Is the Equifax CEO really blaming one person on their IT security team of 225 for the recent breaches? That’s like blaming a single defender’s own goal for the failure of the US Men’s Soccer Team to make the World Cup for the first time since 1986.

Let’s explore this statement and question its validity while noting some methods that could be employed to prevent this from happening. IT security defense requires an organization to be better than the attackers, and employ multiple layers of protection so that if one layer is breached, the attacker will be caught in the others. Security in layers. There must also be a process in place that defines workflow within an organization, and security is no exception.

Every IT member will agree that having redundancy for your systems is important. An often overlooked aspect is staff redundancy. Staff redundancy, basic cross-training, or a team-based approach to system management can easily eliminate these issues. Should one person be responsible for all the patching in a 225 person team? Obviously not. Should there be a process? Obviously yes. Was there a process? Yes, but clearly it wasn’t followed or wasn’t designed well. This is just another layer of protection.

What was Equifax’s risk “management” policy? When we “manage” risk we acknowledge “we can’t be 100% secure, so we’ll put resources where they are most important.” Equifax, based on the type of data they store, improperly managed risk by not having a process. Did they wait several days without patching, and was that an acceptable risk? Did the responsible engineer decide to wait a few days? Decisions like these should never be left up to individuals when the stakes are astronomically high. A process would not allow an individual to make such decisions. And was it indeed a single person who made a single decision? Doubtful.

In an effective layered security design, the failure to patch alone should not have created such a large breach. Zero-day and known exploit protection systems are affordable (though for Equifax money should be no object) and new technology exists to protect against unpatched systems. We will likely never know the true depth of the breach, but it may very well be that if a company failed to secure a critical vulnerability, they may not have the most advanced technology installed.

For example, a properly configured Web Application Firewall (WAF) that does Deep Packet Inspection (DPI) to perform intrusion detection or intrusion prevention would have stopped this hack in its tracks. These powerful systems scan all traffic going to a web-based application for known exploits and simply drop the packets whose contents match a known exploit signature. A properly configured WAF could have provided an extra layer of security here that could have stopped the attack. But I digress with the technology.
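To make the WAF idea concrete, here is an added toy example (not code from the original post or from any WAF product) of the signature-matching layer such a device applies: every surface of an HTTP request (URL, headers, body) is normalized and checked against known-bad patterns, and any match drops the request. The rule patterns and the sample requests are constructed for illustration; the point is that a rule set only helps if it is applied to all input surfaces and after decoding.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Request:
    """Minimal model of an inbound HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed detection rules: (rule id, compiled pattern, description).
# A real WAF ships thousands of these and updates them as exploits are published.
RULES = [
    ("TRAVERSAL", re.compile(r"(\.\./|\.\.\\)"), "directory traversal sequence"),
    ("SQLI", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+1=1)"), "SQL injection marker"),
    ("EXPR_INJECT", re.compile(r"[$%#]\{"), "template/expression-language injection"),
]


def inspect(req: Request) -> list:
    """Return (rule_id, location) for every rule that matches any request surface.

    Path and body are URL-decoded first so a percent-encoded payload cannot slip
    past a rule written against the decoded form. Headers are matched as received.
    """
    surfaces = {"path": unquote(req.path), "body": unquote(req.body)}
    for name, value in req.headers.items():
        surfaces[f"header:{name}"] = value
    hits = []
    for rule_id, pattern, _description in RULES:
        for location, text in surfaces.items():
            if pattern.search(text):
                hits.append((rule_id, location))
    return hits


def decide(req: Request) -> tuple:
    """Prevention-mode decision: any signature hit drops the request."""
    hits = inspect(req)
    return ("BLOCK" if hits else "ALLOW", hits)


if __name__ == "__main__":
    benign = Request("GET", "/account?id=42", {"Host": "example.test"})
    # Constructed test string in a header, not a working exploit.
    in_header = Request("POST", "/login", {"Host": "example.test", "X-Test": "${constructed-test}"})
    encoded = Request("GET", "/files/..%2F..%2Fconfig", {"Host": "example.test"})
    for r in (benign, in_header, encoded):
        print(r.method, r.path, "->", decide(r))
```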

Does Equifax have just about every piece of data about me? A recent check of my credit report brought me back to my very first car loan, and my very first bank account. All my past addresses are there too. Some I had even forgotten. The memories. What’s scary is that they have more data about me than I have about me.

We all recall those odd-ball questions asked when you are requesting your own credit report or other critical financial applications: for example, did you have a car loan with one of these four different banks – which one (if any of them) was it? We can usually get them right but sometimes I cannot remember. The hackers now have that data in as granular form as possible and can easily answer those questions, right? This is the gift that keeps on giving – to the hackers.

This data will be used for YEARS to come, and well after Equifax’s stock price settles, the issues will continue for the unlucky. I trust the credit reporting agencies will correct their process and look at their layers. I am counting on it.

As for the US Men’s Soccer Team, there is always 2022. I guess I am rooting for Leo Messi and Argentina to bring one home.