More Questions Raised After Equifax CIO, CSO 'Retire'Some Security Professionals Blast Criticism of Outgoing CSO Over Her Music Degrees
In the wake of revealing a massive data breach, Equifax has announced that its CIO and CSO "are retiring" immediately.
See Also: A Fresh Look at API Security
On Friday, Equifax issued a statement saying that "effective immediately" it has appointed Mark Rohrwasser, who joined the company last year as its head of international IT operations, as interim CIO, and Russ Ayres, a vice president in its IT group, as interim CSO, reporting to Rohrwasser.
Equifax's curious choice of language - spinning the removal of its key technology officials as a retirement, rather than saying they had been fired - has led some observers to question whether the credit reporting agency was taking its breach seriously enough.
The company has warned that 143 million U.S. consumers' names, Social Security numbers, birthdates, addresses and in some instances driver's license numbers were exposed, as well as 209,000 of their credit card numbers and additional personal information relating to 182,000 consumers. An estimated 400,000 British residents were also affected, as well as an unspecified number of Canadian consumers.
Equifax faces numerous class-action lawsuits in the United States and Canada, Congressional probes and a Federal Trade Commission investigation as a result of its breach (see Top Democrat Likens Equifax to Enron as FTC Launches Probe).
In response, Equifax CEO Richard Smith last week took to USA Today, where he wrote a column promising to do better (see Equifax CEO: 'We Will Make Changes').
On Monday, the Justice Department announced that it has opened an investigation into the timing of stock sales by senior Equifax executives, Bloomberg reports, adding that the U.S. Securities and Exchange Commission and the U.S. Attorney in Atlanta are also participating in the probe. The three executives, including the CFO, collectively sold Equifax stock worth almost $1.8 million in early August after the breach was discovered but before the company issued a public breach notification. Equifax has claimed the executives did not know about the breach at the time of their stock sale.
New Breach Details Disclosed
Equifax on Friday released more details about the breach, which it believes began May 13 and continued unchecked for 77 days.
On Saturday, July 29, according to the update, "Equifax's security team observed suspicious network traffic associated with its U.S. online dispute portal web application," prompting the team to block the suspicious traffic and investigate further. It says the security team found "additional suspicious activity" the next day, at which point it took the web application offline.
"The company's internal review of the incident continued," according to Equifax. "Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online."
On Aug. 2, Equifax hired FireEye's incident response group Mandiant to conduct a digital forensic review.
Equifax acknowledged that the exploited flaw in its open source Apache Struts software had been patched by Apache in early March, at which time Apache issued security alerts, urging all users to upgrade immediately in the face of in-the-wild attacks. But the company has suggested that the portal in question somehow fell through the cracks (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
"Equifax's security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure," Equifax says. "While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing. The company will release additional information when available."
To help with damage control, Equifax has hired press relations firm Edelman, part of DJE Holdings. "As has been reported publicly, Equifax has engaged a subsidiary of DJE Holdings to support the communications response to the recently announced cybersecurity incident," Wyatt Jefferies, senior director of PR for one of Equifax's divisions, told PR Week on Thursday. "Outside of that, we do not disclose specific details of agency partnerships."
Crisis management experts recommend that all organizations put in place a data breach response plan in advance of any incident so that they can respond more quickly. Equifax did not immediately respond to a request for comment about whether it had an incident response plan, or external incident response and crisis management relationships, prepared in advance of its breach.
Security Experts Slam CSO's Critics
Meanwhile, now-former CSO Susan Maudlin has come under fire from many observers because she did not hold a technical degree - for example, in computer science - but rather music composition degrees.
"Equifax hired a music major as chief security officer and she has just retired," read the title of an opinion column by journalist Brett Arends, published by Marketwatch. He asks "if anyone at the company has been involved in efforts to cover up Susan Mauldin's lack of educational qualifications since the data breach became public." Curiously, his column levels no such criticism at outgoing Equifax CIO Webb, who holds a degree in Russian as well as an MBA. Arends, meanwhile, could not be immediately reached for comment about whether he holds degrees in journalism or finance.
Many information security experts swiftly denounced any attempts to tar and feather a security or technology professional on the basis of his or her degrees or certifications.
"For the last few days I have witnessed the unabashed trashing of Susan Maudlin ... of Equifax," Jerry Archer, the CSO at consumer banking giant Sallie Mae, says in a LinkedIn post. "I don't know Susan, but as security professionals, we should push back against the unfounded [criticism] of Susan's bona fides simply because she has a degree in music. That has no bearing on her skills and abilities. By all accounts she has had a stellar career. And at this point there are no facts to support that she was directly to blame. She deserves a fair investigation."
Archer says that having a degree in a science, technology, engineering or mathematics discipline does not prove anything, including if someone has the critical thinking skills or "experience and judgment" required to be a top-notch CISO position.
Speaking as a self-described first-generation CISO, he notes that he and his peers became chief information security officers at a time when there were no cybersecurity degrees. Along the way, he adds, they learned that as executives, they could manage risk, but not eliminate it.
"We all know that tools are imperfect, that patching sometimes is faulty, that a hiccup can miss something," Archer writes. "That's why we layer defenses and caveat what we do. We are fighting smart adversaries who are well resourced. Last I checked, nobody has ever won all the battles."
Infosec Pros: Look Beyond Degrees
Other security experts have also criticized anyone who attempts to critique a CISO or CSO on the basis of their degrees.
"Amount of times I've asked folks what their degrees were in before hiring them: 0," says industrial control system expert Robert M. Lee via Twitter (see Power Grid Malware: Don't Freak Out, But Do Prepare).
Incident response expert Matthieu Suiche conducted an informal poll via Twitter, asking if having an information-security-related degree was a good or bad thing, and found that 7 out of 10 respondents don't think it's necessary.
Do you have an InfoSec related academic degree (not certifications) ?— Matthieu Suiche (@msuiche) September 16, 2017
"Attackers surely don't care," Suiche says.