Community Archive

🧵 Thread (27 tweets)

Patrick McKenzie @patio11

The Equifax ex-CEO throwing an unnamed technician under the bus for the Equifax breach is positively maddening. Some thoughts:

10/4/2017

Patrick McKenzie @patio11

There is never a single person at fault for a poor engineering decision. That isn't me as an engineer talking; that is Management 101.

10/4/2017

Patrick McKenzie @patio11

We would laugh out of the room a CEO who said "The reason that we didn't file our taxes last year was an employee forgot to buy a stamp."

10/4/2017

Patrick McKenzie @patio11

"And you didn't notice?" "No, we just assume that the Tax Stamp Buyer always buys stamps." "And who do they report to?" "Uh no one."

10/4/2017

Patrick McKenzie @patio11

Think how much you can deduce about Equifax's security posture from the complaint that a single email not getting read enables this.

10/4/2017

Patrick McKenzie @patio11

There is no ticketing system employed, because a ticketing system would (unlike email) show evidence of work being requested but not done.

10/4/2017

Patrick McKenzie @patio11

There is no two-man rule for changes to critical systems, because that would produce another person with direct knowledge of this issue.

10/4/2017

Patrick McKenzie @patio11

There is no culture of follow-through in the org, because the person reporting the vulnerability thought tossing it over the transom was "OK, done".

10/4/2017

Patrick McKenzie @patio11

There is no centralized list, anywhere, of what software is deployed and what version it is. There is no process run against that list.

10/4/2017

Patrick McKenzie @patio11

There are either no automated scans of deployed systems or they are severely deficient.

10/4/2017
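The two tweets above describe the control that was missing: a central inventory of what is deployed, at which version, with a process run against it (the scan). The following is an added example, not code from the thread or from Equifax, showing the smallest useful form of that process in Python: an inventory of deployed components is checked against a list of advisories, each giving an affected version range, and every host still running an affected version is reported. Every host name, component name, version number and advisory identifier below is constructed for illustration and refers to no real product or CVE.

```python
"""Deployed-software inventory checked against vulnerability advisories.

Added example (not part of the original thread). All hosts, components,
versions and advisory identifiers are constructed; none is a real CVE.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically.

    Assumes plain dotted numeric versions; '2.10.0' must sort after '2.9.9',
    which a string comparison would get wrong.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Deployment:
    host: str
    component: str
    version: str


@dataclass(frozen=True)
class Advisory:
    ident: str        # constructed identifier, not a real CVE number
    component: str
    introduced: str   # first affected version (inclusive)
    fixed_in: str     # first fixed version (exclusive upper bound)


# Constructed inventory: what a central "what is deployed where" list holds.
INVENTORY = [
    Deployment("web-01", "webframework", "2.3.31"),
    Deployment("web-02", "webframework", "2.3.32"),
    Deployment("api-01", "webframework", "2.5.1"),
    Deployment("db-01", "dbengine", "9.6.4"),
]

# Constructed advisory feed: what the security mailing list would have said.
ADVISORIES = [
    Advisory("ADV-2017-001", "webframework", introduced="2.3.0", fixed_in="2.3.32"),
    Advisory("ADV-2017-002", "webframework", introduced="2.5.0", fixed_in="2.5.2"),
]


def is_affected(dep: Deployment, adv: Advisory) -> bool:
    """True when the deployment runs a version inside the advisory's range."""
    if dep.component != adv.component:
        return False
    v = parse_version(dep.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)


def unpatched(inventory: Iterable[Deployment],
              advisories: Iterable[Advisory]) -> List[Tuple[str, str, str, str, str]]:
    """Return (host, component, version, advisory, fixed_in) for every exposure.

    This is the 'process run against the list': it is the step that turns an
    unread email into a ticket with an owner, because it names the host.
    """
    advisories = list(advisories)
    findings = []
    for dep in inventory:
        for adv in advisories:
            if is_affected(dep, adv):
                findings.append((dep.host, dep.component, dep.version,
                                 adv.ident, adv.fixed_in))
    return findings


if __name__ == "__main__":
    for host, comp, ver, adv, fix in unpatched(INVENTORY, ADVISORIES):
        print(f"{host}: {comp} {ver} affected by {adv}, upgrade to {fix}")
```

Run on the constructed data it reports web-01 (affected by the first advisory) and api-01 (affected by the second) and stays silent about web-02, which already runs the fixed version. The point is not the comparison logic but that it can only run at all if the inventory exists and is maintained; a scanner that discovers versions directly from the hosts produces the same list without trusting anyone to update it by hand.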
Patrick McKenzie @patio11

Management, up to and including the CEO, was aware of these deficiencies in controls and did not correct them, for years.

10/4/2017

Patrick McKenzie @patio11

This is the sort of situation in which a Japanese CEO would resign while taking the blame for a lax managerial environment. That is correct.

10/4/2017

Patrick McKenzie @patio11

Speaking of failures in leadership: if your immediate instinct as a leader is not to protect your team then what leader are you?

10/4/2017

Patrick McKenzie @patio11

Congress is filled with idiots who can't insert a floppy disk correctly, and they want their pound of flesh. Alright, sucks. OFFER YOURS.

10/4/2017

Patrick McKenzie @patio11

Equifax is entertaining questions on the employment status of the employee they blamed for this, because they blamed an employee for this.

10/4/2017

Patrick McKenzie @patio11

At least they're saying "No comment" on that, but comment should never have been asked for, because CEO/CTO/etc should have jumped on this.

10/4/2017

Patrick McKenzie @patio11

Also, since security is a process rather than a single binary event, there were numerous opportunities to improve even if compromised.

10/4/2017

Patrick McKenzie @patio11

Banks expect to get robbed! They don't expect to get robbed of Literally All Of The Money because it was kept in a single unlocked room.

10/4/2017

Patrick McKenzie @patio11

Equifax had terabytes of data exfiltrated off of their network. "And did we notice it?" "Nope." "And whose job was it to notice?" "..."

10/4/2017
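"Whose job was it to notice?" has a technical half as well as an organisational one: bulk exfiltration shows up in egress accounting long before anyone reads a forensic report. As an added example, not code from the thread or from any real network, here is a Python detector that sums outbound bytes per internal host from flow records and raises an alert when a host's total crosses a threshold. The flow-log lines, the internal address ranges, the byte counts and the 1 GiB threshold are all constructed for illustration; the destination addresses are from the documentation ranges and belong to no one.

```python
"""Bulk-egress detector over flow-log records.

Added example (not part of the original thread). The flow records, internal
ranges and threshold below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed: the address space the detector treats as "inside".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records: "timestamp src dst bytes", one flow per line.
# 10.0.1.15 moves ~10 GiB to two external hosts; 10.0.2.20 moves more, but
# only internally; 10.0.2.21 makes a normal-sized external connection.
FLOW_LOG = """\
2017-10-04T02:00:05 10.0.1.15 203.0.113.9 3221225472
2017-10-04T02:01:10 10.0.1.15 203.0.113.9 2147483648
2017-10-04T02:03:44 10.0.1.15 198.51.100.7 5368709120
2017-10-04T02:04:02 10.0.2.20 10.0.3.5 8589934592
2017-10-04T02:05:11 10.0.2.21 203.0.113.44 20480
"""

Flow = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, int]


def parse_flows(text: str) -> Iterator[Flow]:
    """Yield (timestamp, src, dst, bytes); skips blank and '#' comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_host(flows: Iterator[Flow]) -> Dict[str, int]:
    """Total bytes each internal host sent to addresses outside INTERNAL_NETS.

    Internal-to-internal traffic is deliberately excluded: a database replica
    syncing 8 GiB to another internal host is not exfiltration.
    """
    totals: Dict[str, int] = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[str(src)] += nbytes
    return dict(totals)


def bulk_egress_alerts(text: str, threshold_bytes: int = 1 << 30) -> List[Tuple[str, int]]:
    """Return (host, bytes) for every internal host above the threshold, largest first."""
    totals = egress_by_host(parse_flows(text))
    hits = [(host, total) for host, total in totals.items() if total > threshold_bytes]
    return sorted(hits, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for host, total in bulk_egress_alerts(FLOW_LOG):
        print(f"ALERT: {host} sent {total / (1 << 30):.1f} GiB outside the network")
```

A fixed threshold is the simplest version; in practice the threshold is derived from each host's own baseline (a web front end that normally sends kilobytes and suddenly sends gigabytes is the signal, whatever the absolute number), and the alert has to route to a named on-call owner, which is the part the thread is really about.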
Patrick McKenzie @patio11

You would hope that a company with critical information would have wargamed out breach scenarios years ago and put in layers of defense.

10/4/2017

Patrick McKenzie @patio11

"OK, if they pop a server, what do we do?" "An alarm is raised; we push the Madagascar button." "The what?" "Shut. Down. Everything."

10/4/2017

Patrick McKenzie @patio11

I will bet at 100 to 1 odds that Equifax has no Madagascar button, the utility of which is obvious years before any particular breach.

10/4/2017

Patrick McKenzie @patio11

I would also bet that Equifax did not think of the question "Who has the authority to push the Big Red Button?", which serious orgs do.

10/4/2017

Patrick McKenzie @patio11

Here's another win for Japanese mgmt (we do get *some* things right): https://t.co/SlFkxi9UTe Literally anyone can push the Big Red Button.

10/4/2017

Patrick McKenzie @patio11

There is a large car company that you're aware of which begins its training about Big Red Buttons with reasons why janitors have pushed it.

10/4/2017

Patrick McKenzie @patio11

"But why would you let a janitor cost the company millions of dollars?" Because we made a considered decision about tolerances and quality.

10/4/2017

Patrick McKenzie @patio11

Equifax has apparently not made that considered decision, which is the same thing as making a considered decision... they chose this outcome.

10/4/2017