Saturday, September 16, 2017

Cybersecurity - Equifax Data Breach - Protect yourself with these steps

Dr. Frank Kardasz (Ed.D.) 
Editor: Ava Gozo.
September 16, 2017
Updated September 20, 2018

EQUIFAX – WHAT HAPPENED?

The Equifax data breach incident began in May 2017 and was reported to the public in September.  A timeline of the events can be found here (US House, p.2).  It is being touted as one of the most significant hacks of all time because of the large number of people affected.  

The personal information of 143 million people from the United States and other countries may have been exposed to unauthorized access during the incident.  The information held by the Equifax credit reporting company includes names, dates of birth, social security numbers, addresses and, in some instances, driver’s license numbers (Liedtke, 2017) and credit card information (Smith, 2017).  In the hands of ne'er-do-wells, the information could be used to create false identities, fake credit cards, bogus tax returns, and fraudulent loans and mortgages, and to commit other crimes, including but not limited to harassment, stalking, and cyberbullying.

WHO DID IT?

Those responsible for the hack have not yet been identified, and the investigation continues. The Equifax CEO, to his credit, is accepting responsibility for the crisis, and the company is doing what it can to remediate this difficult situation.

Some sources attribute the breach to a possible nation-state attack, but such attributions are difficult to confirm (Riley M., Robertson J., & Sharpe E., Sept. 29, 2017).  Compounding the intricacies of assigning blame is the ever-present possibility of a "false-flag" operation.

WHO IS NOW IN THE CORPORATE DOG-HOUSE...BUT IRONICALLY...IS ALSO A WINNER?

Equifax is predictably being vilified on several levels and, ironically, is also expected to make money as a result of the situation: 
  • Critics are wondering why Equifax hired a person with a college music degree, and no background in information technology, as their chief security officer (Arends, 2017).
  • Equifax failed to apply a patch to their vulnerable Apache Struts software in March 2017 that would have prevented the May 2017 breach (Sharwood, 2017).
  • Three Equifax executives curiously sold nearly two million dollars worth of their company stock just before the story of the data breach broke (La Monica, 2017).
  • Equifax initially included forced arbitration clauses in the terms of use that customers had to accept in order to obtain free post-breach credit monitoring and identity theft services.  After protests by members of the U.S. Senate Banking Committee the arbitration clause was removed (U.S. Senate, 2017).
  • In the wake of the scandal, at least three executives, including the music major and the CEO, Richard F. Smith, have resigned (Perlroth and Metz, 2017).
  • Twisted irony number one: Equifax is financially associated with Lifelock, a credit protection agency.  Equifax will benefit financially from consumers' increased use of Lifelock because Lifelock pays Equifax for the credit-checking services that it obtains from Equifax (Weiczner, October 4, 2017). 
  • Twisted irony number two: Equifax sells products to government agencies to help them with identity verification, something that could become more important if the breach leads to greater identity theft, as expected.  For example, the IRS signed a new $7.25 million contract with Equifax in September, after the breach was announced (Weiczner, October 4, 2017).
  • Senator Elizabeth Warren summed it up this way: “Consumers will spend the rest of their lives worrying about identity theft, but Equifax will be just fine—heck, it could actually come out ahead” (Weiczner, October 4, 2017).

POLITICS, LEGISLATION & LOBBYING

TransUnion is another credit reporting business whose services are similar to those of Equifax.  While TransUnion was not a victim of the data breach that befell Equifax, it is now lumped in with its fellow credit reporting agencies for the purposes of increased scrutiny, with legislators eyeing additional oversight and regulation for the entire credit reporting industry.

To combat the threat of additional regulation, TransUnion is hiring additional Washington D.C. lobbyists.  According to Tony Romm of Recode:

A spokesman for TransUnion said in an email that it had “engaged additional lobbyists to help us monitor and respond to legislative and regulatory reaction to the Equifax breach announcement” (Romm, October 8, 2017).

=-=-=-=-=-=

Update from the SANS Institute - September 2018:

GAO Report on Equifax Breach (SANS NewsBites. 2018)

A report from the US Government Accountability Office (GAO) found that the company had to look at the attackers’ database queries to determine exactly what information had been compromised. The report found that... 

“While Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected.” 

The misconfiguration was due to an expired certificate.

SANS Institute Editor's Notes (SANS NewsBites. 2018):

[Pescatore]
The GAO report rehashes old news about the Equifax breach, but the section looking at the reactions of government agencies who are Equifax customers had a telling quote: 

“Representatives of IRS, SSA, and USPS noted that they responded to the breach independently of other agencies, because they said it was unclear whether any single federal agency had responsibility for coordinating government actions in response to a breach of this type in the private sector.” 

This points out a hole in the US Federal Government approach to supply chain security – didn’t anyone at DHS or NIST read the news and say “We need to proactively find out all government customers of Equifax and have a coordinated response”??

[Murray]
This report simply supports the conclusions already reached that this breach was caused by the failure of Equifax to adhere to what should be essential practices, not to say basic hygiene, to protect sensitive personal information about its subjects. This information represented the “stock in trade” of Equifax and its competitors. Moreover, its compromise was bound to result in an increase in credit application fraud. That said, Equifax and its two competitors have figured out a way to increase their revenues from the breach (SANS NewsBites. 2018).

[Williams]
... a case can be made that the Equifax breach was a supply chain issue. Equifax didn't add a systems admin to an email list about Struts vulnerabilities, but it also failed to identify the vulnerability in its vulnerability scans, even after the attackers had compromised the system. But if Struts is not deployed in the web root, an analyst must configure the scanner to the Struts URLs to be successful. This combination of failures would seem to imply that Equifax was unaware that this system was using Struts at all (SANS NewsBites. 2018).

[Neely]
Renewing certificates is easy to overlook, particularly in a large enterprise, without an active process watching and alerting on those about to expire (SANS NewsBites. 2018).

Read more in:
- www.theregister.co.uk: Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit

- www.gao.gov: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach (PDF)
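The GAO finding above (an expired certificate quietly disabling traffic inspection) and Neely's note call for a process that actively watches expiry dates. The Python below is an added example, not from the GAO report, SANS or Equifax; it assumes a certificate inventory whose entries are the notAfter lines printed by `openssl x509 -noout -enddate`, uses constructed sample values, and ranks expired and soon-to-expire certificates so the one that has already gone dark is reported first.

```python
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def parse_not_after(line: str) -> datetime:
    """Parse a 'notAfter=Sep 20 12:00:00 2018 GMT' line (the output of
    `openssl x509 -noout -enddate`) into a timezone-aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected line: {line!r}")
    # ssl.cert_time_to_seconds understands exactly this OpenSSL date format
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def expiry_status(not_after: datetime, now: datetime, warn_days: int = 30) -> Tuple[str, int]:
    """Return (status, days_left); days_left is negative once expired."""
    days_left = (not_after - now).days
    if not_after <= now:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "EXPIRING", days_left
    return "OK", days_left


def certificate_alerts(inventory: Dict[str, str], now: datetime,
                       warn_days: int = 30) -> List[Tuple[str, str, int]]:
    """inventory maps a device or service name to its notAfter line.
    Returns (name, status, days_left) for every certificate that is expired
    or within warn_days of expiry, worst first, so an inspection device whose
    certificate has already lapsed sits at the top of the alert list."""
    alerts = []
    for name, line in inventory.items():
        status, days = expiry_status(parse_not_after(line), now, warn_days)
        if status != "OK":
            alerts.append((name, status, days))
    alerts.sort(key=lambda alert: alert[2])
    return alerts


# Constructed sample inventory (hypothetical names and dates, not Equifax's).
SAMPLE_INVENTORY = {
    "ssl-inspection-device": "notAfter=Jan 31 23:59:59 2017 GMT",
    "dispute-portal-edge":   "notAfter=Aug  5 12:00:00 2017 GMT",
    "internal-api-gateway":  "notAfter=Mar  1 00:00:00 2018 GMT",
}
# Evaluation date for the sample: the day Equifax first saw suspicious traffic.
SAMPLE_NOW = datetime(2017, 7, 29, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, status, days in certificate_alerts(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{status:9} {name:24} days_left={days}")
```

Run daily from a scheduler, the alert list is the "active process watching and alerting" Neely describes; a device whose status is EXPIRED should be treated as no longer inspecting traffic until its certificate is replaced.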


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

WHAT CAN YOU DO?

The administrative, criminal and political blame-game related to this disturbing drama can be expected to drag out over the coming months and years.   Meanwhile, here are recommendations from some experts regarding steps that you should consider in response to the breach:

1. Freeze your credit.

A credit freeze allows you to seal your credit reports using a personal identification number (PIN) known only to you. You can later “thaw” your credit when processing legitimate credit applications.  A credit freeze means that criminals cannot establish new credit in your name even if they are able to obtain your personal information (Howard, 2017). Visit this site to learn more about credit freezes: http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/

2. Check your credit reports.

Pursuant to the Fair Credit Reporting Act (15 U.S.C. § 1681), the US government guarantees everyone a free annual credit report from each of the three major bureaus: Equifax, Experian and TransUnion.  Review your credit reports for signs of suspicious activity.  Visit this site to learn more about obtaining your credit reports: https://www.annualcreditreport.com/index.action

3. Beware of fake “credit-repair” services and other scams.

You should expect to receive solicitations, phone calls and emails from cyber-predators phishing for your information, including imposters claiming to be representatives of Equifax or some other bogus credit-repair agency.  Beware of those scammers and be wary about releasing personal information.  Hang up on unsolicited phone calls and do not open attachments to unsolicited emails.

4. Consider free credit monitoring from CreditKarma.com

Creditkarma.com is a free service that provides credit reports from two major credit bureaus along with credit monitoring and other services.  Visit this site to learn more about obtaining free credit monitoring: https://www.creditkarma.com/about/terms

5. Establish a fraud alert with each of the credit agencies

A fraud alert is a free service that notifies you when an account is opened using your identity.  The alert asks potential creditors to verify your identity before approving the credit.  Fraud alerts last for 90 days but may be extended upon request.  

6. If your identity is stolen, make a police report

If you discover that your identity was stolen, file a police report and obtain a report number.  Save the police report number because you may need it in the future to help establish your credibility.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


WHAT IS THE EQUIFAX EXPLANATION?

The Equifax website (2017) describes the situation as follows:

Specific Details of the Incident - from the Equifax website:
  • On July 29, 2017, Equifax’s Security team observed suspicious network traffic associated with its U.S. online dispute portal web application. In response, the Security team investigated and blocked the suspicious traffic that was identified.
  • The Security team continued to monitor network traffic and observed additional suspicious activity on July 30, 2017. In response, the company took offline the affected web application that day.
  • The company’s internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
  • On August 2, 2017, Equifax contacted a leading, independent cybersecurity firm, Mandiant, to assist in conducting a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.
  • Over several weeks, Mandiant analyzed available forensic data to identify unauthorized activity on the network.
  • The incident potentially impacts personal information relating to 143 million U.S. consumers – primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.
  • In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
  • Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries.
  • With respect to the company’s security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements (Equifax, 2017).

Questions Regarding Apache Struts - also from the Equifax website:
  • The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.
  • Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
  • The particular vulnerability in Apache Struts was identified and disclosed by U.S. CERT in early March 2017.
  • Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure.
  • While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available (Equifax, 2017).

STATEMENT OF FORMER EQUIFAX CEO RICHARD F. SMITH

In his October 3, 2017, mea culpa statement to a Congressional Sub-Committee, former CEO Richard F. Smith provided the following insights:
  • We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to (Equifax) information technology personnel.
  • ...the vulnerability remained in an Equifax web application much longer than it should have.
  • ...Equifax’s security tools did not detect this (the attackers') illegal access (Smith, p.3). 

To prevent repeat occurrences, Mr. Smith stated that his successors at Equifax are taking the following actions:
  • ...vulnerability scanning and patch management processes and procedures were enhanced. 
  • The scope of sensitive data retained in backend databases has been reduced so as to minimize the risk of loss. 
  • Restrictions and controls for accessing data housed within critical databases have been strengthened. 
  • Network segmentation has been increased to restrict access from internet facing systems to backend databases and data stores. 
  • Additional web application firewalls have been deployed, and tuning signatures designed to block attacks have been added.
  • Deployment of file integrity monitoring technologies on application and web servers has been accelerated. 
  • The company is also implementing additional network, application, database, and system-level logging (Smith, p.7).
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


WHAT IS THE APACHE STRUTS WEB APPLICATION?

Apache Struts is a free and open-source software framework for developing Java Web applications (Apache Software Foundation, 2016).  Java has been frequently attacked and often found to have weaknesses.  Many expert programmers are moving away from creating or servicing Java-based applications.

CVE-2017-5638 is the identifier assigned to the vulnerability that was exploited in the breach.  The National Institute of Standards and Technology (NIST) describes the vulnerability as follows:
  • The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

The Apache Struts vulnerability is listed as "critical" with a score of "10" (the most severe).  The access complexity is listed as "low", meaning that the exploit could be completed by a relatively unsophisticated attacker.  The NIST web page also provides links to the software patches that should be used to mitigate the vulnerability.
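The NIST version ranges above, Williams' point that Equifax's scanner never knew where Struts lived, and Smith's promised improvements to vulnerability scanning all come down to one defensive question: which hosts carry a struts2-core jar, and is it an affected version? The Python below is an added example, not code from the page, from Equifax or from the Struts project; the jar paths are constructed and hypothetical, and it classifies struts2-core jars found anywhere on a host (not only under a web root) against the ranges quoted from NIST.

```python
import os
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions named in the NVD description of CVE-2017-5638:
# "2.3.x before 2.3.32 and 2.5.x before 2.5.10.1" are affected.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Struts 2 ships its core as struts2-core-<version>.jar; the filename
# carries the version wherever an operator happened to copy the jar.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples then compare numerically."""
    return tuple(int(part) for part in text.split("."))


def struts_version_from_path(path: str) -> Optional[Version]:
    """Version of a struts2-core jar, or None for any other file."""
    filename = os.path.basename(path.replace("\\", "/"))
    match = JAR_RE.match(filename)
    return parse_version(match.group(1)) if match else None


def classify(version: Version) -> str:
    """'vulnerable' or 'fixed' per the NVD ranges; 'review' for branches the
    description does not name, so they are never silently treated as safe."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "review"
    return "vulnerable" if version < fixed else "fixed"


def scan_inventory(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(path, version, status) for every Struts core jar among the given
    file paths; files that are not struts2-core jars are skipped."""
    findings = []
    for path in paths:
        version = struts_version_from_path(path)
        if version is not None:
            findings.append((path, ".".join(map(str, version)), classify(version)))
    return findings


def scan_filesystem(root: str) -> List[Tuple[str, str, str]]:
    """Walk a whole host, not just the web root, and feed every file path
    to scan_inventory."""
    return scan_inventory(
        os.path.join(dirpath, name)
        for dirpath, _, names in os.walk(root)
        for name in names
    )


# Constructed sample inventory (hypothetical paths, not Equifax's); the
# third entry sits outside any web root, the case Williams describes.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/dispute/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "/srv/legacy-portal/lib/struts2-core-2.5.10.jar",
    "/srv/api/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/home/build/cache/struts2-core-2.2.3.1.jar",
]

if __name__ == "__main__":
    for path, version, status in scan_inventory(SAMPLE_PATHS):
        print(f"{status:10} {version:9} {path}")
```

A file-based inventory like this complements a URL-driven scanner: it finds the framework even on a host whose Struts endpoints nobody told the scanner about.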

A search of YouTube videos using the keywords "Apache Struts" revealed several videos by researchers and hackers that demonstrate how to employ the exploit for the purpose of remotely accessing a computer.  Some of those videos appear to have been produced shortly after the vulnerability was first publicized.  It is possible that the attacker could have watched one of the YouTube videos and then used those newly-learned skills to access Equifax.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References

Apache Software Foundation. (2016). Apache Struts. Download page. Retrieved September 17, 2017 from http://struts.apache.org/

Arends, B. (September 15, 2017). Opinion: Equifax hired a music major as chief security officer and she has just retired. Market Watch. Retrieved September 16, 2017 from http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15

Consumer Financial Protection Bureau. (June 7, 2017). How do I get a copy of my credit reports? US Government Consumer Financial Protection Bureau. Retrieved September 16, 2017 from https://www.consumerfinance.gov/ask-cfpb/how-do-i-get-a-copy-of-my-credit-reports-en-5/

CreditKarma.com. (2017). Terms of Service. Credit Karma Inc. Retrieved from https://www.creditkarma.com/about/terms

Equifax. (2017). Cybersecurity Incident & Important Consumer Information. Equifax Inc. Retrieved September 16, 2017 from https://www.equifaxsecurity2017.com/

Fair Credit Reporting Act. 15 U.S.C. § 1681. Retrieved September 16, 2017 from https://www.ecfr.gov/cgi-bin/text-idx?SID=2b1fab8de5438fc52f2a326fc6592874&mc=true&tpl=/ecfrbrowse/Title16/16CIsubchapF.tpl

Federal Trade Commission. (n.d.). Fair Credit Reporting Act. 15 U.S.C. §§ 1681-1681x  Retrieved from https://www.ftc.gov/enforcement/statutes/fair-credit-reporting-act

Howard, C. (September, 2017). Credit Freeze Guide: The best way to protect yourself against identity theft. Retrieved September 16, 2017 from http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/

La Monica, P. (September 8, 2017). Equifax execs sold stock before hack was disclosed. CNN Money. The Buzz. Retrieved September 16, 2017 from http://money.cnn.com/2017/09/08/investing/equifax-stock-insider-sales-hack-data-breach/index.html

Liedtke, M. (September 8, 2017). Equifax Breach Exposes 143 Million People to Identity Theft. Associated Press. Retrieved September 16, 2017 from https://www.edgemedianetwork.com/technology/personal_tech/248687

National Institute of Standards & Technology. (March 10, 2017). CVE-2017-5638 Detail. U.S. Dept. of Commerce. National Vulnerability Database. Retrieved September 17, 2017 from https://nvd.nist.gov/vuln/detail/CVE-2017-5638#vulnDescriptionTitle

Perlroth, N. and Metz, C. (September 16, 2017). Equifax Breach: Two Executives Step Down as Investigation Continues. Business Day. Retrieved September 16, 2017 from https://www.nytimes.com/2017/09/14/business/equifax-hack-what-we-know.html

Riley M., Robertson J., & Sharpe E. (September 29, 2017). The Equifax Hack Has the Hallmarks of State-Sponsored Pros: Investigations into the massive breach aren't complete, but the intruders used techniques that have been linked to nation-state hackers in the past. Bloomberg Business Week. Retrieved from https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

Romm, T. (October 8, 2017). Equifax rival TransUnion has hired cybersecurity lobbyists in Washington, D.C.: It fears regulation after the major cyber intrusion at Equifax, revealed this September. Recode. Retrieved from https://www.recode.net/2017/10/8/16441368/equifax-transunion-cyber-security-hack-congress-lobbyists-regulation

SANS NewsBites. (September 18, 2018). GAO Report on Equifax Breach. Sans Institute. Vol. 20 Num. 074. Retrieved from https://www.sans.org/newsletters/newsbites/xx/74

Sharwood, S. (September 14, 2017). Missed Patch Caused Equifax Data Breach. The Register. Retrieved September 17, 2017 from https://www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/

Smith, R.F. (October 3, 2017). Prepared Testimony of Richard F. Smith before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Retrieved from file:///Volumes/Segate1TB/equifax%20smith%20testimony%20HHRG-115-IF17-Wstate-SmithR-20171003.pdf

U.S. House of Representatives. (October 1, 2017). Hearing entitled “Oversight of Equifax Data Breach: Answers for Consumers”. U.S. House of Representatives Committee on Energy and Commerce. Retrieved from http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-20171003-SD002.pdf

U.S. Senate Committee on Banking, Housing, & Urban Affairs. (September 11, 2017). Following Brown's Urging, Equifax Removes Forced Arbitration From Credit Monitoring, Further Action Needed. Minority Press Releases. Retrieved September 17, 2017 from https://www.banking.senate.gov/public/index.cfm/democratic-press-releases?ID=09C27219-8125-4FD1-A27F-A991E9EAD0BB

Weiczner, J. (October 4, 2017). How Equifax is Making Millions of Dollars off its own Screwup. Fortune. Retrieved from http://fortune.com/2017/10/04/equifax-breach-elizabeth-warren/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Questions for cybersecurity students to consider:
  • What consumer protection laws apply in this situation?
  • What is the Computer Fraud and Abuse Act and does the Act apply in this situation?
  • What is the Fair Credit Reporting Act, 16 CFR § 314, and how does it apply in this situation?  See also:  15 USC Chapter 41, Subchapter III: Credit Reporting Agencies. 
  • Did violations occur that are improper under the Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act), Pub. L. 106-102, enacted Nov. 12, 1999?
  • Is there a requirement to notify law enforcement of the data breach and what is that law?
  • What are the Payment Card Industry (PCI) Compliance standards and how do they apply to this situation?
  • What new laws and regulations should be implemented to prevent future incidents?
  • Former Equifax CEO Richard Smith accepted ultimate responsibility for the breach but also assigned blame to a single (unnamed) person who failed to apply the patch to Apache Struts that might have prevented the breach.  As a supervisor and/or CEO, what oversight systems should you have in place to ensure that the work gets done?
  • How should a CEO handle the public-relations part of this situation?
  • What is vulnerability scanning?
  • What is a "backend database"?
  • What is network segmentation and how does it help to prevent problems like the one that occurred at Equifax?
  • Former Equifax CEO Richard Smith stated, "Additional web application firewalls have been deployed, and tuning signatures designed to block attacks have been added."  What does he mean by "tuning signatures"?
  • How do file integrity monitoring technologies help to protect systems?
  • How does additional network, application, database, and system-level logging help to protect a system?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

HPU CJ1500, ERAU MCMP650, UofP SEC440, AJS572, BCC395, BCC402, BCC401, BCC403 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=