The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer”, our firm can train your company to properly prepare for its eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to support, translate for and advise Boards of Directors, CIOs, CISOs and General Counsel on how to legally protect their company from cyber-related risk.

Blog Entries


Equifax... not just one thing but a theme...

See Article Here

The above article is a very good post-mortem summary of what went wrong in the Equifax breach last year. I suggest you read through it; it is very enlightening. As I read through it I thought, wow, I wish I had some of these tools when I was fighting bad guys; of particular interest in some of my past lives would have been the ability to inspect encrypted network traffic. But I digress. The author of the article lists five (or six) things that went wrong:

  1. Apache Struts vulnerability (a patch was available)

  2. Network packet inspection was blind: the digital certificate on the inspection device had expired 10 months earlier

  3. No network segmentation between databases

  4. Unencrypted and shared administrator credentials across databases

  5. No query limit on the databases

  6. The fact that they were using Apache Struts at all

I know there are some super technical folks out there who would say it is not this simple, but the topic of hygiene and security basics screams at me when I read this. In fact, the only thing on this list that would be difficult, depending on the environment, is network segmentation. The others are just a matter of paying attention and good governance. #4 is just horrible and unforgivable: it’s the equivalent of writing your username and password on a post-it note and sticking it on your computer monitor.
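Item 2 is exactly the kind of failure that "paying attention" prevents, and the check is small. As an added example (not code from the original post, nor from the article it summarizes), here is a standard-library Python script that classifies a certificate as OK, expiring inside a warning window, or already expired, using the same dictionary shape that Python's ssl module returns for a peer certificate. The sample certificate, its hostname, its dates, the 30-day warning window and the "as of" date are all constructed for illustration; the live-check function needs network access and is included only to show how the same logic applies to a real endpoint.

```python
"""Certificate-expiry hygiene check (added example; not from the original post).

Standard library only. The sample certificate below is constructed: it mimics
the dict that ssl.SSLSocket.getpeercert() returns, with made-up dates chosen so
that it is already expired at the time of the check.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # alert this many days before 'notAfter' (an assumption; tune to taste)

# Constructed sample: same shape as getpeercert(); hostname and dates are invented.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "tls-inspection.example.internal"),),),
    "notBefore": "Feb  1 00:00:00 2016 GMT",
    "notAfter": "Jan 31 23:59:59 2017 GMT",
}


def days_until_expiry(cert, now=None):
    """Days left before the certificate's 'notAfter' (negative once it has expired)."""
    if now is None:
        now = datetime.now(timezone.utc)
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form as UTC.
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires_at - now).days


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return 'EXPIRED', 'EXPIRING' (inside the warning window) or 'OK'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining <= warn_days:
        return "EXPIRING"
    return "OK"


def check_live(host, port=443, timeout=5.0):
    """Handshake with full verification and classify the presented certificate.

    The default context rejects an expired certificate during the handshake, so
    that failure is reported as the finding instead of surfacing as a crash.
    Needs network access to a real host; not exercised offline.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return f"VERIFY_FAILED: {exc.verify_message}"


if __name__ == "__main__":
    # Constructed 'now': ten months after the sample certificate expired.
    as_of = datetime(2017, 11, 30, 23, 59, 59, tzinfo=timezone.utc)
    name = SAMPLE_PEER_CERT["subject"][0][0][1]
    print(f"{name}: {classify(SAMPLE_PEER_CERT, as_of)} "
          f"({days_until_expiry(SAMPLE_PEER_CERT, as_of)} days)")
```

Run on the constructed sample it reports the inspection device's certificate as EXPIRED with 303 days of negative margin, which is the condition that left Equifax's encrypted traffic uninspected. Scheduling `classify()` against the inventory of inspection and gateway certificates, with the warning window set wide enough to fit a renewal cycle, turns item 2 into a routine alert rather than a post-mortem finding.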

I have been complaining to folks lately that I am sick of talking about breaches, because when you do the post-mortem, i.e. the root cause analysis, the same themes consistently emerge. The theme of basics and hygiene still won’t go away.