  1. Senior Member
    Join Date
    May 2016
    Posts
    1,560

    Certifications
    ITIL V3 F, ITIL OSA, ITIL ST
    #26
    Quote Originally Posted by beads View Post
    I learned that much of my time pounding silly technical details, and endless number of reasonably difficult exams an MBA and a multi-discipline undergraduate consisting of Computer Science, Mathematics ("minor" with 46 full semester hours and psychology major) could easily be usurped simply going the music path straight to a Fortune 500 CSO position!

    Also enjoy all those "professional" titles in the background. Now, if that doesn't lend some credibility to the career cover up I don't know what does!

    Music school here I come!

    - b/eads
    Great post. Pig snorted at my desk after reading this. Then Cyber followed it up with that beauty.

    Good day..... Good day indeed....

    I sent her a friend invite on LinkedIn. I am going to recommend Security + if she accepts.
    Position: Data Junky
    Reformed Cert Addict.

  3. There is no spoon. p@r0tuXus's Avatar
    Join Date
    Nov 2016
    Location
    KCMO
    Posts
    506

    Certifications
    ITIL-F, A+, S+, CCNA
    #27
    Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.

    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE

  4. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    256
    #28
    Quote Originally Posted by p@r0tuXus View Post
    Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
    Speaking of which.... how is that NOT insider trading?

  5. Senior Member
    Join Date
    May 2016
    Posts
    1,560

    Certifications
    ITIL V3 F, ITIL OSA, ITIL ST
    #29
    Quote Originally Posted by p@r0tuXus View Post
    Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
    She sounds like an honest person.......
    Position: Data Junky
    Reformed Cert Addict.

  6. Junior Member
    Join Date
    Jun 2017
    Posts
    29
    #30
    Quote Originally Posted by jibtech View Post
    Speaking of which.... how is that NOT insider trading?
    Insider trading is defined as buying or selling with knowledge of events/whathaveyou of which the buyer/seller/public is unaware. If these people didn't know about the hack, they aren't guilty; if they did know, they are guilty.

  7. Junior Member Registered Member
    Join Date
    Aug 2017
    Posts
    1
    #31
    I'd imagine that even if her university credentials weren't up to snuff, there's something else that got her into that position. Maybe her heart is really in IT but she'd already started that degree path?

    Either way, that looks sketch...

  8. "Too many routers"? Heh. darkerz's Avatar
    Join Date
    Oct 2009
    Location
    WA
    Posts
    427

    Certifications
    CCIE R&S, CCIE Security, Some SAN's Stuff
    #32
    I feel like some of the responses on here are in part tied to her being, well, a her. On reddit, and on here, particularly unconstructive commentary... Before you get ready to type out your angst and rebuttal, to utterly destroy me on the internet, continue below.

    Some of the brightest people I've met in IT at all levels had as little as a GED and 10-20 years of experience, as much as a degree in an unrelated field.

    End of the day, it's easy to **** on someone because they don't have a Security + or a degree in Comp Sci. However, consider why multiple companies would then interview, vet, reference check and finally hire a person on their path to CISO, particularly due to their lack of certs, for example. The negative, pessimistic mind will assume and/or infer "nepotism, corruption and/or paddling unqualified to the top", however the realist has to understand a company won't prop up, hire and compensate someone 6-8 figures because they are bad at what they do.

    These vulnerabilities and breaches could, and do, happen to plenty (TONS) of companies every day. The adversary will always outpace and out innovate you. Assume breach, develop a security post-breach lifecycle thereafter. As the 21st century continues, this will only get worse.
    Last edited by darkerz; 09-13-2017 at 03:35 AM.

  9. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    256
    #33
    I can't (and will never try to) speak for Reddit. That said, I don't think the issue has anything to do with gender. I don't even think it has to do with the fact that Equifax was breached.

    For many people, and certainly for me, the problem is the systemic lack of disregard for data security, given the sensitivity of the information they possess. Even worse, these were conscious decisions.

    Information being stored in plaintext. That was a design decision. Where was the due diligence? Where was the code review?

    A freeze PIN that is nothing more than a time stamp? That is patently ridiculous. If it had been a unix time stamp that was generated, I could chalk it up to incompetence. But someone made that decision, coded it and Equifax signed off on it at some level.

    The fact that whether you were affected is purely random, with differing answers given even when the same data is entered. That is a particularly egregious act of jackassery.

    None of these were unknown vulnerabilities, or even failures to patch in a timely manner. The hole may have been outside of their control, but what the hole revealed was an organization with little to no regard for the security of data that can adversely affect the lives of millions of people.

    This wasn't a CISO who had been in place for 60 days when this happened. She had been there for plenty of time to address these glaring flaws, and didn't. Either she was ineffective as a CISO, or she was incompetent. All of these issues fall well within the scope of a CISO at a large enterprise, and every CISO knows that they will be held accountable in this kind of a situation. This was negligent at best. Criminally so, in my opinion.

    For the record, 20+ years in IT, with a high school diploma. I judge people based on what they do, not what their degree is. What she did was a poor job.

  10. Senior Member stryder144's Avatar
    Join Date
    Nov 2012
    Location
    Denver, CO
    Posts
    1,225

    Certifications
    CompTIA A+, Network+, Security+, Server+, Linux+ and CSA+; MCSA: Windows 7, ITIL Foundations
    #34
    Well said, jibtech. It isn't a matter of gender, education, or what color their car is. It is plainly a matter of incompetence on many different levels. I have 22 years of leadership experience in the military. As such, even if I had taken over the CSO job at Equifax the day before the breach was announced, I would take responsibility for it and responsibility for a solution. Plain and simple. And that is how I view the whole mess. How are they responding to the situation? So far, several have sold off stocks (insider trading, a felony), provided inadequate freeze PIN security (not criminal but not intelligent, either), and saved PII data in plain text...I can't even comment on that one, you know, since oftentimes full-disk encryption and file encryption are built into the operating systems (thus, free!!! Think BitLocker and EFS for Windows Servers) and many databases come with encryption built in or at a very affordable price.

    Thankfully, they are providing some enterprising author (Brian Krebs, for instance) a self-writing best seller on what the heck not to do to secure sensitive information. A treasure that will be mined by comedians, politicians, and security professionals for decades to come. Heck, I'm going to label it the new "Data Breach of the Century".

    Sadly, it is the American people who can least afford such a data breach that will ultimately pay the price for their negligence.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia


  11. Senior Member
    Join Date
    Apr 2013
    Posts
    1,857
    #35
    Quote Originally Posted by jibtech View Post

    Information being stored in plaintext. That was a design decision. Where was the due diligence? Where was the code review?

    A freeze PIN that is nothing more than a time stamp? That is patently ridiculous. If it had been a unix time stamp that was generated, I could chalk it up to incompetence. But someone made that decision, coded it and Equifax signed off on it at some level.

    The fact that whether you were affected is purely random, with differing answers given even when the same data is entered. That is a particularly egregious act of jackassery.

    None of these were unknown vulnerabilities, or even failures to patch in a timely manner. The hole may have been outside of their control, but what the hole revealed was an organization with little to no regard for the security of data that can adversely affect the lives of millions of people.
    Outside of the time stamp PIN, which yes, is dumb, is any of this other info even known? There is speculation that it used a Struts 2 vuln for the breach; even the struts foundation said they don't know which one and it might be a zero day. Put most other security folks in that position, even at a high management layer. Even if scan, pen test, code review, etc, all come up clean and someone finds a new unknown bug and takes advantage of that, would you have seen it ahead of time? We don't even know how much data each record takes. They could be all pretty short text records and queried out slowly, even for 143 million, over a period of time; as regular web traffic it doesn't have to look like very much at all. I know everyone wants to roast one person but it's really not that cut and dry, and I doubt it has anything at all to do with what school majors someone had 20 years ago.

  12. Member
    Join Date
    Aug 2016
    Posts
    88
    #36
    Quote Originally Posted by jibtech View Post
    The fact that whether you were affected is purely random, with differing answers given even when the same data is entered. That is a particularly egregious act of jackassery.
    Explain?

  13. Senior Member stryder144's Avatar
    Join Date
    Nov 2012
    Location
    Denver, CO
    Posts
    1,225

    Certifications
    CompTIA A+, Network+, Security+, Server+, Linux+ and CSA+; MCSA: Windows 7, ITIL Foundations
    #37
    Krebs On Security mentioned that an Argentinian Equifax employee portal had a user name of admin and a password of admin. If that is the type of jackassery that Equifax allowed then it is no wonder a vulnerability may have been exploited. Heck, the hackers may have broken down an already unlocked door, for pete's sake. Personally, someone's major doesn't really matter, in my opinion. This isn't a case of one person being at fault but as more of the story unfolds it seems that there were multilevel, systemic issues with the entire organization worldwide. Naturally, even the breaking news isn't necessarily accurate, what with editorial slant coming into play (everyone wants to roast a credit reporting agency because of what their core job is). We can armchair quarterback this to death and still not focus on the right thing: making sure that our Rome isn't burning while we fiddle a ditty in honor of Equifax!
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia


  14. Senior Member mbarrett's Avatar
    Join Date
    Apr 2016
    Location
    DC
    Posts
    332

    Certifications
    CISSP CEH CCNP Security
    #38
    Quote Originally Posted by p@r0tuXus View Post
    Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.
    No.
    Not according to the information that was published.
    https://www.bloomberg.com/news/artic...ing-cyber-hack

    I doubt they actually didn't know - something of this magnitude, and senior executives don't know what's going on? Something smells...

  15. Junior Member
    Join Date
    Jun 2017
    Posts
    29
    #39
    Quote Originally Posted by darkerz View Post
    however the realist has to understand a company won't prop up, hire and compensate someone 6-8 figures because they are bad at what they do.
    You must be new here, and by here I mean the business world... Here is a link to get you started on the topic.


    http://abcnews.go.com/Business/story?id=2859246

    Those lucky devils epitomize the concept of failing upward -- when incompetence is inexplicably rewarded.
    The phenomenon is most common in the business world, where the typical scenario plays out like this: A high-paid CEO does a poor job running a company, takes an enormous severance, and lands on his feet with a better job at a bigger corporation.


    Try Googling the term fail upwards, and welcome to the business world!
    Last edited by infosec123; 09-13-2017 at 12:22 PM.

  16. Senior Member
    Join Date
    Sep 2016
    Location
    VA
    Posts
    353

    Certifications
    CISSP, PMP, CCNP, FITSP-M
    #40
    Quote Originally Posted by darkerz View Post
    I feel like some of the responses on here are in part tied to her being, well, a her. On reddit, and on here, particularly unconstructive commentary... Before you get ready to type out your angst and rebuttal, to utterly destroy me on the internet, continue below.
    No gender bias here, someone is good at what they do or they aren't. She wasn't. Defending a woman because of their gender won't get you any dates, stop being an apologist and focus on the facts:

    She was the CISO
    Equifax was hacked

    She had a fiduciary duty to the shareholders and she failed in that role.
    2017: CCNP (done), FITSI-M (done) CCIE Written
    2018: CCIE R/S
    2019: VCP (DCV/NV), OSCP
    2020-1: MBA

  17. Senior Member scaredoftests's Avatar
    Join Date
    Dec 2013
    Location
    behind you!
    Posts
    1,890

    Certifications
    ACAS,Comp TIA Security +, Novell CNE, HDI Customer Service, ITIL Foundation, MTA
    #41
    Exactly! @EANx.
    Never let your fear decide your fate....

  18. IOCs? What IOCs???!! jcundiff's Avatar
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    401

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+,iNet+
    #42
    You want me to believe that the CFO (one of the 3 who sold stocks days after the breach...WEEKS before the announcement) didn't get the message they had been breached? If you believe that, then please contact me offline as I have some hurricane proof ocean front property in Kentucky I would like to sell.

    This is going to be the textbook case study of how not to handle a breach/notification for years to come.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  19. Senior Member
    Join Date
    May 2016
    Posts
    1,560

    Certifications
    ITIL V3 F, ITIL OSA, ITIL ST
    #43
    Quote Originally Posted by EANx View Post
    No gender bias here, someone is good at what they do or they aren't. She wasn't. Defending a woman because of their gender won't get you any dates, stop being an apologist and focus on the facts:

    She was the CISO
    Equifax was hacked

    She had a fiduciary duty to the shareholders and she failed in that role.
    +1 good post.
    Position: Data Junky
    Reformed Cert Addict.

  20. Senior Member cyberguypr's Avatar
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    5,737

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #44
    Quote Originally Posted by jcundiff View Post
    This is going to be the textbook case study of how not to handle a breach/notification for years to come.
    Tell me about it! We are actually starting to incorporate this debacle and the aftermath in our BC/DR tabletop exercises under "do not do this or be these peeps".

  21. There is no spoon. p@r0tuXus's Avatar
    Join Date
    Nov 2016
    Location
    KCMO
    Posts
    506

    Certifications
    ITIL-F, A+, S+, CCNA
    #45
    "Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374.. Gamble sold more than 13 percent of his stake in Equifax.. Equifax shares tumbled 13 percent to $123.81..."


    Using at least 13% for calculation purposes and the other two values we know for certain...
    I figured... 51,155 shares at $142.31/ea. = $7,279,868.05
    13% of those 51,155 shares was 6,650 @ $142.31/ea = 946,361.5 (~$946,374 gains)


    Were he not to have sold them that day, then after the 13% devaluation,
    those 51,155 shares @ $123.81/ea = $6,333,500.55
    The CFO would have lost a whopping $946,367.50, instead he essentially lost nothing.


    Since his shares dropped in value (~$823,336.5), those 6,650 shares would have been devalued by ~$123,025, had he kept them through the devaluation. One could argue he profited ~$123,025.

    But where is evidence of guilt and intent? How could he have known it would go down roughly 13% and that selling 13% would stem his losses? Well... I don't know. But I would think a CFO of one of the largest credit agencies is no mathematical slouch and his timing and the amounts are very suspicious. How does a company detect a data breach and the CFO of the company not know, anyway?
    Last edited by p@r0tuXus; 09-13-2017 at 04:35 PM. Reason: Editing - Typo

    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE

  22. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    256
    #46
    Quote Originally Posted by Danielm7 View Post
    Outside of the time stamp PIN, which yes, is dumb, is any of this other info even known? There is speculation that it used a Struts 2 vuln for the breach; even the struts foundation said they don't know which one and it might be a zero day. Put most other security folks in that position, even at a high management layer. Even if scan, pen test, code review, etc, all come up clean and someone finds a new unknown bug and takes advantage of that, would you have seen it ahead of time? We don't even know how much data each record takes. They could be all pretty short text records and queried out slowly, even for 143 million, over a period of time; as regular web traffic it doesn't have to look like very much at all. I know everyone wants to roast one person but it's really not that cut and dry, and I doubt it has anything at all to do with what school majors someone had 20 years ago.
    For me, it is less about the vulnerability that led to the hack, and more about the shoddy security practices that the hack revealed.

    Storing passwords in plaintext is asinine, and isn't something that just happens. It was designed by someone and Management signed off on it.

    The freeze PIN structure was also ridiculous. It isn't a naturally occurring string that was used. Someone took the time stamp and then formatted it to reflect that structure. It was then dropped into the database. There are numerous design and implementation steps that had to have occurred before the PIN implementation went live.

    The final insult was the page to identify whether you have been breached, which has numerous flaws.

    The arbitration language was ridiculous. Equifax claims it was a mistake, because it came from a boilerplate statement. Once again, a failure to review the code and content prior to implementation.

    Next was the requirement for six digits of the SSN. With six digits and the date of birth, the first three digits are trivial to identify. A company that has just suffered a massive data breach, whose core business model includes the ability to discern between two consumers is now asking for more detailed sensitive information to be entered on a web site that is already known to have flaws in its design.

    Finally, the randomness of the results. When users enter their information, they are receiving conflicting answers on whether their data is breached. In fact, when testing the accuracy of the system, a last name of Test and SSN last six of 123456 reported back as having been breached. All evidence indicates that the website for checking whether you have been breached is in fact only security theater with no real effect.

    Combined, these examples point to a fundamentally flawed data security mindset at Equifax. As the CISO, responsibility for that data security falls directly on her shoulders. This isn't about gender. This isn't about her educational background. It boils down to ineffectiveness, incompetence or willful negligence.

    Whichever of these applies, it certainly is deserving of scorn from the technology community as a whole, and the security community in particular.
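The freeze PIN criticised in posts #33 and #46 above (a formatted time stamp rather than a secret), as an added Python illustration that is not code from the thread or from Equifax. The posts do not give the exact layout, so a ten-digit MMDDYYHHMM format is assumed here purely to show the effect; the block contrasts the real keyspace of such a scheme with a CSPRNG-drawn PIN and includes an audit check that flags a PIN store exhibiting the pattern.

```python
"""Timestamp-derived freeze PIN versus a random one (added illustration).

Not Equifax's code and not from the thread. The posts only say the PIN was a
formatted time stamp; the exact layout is not given, so a ten-digit
MMDDYYHHMM layout is ASSUMED here purely to show the effect.
"""
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10
ASSUMED_LAYOUT = "%m%d%y%H%M"  # assumption, see module docstring


def timestamp_pin(when: datetime) -> str:
    """The weak pattern: the 'secret' is just the time the freeze was placed."""
    return when.strftime(ASSUMED_LAYOUT)


def random_pin(digits: int = PIN_DIGITS) -> str:
    """The fix: draw every digit from the OS CSPRNG, independent of time."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def nominal_keyspace(digits: int = PIN_DIGITS) -> int:
    """What a ten-digit PIN appears to offer: 10**digits values."""
    return 10 ** digits


def timestamp_keyspace(start: datetime, end: datetime) -> int:
    """What the timestamp scheme actually offers for freezes placed in
    [start, end): one PIN per minute, so the real keyspace is the window
    length in minutes, not 10**digits."""
    seen = set()
    t = start
    while t < end:
        seen.add(timestamp_pin(t))
        t += timedelta(minutes=1)
    return len(seen)


def bits(keyspace: int) -> float:
    """Entropy in bits of a PIN drawn uniformly from a keyspace."""
    return math.log2(keyspace)


def looks_like_timestamp(pin: str) -> bool:
    """Audit helper: does this PIN parse as a valid MMDDYYHHMM time stamp?"""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, ASSUMED_LAYOUT)
    except ValueError:
        return False
    return True


def audit_pin_store(pins: list[str]) -> float:
    """Fraction of stored PINs that parse as time stamps. Truly random
    ten-digit PINs only do so by chance (well under 1%); a store where
    nearly all of them parse is almost certainly using the weak scheme."""
    if not pins:
        return 0.0
    return sum(looks_like_timestamp(p) for p in pins) / len(pins)


if __name__ == "__main__":
    # Constructed sample: PINs for freezes placed hourly during one day.
    day = datetime(2017, 9, 7)
    weak = [timestamp_pin(day + timedelta(minutes=m)) for m in range(0, 1440, 60)]
    strong = [random_pin() for _ in range(len(weak))]
    year = timestamp_keyspace(datetime(2017, 1, 1), datetime(2018, 1, 1))
    print(f"nominal keyspace: {nominal_keyspace():,} ({bits(nominal_keyspace()):.1f} bits)")
    print(f"timestamp keyspace over 2017: {year:,} ({bits(year):.1f} bits)")
    print(f"weak store flagged: {audit_pin_store(weak):.0%}, random store: {audit_pin_store(strong):.0%}")
```

The point of `audit_pin_store` is that a defender can detect this class of weakness from the stored values alone, without knowing how the PINs were generated.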

  23. IOCs? What IOCs???!! jcundiff's Avatar
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    401

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+,iNet+
    #47
    Quote Originally Posted by p@r0tuXus View Post
    "Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374.. Gamble sold more than 13 percent of his stake in Equifax.. Equifax shares tumbled 13 percent to $123.81..."


    Using at least 13% for calculation purposes and the other two values we know for certain...
    I figured... 51,155 shares at $142.31/ea. = $7,279,868.05
    13% of those 51,155 shares was 6,650 @ $142.31/ea = 946,361.5 (~$946,374 gains)


    Were he not to have sold them that day, then after the 13% devaluation,
    those 51,155 shares @ $123.81/ea = $6,333,500.55
    The CFO would have lost a whopping $946,367.50, instead he essentially lost nothing.


    Since his shares dropped in value (~$823,336.5), those 6,650 shares would have been devalued by ~$123,025, had he kept them through the devaluation. One could argue he profited ~$123,025.

    But where is evidence of guilt and intent? How could he have known it would go down roughly 13% and that selling 13% would stem his losses? Well... I don't know. But I would think a CFO of one of the largest credit agencies is no mathematical slouch and his timing and the amounts are very suspicious. How does a company detect a data breach and the CFO of the company not know, anyway?
    All math aside, the CFO (and other 2 senior leaders) had access to material nonpublic information regarding the breach, and sold stock very rapidly after they learned they were breached. Textbook case of insider trading. A high power law firm (don't remember the name) has already filed motions on these sell offs, so hopefully the SEC throws the book at them. I see a CFO position open as well as the CSO role in the near future.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  24. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,246

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #48
    Public facing website accessible database(s) "secured" with secret squirrel credentials like: admin/admin and people are concerned with the gender of the CSO? Really? How about just plain allowing incredibly lax security.

    Please, if you're going to remain a public entity, just fire everyone in security and start over from scratch.

    Simply unforgivable.

    - b/eads

  25. Senior Member
    Join Date
    Aug 2003
    Location
    Norristown, PA
    Posts
    454

    Certifications
    CCENT
    #49
    Quote Originally Posted by jcundiff View Post
    All math aside, the CFO (and other 2 senior leaders) had access to material nonpublic information regarding the breach, and sold stock very rapidly after they learned they were breached. Textbook case of insider trading. A high power law firm (don't remember the name) has already filed motions on these sell offs, so hopefully the SEC throws the book at them. I see a CFO position open as well as the CSO role in the near future.
    None of Senior Management will spend a day in prison. I only know of one CEO in recent memory who went to prison and that was Stewart Parnell. The only reason he went to prison was because people died from the tainted peanut butter scandal of 2009. Since this is a financial crime and it's Wall Street, the most these guys will get is a slap on the wrist and pay a fine. I even doubt Congress will force Equifax and companies like them to shore up their security or business practices.
    "A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

    Fats Domino

  26. Senior Member
    Join Date
    Aug 2003
    Location
    Norristown, PA
    Posts
    454

    Certifications
    CCENT
    #50
    Quote Originally Posted by Daneil3144 View Post
    Attachment 8646

    You decide?

    Wow, in case anyone was wondering, this screenshot is correct. I thought it may be a gag but it's real; I checked it myself. The above is correct.
    "A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

    Fats Domino