Results 51 to 75 of 97
  1. IOCs? What IOCs???!!
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    408

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+, iNet+
    #51
    Originally Posted by mgmguy1
    None of Senior Management will spend a day in prison. I only know of one CEO in recent memory who went to prison, and that was Stewart Parnell. The only reason he went to prison was because people died in the tainted peanut butter scandal of 2009. Since this is a financial crime and it's Wall Street, the most these guys will get is a slap on the wrist and a fine. I even doubt Congress will force Equifax and companies like them to shore up their security or business practices.
    Reading is comprehension... Nowhere did I say anything about prison, simply that I hope the SEC throws the book at them, which as you stated would most likely be fines. :O Which hits them where it hurts most. And as far as CEOs doing time, you ever heard of Bernie Ebbers?
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  3. Member
    Join Date
    Aug 2016
    Posts
    98
    #52
    Originally Posted by jibtech
    Finally, the randomness of the results. When users enter their information, they are receiving conflicting answers on whether their data is breached. In fact, when testing the accuracy of the system, a last name of Test and SSN last six of 123456 reported back as having been breached. All evidence indicates that the website for checking whether you have been breached is in fact only security theater with no real effect.
    Wow. I didn't think that was true. Had to test it myself... how is this not public information?

  4. Are we having fun yet?
    Join Date
    Mar 2008
    Posts
    3,351

    Certifications
    GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #53
    Might as well have Kanye West as a CISO
    Goal: GCFA (DONE), GPEN

  5. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    314
    #54
    Originally Posted by Daneil3144
    Wow. I didn't think that was true. Had to test it myself... how is this not public information?
    It is public. Unfortunately, the sheer volume of material in this debacle means some things get overshadowed. Remember that most of this is well over the head of the general public who have proven fairly apathetic with regards to breaches. At some point, security researchers and news outlets that cover it start to sound a lot like Charlie Brown's teacher.

  6. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    314
    #55
    I haven't confirmed it myself, but word is that the API used by the site has a default value when it receives an error. It defaults to saying your data was exposed.

    Fake data with no results = error = potential breach result.

    Server issues = error = potential breach result.

    Actual breached data = potential breach result.

    Basically, anything that is slightly off results in being told that your data is potentially at risk. But that has nothing to do with any actual insight into the breach.
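
The failure mode described in this post, written out as an added example (not code from the thread, the breach-check site, or Equifax): a lookup handler with one catch-all error branch returns "potentially affected" for a missing record, a backend outage and a genuine match alike, so the answer carries no information, next to a hardened handler that validates the query and reports each outcome separately. The record store, the salted-hash key scheme, the sample records and the function names are all constructed for this illustration.

```python
"""Fail-open vs. fail-safe handling in a breach-lookup endpoint (constructed example)."""
from enum import Enum
import hashlib
import re


class LookupStatus(Enum):
    NOT_AFFECTED = "not in the affected set"
    POTENTIALLY_AFFECTED = "potentially affected"
    UNAVAILABLE = "lookup unavailable, try again later"
    INVALID_QUERY = "query rejected"


class BackendError(Exception):
    """Simulated server-side failure (timeout, connection refused, ...)."""


def _key(last_name: str, ssn_last6: str) -> str:
    """Salted hash of the query key so the store never holds raw SSN digits.
    The salt is a constructed constant for this example only."""
    salt = b"example-salt-not-for-production"
    material = salt + f"{last_name.strip().lower()}|{ssn_last6}".encode()
    return hashlib.sha256(material).hexdigest()


class RecordStore:
    """Minimal affected-record store; outage=True makes every query raise."""

    def __init__(self, keys, outage=False):
        self._keys = set(keys)
        self._outage = outage

    def find(self, key: str) -> dict:
        if self._outage:
            raise BackendError("simulated database timeout")
        if key not in self._keys:
            raise KeyError(key)  # an absent record surfaces as an exception
        return {"key": key, "affected": True}


# Constructed sample of affected records; real data would live in a database.
SAMPLE_STORE = RecordStore({_key("Doe", "456789"), _key("Smith", "000111")})
OUTAGE_STORE = RecordStore(set(), outage=True)

SSN_LAST6 = re.compile(r"^\d{6}$")


def lookup_fail_open(last_name: str, ssn_last6: str, store: RecordStore) -> LookupStatus:
    """The pattern the post describes: one catch-all branch turns a missing
    record, a backend outage and a real hit into the same answer."""
    try:
        record = store.find(_key(last_name, ssn_last6))
        return LookupStatus.POTENTIALLY_AFFECTED if record["affected"] else LookupStatus.NOT_AFFECTED
    except Exception:
        return LookupStatus.POTENTIALLY_AFFECTED  # default answer on any error


def lookup_fail_safe(last_name: str, ssn_last6: str, store: RecordStore) -> LookupStatus:
    """Hardened form: validate the query first, then map each failure mode
    to its own status instead of guessing."""
    if not last_name.strip() or not SSN_LAST6.match(ssn_last6):
        return LookupStatus.INVALID_QUERY
    try:
        record = store.find(_key(last_name, ssn_last6))
    except KeyError:
        return LookupStatus.NOT_AFFECTED  # absence is a definite answer
    except BackendError:
        return LookupStatus.UNAVAILABLE  # the failure is reported, not masked
    return LookupStatus.POTENTIALLY_AFFECTED if record["affected"] else LookupStatus.NOT_AFFECTED


def compare(last_name: str, ssn_last6: str, store: RecordStore) -> dict:
    """Run both handlers on the same query for side-by-side inspection."""
    return {
        "fail_open": lookup_fail_open(last_name, ssn_last6, store),
        "fail_safe": lookup_fail_safe(last_name, ssn_last6, store),
    }


if __name__ == "__main__":
    # The probe mentioned earlier in the thread (bogus name and SSN fragment),
    # a genuine sample match, the same match during an outage, and a malformed query.
    for name, ssn6, store in [("Test", "123456", SAMPLE_STORE),
                              ("Doe", "456789", SAMPLE_STORE),
                              ("Doe", "456789", OUTAGE_STORE),
                              ("Doe", "45678x", SAMPLE_STORE)]:
        print(name, ssn6, compare(name, ssn6, store))
```

The fail-open handler answers "potentially affected" in all four cases, which is exactly why the "Test / 123456" probe looked breached; the fail-safe handler gives four distinct answers, and only the sample match is reported as affected. Monitoring the rate of UNAVAILABLE responses is also what tells operators the backend is failing, which a fail-open design hides.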

  7. Senior Member
    Join Date
    Aug 2003
    Location
    Norristown, PA
    Posts
    456

    Certifications
    CCENT
    #56
    My new question for the powers that be? What about the other credit agencies like TransUnion and Experian. Have they been hacked? What is their security looking like?

  8. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    314
    #57
    Originally Posted by mgmguy1
    My new question for the powers that be? What about the other credit agencies like TransUnion and Experian. Have they been hacked? What is their security looking like?
    Experian was breached in 2015, exposing information belonging to about 15 million users who subscribed to T-Mobile. Not aware of any TU breaches, but take that with a grain of salt. The breach at Exp was associated with the theft of a single file that contained all of the data. It is hard to assess any particulars outside of that, since the scope was so limited. Either way, it is only a matter of time. These agencies are treasure troves of information, and will be targets for a long time to come.

  9. IOCs? What IOCs???!!
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    408

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+, iNet+
    #58
    Plain and simple, they failed to properly patch CVE-2017-5638. The patch was available in March; they had at minimum 8-9 weeks to patch this vuln and avoid the breach. An excellent example of failure to exercise due care, and it should be seen as gross negligence.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  10. Senior Member
    Join Date
    May 2016
    Posts
    1,647
    #59
    Originally Posted by jcundiff
    Plain and simple, they failed to properly patch CVE-2017-5638. The patch was available in March; they had at minimum 8-9 weeks to patch this vuln and avoid the breach. An excellent example of failure to exercise due care, and it should be seen as gross negligence.
    Thanks for posting..... Informative.

  11. Senior Member
    Join Date
    May 2006
    Posts
    1,933

    Certifications
    CISSP, CCSP, eJPT, ITIL, PA ACE, Qualys Certified Specialist, A+
    #60
    Not to play devil's advocate, but people at that level rarely have much technical background, and even if they did, they lose the edge once they move up the chain to those levels.

    To add to that, organizations of that size rarely have one CISO or CSO. They have multiple levels of them, all reporting to someone higher.

    At the CSO level I'd expect other CISOs to be reporting, and in turn the CSO to report to the CRO (Chief Risk Officer). These types of roles don't necessarily only deal with information security but with all aspects of security. Security is just part of the job, but it's not the only job.

    Thus people in those roles usually have experience in different areas of the business and the business decision process. Bottom line, they care about the bottom line and cost savings.

  12. IOCs? What IOCs???!!
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    408

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+, iNet+
    #61
    Originally Posted by TheFORCE
    Not to play devil's advocate, but people at that level rarely have much technical background, and even if they did, they lose the edge once they move up the chain to those levels.

    To add to that, organizations of that size rarely have one CISO or CSO. They have multiple levels of them, all reporting to someone higher.

    At the CSO level I'd expect other CISOs to be reporting, and in turn the CSO to report to the CRO (Chief Risk Officer). These types of roles don't necessarily only deal with information security but with all aspects of security. Security is just part of the job, but it's not the only job.

    Thus people in those roles usually have experience in different areas of the business and the business decision process. Bottom line, they care about the bottom line and cost savings.
    Not from my experience... I work for a very large financial sector player; we have one CSO, every bank we deal with has one CSO... all of whom are technical, come from a security background and know what is going on in their environment... maybe I have just been lucky.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  13. Senior Member
    Join Date
    May 2016
    Posts
    1,647
    #62
    Originally Posted by jcundiff
    Not from my experience... I work for a very large financial sector player; we have one CSO, every bank we deal with has one CSO... all of whom are technical, come from a security background and know what is going on in their environment... maybe I have just been lucky.
    +1 here as well, and I have been an FTE and contractor in over 5 Fortune 500s. I have never seen a resource model mapped out like the one Force just kicked out.

  14. Junior Member
    Join Date
    Jan 2017
    Posts
    22

    Certifications
    B.S. in Information Security & Forensics
    #63
    It will be interesting to see if the three executives who sold stock days after the discovery of the breach are convicted of insider trading. If the breach was communicated correctly internally (which I doubt), the information should be non-discoverable.

    In the event of a breach, all communication over email and phone should cease to avoid further compromise and, more importantly for these executives, e-discovery. Or, any communication is in the presence of a lawyer through Cc-ing or conference calling (attorney-client privileges). Given the handling of the breach so far, I doubt the competence of the leaders of Equifax to effectively protect themselves from legal action.

  15. IOCs? What IOCs???!!
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    408

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+, iNet+
    #64
    Originally Posted by jstock
    It will be interesting to see if the three executives who sold stock days after the discovery of the breach are convicted of insider trading. If the breach was communicated correctly internally (which I doubt), the information should be non-discoverable.

    In the event of a breach, all communication over email and phone should cease to avoid further compromise and, more importantly for these executives, e-discovery. Or, any communication is in the presence of a lawyer through Cc-ing or conference calling (attorney-client privileges). Given the handling of the breach so far, I doubt the competence of the leaders of Equifax to effectively protect themselves from legal action.
    A huge +1 here... if you know you are compromised, you don't give the bad guy the chance to read your battle plan.


    Here is another huge twist to all this from a stock market perspective... someone (either insider trading or hackers) made millions

    https://www.cnbc.com/2017/09/08/susp...in-profit.html


    limited options trading (260 in July total), then on August 21st someone buys 2600 contracts to sell 260,000 shares in September for 135 a share, or $10 less than the stock was currently trading... turning a $156,000 investment into possibly 11 million plus
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  16. Senior Member
    Join Date
    Dec 2013
    Location
    Austin, Texas
    Posts
    422

    Certifications
    GCIH, C|EH, Sec+, eJPT, SCCC
    #65
    Originally Posted by jstock
    It will be interesting to see if the three executives who sold stock days after the discovery of the breach are convicted of insider trading. If the breach was communicated correctly internally (which I doubt), the information should be non-discoverable.

    In the event of a breach, all communication over email and phone should cease to avoid further compromise and, more importantly for these executives, e-discovery. Or, any communication is in the presence of a lawyer through Cc-ing or conference calling (attorney-client privileges). Given the handling of the breach so far, I doubt the competence of the leaders of Equifax to effectively protect themselves from legal action.
    A lot of these companies have Legal Counsel to Technology positions. Their whole job is this and they train their c-suites to cc them and/or put the magic statement at the bottom of the emails. I do not see why they wouldn't consult before they sold their stocks. They might not know security, but they know how to stay rich lol.
    Studying: LFCS
    Reading: Python Crash Course
    Upcoming Exam: GWAPT

    https://realworlditsecurity.wordpress.com

  17. Senior Member
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    5,815

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #66
    On the topic of reporting structure I would be curious to hear of any place that has multiple CISOs. My experience has also been as the others mentioned where the IT/IS risk function includes a bunch of directors, lower officers, managers, etc. yet they all answer to one main C-level.

  18. Junior Member
    Join Date
    Jan 2017
    Posts
    22

    Certifications
    B.S. in Information Security & Forensics
    #67
    Originally Posted by xxxkaliboyxxx
    A lot of these companies have Legal Counsel to Technology positions. Their whole job is this and they train their c-suites to cc them and/or put the magic statement at the bottom of the emails. I do not see why they wouldn't consult before they sold their stocks. They might not know security, but they know how to stay rich lol.
    Unfortunately, the training does not go past the c-suites. There are many cases where an email containing breach information is initiated by an analyst or manager. This is the email that would be proof of notification and would not be protected from e-discovery. Any incident responder and management in the IR process need to conduct breach training frequently to avoid disclosing information unnecessarily over discoverable mediums in the event of a breach.

    Also, confidentiality disclaimers at the bottom of emails serve no legal purpose and will not be protected during the e-discovery process.

  19. Senior Member
    Join Date
    Dec 2013
    Location
    Austin, Texas
    Posts
    422

    Certifications
    GCIH, C|EH, Sec+, eJPT, SCCC
    #68
    Originally Posted by jstock
    Unfortunately, the training does not go past the c-suites. There are many cases where an email containing breach information is initiated by an analyst or manager. This is the email that would be proof of notification and would not be protected from e-discovery. Any incident responder and management in the IR process need to conduct breach training frequently to avoid disclosing information unnecessarily over discoverable mediums in the event of a breach.

    Also, confidentiality disclaimers at the bottom of emails serve no legal purpose and will not be protected during the e-discovery process.
    Good point about the pawns in the game of chess, we are usually the backdoor to cases like that. I guess it depends how careful they are. I know from experience that Legal Counsel to the C-Suites strictly only advise the execs so that could leave an open door in the chain of custody. Now I'm no lawyer, so I wouldn't know anything about the disclaimer or statements, I just see them on emails. I'm sure there are all kinds of tricks and loopholes in the legal system, where these guys could get away free.
    Studying: LFCS
    Reading: Python Crash Course
    Upcoming Exam: GWAPT

    https://realworlditsecurity.wordpress.com

  20. Senior Member
    Join Date
    May 2006
    Posts
    1,933

    Certifications
    CISSP, CCSP, eJPT, ITIL, PA ACE, Qualys Certified Specialist, A+
    #69
    Originally Posted by cyberguypr
    On the topic of reporting structure I would be curious to hear of any place that has multiple CISOs. My experience has also been as the others mentioned where the IT/IS risk function includes a bunch of directors, lower officers, managers, etc. yet they all answer to one main C-level.
    A perfect example is the international companies with branches and head offices in those countries and regions. In this case you would need regional CISOs because each country faces different regulations and compliance issues.

    Another example is companies that act as parent/holding companies of smaller companies in different verticals. Think of it as an organizational chart.

    From my experience and others I've talked to, for example, a big financial org has a CISO who reports to the CRO, who in turn reports to the CEO. I've also seen it organized as a VP or SVP of IT reporting to the head of IT, who in turn reports to the COO, who in turn reports to the CEO/Board.

    Companies are creating these roles for a reason; there's a lot of responsibility that affects the bottom line and the $$$.
    Some acronyms that are not necessarily interchangeable are CTO - Chief Technology Officer, CIO - Chief Information Officer, CISO - Chief Information Security Officer, CSO - Chief Security Officer, CRO - Chief Risk Officer, ITSO - IT Security Officer, CCO - Chief Compliance Officer. You think all those people report to the CEO? In big orgs the person reporting to the CEO is the CSO, with everyone else reporting to him or someone else below them.

  21. IOCs? What IOCs???!!
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    408

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+, iNet+
    #70
    Actually our COO, CRO, CLO, CFO all report to the CEO... CIO and CSO report to the COO... we have a CSO, not a CISO, due to physical security rolling up through the CSO as well as infosec

    @TheForce: several of those titles are interchangeable... CIO/CTO, CSO/CISO/ISO, CCO/CPO/CRO from my experience
    Last edited by jcundiff; 09-14-2017 at 11:25 PM.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  22. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    314
    #71
    I have definitely seen multiple CISOs where there are independent subsidiaries. Also where geographic and regional differences warrant different treatment.

    In the community colleges here in Virginia, there is often an ISO at each school, who are independent, but also report data to the head office CISO. They are independent...but not.

    I have also seen a trend where risk, compliance and security are starting to report to the board, rather than the CEO.

  23. Senior Member
    Join Date
    Mar 2017
    Location
    Hampton, VA
    Posts
    314
    #72
    New phrase I just saw from Brian Krebs:

    Equif*cked.

    New favorite word.

  24. Senior Member
    Join Date
    Nov 2012
    Location
    Denver, CO
    Posts
    1,278

    Certifications
    CompTIA A+, Network+, Security+, Server+, Linux+ and CSA+; MCSA: Windows 7, ITIL Foundations
    #73
    Originally Posted by jibtech
    New phrase I just saw from Brian Krebs:

    Equif*cked.

    New favorite word.
    I like Equi-hacked myself...
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

    Connect With Me || My Blog Site || Follow Me

  25. IOCs? What IOCs???!!
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    408

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+, iNet+
    #74
    equihax.com has already been registered (fortunately by a researcher, not a threat actor)
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke

  26. Senior Member
    Join Date
    Nov 2012
    Location
    Denver, CO
    Posts
    1,278

    Certifications
    CompTIA A+, Network+, Security+, Server+, Linux+ and CSA+; MCSA: Windows 7, ITIL Foundations
    #75
    Nice! Kind of cheeky but I like it.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

    Connect With Me || My Blog Site || Follow Me
