The role of the CISO and the Equifax Breach

CISOs don’t eliminate risk- they help companies manage it. Equifax made poor choices as a company. The CISO was ineffective.

 

I do not know Susan Mauldin, the now-former Chief Security Officer of Equifax, nor can I even tell you what her job was.  That is because the role of Chief Information Security Officer (CISO) remains ill-defined: each company implements the role in different ways and has different expectations.  It may well be that this person did not have the authority to implement policies that would have prevented the breach that revealed records of over 143 million US consumers.

What I can say is this:

The only way you can entirely secure a computer is to destroy it and melt down its components beyond the point that any recovery tool can glean information.  Otherwise, there is always some security risk.  You might be able to sufficiently secure a system such that the risk is so low as to be almost negligible, but to do that usually requires more resources than it will cost to mitigate a breach.

The goal of a CISO is to reduce the expected loss of a security breach to a level acceptable to the management.  Expected loss has many components.  It can include direct financial losses, losses in sales, reputation loss (and thereby future sales losses), stolen IPR, thus impacting product differentiation, and liability associated with stolen customer and partner information.  In a world where information is worth its weight in gold, holding any information secret means that there is a risk it will be revealed.  The decisions of a CISO or her management do not amount to loss due to a single event, but may be recurring losses, either due to expenses to mitigate risk or due to losses from breaches.

Equifax’s business is information about consumers.  That means that they must retain the information necessary to report their findings to their customers, such as banks or employers who are assessing the trustworthiness of an individual.  That can be a lot of information, such as credit card, mortgage, and utility payment histories.  Equifax is a big fat target for information thieves, much the same way the US Office of Personnel Management is (they were breached in 2014).

It has been reported that the information thieves in this case made use of a vulnerability in Apache Struts that had been announced in March.  Equifax stated that they detected anomalous behavior on the 29th of July.  That left a period of roughly four months of exposure. In the grand scheme of things, this is not a long long time for an exposure.  However, because the value of information that was at risk was actually quite high, and because the vulnerability in question was exploitable on the open Internet, there should have been a process in place to rapidly close the bug.  There exist any number of patch management tools that spot open source software updates, and alert the customer.

Should Susan Mauldin have known all of this?  Yes.  Did she?  I don’t know.  Did she have the authority to effect change?  I don’t know, but to be sure she was ineffective because the necessary processes were not in place.  Will this sort of failure happen again?  You can bet on it, but when and how much the loss will be is where CISOs make their money.

Our Nightmare at Newark: TSA was a threat to our security

As you may already know, Newark Airport was in chaos on January 3rd due to a person walking through the exit of the so-called strerile area.  The incident occurred around 5:20pm, around the time that we were sitting down for a dinner snack inside.  Good thing.  We were not to eat on the plane, which was scheduled to leave at 6:50pm.  We boarded the plane, the door was closed but we didn’t go anywhere.  After a time we were told of the breach.  I packed our stuff up.  Anyone who read the accidentally released TSA manual as I did would have known that this would happen once we learned that someone had gotten through.  Sure enough that’s exactly what happened, which led to the scene depicted to the right, because everyone else was doing exactly the same thing.

This led to thousands of people being crammed into the outside normally insecure areas of Terminal C (I say “normally”) because all passenger areas within the terminal were at this moment insecure), an event for which the airport is unprepared.  For one, there aren’t so many bathrooms outside of security.  At Terminal C there are no restaurants.  Furthermore, it was difficult to move about.  Smart and lucky people might have made their way to the AirTrain and perhaps have gotten to Terminal A, where such conveniences could be found.

There were a lot of mistakes made, and many of them have been acknowledged.  However, the biggest one has not.  By evacuating the terminal in the way that they did, the TSA actually created a huge risk to many thousands of people by concentrating them in a small area.  Had a small group of bombers walked into that area, with backpacks, not only could they have killed many people, but they also could have done so and survived.  It would be the height of irony if the only portion of that terminal left intact was the secure part, while thousands were injured or worse.

They might even have been able to get away unscathed. Instead of avoiding the threat, the TSA magnified it by their actions.  Doing nothing would have been less risky.

“But,” you say, “they had to reclear everyone, didn’t they?”  My answer would be that it’s a seemingly nice idea, but it may not be practical.  Here are some things the TSA could have done differently:

  • Use teams of people to clear people at their flights by their gates.  This is human intensive and not particularly easy, but it would have at least kept people from having to leave the secured area, and thus contributing to the risk.  The interesting thing is that the TSA had a whole lot of staff doing a whole lot of nothing while the passengers were exiting the sterile area.  And so they could have implemented this measure in some limited way for flights that were ready to go, where all passengers are accounted for.
  • Work with the airline to cancel flights.  Nobody thought to do this because apparently they didn’t understand the threat.  In fact, Continental representatives contributed to the risk by encouraging people to wait and not rebook (more on this some other time).  Continental needed to position a lot of planes anyway in order to avoid utter chaos in the coming days.
  • Use other terminals and/or buses.  That is, get people to areas that haven’t been compromised, and then move them to planes.  This requires a fair amount of coordination with both the airline and the port authority.  Those buses may not even exist at Newark.

But ultimately, there is no perfect answer to the question because each of these solutions costs money, and that requires that someone measure risk. The risk of letting one person through is at most one plane of several hundred people.  This is so because the cockpit doors are reinforced.  A terrorist might be able to get an explosive on board, but it would be unlikely that he could use it to direct a plane into a population center, which is what Newark Airport Terminal C’s outer areas became.  And there is the risk equation.

Terminal C: Thousands of us were squashed into a small area outside those red marks
Terminal C: Thousands of us were squashed into two levels outside those red marks.

Now you may say that I contributed to the risk by not leaving the area.  True, I did.  Indefensible.  My wife and daughter should be quite upset with me, especially since I work in the business.  Now it’s time for the TSA to own up.  Oh, and it’s not just some local TSA guy who they can hoist this one on.  Once security was breached, the local teams followed procedures in the manual.

Financial Institutions and Passwords

You would think that financial institutions would want individuals to choose really strong passwords that are difficult to guess.  But in at least one very big case, you would be wrong.  What makes a strong password?  Several things:

  • A lot of characters.  The more the merrier.  The only limitation on this is that you have to remember All of That.
  • A lot of randomness.  That is, words in a dictionary are bad, because attackers will often go through dictionaries to attempt to guess passwords.
  • Characters that are not letters or numbers.  This increases the search space, given a certain sized password.

Now let’s review the actual guidance given by a very popular broker:

Your new password must:

  • Include 6-8 characters AND numbers
  • Include at least one number BETWEEN the first and last characters
  • Contain no symbols (!,%,# etc.)
  • Cannot match or be a subset of your Login ID

Examples of valid passwords: kev6in, 2be111, wil1iam

In other words, they’re violating two very big rules.  The 6-8 character rule means that they are limiting the search space, and people cannot put together phrases, which are actually easier to remember than passwords.  Removal of symbols from the search space makes it easier for attackers to perform a dictionary attack.

This site is not alone.  Many sites have the same problem, and it is likely a problem with what their security professionals think is the industry standard.  Well it’s a bad standard.  Who takes on the risk?  In the brokerage world, the chances are that you are assuming at least some risk.