have fallen into the hands of online criminals.