Saturday, September 9, 2017

Equifax Data Breach

Almost 2 years after we all witnessed the Experian data breach, we are now being informed about the Equifax data breach. With almost half of US consumers probably hit by this breach, Equifax made a statement that not all information was compromised. Well, if names, SSNs and driving license details (though not in all cases) are compromised and the hackers have those details, what is Equifax trying to convey? More so, where Equifax stands now, does it have any way to explain an attack that was carried out over 2 months (May - June 2017) and that Equifax could only uncover somewhere in July? Doesn't this highlight the level of security measures, or the loopholes that exist in the overall system configuration, and more so in the monitoring of traffic as well as transactions? Didn't the Equifax CISO review the Experian hack and the ways he could have directed the team to act swiftly to ensure that they didn't fall into a similar trap? Sad but true, they indeed fell into the sinkhole that was waiting for them, and no one else can be blamed but their not-so-productive approach.
So, where do we go from here? Should we accept registration with Equifax's "Trusted ID Premier" service, "free" for the next year? Would that be enough for them to prove their commitment to protect consumers from any sort of fraud? Or wait, isn't this in itself a crony capitalism step by Equifax to exploit the situation and then charge us $19.95 a month thereafter until we cancel the service? It is important to note that the hackers wouldn't use that information on an immediate basis, for they would also know that, just like Experian's "Protect My ID" service offered for free, Equifax might also offer its service free (which it indeed did). In all probability, the hackers may sell the database at a premium to fraudsters, and the fraudsters would then exploit the vulnerable at a convenient time. By then the theft protection cover being offered free for one year would probably have expired. More so, I would not recommend that you sign up for Equifax's free service, as by doing so you would surrender your right to join a class action suit should one happen.
Consider the specific situation where fraud happens a few months down the line, during the tax filing period, when the hacked information could actually be used to impersonate the consumer and file taxes "as" them. That is the type of fraud that an ID protection service would not be able to prevent, and the consumer would just be left running from pillar to post to get the situation corrected.

The impact of this breach on consumers can only be estimated at this time. There is no confirmed way to identify the long-term impact on any consumer with a compromised identity until the compromise makes landfall on that consumer's account.

This, however, is not the first breach at Equifax or a group company, thanks to the blinders they have put up while assuming that data security is prime for them. If we are horrified by the news that this data breach lasted two months, that they uncovered it only after those 2 months, and that they then waited another 4 to 6 weeks to make the disclosure, please search for the TALX breach that was reported to have started back in April 2016 and continued for almost a year. A large amount of W-2 data was compromised then too. Equifax didn't learn a lesson from that either.

Now, that's a sad story from an organization that is tasked with storing our data but is not sincere enough to really secure that data. Certainly, the business of the organization is to compile and store data to be used for marketing and cross-selling purposes. The accessibility of that data needs to be maintained by them to make more money than ever. But shouldn't the federal and state legislators ensure that organizations of this kind are regulated and made responsible for such breaches? Shouldn't there be a commitment by US legislatures to have regulations along the lines of GDPR, and to ensure that the requirement to disclose has a stringent deadline (72 hours in the case of GDPR)? What most US states have is a "reasonable time period", or at most 30 to 90 days. Gracious God, that's a lot of time for the hackers to misuse the data, leaving hardly any room for the consumer to step up and protect their interests.

From a consumer's point of view, what can be done? Most consumers would think the same, and I am sure most of them would sign up for Trusted ID Premier for one year thinking that is the best step forward. But, as mentioned above, that would just prove to be another marketing stunt for Equifax rather than a permanent fix. After 1 year (or whatever period they offer... maybe 2 years), even if half of those who sign up for the service sign out, Equifax would make millions per month charging the rest the fee.

I am sure that once the news spreads further, most consumers will start wondering what should be done now. I would suggest visiting https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do#comment-256824 and considering the following steps that are detailed there -
  1. Place a credit freeze with your bankers. This will make it hard for the hackers to act as you, but they can still misuse your credit cards
  2. Limit and monitor your credit card statements
  3. Monitor your credit scores and reports on a regular basis. There are a few services that may provide free monitoring and updates; evaluate them and make a decision. Alternatively, obtain your 3-bureau credit report from annualcreditreport.com (limited to once a year though)
  4. Consider placing a fraud alert on your files if you choose not to go for a credit freeze. This would indicate to institutions that they should verify that it indeed is you who is requesting an account opening or credit services
  5. Ensure that you file your taxes promptly as soon as you get your W-2 in hand. You shouldn't delay filing your returns, as that may be a costly delay should a fraudster file them as you. And ensure that this step is repeated every year, as you never know when your information may be misused.
-----------------------
P.S. - Would TransUnion pick up a cue from the Experian and Equifax hacks to ensure that they are up to the mark with their measures to secure our data?

Friday, January 27, 2017

Cyber Security Program - Need for All Inclusive Approach

The cyber security program, the way I have often observed it in various organizations over the years, is led with a piecemeal approach. There is no holistic view or review of it, and the cyber security team, often small enough to be counted on one's fingers, is left to defend the entire organization's information and information technology establishments. The other teams, from IT as well as the business, simply shrug off their responsibility to participate in the overall cyber security program.

The main culprit for the piecemeal approach, as I have seen, is the business's alignment to the overall information security aspects. The biggest misconception that managers at various levels in a business carry is: "Business as usual doesn't need to be secure, and if anything needs to be secured, then the information security team has been hired for that purpose." In one of my interactions with a client IT manager, when I highlighted that there was an acute need for them to focus on the information security aspects, I was told to submit my detailed information security assessment report and they would see what they would have to do. The IT manager also had the additional responsibility of handling the information security domains and was an influence in the office of the CIO.

There are many such instances that I have waded through in the industry where organizations take a piecemeal approach rather than a holistic view when implementing information security measures. For instance, in one case a senior information security architect was forcing us to include two layers of security even to reach the DMZ. I was not able to understand the logic of having two layers of firewall of the same make and model with the same rule-base. Maybe I was ignorant, as I always believe firewalls are the dumbest security device because they can't differentiate between legitimate and illegitimate traffic on the ports they are supposed to let traffic flow through. It certainly is good to have layered perimeter security, but only when we look at the holistic view of the overall perimeter layer and not just a small dumb appliance called a firewall. It is important that we also consider the other layers of IPS/IDS, anti-malware, anti-virus, deep inspectors, threat monitors etc. at that layer rather than just relying on the firewall. Even if we are looking at two layers of firewall, please consider two different makes, models and technologies rather than what I described in my example above.

Another aspect of information security that takes a piecemeal approach is addressing and reporting compliance requirements as they apply from industry to industry. For instance, it is indeed a very good practice to have a Risk Based Internal Audit (RBIA) practice, but then the practice must cover an inclusive scope of audit rather than an exclusive one. What I mean here is that focusing on a particular standard, and then limiting the risk assessment to the requirements of that standard in order to define next year's audit program, would limit the overall audit scope. It would be better to cover the risk assessment with a holistic approach, based on the control domains applicable to the business as well as the IT functions. Such a risk assessment would provide a wider set of aspects that must be audited on a regular basis, as it would surface many more situations to audit and assess from the risk management perspective. These audit activities can then feed into the residual risk assessment, helping with a better RBIA result than the micro-results achieved with the previous approach, which I call need-based audit and not true RBIA.

Even though today compliance assertion and risk management have been branched out from the earlier information security initiative into a Governance, Risk and Compliance function, the base still remains the same. Information security initiatives drive the overall risk and compliance posture of an organization. It is in fact imperative that information security be driven with a bottom-up approach, with information sitting at the bottom of the pyramid and the overall governance at the top. Certainly this would help drive the holistic view and review, with the information at the bottom shielded by the controls deployed at the technology and process levels, and the controls providing inputs to the compliance assertion requirements that flow into the risk management and governance pieces. The overall system needs to be deployed in a fashion that says "All Inclusive" rather than "Exclusive PCI" or "Exclusive HIPAA" or "Exclusive FIPS". Though the industry has been talking about a Unified Compliance Framework for ages now, that term has still not been adopted by most organizations, and I do not see a major breakthrough there unless organizations first look at the macro level for an all-inclusive approach rather than the current piecemeal approach by technology, by security or by compliance need.