A recent conversation with a colleague about information security got me to thinking about the Equifax breach; and namely, the controversy over Susan Mauldin’s college major.
Quite a bit of ado has been made about Mauldin having college degrees in music composition, rather than computer science. Add me to the chorus that notes people with far more useless degrees — for example, broadcast journalism — have made successful careers in computer science.
No, Mauldin’s problem isn’t that she was a music major. Her problem is that she failed in every meaningful way to plan, implement and audit infosec at Equifax.
If you’re going to draw the chief security officer’s paycheck for an organization that holds personally identifiable information for pretty much every adult in America, you can’t screw up as badly as she did.
No System Is Safe … From Ourselves
I want to address, early, one other irrelevancy mentioned any time people talk about security breaches: The idea that no system is safe from a determined attacker.
That is absolutely true. Out there are people with the skills and equipment to get into anything that’s connected to the Internet, and you can’t stop them if they decide you’re next. Just ask Hillary Clinton and Donald Trump.
But that’s not relevant to the Equifax breach. Its security team let a public-facing webserver with direct access to personally identifiable information and a known critical vulnerability sit unpatched for two months before it was exploited, and for four months after that.
That has nothing to do with “no system is safe from exploit.” That has everything to do with “our security practices are hot garbage.” And that is Mauldin’s fault.
Bad Or Worse
Mauldin failed to ensure that even the most fundamental security principles were in play at Equifax. I can determine that just from reading Equifax’s own statements on the matter.
Let’s go to Equifax’s Sept. 15 statement about the incident:
- The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application. …
- The particular vulnerability in Apache Struts was identified and disclosed by U.S. CERT in early March 2017.
- Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.
- While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available.
The online credit dispute portal isn’t some obscure, seldom-visited website that someone stood up for marketing on a whim and then forgot about. It’s clearly one of their most-accessed public-facing assets. At the very least, it’s the obvious place to start looking for exploits, since it accepts form inputs — and file uploads, for Pete’s sake — and clearly has access to data of value.
Thus, if I am to believe Equifax, I have to believe that the security team either did not know that this mission-critical, public-facing resource was using a vulnerable version of Apache Struts, or could not patch the servers in that application.
tl;dr: She Failed
To believe the former, I have to believe that Equifax does not have any sort of governance, management, orchestration or auditing around the assets used to serve the credit dispute portal. Given the level of failures in play here, that’s possible.
But I prefer to believe the latter, because it’s more probable. Sometimes, you can’t immediately apply a patch because it breaks your software.
What you don’t do in that case is ignore the need to patch. You fix the software ASAP. Not patching the server because it’s too hard to fix the software is not an option. But again, if I take Equifax’s statement at face value, and apply the most likely interpretation to it, that appears to be the option Equifax chose.
Mauldin wasn’t responsible for patching individual servers. But she sure was responsible for ensuring they get patched.
It’s possible that within Equifax, security was marginalized. That is, she wanted to create a security-first mindset, but the organization wasn’t willing or able to do so. If so, I think the only reasonable response would be to resign. If you can’t do the job you’re hired to do, don’t stay with that company.
Mauldin instead managed a culture that at best allowed a critical vulnerability in a significant public-facing application to knowingly go unpatched out of operational convenience.
At worst, she had zero control over a mission-critical, highly privileged and public-facing system — a place where every script kiddie on Earth would start an attack.
It’s the CSO’s job to ensure neither of those things are ever the case. Susan Mauldin failed on both fronts.
That’s the problem. Not her college major.