Dailydave mailing list archives

Re: Equitablefax


From: "Steve R. Smith" <steve_smith1999 () yahoo com>
Date: Wed, 27 Sep 2017 16:00:21 +0000 (UTC)

Was this predictable: probably
I would be surprised if the PCI assessors (and therefore leadership) didn't know about some of the control environment 
deficiencies. Typically you get - "that's not a priority", "it was designed that way", "we need to update to the next 
version first", or even "we don't have the budget to fix that". In some cases, if you think it's an issue - you have to 
rationalize, push, and play politics to get it addressed. Maybe even threaten to escalate the issue. I've had IT VPs 
that I worked with refuse to fix something because it was a revenue generating system and they didn't want to risk 
business objectives.    
Was it preventable: unlikely
I think based on historical trends and what we see in the wild, we can predict with confidence that many companies are 
and/or will be at risk for compromise. IT environments were complicated 18 years ago when I first got into security and 
they've become even more complicated with the evolution of technology.
Do we know who did it: maybe 
Mandiant is very good at what they do but sometimes attribution just isn't possible because of all the hops the 
attackers may have taken to get to their final target. The other compromised systems sometimes live in countries that 
won't help us investigate cyber crimes.  
Did they do anything new to attack or defend: unlikely
As you point out above, there are many vulnerabilities that go unpatched and unaddressed. Combine that with IT 
operational mistakes and you may have a large environment susceptible to compromise. This could be a 
misconfiguration (TFTP with / access, world readable/writable cron scripts owned by root), purposeful change that 
introduces a weakness (open NFS shares combined with availability of r-services, open X display), trust relationships, 
shared passwords across the environment - you name it.  
My rule is if all you're doing are the bare minimums and/or you have leadership pushing back in the form of not 
providing executive level support, determining your strategy or tactics, or limiting your budget - you are unlikely to 
have an effective security program.

By the way - I think you're right. We focus way too much on claiming these compromises are caused by nation states. It 
very well could be one person or a small team of opportunists. 
No, I have no clue how or how often they did their penetration testing. Considering that it's been reported that web 
portals with easily guessable usernames/passwords were used for data exfiltration, their competence is questionable. 
Kind regards, ~steve 
 

    On Wednesday, September 27, 2017, 10:15:12 AM CDT, dave aitel <dave () immunityinc com> wrote:  
 
  
So I assume most people skim any news reports of big breaches in the same way these days. Was this predictable? Was it 
preventable? Do we know who did it? Did they do anything new to attack or defend?
 
In Equifax's case, the reportable information clearly is the alleged trading anomalies, rather than the hack itself. 
But the third question is interesting to a point. I've been trying to write a keynote for T2 for the past few weeks, 
and while my muse is clearly on an extended vacation, there are some interesting generational changes afoot with 
regards to these questions.
 
At some level, in a world where vulnerabilities are super rare, governments dominate the discussion of malicious 
actors. I think there's a lot of news chaff about every little 20-something hacker or aspiring malware businessman who 
gets caught. Filtering those out, there are relatively few reports of hacking groups with high skills levels. And 
because of our assumptions that "Governments" are behind everything now, I think we naturally err towards flinching at 
boogeymen who...wield SQLi and Phishing with .jar files. 
 
 
But when you look at the accomplishments of truly skilled hackers, they're amazing. And the environment we live in is 
not one where major vulnerabilities are rare. The environment is such that any specialized extremophile can penetrate 
and persist all of cyberspace. In a sense, the entire bug bounty market is a breeding ground for a species that can 
collect extremely low impact web vulnerabilities into a life sustaining nutrient cycle, like the crabs on volcanic 
plumes in the depths of the Pacific. Likewise, learning everything about RMI is enough to be everywhere, or .Net 
serialization, or CCleaner. In cyber, where there's a way there's a will. 
 
 
It used to be we would be more afraid if it was China or Russia or Iran or whoever. But these days I like to annoy 
people by asking what if it's not? 
 
 
Also, does anyone know how often Equifax did their penetration testing? My new rule is that if you only do it in Q4 you 
are unlikely to have a mature security program. :)
 
 
-dave
 

 
 _______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
  