Equifax ex-CEO Richard Smith asserts that a single employee's failure to heed a security alert led to the company failing to install a patch on a critical system, which was subsequently exploited by hackers. But his claim calls into question whether poor patch practices and management failures were the norm.
Security programs fail because of too much emphasis on protection and not enough on detection and response, says Ira Winkler, president of Secure Mentem, who calls on CISOs to help change their organization's security priorities.
At the first of three Congressional hearings slated this week to examine the Equifax mega-breach, one Republican said of the company's delay in detecting the breach: "It's like the guards of Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults."
The latest edition of the ISMG Security Report is devoted to a special report on how enterprises around the world should prepare for the European Union's General Data Protection Regulation, which starts being enforced in May.
Former Equifax CEO Richard Smith this week heads to Capitol Hill to testify about the massive breach suffered by the credit bureau. Lawmakers will likely focus on breach detection and response, information security practices and the suspicious timing of three executives' stock sales.
The recent Equifax mega-breach demonstrates how essential it is to have a robust, well-tested incident response plan in place that includes a strong public relations component, says Heath Renfrow, CISO at U.S. Army Medicine
Leading the latest edition of the ISMG Security Report: an interview with NIST's Ron Ross about revised guidance on how to get C-suite executives to help shape information risk management. Also, DHS, FBI leaders outline goals for protecting the U.S. election system.
French competitive beard-grower Gal Vallerius was arrested in Atlanta while traveling to the World Beard and Moustache Championships in Texas on charges that he's a darknet marketplace administrator and vendor of controlled substances known as "OxyMonster."
Attackers are increasingly hacking into banks' networks to gain access to the IT infrastructure connected to their ATMs, security experts warn. Attackers push malware onto ATMs that's designed to allow money mules to "jackpot" or "cash out" the machines, then delete itself.
The chairman of the Securities and Exchange Commission, Jay Clayton, promised the Senate banking committee Tuesday that his agency is pursuing numerous cybersecurity improvements in the wake of a May 2016 breach.
Aetna will move from passwords to continuous behavioral authentication next year on its consumer mobile and web applications for better security and end-user experience, says Jim Routh, the health insurer's CISO.
"Big four" accounting firm Deloitte suffered a breach last year that may have exposed 5 million internal emails as well as usernames and passwords, client information and health details, the Guardian reports.
Organizations that must comply with Europe's GDPR need to identify gaps in their ability to meet various requirements, including making prompt breach notifications and gaining consumers' consent to store their data, says Sunil Chand of Grant Thornton.