Contributed by SecureWorld
Congress has issued the most detailed report yet on the Equifax data breach, and it is full of lessons for IT security teams.
The report runs 96 pages; here are its top highlights.
5 key Equifax failures, according to Congress
- Overall failure at cybersecurity: “Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.”
- IT management failure: “Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.”
- Big data and legacy systems failure: “Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.”
- Failure to maintain visibility across networks: “Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.”
- Failure at internal and external incident response: “A list of Equifax database owners did not exist. Therefore, Mandiant had to identify and verify database ownership before it was able to begin its analysis… After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed.”
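The fourth failure above is one that any team can turn into a routine check: inventory every certificate that monitoring and inspection tooling depends on, and alert well before expiry instead of discovering the gap months later. The Go program below is an added example written for this article, not code from the report or from Equifax. The host names, the clock date and the 30-day warning window are constructed assumptions. It parses a PEM bundle, computes the days remaining on each certificate at a chosen clock time, skips non-certificate PEM blocks, and flags both expired certificates and those inside the warning window, listing the worst first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertStatus records one certificate's expiry state at a chosen clock time.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int  // negative once the certificate has expired
	Expired  bool // now is past NotAfter
	Expiring bool // still valid, but within warnDays of NotAfter
}

// CheckPEM parses every CERTIFICATE block in bundle and evaluates it against
// now, using warnDays as the early-warning window. Results are sorted so the
// certificates already expired or closest to expiry come first.
func CheckPEM(bundle []byte, now time.Time, warnDays int) ([]CertStatus, error) {
	var out []CertStatus
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or other PEM objects in the same file are ignored
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		expired := now.After(cert.NotAfter)
		out = append(out, CertStatus{
			Subject:  cert.Subject.CommonName,
			NotAfter: cert.NotAfter,
			DaysLeft: days,
			Expired:  expired,
			Expiring: !expired && days <= warnDays,
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DaysLeft < out[j].DaysLeft })
	return out, nil
}

// selfSigned builds a throwaway self-signed certificate for the demo only.
func selfSigned(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle returns a constructed PEM bundle with hypothetical host names:
// one certificate that expired 19 months ago, one about to expire, one healthy.
func SampleBundle(now time.Time) ([]byte, error) {
	var bundle []byte
	for _, c := range []struct {
		cn       string
		notAfter time.Time
	}{
		{"tls-inspection.corp.example", now.AddDate(0, -19, 0)}, // expired 19 months ago
		{"api.corp.example", now.AddDate(0, 0, 10)},            // 10 days left
		{"www.corp.example", now.AddDate(1, 0, 0)},             // a year left
	} {
		p, err := selfSigned(c.cn, now.AddDate(-2, 0, 0), c.notAfter)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	now := time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	bundle, err := SampleBundle(now)
	if err != nil {
		panic(err)
	}
	statuses, err := CheckPEM(bundle, now, 30)
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		state := "ok"
		switch {
		case s.Expired:
			state = "EXPIRED"
		case s.Expiring:
			state = "EXPIRING"
		}
		fmt.Printf("%-8s %-28s notAfter=%s daysLeft=%d\n",
			state, s.Subject, s.NotAfter.Format("2006-01-02"), s.DaysLeft)
	}
}
```

In practice the bundle would be exported from the inspection appliance, load balancer or certificate inventory rather than generated, the check would run on a schedule, and any Expired or Expiring result would page the team that owns the device. Sorting by days remaining keeps the certificate that is already blinding a monitoring tool at the top of the list instead of buried among hundreds of healthy ones.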
Here is the complete report: https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.