HD - @uncl3dumby - Anatomy of a Megabreach: Equifax Report
Anatomy of a Megabreach
A review of Equifax’s organizational failures, and how they led to one of today’s most severe compromises of PII
“Failure to maintain an accurate inventory undermines all attempts at securing OPM’s information systems”
- Office of Personnel Management Inspector General
@uncl3dumby
Sources
▶ Vast majority of information is pulled from the U.S. House of Representatives Committee on Oversight and Government Reform report on the Equifax Data Breach
▶ Released December 2018
▶ Contains references and official sources for most of the information included in this presentation
▶ This report is AMAZING. I have provided a thorough representation of the information it contains, but I highly recommend that you review the full 97 page report if you get the chance
https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
▶ A few corroborating documents that I failed to record, but are public record
Who Am I?
dumby - Blue teamer, security nerd
@uncl3dumby - Twitter
https://securedumby.science
Report Composition
Sections:
1. Consumer Reporting Agency Business Model
2. Regulations for Consumer Reporting Agencies
3. Anatomy of the Equifax Data Breach
4. Equifax Notifies the Public
5. Specific Points of Failure
6. Equifax Remediation Efforts
7. Recommendations
Sources:
▶ Internal Emails
▶ Congress Testimony
▶ Mandiant Report
▶ Equifax Disclosures / Situational Updates
▶ Investor Releases
▶ Public Speaking Appearances
▶ Government Consent Order
Why this talk?
A Brief Timeline
Marching Blind
Let’s Talk Patching
ACIS - May 13
July 29 - Breach Detected
Incident Investigation
July 30 - August 01
▶ July 30 - Potential Incident Reviewed
▶ Vulnerability tests
▶ 12:41 PM - ACIS is shut down, ending the direct cyberattack
▶ Executives informed
▶ July 31 – Equifax Initiates Incident Response
▶ Assigns the code name Project Sierra to the IR efforts
▶ ACIS developers provide the WAR, vulnerable Struts confirmed
▶ August 1 – CIO is provided a brief update on Project Sierra.
▶ CIO leaves on vacation 08/02, and doesn’t return until 08/16.
Incident Response Begins
Public Notification
THIS IS INFORMING THE PUBLIC!
● 1,500 call center employees
EQUIFAXSECURITY2017.COM
* everybody in the US wondering if they’re 1 of the 143 million people affected
Forensic Investigation Completed

| Data Element           | Columns Analyzed                            | Approximate # of Impacted Consumers |
|------------------------|---------------------------------------------|-------------------------------------|
| Name                   | First, Last, Middle, Suffix, Full Name      | 146.6 Million                       |
| Date of Birth          | Full DOB                                    | 146.6 Million                       |
| Social Security Number | Full SSN                                    | 145.5 Million                       |
| Address                | Address, Address 2, City, State, Zip        | 99 Million                          |
| Gender                 | Gender                                      | 27.3 Million                        |
| Phone Number           | Phone, Phone2                               | 27.3 Million                        |
| Driver’s License #     | Full #                                      | 17.6 Million                        |
| Email Address          | Full Email                                  | 1.8 Million                         |
| Payment Card Info      | CC Number, Exp Date                         | 209,000                             |
| TaxID                  | Full ID                                     | 97,500                              |
| Driver’s License Info  | Issuing State                               | 27,000                              |
| Online Dispute Portal  | Uploaded Images                             | 182,000                             |
Organizational Structure - Dynamics & Issues
Structure of Patch Management
Patch Management Policy
Certificate Management Process
Wait, more on ACIS? REALLY?
Yes.
Hall of “What?” Quotes
But wait… THERE’S MORE!
Forced Action – Mandiant
Mandiant Recommendations
▶ [QUICK REVIEW] Attacker Access Duration (Time To Dwell) - 05/13/2017 – 07/30/2017
▶ Mandiant Recommendations – 09/19/2017
▶ 1. Enhance vulnerability scanning and patch management processes and procedures
▶ 2. Reduce the scope of sensitive data retained in backend databases
▶ 3. Increase restrictions and controls for accessing data housed within critical databases
▶ 4. Enhance network segmentation, to restrict access from internet facing systems to backend databases and data stores
▶ 5. Deploy additional web application firewalls and tuning signatures to block attacks
▶ 6. Accelerate the deployment of file integrity monitoring technologies on application and web servers
▶ 7. Enforce additional network, application, database, and system-level logging
▶ 8. Accelerate deployment of a privileged account management solution
▶ 9. Enhance visibility for encrypted traffic by deploying additional inline network traffic decryption capabilities
▶ 10. Deploy additional endpoint detection and response agent technologies
▶ 11. Deploy additional email protection and monitoring technologies
Forced Action (Cont.)
▶ Former CEO Testifies On Progress of Recommendation Implementation – 10/03/2017
▶ Mandiant and Equifax confirm all eleven remedial recommendations had been implemented – 08/2018
▶ 09/19/2017 – 08/2018 - Time from Recommended to Implemented
Forced Action (Cont.)
Forced Action - Consent Order
Government Mandates
Consent Order – Effective 06/25/2018
▶ 90 days for the following:
▶ Written risk assessment that addresses:
▶ Foreseeable threats to confidentiality of PII
▶ Potential damage to company’s business operations
▶ Safeguards and mitigating controls to address each threat and vulnerability
▶ Board and Management Oversight:
▶ Approve a consolidated written information security program and policy that can be updated annually
▶ Review annual report from management on adequacy of IS program
▶ Enhance level of detail within board minutes
▶ Review and approve standard IS policies to ensure they are up-to-date and applicable
▶ Ensure IR procedure guides are up-to-date and clarify roles and relationships of groups involved in IR
Consent Order (Cont.)
▶ Vendor Management
▶ Monitor management’s documentation of efforts to comply with PCI DSS
▶ Review and approve policy/procedure for outsourcing management
▶ Oversee management’s development of a definition of “cloud service”
▶ Development of policies that provide guidance for when the use of cloud-based services is permissible
▶ Patch Management
▶ Identify a comprehensive IT asset inventory that includes hardware, software, and location of assets
▶ Formalize an identification process for patches that need to be installed
▶ Develop action plan for decommissioning legacy systems, including compensating controls until systems are removed
▶ Formalize patch management policy
▶ IT Operations
▶ Ensure key processes of business continuity plans are independently reviewed at least annually
▶ Formalize emergency change standards
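The consent order's patch management items (a software inventory plus a formal process for identifying patches that need installing) connect directly back to the ACIS WAR that turned out to bundle a vulnerable Struts build. The script below is an added example, not code from the talk, the House report or Equifax: it walks a deployment directory, inventories every versioned library jar inside each WAR, and flags components below a minimum version you supply. The sample WAR files and the minimum versions are constructed placeholders, not values taken from the report.

```python
"""Inventory-driven patch identification check (added example, not from the talk)."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Library jars inside a WAR live under WEB-INF/lib and are normally named
# <artifact>-<version>[-<classifier>].jar. The artifact name may itself
# contain hyphens, so it is matched lazily up to the first "-<digit>".
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<name>[^/]+?)-(?P<ver>\d[^/]*?)\.jar$")


@dataclass(frozen=True)
class Component:
    war: str        # path of the deployed WAR the jar was found in
    name: str       # artifact name, e.g. "struts2-core"
    version: str    # version string exactly as it appears in the jar name


@dataclass(frozen=True)
class Finding:
    component: Component
    minimum: str    # the minimum acceptable version the component fell short of


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '2.3.31' or '1.0-SNAPSHOT' into a comparable tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_below(ver: str, minimum: str) -> bool:
    """True if ver < minimum; shorter tuples are zero-padded so 2.5 == 2.5.0."""
    a, b = parse_version(ver), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def inventory_war(war_path: str) -> List[Component]:
    """List every versioned library jar bundled in one WAR file."""
    found: List[Component] = []
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            m = JAR_RE.match(entry)
            if m:
                found.append(Component(war_path, m.group("name"), m.group("ver")))
    return found


def inventory_tree(root: str) -> List[Component]:
    """Walk a deployment directory and inventory every *.war found under it."""
    components: List[Component] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(".war"):
                components.extend(inventory_war(os.path.join(dirpath, fname)))
    return components


def find_outdated(components: Iterable[Component],
                  minimums: Dict[str, str]) -> List[Finding]:
    """Flag components whose version is below the minimum set for that artifact."""
    findings: List[Finding] = []
    for c in components:
        minimum = minimums.get(c.name)
        if minimum is not None and version_below(c.version, minimum):
            findings.append(Finding(c, minimum))
    return findings


def build_sample_deployment(root: str) -> None:
    """Write two constructed WAR files (sample data, not real Equifax artifacts)."""
    def write_war(path: str, jars: List[str]) -> None:
        with zipfile.ZipFile(path, "w") as war:
            war.writestr("WEB-INF/web.xml", "<web-app/>")
            for jar in jars:
                war.writestr(f"WEB-INF/lib/{jar}", b"")  # jar content is irrelevant here
    os.makedirs(os.path.join(root, "webapps"), exist_ok=True)
    write_war(os.path.join(root, "webapps", "acis.war"),
              ["struts2-core-2.3.31.jar", "commons-lang3-3.4.jar", "log4j-1.2.17.jar"])
    write_war(os.path.join(root, "webapps", "portal.war"),
              ["struts2-core-2.5.13.jar", "commons-lang3-3.4.jar"])


def demo() -> List[Finding]:
    """Build the sample deployment, inventory it and return the outdated components."""
    # Placeholder minimums chosen for the demo, not values from the report.
    minimums = {"struts2-core": "2.5.13", "log4j": "2.0"}
    with tempfile.TemporaryDirectory() as root:
        build_sample_deployment(root)
        return find_outdated(inventory_tree(root), minimums)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.component.war}: {f.component.name} {f.component.version} < {f.minimum}")
```

Point `inventory_tree` at a real application server's deployment directory and swap in your own minimum versions to turn this into a recurring check; jars renamed without a version suffix will not match the pattern and need a manifest-based lookup instead.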
Consent Order (Cont.)
▶ 30 days to improve oversight of auditing
▶ A formal risk analysis process used to set scope and frequency of IT audits
▶ An audit schedule prepared on a multi-year basis
▶ Audit of critical and high-risk areas (at least) annually
▶ Issue tracking report and issue aging report submitted quarterly to an Audit Committee
▶ Validation via internal audit that severe issues are resolved on a timely basis
▶ Guidelines for ensuring the internal audit is not involved in daily operations of enterprise risk management
▶ By July 31 (Approximately 1 month)
▶ Submit to Multi-State regulatory Agencies a list of all remediation projects planned, in process, or implemented in response to the breach
▶ Written reports outlining progress toward complying with each provision of the consent order. These must then be submitted every quarter.
Consent Order (Cont.)
▶ By December 31 (Approximately 6 months)
▶ Formalize a process to routinely identify what patches need to be updated and installed
▶ Populate current metrics and data into a dynamic patch dashboard
▶ Prioritize and address outstanding critical, high, and medium-risk patch management audit findings
▶ Provide programmers job-specific training covering secure coding
▶ Conclude process of removing system access of development staff to production environments
▶ Equifax Board will require management to have an independent party test controls relating to all remediation projects, and report to Multi-State Agencies whether controls are functioning effectively
Tallying Up The Damage
As of Q3 2018 – Report Release Timeframe
Tallying Up The Damage (As of Q3 2018)
What Can We Learn?
What Can We Learn?
What Can We Learn?
(Cont.)
Tim never got the memo.
THANKS!!!