Interesting People mailing list archives
Re NYTimes: Equifax Says Cyberattack May Have Affected 143 Million Customers
From: "Dave Farber" <farber () gmail com>
Date: Fri, 8 Sep 2017 07:40:27 -0400
Begin forwarded message:
From: Peter Thoenen <peter.thoenen () yahoo com>
Date: September 8, 2017 at 4:42:36 AM EDT
To: "dave () farber net" <dave () farber net>
Subject: Re: [IP] NYTimes: Equifax Says Cyberattack May Have Affected 143 Million Customers
Reply-To: Peter Thoenen <peter.thoenen () yahoo com>

Dave:

From a private mailing list I'm on. I did not write this, and I bcc'ed the author if he wishes attribution (he can email you if so), but def a good take on this.

-Peter

---------- Forwarded message ----------
From: xxxxxx
Date: Thu, Sep 7, 2017 at 6:48 PM
Subject: Responding to the Equifax breach the right way
To: xxxxx

So as everyone's seen, there's a huge Equifax breach of 143M Americans:
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

"Criminals gained access to certain files in the company's system from mid-May to July by exploiting a weak point in a website application, according to an investigation by Equifax."

I'm getting pretty numb to "massive breach" headlines, but what I'm starting to care about more each time is how we (collectively) respond to such an event, and what happens to companies who undergo them. There's going to be strong pressure for people to abandon Equifax and to punish them for their breach. But regardless of whether punishment is merited, it seems like the best outcome of this event would be for Equifax and the industry (and the entire security community) to learn from this and just get better at security.

I think it's also important not to just kneejerk destroy a company for admitting a breach, or companies will (continue to) go to great lengths to avoid ever exposing that a breach has occurred. We should want to know about these things, and we should want to learn what processes to change or defenses to prioritize.
The ideal would be for Equifax to publish a full (public) root cause analysis and post-mortem of the event -- the nature of the attack, a timeline of events, what problems and processes contributed to the vulnerability, and what changes they've made (technically and procedurally) to fix it. That's the sort of thing that most large companies scream bloody murder about doing, and they would probably need...incentives...to do it, but this is the approach that I see in the parts of the industry that are fixing things the fastest.

For a great recent-ish example of this, GitLab did a post-mortem of a fairly catastrophic outage event where they lost a day's worth of data, and almost lost months' worth of data because all of their backup processes failed:
https://about.gitlab.com/2017/02/10/postmortem-of-database-outage-of-january-31/

That's a particularly engineering-focused writeup by an engineering-focused company. Another example is from the web PKI, where certificate authorities who issue bad certificates are strongly encouraged by Mozilla to publish a public root cause analysis and timeline of the issue. Here's one by PKIOverheid, which is the Dutch Government's PKI authority:
https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/W1D4oZ__BwAJ

That post by PKIOverheid engendered a lot of goodwill for them, by the technical community but also by their direct overseers that are in control of their trust -- Mozilla, Google, and others.

When companies experience technical failures, an important way of predicting whether they are likely to continue to be trustworthy is to see how they handle explaining those failures, and how well they even understand what happened to them and how to fix them. Demonstrating this publicly is key to maintaining public trust, which is certainly what certificate authorities need to have, but also very much what a company with 143 million Americans' PII needs to have. So I hope we ... take this as an opportunity to change the norms around public disclosure and analysis of security events, rather than just a public shaming.

-- xxx

From: Dave Farber <farber () gmail com>
To: ip <ip () listbox com>
Sent: Thursday, September 7, 2017 9:43 PM
Subject: [IP] NYTimes: Equifax Says Cyberattack May Have Affected 143 Million Customers

https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?smprod=nytcore-ipad&smid=nytcore-ipad-share

"Criminals gained access to certain files in the company's system from mid-May to July, according to an investigation by Equifax."