Equifax Blames One IT Guy for Not Patching

Former Equifax CEO Blames One Employee for Massive Hack

After over a year of investigation, the U.S. House of Representatives Oversight and Government Reform Committee have released their report on the Equifax data breach. Their report is scathing, drawing immediate attention to massive failures.

The report calls the hack “entirely preventable” and states that there was “lack of accountability and management structure…complex and outdated IT systems…failure to implement responsible security measurements… unprepared to support affected consumers.”Last year the Apache Struts vulnerability, that had been exploited in the wild for months, was used to gain access to corporate systems. Equifax was even warned about the vulnerability, but failed to properly patch it. The critical Apache Struts vulnerability was publicly disclosed on 7th March last year, and the Department of Homeland Security alerted Equifax on this security flaw the next day.

After a high profile and massive data breach, there were repercussions. From simply not patching their systems, the CEO, CIO, and CISO all lost their jobs. This can be just one of many consequences for not keeping patches up to date. On every level, patching is critical for continued security of businesses.The company confirmed they sent the alert to over 400 internal staff, instructing them to apply the necessary patch, and also held a meeting on 16th March about the vulnerability.  Unfortunately to their great regret, it was too late and the rest is history – 148 million customer details were stolen and distributed over the internet.

As the report was released, the former CEO of Equifax Richard Smith tried to apologize, but threw a single unnamed IT person under the bus. Smith did state that he was “ultimately responsible,” but also said, “An individual did not ensure communication got to the right person to manually patch the application.”Equifax have since confirmed they implemented outdated perimeter protection to reduce the risk of exposure. Robert Brown, Director of Services at Verismic Software said, “Unfortunately this kind of solution does not protect endpoints outside the network and greatly increases the chances of estate wide exposure on the first infection inside the network.”

The House report, and the CEO’s own admissions, illustrate that even a simple patching strategy would have likely prevented this disaster.

If device scans are run at night when devices are offline, hidden behind a firewall or roaming, security and IT teams have an incomplete view of their environment. Realtime Security eliminates blind spots enabling teams to manage their environment with 100% visibility.

With no steep learning curve, Realtime Security’s simple to learn web interface leverages AI, and empowers teams with the information and skill to act instantly.

Why juggle multiple consoles for device and security management? In a single place, security and IT operations can understand their exposed security risk, patch, deploy software, stop security breaches, satisfy compliance agencies and more.Whether organizations are looking for endpoint security or IT management capabilities, including patch management, software distribution and remote control, Syxsense is the only cloud-based approach to security and systems management which enables 10-second endpoint visibility and control thousands of devices.

Get started with Syxsense and manage your entire IT environment with a simple and powerful solution.