Page 1 of 4 (results 1 to 25 of 97)
  1. Member
    Join Date
    Aug 2016
    Posts
    98
    #1

    Is this why Equifax was hacked?


  3. Senior Member scaredoftests's Avatar
    Join Date
    Dec 2013
    Location
    behind you!
    Posts
    2,002

    Certifications
    ACAS,Comp TIA Security +, Novell CNE, HDI Customer Service, ITIL Foundation, MTA
    #2
    Could be...
    Never let your fear decide your fate....

  4. Senior Member
    Join Date
    May 2016
    Posts
    1,647
    #3
    Bizarre to say the least.

  5. Senior Member mikey88's Avatar
    Join Date
    Jul 2017
    Location
    Seattle, WA
    Posts
    151

    Certifications
    Security+, Network+, Server+
    #4
    Wow is this a bad joke or something because it's ridiculous.
    2017 Goals: Security+ [] Server+ []
    2018 Goals: CCNA R/S, Security [ ]

  6. Senior Member
    Join Date
    May 2016
    Posts
    1,647
    #5
    Band teacher heading the security department at a Fortune 500. How the hell did that happen?

    I'll be the first to rip on certifications, but if there ever was a person who needs the CISSP, it's this one.....

  7. Senior Member
    Join Date
    Apr 2013
    Posts
    1,919
    #6
    Yeah, I know some stupid subreddits were passing this around, absolutely silly. You think someone got to a CISO level at a company that big and doesn't have tons of proper experience, and that them not having a CS degree means anything? Come on.

    Also, imagine a company that large: do you think the CISO is patching servers? They can put all the policies in the world in place, but if someone stands up a server that has a vuln, forget even a zero day, things can get by.

  8. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    973

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #7
    There is a JD out there for a VP of cyber position that reports to her that requires having CISSP or CISM or have them in progress. She doesn't seem to have it.

    To be fair, what she labels as "Professional" were all senior positions, like a director of this and that in HP, some bank and whatever else.

    I watched two video interviews with her and she sounded meh, but the interviewer didn't grill her on anything so it's hard to judge.

    She also has given 9 recommendations on LinkedIn to other people and IMO they are all ridiculous. Like, she recommends a guy who helped her in designing her bath and/or kitchen, some real estate specialist, some HR specialist. Only 2 recs are to the same cybersecurity guy, but nothing specific, general blah-blah.

    I say we have tons of folks here on TE whose resumes are better. The question is, how come they aren't Equifax CISOs? Was this breach in part because they hired too managerial (for a lack of a better term, can't tell if her managerial skills are proven) type of person?

    In my experience, if a CISO lets things slide, doesn't fight for security and isn't technical enough to understand what their team is doing or capable of, it leads to a poor overall team quality, and top-notch specialists prefer not to work in such places. No surprise this can lead to a breach.

    Overall doesn't look good.

    Hard to tell though if she had proper budgets and power to insist on secure solutions, etc. because not everything depends on CISO.
    Last edited by gespenstern; 09-12-2017 at 12:58 AM.

  9. Senior Member 636-555-3226's Avatar
    Join Date
    Jul 2015
    Posts
    872

    Certifications
    Lots of security certifications, yet the more I learn, the further I have to go...
    #8
    Ah my young brethren. In time you shall come to the truth. Many, many companies, especially the big ones that haven't modernized to the threats of 2017 and beyond, still live in the old days. In the old days the role of CISO was a joke and something you needed to check that compliance checkbox or put forth a "good faith" effort of this or that. Those old school companies get someone who knows someone, probably the CEO's old piano teacher in this case, and throw her a bone because she's the CFO's golf buddy's wife who doesn't want to retire yet but doesn't want a job where she has to do much, either. I see this all the time. Totally inappropriate person for the security position who is there just because someone needs to be and they're the quickest, easiest, and best pushover for the job.

    Disclaimer - I have no idea who the CISO of Equifax is, if that person indicated above is even real, etc. Just generally stating what I've seen across many, many large global companies...

  10. Went to the dark side.... Moderator networker050184's Avatar
    Join Date
    Jul 2007
    Posts
    11,665

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #9
    You think they were teaching how to defeat modern security threats back when she was in college anyway?
    An expert is a man who has made all the mistakes which can be made.

  11. Cyber Donkey slinuxuzer's Avatar
    Join Date
    Jul 2003
    Location
    East Texas
    Posts
    617

    Certifications
    VCDX:NV - A+ Net+ Sec+ MCSA08 CISSP CCNA B.S. IT/WGU
    #10
    143 million records exposed - 300 million people in the US, and not all of them have applied for credit, so virtually almost everyone who has ever filled out a credit application was exposed. WOW! Something at this level can't be attributed to any one person, but is more than likely the product of poor leadership across the board. Sadly, in my experience a lot of the breakdowns occur at the engineering level; team building just isn't something that happens magically.

  12. Senior Member
    Join Date
    May 2016
    Posts
    1,647
    #11
    Originally Posted by 636-555-3226:
    Ah my young brethren. In time you shall come to the truth. Many, many companies, especially the big ones that haven't modernized to the threats of 2017 and beyond, still live in the old days. In the old days the role of CISO was a joke and something you needed to check that compliance checkbox or put forth a "good faith" effort of this or that. Those old school companies get someone who knows someone, probably the CEO's old piano teacher in this case, and throw her a bone because she's the CFO's golf buddy's wife who doesn't want to retire yet but doesn't want a job where she has to do much, either. I see this all the time. Totally inappropriate person for the security position who is there just because someone needs to be and they're the quickest, easiest, and best pushover for the job.

    Disclaimer - I have no idea who the CISO of Equifax is, if that person indicated above is even real, etc. Just generally stating what I've seen across many, many large global companies...
    I love this post.

  13. Senior Member
    Join Date
    May 2016
    Posts
    1,647
    #12
    Originally Posted by slinuxuzer:
    143 million records exposed - 300 million people in the US, and not all of them have applied for credit, so virtually almost everyone who has ever filled out a credit application was exposed. WOW! Something at this level can't be attributed to any one person, but is more than likely the product of poor leadership across the board. Sadly, in my experience a lot of the breakdowns occur at the engineering level; team building just isn't something that happens magically.
    Does she fall on the sword or does she live to see another day?

  14. Senior Member stryder144's Avatar
    Join Date
    Nov 2012
    Location
    Denver, CO
    Posts
    1,279

    Certifications
    CompTIA A+, Network+, Security+, Server+, Linux+ and CSA+; MCSA: Windows 7, ITIL Foundations
    #13
    [attachment: equifax.jpg]

    I love that the person whose picture is above hers looks like he is shaking his head wondering how it all happened...
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia


  15. Senior Member mbarrett's Avatar
    Join Date
    Apr 2016
    Location
    DC
    Posts
    352

    Certifications
    CISSP CEH CCNP Security
    #14
    Originally Posted by DatabaseHead:
    Does she fall on the sword or does she live to see another day?
    I think she has to be gone, one way or the other.
    To the OP's point, I've met plenty of smart IT people without certs or CS degrees. It doesn't take a few college courses to be good at what you do.

  16. Senior Member shochan's Avatar
    Join Date
    Sep 2016
    Location
    AR
    Posts
    424

    Certifications
    A+, Network+, i-Net+, Server+, Security+, MCP 70-210, Novell CNA 5.0
    #15
    Originally Posted by daneil3144:
    [Attachment 8646]

    you decide?
    dammit dammit SOB!

    https://www.youtube.com/watch?v=fTWvEgb3Egw
    2017 -> Chillaxing & (reading C|EH - Matt Walker)
    2018 -> CCNA CyberOps (July Cohort)

  17. Senior Member
    Join Date
    May 2016
    Posts
    1,647
    #16
    Originally Posted by stryder144:
    [Attachment 8647]

    I love that the person whose picture is above hers looks like he is shaking his head wondering how it all happened...
    Well played!

  18. Senior Member
    Join Date
    May 2016
    Posts
    1,647
    #17
    Originally Posted by mbarrett:
    I think she has to be gone, one way or the other.
    To the OP's point, I've met plenty of smart IT people without certs or CS degrees. It doesn't take a few college courses to be good at what you do.
    I don't think it's too much to ask to require your chief security officer to have some formalized education in their specific field. You wouldn't want a cardiologist with a hospitality degree working on your heart, even if they went and received their master's......

  19. Senior Member shochan's Avatar
    Join Date
    Sep 2016
    Location
    AR
    Posts
    424

    Certifications
    A+, Network+, i-Net+, Server+, Security+, MCP 70-210, Novell CNA 5.0
    #18
    2017 -> Chillaxing & (reading C|EH - Matt Walker)
    2018 -> CCNA CyberOps (July Cohort)

  20. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    314
    #19
    Originally Posted by shochan:
    It's variable by state. The limit is whatever small claims limit applies in your state.

  21. Senior Member cyberguypr's Avatar
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    5,816

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #20
    This story is making the Target breach look like child's play.

    Up until a few days ago they were pulling this:
    OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415. Verified PIN format w/ several people who froze today. And I got my PIN in 2007—same exact format. Equifax has been doing this for A DECADE.
    It's fixed now and they are allegedly providing "random" PINs, but it's clearly indicative of a massive lack of common infosec sense.
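A quick audit check for the PIN weakness described in the post above, added here as an example and not code from Equifax or from anyone in the thread. It assumes the MMDDYYHHMM layout the post infers from PIN 0908171415 (a 2:15pm freeze on 2017-09-08), flags any PIN that decodes as a timestamp, compares that guess space with a 10-digit random PIN over the decade the post mentions, and shows the CSPRNG draw a replacement PIN should come from.

```python
import math
import secrets
from datetime import datetime
from typing import Optional

# Constructed sample PINs: the value quoted in the post, a 2007-style one
# in the same layout, and one that is not a valid timestamp at all.
SAMPLE_PINS = ["0908171415", "0101071301", "4827193344"]


def decode_timestamp_pin(pin: str) -> Optional[datetime]:
    """Return the freeze time if the PIN is a valid MMDDYYHHMM stamp, else None.

    A non-None result is the red flag: the PIN can be reconstructed from
    when the freeze was placed instead of coming from a secret."""
    if len(pin) != 10 or not pin.isdigit():
        return None
    try:
        return datetime.strptime(pin, "%m%d%y%H%M")
    except ValueError:
        return None


def guess_space_bits(scheme: str, years: int = 10) -> float:
    """log2 of the number of candidate PINs, to make the weakness concrete.

    'timestamp': one PIN per minute over the years the scheme was in use
    (assumed 10, since the post says a decade). 'random10': every
    10-digit string, which is what a properly random PIN is drawn from."""
    if scheme == "timestamp":
        return math.log2(years * 365 * 24 * 60)
    if scheme == "random10":
        return math.log2(10 ** 10)
    raise ValueError(f"unknown scheme: {scheme}")


def random_pin(ndigits: int = 10) -> str:
    """Replacement PIN drawn from the OS CSPRNG, zero-padded to fixed width."""
    return f"{secrets.randbelow(10 ** ndigits):0{ndigits}d}"


def audit(pins) -> dict:
    """Map each PIN to its decoded freeze time, or None if it is not a timestamp."""
    return {p: decode_timestamp_pin(p) for p in pins}


if __name__ == "__main__":
    for pin, when in audit(SAMPLE_PINS).items():
        print(pin, "->", f"timestamp-derived ({when})" if when else "not a timestamp")
    print(f"timestamp PINs ~2^{guess_space_bits('timestamp'):.1f} candidates, "
          f"random 10-digit ~2^{guess_space_bits('random10'):.1f}")
    print("fresh random PIN:", random_pin())
```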

  22. Senior Member cshkuru's Avatar
    Join Date
    Jul 2011
    Location
    Vancouver, WA
    Posts
    158

    Certifications
    My puny list of certifications made me feel inadequate so now you have to guess :-)
    #21
    SANS Data Breach Summit and Training - https://www.sans.org/event/data-breach-summit-2017 - maybe we should all chip in and buy a couple seats for Equifax #justsaying

  23. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,310

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #22
    I learned that much of my time pounding silly technical details, an endless number of reasonably difficult exams, an MBA and a multi-discipline undergraduate degree consisting of Computer Science and Mathematics ("minor" with 46 full semester hours, and a psychology major) could easily be usurped by simply going the music path straight to a Fortune 500 CSO position!

    Also enjoy all those "professional" titles in the background. Now, if that doesn't lend some credibility to the career cover up I don't know what does!

    Music school here I come!

    - b/eads

  24. Senior Member cyberguypr's Avatar
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    5,816

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #23
    In her defense, the degree does hold a lot of value. After all she will now have to face the music. Ba dum tsssss!

  25. Cyber Donkey slinuxuzer's Avatar
    Join Date
    Jul 2003
    Location
    East Texas
    Posts
    617

    Certifications
    VCDX:NV - A+ Net+ Sec+ MCSA08 CISSP CCNA B.S. IT/WGU
    #24
    I don't think she is the one to focus on here; she has an honest resume and profile out there. The CEO is the one at fault.

  26. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    314
    #25
    Originally Posted by slinuxuzer:
    I don't think she is the one to focus on here; she has an honest resume and profile out there. The CEO is the one at fault.
    I think we will find quite a few people at fault. Mistakes at this scale are rarely the fault of one person. I am interested to hear the results of conversations with the auditors. There are quite a few PCI/DSS red flags alone.