Re NYTimes: Equifax Says Cyberattack May Have Affected 143 Million Customers

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: Peter Thoenen <peter.thoenen () yahoo com>
> Date: September 8, 2017 at 4:42:36 AM EDT
> To: "dave () farber net" <dave () farber net>
> Subject: Re: [IP] NYTimes: Equifax Says Cyberattack May Have Affected 143 Million Customers
> Reply-To: Peter Thoenen <peter.thoenen () yahoo com>
>
> Dave:
>
> From a private mailing list I'm on, I did not write this and I bcc'ed the author if he wishes attribution (he can 
> email you if so) but def a good take on this.
>
> -Peter
>
> ---------- Forwarded message ----------
> From: xxxxxx
> Date: Thu, Sep 7, 2017 at 6:48 PM
> Subject: Responding to the Equifax breach the right way
> To: xxxxx
>
> So as everyone's seen, there's a huge Equifax breach of 143M Americans:
>
> https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
>
> Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in a 
> website application, according to an investigation by Equifax.
>
> I'm getting pretty numb to "massive breach" headlines, but what I'm starting to care about more reach time is how we 
> (collectively) respond to such an event, and what happens to companies who undergo them.
>
> There's going to be strong pressure for people to abandon Equifax and to punish them for their breach. But regardless 
> of whether punishment is merited, it seems like the best outcome of this event would be for Equifax and the industry 
> (and the entire security community) to learn from this and just get better at security.
>
> I think it's also important not to just kneejerk destroy a company for admitting a breach, or companies will 
> (continue to) go to great lengths to avoid ever exposing that a breach has occurred. We should want to know about 
> these things, and we should want to learn what processes to change or defenses to prioritize.
>
> The ideal would be for Equifax to publish a full (public) root cause analysis and post-mortem of the event -- the 
> nature of the attack, a timeline of events, what problems and processes contributed to the vulnerability, and what 
> changes they've made (technically and procedurally) to fix it.
>
> That's the sort of thing that most large companies scream bloody murder about doing, and they would probably 
> need...incentives...to do it, but this is the approach that I see in the parts of the industry that are fixing things 
> the fastest.
>
> For a great recent-ish example of this, GitLab did a post-mortem of a fairly catastrophic outage event where they 
> lost a day's worth of data, and almost lost months' worth of data because all of their backup processes failed:
>
> https://about.gitlab.com/2017/02/10/postmortem-of-database-outage-of-january-31/
>
> That's a particularly engineering-focused writeup by an engineering-focused company. Another example is from the web 
> PKI, where certificate authorities who issue bad certificates are strongly encouraged by Mozilla to publish a public 
> root cause analysis and timeline of the issue.
>
> Here's one by PKIOverheid, which is the Dutch Government's PKI authority:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/W1D4oZ__BwAJ
>
> That post by PKIOverheid engendered a lot of goodwill for them, by the technical community but also by their direct 
> overseers that are in control of their trust -- Mozilla, Google, and others.
>
> When companies experience technical failures, an important way of predicting whether they are likely to continue to 
> be trustworthy is to see how they handle explaining those failures, and how well they even understand what happened 
> to them and how to fix them.
>
> Demonstrating this publicly is key to maintaining public trust, which is certainly what certificate authorities need 
> to have, but also very much what a company with 143 million Americans' PII needs to have.
>
> So I hope we ... take this as an opportunity to change the norms around public disclosure and analysis of security 
> events, rather than just a public shaming.
>
> -- xxx
>
> From: Dave Farber <farber () gmail com>
>  To: ip <ip () listbox com>
> Sent: Thursday, September 7, 2017 9:43 PM
> Subject: [IP] NYTimes: Equifax Says Cyberattack May Have Affected 143 Million Customers
>
> https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?smprod=nytcore-ipad&smid=nytcore-ipad-share
>
> Criminals gained access to certain files in the company’s system from mid-May to July, according to an investigation 
> by Equifax.



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20170908074038:86DD28DE-948A-11E7-9638-E7B9E11E876D
Powered by Listbox: http://www.listbox.com