More on the saga of Equifax, or, "How not to do IT".
So, more has come out on how the debacle that is Equifax IT came about. First, what went wrong, and then the who.
The chronology can be read here. In addition to that, the basic problem is noted:
"The software problem was detected in March and a recommended software patch was released shortly afterward. Equifax said the database intrusion began in May and continued until July.
Security experts said Equifax had more than enough opportunity to block intruders by sealing the security hole. “There is no excuse for not following basic cybersecurity hygiene,” said Nate Fick, CEO of the security firm Endgame. “Some heads should definitely roll for this; it’s only a question of how many.”" - Sweet and Liedtke, AP.
The Apache Struts defect was noted in 3/17, and a patch was made available.
"The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application." - Equifax
That is simply unforgivable. Pretty much anyone with a reasonable knowledge base in IT - and quite a few without it - knows to update their apps and OSs.
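The hygiene the post is talking about starts with knowing which version of the framework is actually deployed. The script below is an added example, not anything from the post or from Equifax: it walks a web-server tree, picks out the Struts 2 core jars by filename, and flags any whose version sits below the fixed release for its branch. The sample paths are constructed, and the fixed-release values are placeholders to be replaced with the versions named in the Apache advisory for CVE-2017-5638.

```python
import os
import re
import sys
from typing import Iterable, List, Tuple

# Filename pattern for the Struts 2 core library, e.g. struts2-core-2.3.20.jar
STRUTS_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# PLACEHOLDER values (assumption): replace with the fixed releases of the
# 2.3 and 2.5 branches listed in the Apache advisory for CVE-2017-5638.
FIXED_VERSIONS = ["2.3.0", "2.5.0"]

# Constructed sample inventory (not real hosts), shaped like a file walk result.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.20.jar",
    "/opt/tomcat/webapps/other/WEB-INF/lib/struts2-core-2.5.13.jar",
    "/opt/tomcat/webapps/other/WEB-INF/lib/commons-io-2.4.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str, fixed_versions: List[str]) -> bool:
    """True when `version` is at or above the fixed release of its own branch.

    A branch is identified by its first two components (2.3, 2.5, ...), an
    assumption that matches how Struts 2 release lines are named. A jar from
    a branch with no fixed release listed is treated as unpatched.
    """
    found = parse_version(version)
    for fixed in fixed_versions:
        fixed_tuple = parse_version(fixed)
        if found[:2] == fixed_tuple[:2]:
            return found >= fixed_tuple
    return False


def vulnerable_jars(paths: Iterable[str], fixed_versions: List[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every Struts 2 core jar below its fixed release."""
    findings = []
    for path in paths:
        match = STRUTS_JAR.match(os.path.basename(path))
        if match and not is_patched(match.group(1), fixed_versions):
            findings.append((path, match.group(1)))
    return findings


def scan_directory(root: str, fixed_versions: List[str]) -> List[Tuple[str, str]]:
    """Walk `root` on disk and run the same check over every file found."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return vulnerable_jars(paths, fixed_versions)


if __name__ == "__main__":
    # Usage: python struts_audit.py /opt/tomcat/webapps  (defaults to the sample list)
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1], FIXED_VERSIONS)
    else:
        results = vulnerable_jars(SAMPLE_PATHS, FIXED_VERSIONS)
    for path, version in results:
        print(f"UNPATCHED struts2-core {version}: {path}")
```

Matching on the jar filename is deliberately crude: it catches the common case of a library dropped into WEB-INF/lib, but it will miss a renamed jar or a Struts copy bundled inside a fat jar, so the output is a starting point for an inventory, not proof that nothing is exposed.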
Now the "who" and probable "why".
Two people were 'resigned' very quickly after all this had become known this past week: Equifax's CTO and their Chief Security Officer.
The latter, it turns out (Susan Mauldin), was a Music major in college, without any IT training on her CV at LinkedIn. Her internet presence is being assiduously scrubbed, also. Maybe she had post-grad training in IT. Maybe not. The 'criteria' for her employment should be interesting, when and if they ever come out.
So, the financial security of 143 million people depended on a n00b? Seriously? Now you know the why of regulation. You wouldn't want DeBakey as a composer, nor as the Conductor of the New York Philharmonic, and you wouldn't want Joe the Plumber as your Neurosurgeon.
But, that's what you got. Now, are things so horrible that you have to run in circles while screaming and shouting? No. Why? Because your Social Security number is basically on every form you ever filled out, along with lots of other data, already out there - this is breach number 23, just this year. Think about the forms in your Doctor's office...
So, as a reasonable guide, with alternatives, this: https://qz.com/1079253/the-complete-guide-to-the-equifax-breach/ - You shouldn't "do nothing". Certainly credit monitoring, a good password manager with local storage, and switching passwords.
As for credit freezes? That's a lot of work. The phone call is simple. The mailing of the necessary documents is a lot more cumbersome, and you have to do it for the three agencies. Separately. And it lasts all of three months, then all over again, if you want to continue it.
Also, if you apply for monitoring from Equifax (a one year deal for "free" [lol]), you are agreeing you cannot sue for any damage from the breach (lawyers moved fast). And there are bigtime suits in the works (see last linked source below).
Any of our mavens from the Dark Side are more than welcome to add thoughts.
Oh yes...watch out for phishing as a result of this newest gift from "N00bs R Us".
Sources:
https://apnews.com/d81f731e423a470a8d6252720dccfe7e?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP
https://www.equifaxsecurity2017.com/
http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15
https://qz.com/1079253/the-complete-guide-to-the-equifax-breach/
http://www.chicagotribune.com/business/ct-equifax-data-breach-0917-biz-20170915-story.html