Friday, December 21, 2018

For Christmas, don't be Equifax or Donald Trump

All I want for Christmas is to not be an Equifax.  That should be the chant of any VP of IT or even any CEO.

But in the current period of humanity we are in, where diehard claimed christians support an orange lunatic that builds walls instead of protecting refugees, feeding the homeless, or taking care of the countries veterans pretty much violating anything that any version of any bible says.  We must obviously face the facts that humans are mostly hypocrites.   

The Donald after all has been confirmed to have made over 6000 false claims over the last 600 days (link here) including locking down the government because he is not getting the funding to pay for that great wall the Mexicans where supposed to pay for.  Yet the diehard Trump supporters are all behind him, because no one needs to be telling the truth, no one needs to be accountable, and no one needs to be a decent human being because America is great, we are all hypocrites and only care about ourselves.    After all, almost not a week goes by that I cross a company that mentions security a dozen times yet have absolutely no security in place.  So lies are now the golden standard.


Take a look at the latest claim from Equifax:


They are blaming a single person for every single one of their failures !

We should call this the Donald from this point forward.  It is a pretty bold move to blame that one IT guy for a long list of failures that cannot possibly be attached to this one poor soul.

Sure, a patch was mis-applied...  but the architecture still remains terrible, nothing is checking their systems for exposed and exploitable vulnerabilities, no lateral movement detection or advanced threat detection is in place, and for this single security issue... no one noticed for months.....

Lets not mention that some of the other divisions of Equifax had open databases visible on the Internet that a chimpanzee could access and see PII data for an entire countries population.

And here is the real kicker, after the breach, Equifax reviewed their security posture and immediately made changes and added technology to the tune of over 100 million dollars to bring their current cyber security posture to what they declared as "modern" and "Acceptable".  

What this means is that they realized that everything they had in place was far behind and needed to have 100 million $ injected to bring it up to "acceptable".

How the heck can that be blamed on that one IT guy.

Equifax, you continue to prove that you are a terrible company and that you only exist because of the strong lobby that is in place combined with the lack of spine from both your corporate customers (The banks) and our government.

So in this holiday period, am I disappointed in Equifax, indeed however the failure remains bigger for the banks and our government including our privacy commissioners who play the big boy game of politics and look the other way.

That is my holiday gift to you, the sad realization that our banks and government suck more then Equifax.  As for all my other friends who are not Equifax, the ones who provides quality and secure systems, I wish you all a merry Christmas.

And for 2019, may we see less Equifax, and lets remain wishful that senior executives who act willfully blind get some real fines that are paid out of their own pockets and not their share holders, and some jail time to serve as an attitude adjustment.

Hey, we can all wish for things under the tree.

Now for some positive comments ;-)

The private sector is booming and much more secure.  I have on-boarded several new clients, all privately owned and all of them listen to suggestions of optimisation based on risks.  So faith in human kind is restored.

So I guess my real wish for Christmas is simple.  Lets all work together to accurately describe risks in business terms and getting risk acceptance performed at the appropriate management level.  Lets call fat...fat... lets call something blue... blue.... stick to the facts, and work to be better as each day goes by.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

No comments:

Post a Comment

----- ENGLISH FOLLOWS Un cas intéressant d'exposition de données à l'UDA. Le site web comprenait une seule ligne de texte qui pouvai...