What Went Wrong at Equifax? We Have Good Answers
Security Researcher Adrian Sanabria Describes Defense Lessons to Learn
What missteps led to hackers stealing details on 145 million Americans from Equifax in 2017?
The answer to that question can be found in numerous reports, including those from the U.S. Government Accountability Office, House and Senate committees, and Britain's privacy watchdog - plus a recently unsealed U.S. Justice Department indictment charging four officers of the Chinese People's Liberation Army with the intrusion (see: No Surprise: China Blamed for 'Big Data' Hack of Equifax).
"I wish we got this level of detail more often; it really helps to solidify some of the best practices and recommendations we give," security researcher Adrian Sanabria says in an interview with Information Security Media Group. The deep-dive reports into Equifax's data breach are mandatory reading for anyone whose responsibilities touch on cybersecurity, he stresses (see: Learn From How Others Get Breached: Equifax Edition).
"People need to spend more time really digging into case studies like this where we actually have all the details, because it's incredibly rare that we get the level of detail that we've gotten from Equifax," he says. "Defenders should be jumping on this opportunity and just digging through these documents with a fine-toothed comb and seeing where they can apply some of these lessons to their own environments."
In this interview, Sanabria also discusses:
- Top lessons to be learned from the Equifax breach and the credit reporting giant's security missteps;
- The risk of focusing on tools at the expense of leadership, people and processes;
- The challenge of continuing to successfully do the security basics at scale.
Sanabria is an advocate at honeypot vendor Thinkst Applied Research, as well as an adviser to OpCode 41 Security. He previously served as vice president of strategy and product marketing at NopSec, director of research at Savage Security, director of research at Threatcare, and a senior analyst in the enterprise security practice at 451 Research, among other roles.