Profile picture
Jake Williams @MalwareJake
, 8 tweets, 2 min read Read on Twitter
Equifax moved the IT security team out from under IT due to "fundamental disagreements." This is highlighted as a shortcoming in the report, but infosec shouldn't be under IT. Imagine if your internal audit group were subordinate to the group it was auditing. 1/n
The report goes on to discuss moving infosec back under IT. Again, in the vast majority of cases this is the wrong answer. If we are all holding hands around the campfire, then maybe this works. In the real world, it only works when the right personalities are in place. 2/n
This is why we need subject matter experts writing these reports. During the testimony, Committee members became fixated on the fact that IT and infosec were in different orgs. They then drew inferences from the fact that IT referred to infosec for answers (and vice versa) 3/n
But shouldn't we expect this? Infosec performs two major work roles for an organization: architecture and audit. Architecture helps IT design secure systems and audit helps find issues (both through periodic testing and real time monitoring). 4/n
The whole Enron event went down because Enron was in bed with their auditors. It's hard to not see where the corporate organizational structure recommended in this report can go very wrong. I've seen it first hand (repeatedly). 5/n
This portion of the report claims that separating IT and infosec created an "accountability gap." It created a distribution of work, but each team was "accountable" for its own work roles. Obviously communication between groups was a serious issue. We shouldn't downplay that. 6/n
What I read here is that Equifax, like so many other firms we've worked with for incident response, had a toxic relationship between IT and infosec. Combining the groups does nothing to fix your culture problems. I've seen it tried - without replacing leadership, it fails. 7/n
There's a lot of great information in the report that's never been publicly available (at least not in this format). But there are big misunderstandings in this report too. I believe the root cause is that non-SMEs are interpreting complex topics without true understanding. 8/8
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
Read 14 tweets
Profile picture
I certainly don't agree with everything in this thread, but it is very thought provoking nonetheless. I tell clients regularly that cyber security IS warfare if APT is in your threat model. We often fight nation state hackers with nearly infinite resources by deploying a CEH. 1/n
This obviously doesn't work. When you step back and look at resources that APT groups have, it's obvious they can comrpomise almost any organization. My favorite example is the China/Bit9 example. Picture being an attacker who can't get into a top tier target. 2/n
Now imagine that you think "Bit 9 is standing in our way, so we'll 'just' go comrpomise them." Um, that's a moonshot. Ask yourself:
1. What kind of organization dedicates resources to moonshots?
2. How many moonshots do we not know about?
3. How valuable was that target?
3/n
Read 7 tweets
Profile picture
I'm writing a new blog post but I need some help. We have a problem in the tech industry with consent vs. informed consent. Problems with confusing the two are not unique to infosec. Medicine has been practiced for millennia, but informed consent is at best ~50 years old. 1/n
Legalese terms of service can't be comprehended by a large percentage of a user base. Even if you understand what is being collected, do you understand how it will be used? A patient can't give informed consent without a discussion of risk. 2/n
Doctors don't routinely downplay risk in a procedure. This comes from two sources:
1. Liability
2. In most cases (electives are a counter-example), the doctor has a product (the procedure) the patient needs

These do not hold true in the technology field. 3/n
Read 7 tweets

Related threads

Profile picture
Equifax report megathread while I'm on lunch! oversight.house.gov/wp-content/upl…
Within 3 days of Apache Struts vuln being announced, Equifax used unknown open source code to scan their infrastructure for Struts vuln, using an IP sweep. This didn't work as they needed to know the URL of the Struts webapp. A day later, somebody ran 'whoami' against servers.
4 days later, they installed Snort rules for detection of exploitation. Unfortunately as they later discovered, the SSL/TLS reverse decryption certificate had expired long ago so the IDS didn't scan any traffic.
Read 27 tweets
Profile picture
Alright, today is the day we get to find out if I was right or wrong about the level of dysfunction necessary for the failures that allowed the #Equifax breach to occur.

Why today? Because the House Oversight report has been released. Merry Christmas! oversight.house.gov/wp-content/upl…
Feel free to download a copy and read with me as I go through the report. I predicted 30 failed controls? I'm sure that was just a random number I threw out, but let's see how close I was. #Equifax
Also, for a refresher, this was my blog post about the breach. blog.savagesec.com/equifax-breach…

I also made a prediction that the breach would be financially lucrative for Equifax - that it was effectively the best lead gen event for the company EVER.
Read 42 tweets
Profile picture
#Report #Thread
1/5
 This young man is Muhammad Sharif Badwan. He was killed East of #Gaza City at the Karni crossing after being shot in the chest by #IDF gunfire on Friday afternoon. #Israel
2/5
 Many news sites refer to Badwan as either a protestor or a demonstrator who was shot and killed by the #IDF. The photo on the left, from the DailyMail, states Badwan is a protestor. The photo on the right from CGTN states Badwan is a protestor as well.
3/5
 The problem is Badwan wasn’t there to protest in the way most people think. This video was taken Friday afternoon at the Karni crossing where Palestinians were clashing w/ #IDF soldiers. At the end, you can see Badwan being evacuated after getting shot by the #IDF.
Read 5 tweets
Profile picture
A thread on being a so-called “Security expert”.

I cringe at how much sincere, well-meaning, yet ultimately WRONG #infosec advice I gave out while working as the founder/VP Eng of a major security vendor.

When I left at IPO, I knew I needed a broader perspective. (1/N)
It’s too easy for someone in #infosec to call themselves an “expert” or (god forbid) a “thought leader”. Very few of us so-called experts have a rigorous background in security. My background is software. Most of us just jumped in early and learned as we went.
#SecurityExperts
#infosec is so broad, it covers so many technical and non-technical disciplines, that most of us who were experts in ONE area (like vulnerability mgmt in my case) have very deep expertise in that ONE area, but we’re amateurs in most other areas. #SecurityExperts
Read 25 tweets
Profile picture
#KeepFamiliesTogether #WashingtonDC In Lafayette Park. Come on out and join everyone of find a sister protest in your AO.
A local indigenous drum group wrote a song for today. I believe the words are in a Bolivian area dialect but correct me if I’m wrong. #KeepFamiliesTogether
Read 16 tweets
Profile picture
#infosec moment:

1/ Met a gentleman this morning outside our agency building today. Enjoyed some small talk; turns out he just got picked up for a dream infosec job. His first actually. Had joined the USAF in aircraft maintenance, pushed himself to learn IT after hours.
2/ You could tell within the first 30 seconds how passionate he is about this field, and how his intelligence and drive would take him far. By 60 seconds, you could also see his self-doubt & tendencies towards Impostor Syndrome.
3/ Ended up spending nearly 30 minutes just mentoring. He had seen me around in cyber (new here myself), and heard my honestly undeserved nickname “MegaMind”. Turns out it wasn’t entirely a chance encounter.
Read 8 tweets

Trending hashtags

#dc #KremlinAnnex #Iraq #Senators #WHPDaily #KeepFamilesTogether #Barack #InfoSec #Freedoms #WTF #Arizona #america #kleptocracy #Colorado #Wyoming #infosec #PacificCoast #EquifaxBreach #Campaign #cannabispolicy #haha #IMAGine #D #Israel #ScottPruitt

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!