ashwinkrishnan
Contributor

Why the ‘Equifax’ breach could be the gift that keeps on giving

Opinion
Oct 05, 2017 | 4 mins
Cybercrime, Data and Information Security, Data Breach

While there are many vendors and consultants trying to outdo each other on the how's and why's of the breach, for IT departments who are wondering if they're next, there's a strategy to use this breach to get ahead.

Yes, most (if not all) of us are going to be impacted one way or another by the Equifax breach. And class action lawsuits, credit monitoring tools and individual credit freezes will escalate. But there is another important dimension to this calamity, one that might yield some positive upside if approached properly. What am I talking about? I am talking about the chasm between Infrastructure Ops, Security Ops, and Compliance and Audit that exists in every enterprise today (which I wrote about here) and how that might have contributed to this fiasco.

But this is not just an Equifax issue, I would hazard. Why can I state this confidently? Because I heard this loud and clear at #BlackHat and more recently at the #StructureSecurity conference in San Francisco. In fact, a comment by John ‘Four’ Flynn, CISO at Uber, really drove this home: “The #1 risk most organizations face today is the Windows 2000 server sitting under Bob’s desk that needs to stay up and therefore is not patched, rebooted or changed in any manner, as no one wants to assume the risk of it going down.” And this trumps any security hygiene or compliance dictate.

If you are in IT Operations, this presents an opportunity that does not come by very often. Most well-run IT Ops teams may think they have a handle on security and may even be aware of ‘Bob’s server’ and other vulnerable systems in their environment (cloud adds another degree of complexity, but let’s tackle that in the next article). But the fear remains: what if there are more systems than anticipated? Would they even try a tool that exposes the risk they have? Actually, no. They don’t want to hear it, because if they do, and then don’t act, and there is an incident, heads will roll. So they would rather play dumb and NOT EVEN entertain the dialog with a vendor or two. But that does not reduce the risk, and they do end up spending sleepless nights!

But with Equifax, and the unpatched Apache servers, the quantifiable cyber security risk that an organization faces is becoming a board-level conversation. And I would argue that this is the time that IT Ops can actually go up to the CIO (or CISO) and make a case for ‘risk assessment’ tools that would materially expose, quantify and reduce the cyber risk any organization faces. For instance, in a recent GAO report the five identified areas of weakness were ‘limited access controls, limited configuration management controls, limited to no segregation of duties, lack of contingency planning, siloed security management’. I would argue that no IT organization would be magically accorded budget to identify tools that would help expose the risks in these five areas, and further take corrective action, on any given day. But we are not talking about any given day. This is the day (or the week) that the largest and most impactful breach in US history has happened, and it has been attributed to poor patch management governance.

That is the opportunity. Don’t let this crisis go to waste, my fellow IT brethren. With the CEO having to step down as a result of this, the budget will appear magically in most regulated industry verticals. One needs to know what to ask for and why.

So, let’s take advantage of what happened at Equifax and go and secure budget for the tasks that you always knew you had to do (update Bob’s Win 2K server). Given the heightened awareness, there would also be more latitude toward any issues post-upgrade, since the primary driver is to patch the systems.

On the contrary, if we pretend that this is just yet another breach and sink into hubris, and god forbid another attack were to happen, the tolerance for any kind of IT snafu would be very low. So, let’s ride this horse to the finish line and seek budget and deploy tools that:

  1. Identify and expose risk
  2. Highlight the risk in a language upper management understands
  3. Apply solutions that reduce the risk to an acceptable level
  4. Constantly monitor the environment for any change

Rinse and repeat.

As someone once said, “Never let a crisis go to waste.”

Ashwin Krishnan is the COO of UberKnowledge, a cybersecurity knowledge sharing, training and compliance organization.

As a former vendor hi-tech executive in the cybersecurity and cloud domain he has turned writer, podcaster and speaker. His focus is on simplifying technology trends and complex topics such as security, artificial intelligence and ethics through enduring analogies which he shares on his blog and his talks. Ashwin is the author of “Mobile Security for Dummies,” and as a recognized thought-leader he contributes to a variety of publications, including Entrepreneur Magazine.

Ashwin is a regular host with CISOs on podcasts such as the Cyber Security Dispatch where he bridges the education gap between what the security practitioners need and what the vendors provide; as a tech ethics evangelist he is frequently on main stage at conferences educating and empowering consumers and vendors alike on the role of ethics in tech; his recent speaking engagements include the Smart Home Conference, Fog Computing Congress, and the Global AI Conference.

The opinions expressed in this blog are those of Ashwin Krishnan and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.