This document provides a case study analysis of the 2017 Equifax data breach, which compromised the personal information of 148 million U.S. consumers. Key factors that contributed to the breach included Equifax failing to patch its systems for a known, publicly disclosed vulnerability (Apache Struts CVE-2017-5638) despite being notified by multiple organizations. Equifax also mishandled its response to the breach, directing victims to a look-alike site rather than its own and issuing easily guessable credit-freeze PINs, which drew widespread criticism. The breach highlighted weaknesses in how credit reporting agencies secure consumer data and in their incident response processes.
The Equifax Data Breach Case
Equifax, along with Experian and TransUnion, is one of the "Big Three" credit reporting agencies in the United States. All three companies offer credit monitoring services as their core business. There are many regulations and restrictions governing the collection and use of credit data, but these companies have enjoyed stable sales and profits for many years. Equifax is based in Atlanta and its long history traces back to 1913. It employs over 10,400 people worldwide and maintains data on 820 million consumers.
All three agencies exchange data with banks and other financial companies that extend credit. They develop "credit scores" for how well a consumer has handled his or her credit and debt obligations. This score and the accompanying credit report detailing a person's credit history are then sold to banks, credit unions, retail credit card issuers, auto lenders, mortgage lenders, and others who rely on this information when they make loans, issue credit cards, or offer consumers mortgages and home equity loans. It is also used by banks to check this information before issuing bank credit cards such as Visa or MasterCard. Equifax, Experian, and TransUnion have most likely compiled credit histories for nearly every adult U.S. citizen.
In early September 2017, Equifax announced that hackers had gained illicit access to the personal information of 143 million people. The data included Social Security numbers, birth dates, phone numbers, email addresses, driver's license numbers, and, in some cases, credit card numbers. The total number expanded to 148 million by March 2018. The theft of Social Security numbers was particularly worrisome, since that number in the wrong hands creates opportunities for identity theft and other types of fraud.
The Equifax data breach is one of the three worst data breaches in U.S. history, along with Yahoo and Marriott. The Marriott data hack of 2018 affected 500 million users. In September 2016, Yahoo revealed a serious data security breach that had occurred 2 years earlier, when 500 million records were compromised. Several months later, in December 2016, Yahoo informed its users of another newly discovered data breach. That breach occurred in 2013 and affected more than 1 billion Yahoo users. However, despite the magnitude of the Yahoo and Marriott breaches, the Equifax data breach is considered more damaging because Social Security numbers and birth dates were involved. As one security expert observed, "This data is the key to everyone's files and interactions with financial services, government, and health care."
After the announcement was made, the credit reporting agency was heavily criticized for waiting until September 7th to reveal this data breach to the public. The attackers first exploited the vulnerability in March 2017 and began extracting data in mid-May; the intrusion then went undetected for almost 3 months. It was discovered in late July, but the company decided to withhold.
U.S. House of Representatives
Committee on Oversight and Government Reform
The Equifax Data Breach
Majority Staff Report
115th Congress
December 2018
Executive Summary
On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million consumers. This number eventually grew to 148 million, nearly half the U.S. population and 56 percent of American adults. This staff report explains the circumstances of the cyberattack against Equifax, one of the largest consumer reporting agencies (CRAs) in the world.
Equifax is one of several large CRAs in the United States. CRAs gather consumer data, analyze it to create credit scores and detailed reports, and then sell the reports to third parties. Consumers do not voluntarily provide information to CRAs, nor do they have the ability to opt out of this information collection process. Though CRAs provide a service in facilitating information sharing for financial transactions, they do so by amassing large amounts of sensitive personal data, a high-value target for cyber criminals.1 Consequently, CRAs have a heightened responsibility to protect consumer data by providing best-in-class data security.
In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax's bottom line and stock price, this growth brought increasing complexity to Equifax's IT systems, and expanded data security risks. In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing "almost 1,200 times" the amount of data held in the Library of Congress every day.2
Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.
On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax's Global Threat and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability.
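The sequence just described (public disclosure, a DHS alert the next day, an internal email giving system owners 48 hours to patch, and then systems that were never patched) is a patch-management failure, and the control that catches it is an inventory check run against every deployment rather than a mailing list that is trusted to act. The following is an added example, not code from the House report, from Equifax or from the Apache Struts project: it audits a software inventory for struts2-core jars still exposed to CVE-2017-5638 and flags hosts that have passed the 48-hour deadline measured from the March 9 alert. The fixed versions (2.3.32 and 2.5.10.1 for CVE-2017-5638; 2.3.34 and 2.5.13 for CVE-2017-9805, the REST-plugin bug mentioned in the Black Duck item further down this page) are from the Apache Struts security bulletins S2-045 and S2-052; the hostnames, jar paths and timestamps are constructed for the example, and the hour at which the alert email went out is an assumption.

```python
"""Audit a deployment inventory for Apache Struts jars that still carry a
disclosed vulnerability, and flag hosts that have missed a patch deadline.

Added example; not from the House report, Equifax or the Struts project.
Fixed versions are from Apache bulletins S2-045 (CVE-2017-5638) and
S2-052 (CVE-2017-9805). Hostnames, paths and times are constructed.
"""
import re
from datetime import datetime, timedelta

# First fixed release on each maintained Struts line, per the Apache bulletins.
ADVISORIES = {
    "CVE-2017-5638": {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)},
    "CVE-2017-9805": {"2.3": (2, 3, 34), "2.5": (2, 5, 13)},
}

# struts2-core-<version>.jar is how the framework ships inside a WAR's WEB-INF/lib.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version, cve):
    """True if this struts2-core version predates the fix for cve on its line.

    Policy choice for the example: a line older than any line named in the
    bulletin (e.g. 2.1.x) is treated as vulnerable, since it never received
    the fix; a line newer than all named lines was cut after the fix.
    """
    parts = parse_version(version)
    line = f"{parts[0]}.{parts[1]}"
    fixed = ADVISORIES[cve]
    if line in fixed:
        return parts < fixed[line]
    return parts < min(fixed.values())


def open_cves(version):
    """CVEs in ADVISORIES that this version is still exposed to."""
    return [cve for cve in ADVISORIES if is_vulnerable(version, cve)]


def struts_version_from_path(path):
    """Version string from a jar path, or None if it is not struts2-core."""
    match = JAR_RE.search(path)
    return match.group(1) if match else None


def audit(inventory, cve, alert_sent, now, sla=timedelta(hours=48)):
    """inventory: iterable of (host, jar_path) pairs, e.g. from a file scan
    of every WEB-INF/lib on every host. Returns one finding per host still
    running a struts2-core exposed to cve, with whether the patch deadline
    (alert_sent + sla) had already passed at time now."""
    findings = []
    for host, path in inventory:
        version = struts_version_from_path(path)
        if version is None or not is_vulnerable(version, cve):
            continue
        findings.append({
            "host": host,
            "version": version,
            "overdue": now > alert_sent + sla,
        })
    return findings


# Constructed inventory: what a scan of WEB-INF/lib across five hosts might return.
INVENTORY = [
    ("web-01", "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.31.jar"),
    ("web-02", "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.32.jar"),
    ("web-03", "/srv/apps/portal/WEB-INF/lib/struts2-core-2.5.10.jar"),
    ("web-04", "/srv/apps/portal/WEB-INF/lib/struts2-core-2.5.13.jar"),
    ("batch-09", "/srv/apps/batch/WEB-INF/lib/commons-lang3-3.5.jar"),
]

# The GTVM email went out on March 9, 2017 with a 48-hour deadline; the exact
# hour is an assumption made for the example.
ALERT_SENT = datetime(2017, 3, 9, 9, 0)


def run_audit(hours_after_alert=7 * 24):
    """Audit INVENTORY for CVE-2017-5638 at alert + hours_after_alert
    (default: one week later, around the March 16 GTVM meeting)."""
    now = ALERT_SENT + timedelta(hours=hours_after_alert)
    return audit(INVENTORY, "CVE-2017-5638", ALERT_SENT, now)


if __name__ == "__main__":
    for finding in run_audit():
        status = "OVERDUE" if finding["overdue"] else "within SLA"
        print(f"{finding['host']}: struts2-core {finding['version']} ({status})")
```

Run as a script it prints each still-exposed host. The point of the shape is that findings come from jars actually present on disk, not from the list of people who were emailed, so a server that nobody on the distribution list owned still shows up; web-02 disappears from the list only because its jar really is 2.3.32. Feeding the same check from pom.xml files, Gradle lockfiles or container image layers is the natural extension.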
Equifax, however, did not fully patch its systems. Equifax's Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in
1 After the Breach: The Monetization and Illicit Use of Stolen Data: Hearing Before the Subcomm. on T ...
Data Security
Read the article below and answer the following questions:
1. Identify and describe the security and control weaknesses discussed in this case.
2. What management, organization, and technology factors contributed to these problems?
3. Discuss the impact of the Equifax hack.
4. How can future data breaches like this one be prevented?
Is the Equifax Hack the Worst Ever, and Why?
Equifax (along with TransUnion and Experian) is one of
the three main U.S. credit bureaus, which maintain vast repositories of personal and financial
data used by lenders to determine credit-worthiness when consumers apply for a credit card,
mortgage, or other loans. The company handles data on more than 820 million consumers and
more than 91 million businesses worldwide and manages a database with employee information
from more than 7,100 employers, according to its website. These data are provided by banks and
other companies directly to Equifax and the other credit bureaus. Consumers have little choice
over how credit bureaus collect and store their personal and financial data. Equifax has more data
on you than just about anyone else. If any company needs airtight security for its information
systems, it should be credit reporting bureaus such as Equifax. Unfortunately, this has not been
the case. On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers
had gained access to some of its systems and potentially the personal information of about 143
million U.S. consumers, including Social Security numbers and driver's license numbers. Credit
card numbers for 209,000 consumers and personal information used in disputes for 182,000
people were also compromised. Equifax reported the breach to law enforcement and also hired a
cybersecurity firm to investigate. The size of the breach, importance, and quantity of personal
information compromised by this breach are considered unprecedented. Immediately after
Equifax discovered the breach, three top executives, including Chief Financial Officer John
Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange
Commission filings. A company spokesman claimed the three executives had no knowledge that
an intrusion had occurred at the time they sold their shares on August 1 and August 2.
Bloomberg reported that the share sales were not planned in advance. On October 4, 2017
Equifax CEO Richard Smith testified before Congress and apologized for the breach. The size of
the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of all
of Yahoo's 3 billion customers. The Equifax breach was especially damaging because of the
amount of sensitive personal and financial data stored by Equifax that was stolen, and the role
such data play in securing consumers' bank accounts, medical histories, and access to financing.
In one swoop the hackers gained access to several essential pieces of personal information that
could help attac.
Primer on cybersecurity for boards of directors, David X Martin
From Hughes, Hubbard & Reed partner and former SEC commissioner Roel C. Campos, and longtime risk manager and cybXsecure managing partner David X Martin, "A Practical Primer for Boards of Directors in the Age of Uber, Equifax et al."
Adjusting Your Security Controls: It's the New Normal, Priyanka Aash
Most of us learned cybersecurity practices based on the application of controls that were part of a framework. Once the framework was implemented, the controls didn't change often. It's time to adjust our thinking and recognize that on-going adjustment of controls may be a better indicator of cyber-maturity than adherence to any framework.
(Source: RSA USA 2016-San Francisco)
By David F. Larcker, Peter C. Reiss, and Brian Tayan
Stanford Closer Look Series, November 16, 2017
The board of directors is expected to ensure that management has identified and developed processes to mitigate risks facing the organization, including risks arising from data theft and the loss of information. Unfortunately, recent experience suggests that companies are not doing a sufficient job of securing this data. In this Closer Look, we examine the types of cyberattacks that occur and how companies respond to them.
We ask:
⢠What steps can the board take to prevent, monitor, and mitigate data theft?
⢠What data, metrics, and information should board members review to satisfy themselves that management has taken proper steps to minimize cyber risks?
⢠What qualifications should a board member have in order to constructively contribute to boardroom discussions on cybersecurity?
⢠How difficult is it to find board candidates with these skills?
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high-profile security incidents, drawing lessons learned from those incidents. We will also review the standards of "reasonableness" established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
Open Source Insight: CVE-2017-9805, Equifax Breach & Wacky Open Source Licenses (Black Duck by Synopsys)
Our vulnerability of the week is CVE-2017-9805, which resides in Apache Struts' REST plugin, a must-have in almost all Struts enterprise deployments. Attackers can exploit the bug via HTTP requests or via any other socket connection, with a public exploit published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805. As always, the byword of the week is "patch and update."
Also looming large in this week's news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised.
In May 2017, it was revealed that Equifax has joined other high-prof.pdf (iysh2)
In 2017, Equifax joined other high-profile companies, including Marriott, Home Depot Inc., Target Corporation, Anthem, Blue Cross, and Yahoo!, as the victim of a major cyberattack. Equifax is one of the largest consumer credit reporting agencies in the United States; it operates or has investments in 24 countries and employs over 11,000 people worldwide. Hackers gained access to the Equifax network in mid-May 2017 and remained inside it for 76 days. On July 29, 2017, Equifax staff discovered the intrusion during routine checks of the operating status and configuration of IT systems. The hackers accessed Social Security numbers, dates of birth, home addresses, and some driver's license and credit card numbers, affecting over 148 million people. The company's security program had not kept up with its aggressive growth, and the company had failed to modernize its security systems. According to the GAO report, the company did not act on vulnerabilities it was aware of before the attack. According to Equifax, the hackers exploited a software vulnerability in Apache Struts, CVE-2017-5638. This vulnerability was disclosed in March 2017, and Apache published clear and simple instructions for fixing it at the same time; it was Equifax's responsibility to apply that fix promptly. The patch had been available for roughly two months before the hackers began accessing Equifax data. Once inside, the attackers also found a file containing unencrypted usernames and passwords. Separately, a security certificate on a device that inspected network traffic had expired, so encrypted traffic was not being inspected and the theft of data went undetected. The GAO report also indicated that Equifax had failed to segment its databases into smaller networks, which gave the attackers direct and easy access to its customer data once they were inside. As part of fixing the security issues, the company hired a new chief information security officer, Jamil Farshchi, and has invested $200 million in data security infrastructure.
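CVE-2017-5638 was triggered through a crafted HTTP Content-Type header carrying an OGNL expression, which is why an exploitation attempt is visible in request logs long before any data leaves the network. As an added example that is not part of the original page or of any Equifax or Apache material, the Python below scans a request log for Content-Type values that are not syntactically valid media types or that carry OGNL markers. The one-line log format, the client addresses and the payload strings are all constructed here for the example; the payloads are marker-bearing strings, not working exploits.

```python
import re
from dataclasses import dataclass

# Constructed sample request log (not real traffic). Assumed one-line format:
#   <client_ip> <method> <path> <status> content_type="<header value>"
SAMPLE_LOG = r'''
10.0.0.7 GET /index.action 200 content_type="text/html"
10.0.0.9 POST /upload.action 200 content_type="multipart/form-data; boundary=----WebKitFormBoundary7MA"
203.0.113.5 POST /index.action 200 content_type="%{(#x='multipart/form-data').(#cmd='id')}"
203.0.113.5 POST /index.action 500 content_type="${#rt=@java.lang.Runtime@getRuntime()}"
198.51.100.2 GET /login.action 302 content_type="application/x-www-form-urlencoded"
'''.strip()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) content_type="(?P<ctype>[^"]*)"$'
)

# A well-formed Content-Type is "type/subtype" followed by optional ";name=value"
# parameters. Expression delimiters, '#', '@' and braces have no place in it.
MEDIA_TYPE_RE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^;]*))*$')

# Markers of an OGNL expression smuggled into the header; any one is enough to alert.
OGNL_MARKERS = [
    (re.compile(r'[%$]\{'), "expression delimiter"),
    (re.compile(r'#[A-Za-z_]\w*'), "OGNL variable reference"),
    (re.compile(r'@[A-Za-z_][\w.]*@'), "static member access"),
    (re.compile(r'java\.lang|getRuntime|ProcessBuilder', re.I), "JVM execution primitive"),
]


@dataclass
class Finding:
    ip: str
    path: str
    status: str
    content_type: str
    reasons: list


def inspect_content_type(value):
    """Return the reasons a Content-Type value looks like an injection attempt ([] if clean)."""
    reasons = []
    if not MEDIA_TYPE_RE.match(value):
        reasons.append("not a syntactically valid media type")
    reasons.extend(label for rx, label in OGNL_MARKERS if rx.search(value))
    return reasons


def scan_log(log_text):
    """Parse each log line and collect findings; lines in an unexpected format are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        reasons = inspect_content_type(m["ctype"])
        # Decide on the request, not the status code: a successful injection returns 200
        # like any normal page, so filtering on 4xx/5xx would miss the real compromise.
        if reasons:
            findings.append(Finding(m["ip"], m["path"], m["status"], m["ctype"], reasons))
    return findings


def attackers_by_ip(findings):
    """Aggregate findings per client so repeated probing from one source stands out."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ip} {f.path} status={f.status}: {', '.join(f.reasons)}")
    print(attackers_by_ip(hits))
```

The strict media-type check catches payload variants the marker list does not know about, while the marker list explains why a hit fired; both are needed because the header value is attacker-controlled and the exploit returned a normal 200 on success.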
Question:
What did Apache Struts have to do with this high-profile hack of Equifax?
Think of other companies that recently dealt with the same issue (Target, Mastercard, Yahoo): what digital marketing efforts do/should companies make to regain customer trust and online sales?
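Both Struts flaws mentioned on this page, CVE-2017-5638 (fixed in March 2017) and CVE-2017-9805 (fixed in Struts 2.5.13), come down to the same question: is the version in our build at or above the first fixed release of its branch? As an added example that is not part of the original page, of Black Duck's tooling or of any Equifax material, the Python below answers that question for a Maven build. The fixed versions per branch are taken from the Apache Struts advisories S2-045 and S2-052 (2.3.32 and 2.5.10.1 for CVE-2017-5638; 2.3.34 and 2.5.13 for CVE-2017-9805); the pom.xml is constructed for the example, and the "conservative" policy of flagging every version below the fix is a choice made here, not part of the advisories.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per maintained branch, per the Apache Struts advisories
# S2-045 (CVE-2017-5638) and S2-052 (CVE-2017-9805). Policy here is conservative:
# anything in a listed branch below the fix is reported as vulnerable, and branches
# the advisories no longer maintain (e.g. 2.1, 2.2) are reported as unsupported.
FIXED_VERSIONS = {
    "CVE-2017-5638": {"2.3": "2.3.32", "2.5": "2.5.10.1"},
    "CVE-2017-9805": {"2.3": "2.3.34", "2.5": "2.5.13"},
}

# Constructed sample pom.xml (not from any real project): Struts 2.5.10 pulled in
# through a Maven property, which is the common shape in enterprise builds.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>legacy-portal</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.5.10</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); trailing qualifiers are dropped; None if not a version."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def assess(version, cve):
    """Classify one Struts version against one CVE: fixed, vulnerable, unsupported-branch or unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    branch = ".".join(str(p) for p in parsed[:2])
    fixed = FIXED_VERSIONS[cve].get(branch)
    if fixed is None:
        return "unsupported-branch"
    # Tuple comparison makes (2, 5, 10) < (2, 5, 10, 1): 2.5.10 is below the 2.5.10.1 fix.
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def scan_pom(pom_xml):
    """Return (artifactId, version, cve, status) for every org.apache.struts dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for prop in elem:
                props[_local(prop.tag)] = (prop.text or "").strip()
    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        group = _child_text(dep, "groupId")
        artifact = _child_text(dep, "artifactId") or ""
        version = _child_text(dep, "version")
        if group != "org.apache.struts" or not artifact.startswith("struts2-") or not version:
            continue
        # Resolve a ${property} reference the way Maven would; unresolved ones stay as-is.
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        for cve in FIXED_VERSIONS:
            results.append((artifact, version, cve, assess(version, cve)))
    return results


if __name__ == "__main__":
    for artifact, version, cve, status in scan_pom(SAMPLE_POM):
        print(f"{artifact} {version} {cve}: {status}")
```

A real build also inherits versions from parent POMs and dependencyManagement sections, so in practice the check runs against the resolved dependency tree rather than a single file; the branch-aware comparison is the part that stays the same.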
Open Source Insight: Equifax, Apache Struts, & CVE-2017-5638 Vulnerability (Black Duck by Synopsys)
It's an all Equifax breach/Apache Struts/CVE-2017-5638 issue of Open Source Insight this week as we examine how an unpatched open source flaw and an apparent lack of diligence exposed sensitive data for over 140 million US consumers. We look at what happened, how you can see if you've been affected by the breach, and discuss whether you should replace Struts with another framework.
Cyberthreats broke new ground with mobile devices, while reaching deeper into social media. Online criminals also stepped up attacks via email, web and other traditional vectors.
The purpose of this article is to provide a quantitative analysis of privacy-compromising mechanisms on the top 1 million websites as determined by Alexa. It is demonstrated that nearly 9 in 10 websites leak user data to parties of which the user is likely unaware; more than 6 in 10 websites spawn third-party cookies; and more than 8 in 10 websites load JavaScript code. Sites that leak user data contact an average of nine external domains. Most importantly, by tracing the flows of personal browsing histories on the Web, it is possible to discover the corporations that profit from tracking users. Although many companies track users online, the overall landscape is highly consolidated, with the top corporation, Google, tracking users on nearly 8 of 10 sites in the Alexa top 1 million. Finally, by consulting internal NSA documents leaked by Edward Snowden, it has been determined that roughly one in five websites were potentially vulnerable to known NSA spying techniques at the time of analysis.
Classification of Computer Crime
Defining computer crime adequately is a daunting task. Nevertheless, there are generally four categories of computer crime: (1) the computer as a target, (2) the computer as an instrument of the crime, (3) the computer as incidental to crime, and (4) crimes associated with the prevalence of computers. Definitions can become rapidly outdated, as new technology has consistently bred new offenses and victimizations.
1 The Computer as a Target
Crimes where the computer itself is the target include the denial of expected service or the alteration of data. In other words, the attack seeks to deny the legitimate user or owner of the system access to his or her data or computer. Network intruders target the server and may cause harm to the network owners or the operation of their business.
Data alteration and denial directly target the computer by attacking the useful information stored or processed by it. Altered data may affect business decisions made by the company or may directly impact individuals by altering their records. Furthermore, this activity in some circumstances results in the expenditure of great resources to recover the data. Although malicious network intruders may alter critical data, the most common source of such damage is an employee of the affected company. The primary difference between data alteration and network ...
Southwestern Business Administration Journal Volume 16 Is.docx (rosemariebrayshaw)
Southwestern Business Administration Journal
Volume 16 | Issue 1, Article 1
2017
Leveraging Decision Making in Cyber Security Analysis through Data Cleaning
Chen Zhong, Hong Liu, Awny Alnusair
Follow this and additional works at: https://digitalscholarship.tsu.edu/sbaj
This article is brought to you for free and open access by Digital Scholarship @ Texas Southern University. It has been accepted for inclusion in Southwestern Business Administration Journal by an authorized editor of Digital Scholarship @ Texas Southern University. For more information, please contact [email protected]
Recommended Citation
Zhong, Chen; Liu, Hong; and Alnusair, Awny (2017) "Leveraging Decision Making in Cyber Security Analysis through Data Cleaning," Southwestern Business Administration Journal: Vol. 16: Iss. 1, Article 1.
Available at: https://digitalscholarship.tsu.edu/sbaj/vol16/iss1/1
PwC/CIO/CSO study on information security (2014) (PwC France)
http://bit.ly/Cybersecurite-sept14
Global study by PwC, CIO and CSO, conducted online from March 27, 2014 to May 25, 2014. The results presented here are based on the responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, vice-presidents and directors of information and security practices from more than 154 countries.
35% of respondents are from North America, 34% from Europe, 14% from Asia-Pacific, 13% from South America, and 4% from the Middle East and Africa.
90% of the data that exists today was created in the past 2 years. This massive amount of data allows organizations to take a more qualitative approach to business and customer service, but also makes them vulnerable to a continually increasing number of threats.
A Case Study Analysis Of The Equifax Data Breach
Running head: A Case Study Analysis of the Equifax Data Breach
A Case Study Analysis of the Equifax Data Breach
Jason E. Thomas
A Case Study Analysis of the Equifax Data Breach
The Equifax data breach was one of the most significant cyberattacks of 2017. The attack's effects were far-reaching, affecting millions of people and multiple businesses and agencies. In fact, the attack was so concerning that the United States Government Accountability Office was engaged to investigate the incident and create a report for Congress about how to address the problem. This case study analysis will explore the facts and circumstances surrounding this damaging cyberattack and critically analyze the factors concerning the case to draw conclusions about ways to mitigate future exposures. Lastly, a recent cyberattack will be explored, along with a brief comparison of consumer susceptibility to cybercrime versus traditional crime.
Background
Equifax is one of the top three consumer credit reporting agencies. On September 8, 2017, Equifax released a statement that it had been the victim of a cyberattack resulting in a massive data breach (Fruhlinger, 2019; Rajna, 2018). The world was shocked to learn that in this data breach, some 148 million US citizens' sensitive personal data were compromised, including names, dates of birth, Social Security numbers, and driver's license numbers (Marinos & Clements, 2018). In addition to personal information, some 209,000 credit card numbers were also stolen (Perez, 2017). The severity and scope of the Equifax data breach were unprecedented at the time. Though there had previously been larger breaches, the sensitivity and criticality of the personal identifying information and financial information in this breach created a problem whose magnitude could barely be calculated at the time.
One of the issues that exacerbated the Equifax data breach was the fact that Equifax's main product is essentially derived from a database containing much of the US population's personal and financial information. The data stored by Equifax contains each person's credit history, which includes personal identifying information, known addresses, and account numbers. Further, the system is not an opt-in system, as the data is gathered from businesses rather than from the individuals listed in the database. When a person borrows money, lending institutions report payment history, balances, and other key information. When someone wants to borrow money, the new lender checks this information to assess the borrower's credit risk, which is used to make a lending decision.
Factors That Contributed to the Breach
In the initial announcement, Equifax stated that miscreants had infiltrated its systems from May through July of 2017 (Gressin, 2017). The vulnerability that enabled the intruders to enter the Equifax systems and effect the data breach was Apache Struts CVE-2017-5638. This vulnerability takes advantage of incorrect exception handling in the Jakarta Multipart parser when users upload files. It allows remote attackers to execute arbitrary commands by means of a crafted Content-Disposition, Content-Type, or Content-Length HTTP header, as exploited in the wild with a Content-Type header containing a #cmd= string (NIST, 2018). Apache Struts is a popular framework for creating streamlined Java applications (The Apache Software Foundation, 2018). Because it is used by many organizations, it is an attractive target for cyber criminals: a single flaw offers a potential entry point to a great number of victims and their information.
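As an added illustration of the detection angle a defender would take on this header-based vulnerability (example code written for this analysis, not from the original paper or from Apache), the following Python scans constructed access-log lines that record the request Content-Type header and flags values that are not syntactically valid RFC 7231 media types or that contain the #cmd= string and the expression delimiters that carry it. The log format, the field name `ct`, and the sample lines are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines (not real traffic). The custom format is
# assumed to record the request's Content-Type header as ct="...".
SAMPLE_LOG = [
    '10.0.0.5 - [12/May/2017:10:01:22 +0000] "POST /upload.action HTTP/1.1" '
    '200 ct="multipart/form-data; boundary=----abc123"',
    '10.0.0.9 - [12/May/2017:10:01:30 +0000] "POST /upload.action HTTP/1.1" '
    '200 ct="%{#cmd=PLACEHOLDER}"',
    '10.0.0.7 - [12/May/2017:10:02:01 +0000] "GET /index.action HTTP/1.1" '
    '200 ct="-"',
    '10.0.0.8 - [12/May/2017:10:02:44 +0000] "POST /api HTTP/1.1" '
    '200 ct="application/json; charset=utf-8"',
]

# RFC 7231 media-type grammar: type "/" subtype *( OWS ";" OWS parameter ).
# tchar excludes '{', '(', '=' and whitespace, so an OGNL-style expression
# can never parse as a legitimate media type.
_TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]"
_TOKEN = _TCHAR + "+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = r"\s*;\s*" + _TOKEN + "=(?:" + _TOKEN + "|" + _QUOTED + ")"
MEDIA_TYPE_RE = re.compile("^" + _TOKEN + "/" + _TOKEN + "(?:" + _PARAM + ")*\\s*$")

# '#cmd=' is the string named in the NVD entry for CVE-2017-5638; '%{' and
# '${' are the expression delimiters such a string would be wrapped in.
EXPRESSION_MARKERS = ("%{", "${", "#cmd=")

CT_FIELD_RE = re.compile(r'ct="([^"]*)"')


def is_valid_media_type(value: str) -> bool:
    """True if the header value parses as an RFC 7231 media type."""
    return bool(MEDIA_TYPE_RE.match(value))


def classify_content_type(value: str) -> List[str]:
    """Return the reasons a Content-Type value is suspicious (empty if clean)."""
    if value in ("", "-"):
        return []  # header absent from the request; nothing to judge
    reasons = []
    if not is_valid_media_type(value):
        reasons.append("not an RFC 7231 media type")
    hits = [m for m in EXPRESSION_MARKERS if m in value]
    if hits:
        reasons.append("expression markers: " + ", ".join(hits))
    return reasons


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, header value, reasons) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CT_FIELD_RE.search(line)
        if m:
            reasons = classify_content_type(m.group(1))
            if reasons:
                findings.append((lineno, m.group(1), reasons))
    return findings


if __name__ == "__main__":
    for lineno, value, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {value!r} -> {'; '.join(reasons)}")
```

The grammar check catches expression syntax even when the marker strings are varied, which is why it is kept separate from the marker match.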
The Apache Software Foundation discovered the potential vulnerability and made a patch to correct it. It then made a public announcement to inform users of the issue (Marinos & Clements, 2018). The patch was released on March 7, 2017. On March 8, 2017, the Department of Homeland Security contacted Equifax as well as the other credit reporting agencies to notify them of the vulnerability and directed them to install the patch. Equifax systems administrators were contacted on March 9, 2017 by the Apache Software Foundation, which also directed them to install the patch.
On March 15, 2017, some eight days after the patch announcement, seven days after notification from the Department of Homeland Security, and six days after notification from the vendor, Equifax conducted a scan of its systems (Marinos & Clements, 2018). The scanner report did not show a vulnerability to the Apache Struts issue. Consequently, the systems remained unpatched and unprotected until July 29, 2017. At that time, the security department at Equifax noticed suspicious activity on the network. Equifax took the application offline and, three days later, hired an external cybersecurity firm to conduct a forensic investigation. The initial investigation indicated that many files were breached. Ultimately, this resulted in announcements that the personal information of some 145 million Americans, 8,000 Canadians, and 693,000 British citizens had been compromised.
External Responses to the Data Breach
Equifax's lackluster response to the notification of the vulnerability and its bungled handling of the notification of the breach were met with great criticism. Equifax had to create a separate domain and webpage to deal with all of the information that needed to be disseminated and to communicate with affected users and stakeholders (Equifax, 2019). This potentially well-intentioned business maneuver demonstrates the complexity of dealing with the issue. Other parties immediately set up fake settlement sites and information sites, creating additional opportunities for fraud and cybercrime as well as additional public confusion (Atleson, 2019; Rajna, 2018).
Adding insult to injury, the site was flagged as a phishing threat. Worse, Equifax customer service directed potential victims to one of the illicit phishing sites via its Twitter feed (Deahl & Carman, 2017). As customers flocked to freeze their credit reports, they were given PINs derived from the date on which the accounts were frozen. This unfortunately made them easy for attackers to guess, opening the door to further devastating attacks. Further, Equifax was criticized for offering free credit monitoring while, in the terms and conditions of the registration process for the service, trying to remove consumers' ability to sue the company.
As the situation continued to worsen and spiral out of control, governments at virtually all levels began to take notice and initiate inquiries and actions. Eventually, Equifax settled with all 50 State Attorneys General in the United States for some $600 million (Oregon Department of Justice, 2019). The federal government also took notice. The Federal Trade Commission conducted an investigation, Congress held several hearings to investigate Equifax, and bills were introduced in both the House and the Senate regarding privacy and the business processes used by credit reporting agencies (Marinos & Clements, 2018).
Analysis of the Case
This data breach brought to light many glaring issues about Equifax's handling of the incident, the problems inherent in the credit reporting agencies, and the process of incident response. Consequently, there are many lessons to be learned from this historic cybercrime. These lessons are discussed here.
Equifax's Handling of the Incident
End-users are often cited as a primary vector for cyberattacks, and cybersecurity experts often recommend aggressive user training and awareness as well as programs with adult-oriented training methodologies to prevent phishing attacks and identity theft (Jensen, Dinger, Wright, & Thatcher, 2017; Thomas J. E., 2018; Thomas & Hornsey, 2014). However, in this case, it seems the most significant contributing factors were systems management procedures. Specifically, the Equifax IT team did not apply the patch when it came out. Even after being prompted by multiple sources, such as the Department of Homeland Security and the software vendor, the IT department failed to apply the patch that would have eliminated the vulnerability (Marinos & Clements, 2018).
It has been noted that the security team at Equifax conducted a scan to see if the vulnerability existed in the system (Marinos & Clements, 2018). It has also been reported that the scan did not detect the vulnerability Apache Struts CVE-2017-5638. This points to other potential IT systems management issues. One possibility is that the scanning software wasn't updated or properly patched, so its list of current vulnerabilities did not contain the information needed to detect this one. As it is clearly known that the vulnerability did exist, another possibility is that the software used for scanning was ineffective or broken. However, it is more likely, in the author's opinion, that the scanning software wasn't updated and therefore was unable to detect the vulnerability.
It also appears there was possible negligence on the part of the Equifax IT and security teams. Though a scan was conducted to see if the vulnerability was present, specific guidance had been given on multiple occasions to apply the patch. Clearly the patch was not applied. Why did the team not simply look at the patches on the servers and verify that the patch was installed? In general, this is an easy process to perform and would have immediately indicated that the patch was not applied.
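One way to do the verification the paragraph above calls for, written as an added example for this analysis rather than anything Equifax or Apache published: instead of trusting a scanner's negative result, inventory the struts2-core jars actually deployed and compare each version against the first fixed release of its branch. The deployment paths are constructed, and the fixed-version table is an assumption to be confirmed against the vendor's advisory for this CVE.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# First fixed release per branch. Stated here as an assumption for the
# example; confirm against the Apache Struts advisory for CVE-2017-5638.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "2.3": (2, 3, 32),
    "2.5": (2, 5, 10, 1),
}

# Constructed sample of jar paths as an inventory job might report them.
SAMPLE_DEPLOYMENT = [
    "/srv/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/srv/app2/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/srv/app3/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/srv/app4/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/srv/app5/WEB-INF/lib/commons-fileupload-1.3.2.jar",  # not Struts
]

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str) -> Optional[bool]:
    """True if at/above the branch's fixed release, False if below,
    None if the branch is not in the table and needs manual review."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}") if len(v) >= 2 else None
    if fixed is None:
        return None
    return v >= fixed


def audit(jar_paths: Iterable[str]) -> Dict[str, str]:
    """Map each struts2-core jar path to PATCHED / VULNERABLE / UNKNOWN."""
    results: Dict[str, str] = {}
    for path in jar_paths:
        m = JAR_RE.match(Path(path).name)
        if not m:
            continue  # not a Struts core jar
        status = is_patched(m.group(1))
        results[path] = (
            "UNKNOWN" if status is None else "PATCHED" if status else "VULNERABLE"
        )
    return results


def audit_tree(root: str) -> Dict[str, str]:
    """Walk a real filesystem tree and audit every struts2-core jar found."""
    return audit(str(p) for p in Path(root).rglob("struts2-core-*.jar"))


if __name__ == "__main__":
    for path, status in audit(SAMPLE_DEPLOYMENT).items():
        print(f"{status:10} {path}")
```

Because the check reads the artifact actually on disk, a stale scanner signature database cannot produce the false negative described above; an UNKNOWN result still needs a human to look at it.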
From both an ethical and a legal perspective at the management level, Equifax had a fiduciary duty to notify affected consumers that their information was compromised and to attempt to remediate the situation. Equifax's handling of the situation can only be classified as subpar both before and after the incident. As stated above, Equifax's lack of patch management diligence and lackluster response to directives to apply the patch for a known vulnerability were directly responsible for the attack. Afterwards, the firm did not act in a manner consistent with quickly releasing information about the attack or resolving the issue effectively.
The firm tried to limit consumers' ability to seek legal redress and damages (Marinos & Clements, 2018), and three top-level executives sold some $1.8 million in company stock before the breach was disclosed publicly (Melin, 2017), presumably to avoid losing value on their large holdings. These actions certainly seem to indicate that there were potential profit motives inherent in the responses of Equifax and its executive team members. Executive incentives are commonly cited as motivators for executives to make decisions that preserve individual bonus pay and company stock prices rather than the interests of their customers or other stakeholders (Thomas J. E., 2017).
Problems Inherent with Credit Reporting Agencies
At the time of this attack there were many risks generated by the inherent nature of the credit reporting process in the United States. Consumers are involuntary members of the system and did not and do not have the option to opt into it; their information is reported by companies they do business with. This creates an unapproved and sometimes uninformed risk for most consumers in the United States. After the attack there was much discussion about the need to be able to freeze credit reports. Since then, credit reports have moved from being freezable for a minor fee to being freezable at no cost (Frost, 2018).
Government Response to the Incident
As previously discussed, governments at all major levels responded to the incident.
Responses varied from chastising Equifax to seeking damages to creating new regulations
regarding credit reporting agencies and privacy as well as specific sanctions against Equifax. In
addition to heightened awareness and security, the federal government spearheaded two specific
efforts to address future issues: an enhanced ability to freeze and unfreeze credit reports and
detailed scrutiny about the need for data holders to notify consumers of data breaches (Deahl &
Carman, 2017). One specific example of this is the passage of the Economic Growth, Regulatory
Relief, and Consumer Protection Act (115th Congress, 2018).
Conclusion
At the time, the Equifax data breach was unprecedented and represented the largest and most complex data breach known (Fruhlinger, 2019; Gressin, 2017; Marinos & Clements, 2018; Oregon Department of Justice, 2019). The breach was caused by a known vulnerability that had been published by the vendor, and Equifax received several warnings to apply the patch that would have eliminated it. However, enterprise systems management and cybersecurity are very complex, and even though Equifax had a presumably large IT division, it was not able to use standard digital forensic techniques or systems management practices to identify and track the infiltration (Fruhlinger, 2019; Marinos & Clements, 2018; Thomas, Galligher, Thomas, & Galligher, 2019). It used an outside security firm to conduct the forensic investigation. The simple act of failing to apply a patch, and failing to check properly whether the patch was installed, enabled a devastating cybercrime with far-reaching ramifications.
Due to the evolving nature of technology and its increasing use in daily life and business, new cybercrimes are being developed or committed on a frequent basis. These crimes range from entirely new types of cybercrime enabled by new technologies to the application of established cybercrime methods to new targets as new technology is embraced. Cybercrime has become so prevalent that many people are more worried about cybercrimes such as identity theft than about home burglaries (hashedout, 2019). The complex nature and economies of scale of committing cybercrimes, combined with the reduced cost and risk of executing them, make cybercrime an increasingly popular methodology for committing criminal acts. Likewise, because of this vast array of methods and touch points, people are more susceptible to cybercrime than they are to traditional crimes.
References
115th Congress. (2018, May 24). S.2155 - Economic Growth, Regulatory Relief, and Consumer Protection Act. Retrieved from Congress.gov: https://www.congress.gov/bill/115th-congress/senate-bill/2155
Atleson, M. (2019, July). Equifax data breach: beware of fake settlement sites. Retrieved from Federal Trade Commission Consumer Information: https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breach-beware-fake-settlement-websites
Deahl, D., & Carman, A. (2017, September 20). For weeks, Equifax customer service has been directing victims to a fake phishing site. Retrieved from The Verge: https://www.theverge.com/2017/9/20/16339612/equifax-tweet-wrong-website-phishing-identity-monitoring
Equifax. (2019). 2017 cybersecurity incident & important consumer information. Retrieved from equifaxsecurity2017.com: https://www.equifaxsecurity2017.com
Frost, A. (2018, September 6). Equifax data breach: Still haven't frozen your credit since the huge hack? Here's how. Retrieved from USA Today: https://www.usatoday.com/story/money/2018/09/06/equifax-data-breach-how-freeze-your-credit-report/1136955002/
Fruhlinger, J. (2019, October 14). Equifax data breach FAQ: what happened, who was affected, what was the impact? Retrieved from CSO: https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
Gressin, S. (2017, September 8). The Equifax data breach: what to do. Retrieved from The Federal Trade Commission Consumer Information: https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
hashedout. (2019, November 14). 33 Alarming Cybercrime Statistics You Should Know in 2019. Retrieved from Hashedout.com: https://www.thesslstore.com/blog/33-alarming-cybercrime-statistics-you-should-know/
Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to mitigate phishing attacks using mindfulness techniques. Journal of Management Information Systems, 34(2), 597-626. doi:10.1080/07421222.2017.1334499
Marinos, N., & Clements, M. (2018, August). Data Protection Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach. Retrieved from Warren.senate.gov: https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO%20Equifax%20report.pdf
Melin, A. (2017, September 7). Three Equifax Managers Sold Stock before Cyber Hack Revealed. Retrieved from Bloomberg: https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack
NIST. (2018, March 3). CVE-2017-5638 Detail. Retrieved from National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2017-5638
Oregon Department of Justice. (2019, July 22). 50 State Attorneys General Secure 600 Million from Equifax in the Largest Data Breach Settlement in History. Retrieved from Oregon Department of Justice: https://www.doj.state.or.us/media-home/news-media-releases/50-state-attorneys-general-secure-600-million-from-equifax-in-largest-data-breach-settlement-in-history/
Perez, L. (2017, September 8). 2019 Fed Meeting Predictions - A Fourth Fed Rate Cut Is Unlikely. Retrieved from MagnifyMoney: https://www.magnifymoney.com/blog/news/freaked-equifax-hack-heres-need-know1475999910/
Rajna, G. (2018). Equifax Data Breach. viXra. Retrieved December 7, 2019, from http://vixra.org/pdf/1808.0215v1.pdf
The Apache Software Foundation. (2018). Apache Struts. Retrieved from apachestruts.org: https://struts.apache.org/
Thomas, J. E. (2017). Lessons learned in management, marketing, sales, and finance incentive practices a decade after the Subprime Mortgage Crisis. International Journal of Business and Management, 12(3), 19-26. doi:10.5539/ijbm.v12n3p19
Thomas, J. E. (2018). Individual cyber security: Empowering employees to resist spear phishing to prevent identity theft and ransomware attacks. International Journal of Business and Management, 13(6), 1-24. doi:10.5539/ijbm.v13n6p1
Thomas, J. E., & Hornsey, P. E. (2014). Adding rigor to classroom assessment techniques for non-traditional adult programs: A lifecycle improvement approach. Journal of Instructional Research, 3, 27-37. doi:10.9743/JIR.2014.3.20
Thomas, J., Galligher, R., Thomas, M., & Galligher, G. (2019). Enterprise Cybersecurity: Investigating and Detecting Ransomware Infections Using Digital Forensic Techniques. Computer and Information Science, 12(3), 72-80. doi:10.5539/cisv12n3p72