response 2 655
100 word response 1 reference due 1/13/2023
In March 2017, one of the largest credit reporting companies “Equifax” was impacted by a data breach. Hackers infiltrated the systems and transferred millions of (PII) personally identifiable information and credit card account numbers. The data breach affected approximately 143 million US citizens. In addition, the breach cost the company billions of dollars in losses, a loss of public trust, and a permanent effect on its reputation.
How did the breach take place? Hackers exploited a vulnerability of the company consumer complaint portal. Eventually, they were able to infiltrate into other systems and servers, connect to the database, extract the data, and transfer terabytes of data without any detection.
The failure to patch a known vulnerability on a public website exposed the entire internal systems to hackers, furthermore, the failure to create multiple security layers between systems allowed direct access to the data. In addition, failure to renew the encryption certification allowed the hackers to read and export the data without decryption. Finally, their lack of monitoring allowed the hackers to transfer vast amounts of data without any detection.
Failure of system security governance failed several principles, such as.
1. Failure of proper assignments of roles and responsibilities.
2. Ineffective assignments of ownership of information assets.
3. Poor and ineffective testing controls.
4. Absence of system/network monitoring
Negligence in patching a known vulnerability could have been prevented by having additional personnel oversee, verify and validate that the patch was updated. Usually, patches are applied to the test system, pass quality control, documented, and applied to production operations. The oversight on renewing the encryption certificate could have been prevented if control processes and ownership were implemented and documented, while monitoring of network traffic should have detected the volume of data moving outside the internal network