New Consulting Site: www.Abstractforward.com Is Up

My new website, updated and stylistic, is up at: https://www.abstractforward.com/
The site will serve as my corporate site going forward, while the old site, https://www.jeremy-swenson.com/, will serve as a more personal blog.

If we can be of service to you in any way please contact us here.

Respectfully,

Jeremy Swenson, MBA, MSST
CEO & Principal Consultant: Abstract Forward Consulting, LLC
Speaker / Writer / Futurist

5 Things Equifax Could Have Improved to Prevent Their Data Breach

Minneapolis, MN – 11/22/17. The recent Equifax data breach impacted one-third of the U.S. population, with more than 143.5 million records exposed. This epic hack started on 05/13/2017 and lasted until 07/29/2017, all the while the company was clueless. As a result, the threat actors roamed around Equifax’s network, staging and exfiltrating data undetected for 2.5 months. It is one of the biggest data breaches in U.S. history but clearly not the biggest. Going forward, breaches are likely to be bigger, given the threat actors’ risk vs. reward tradeoff and the increasing capabilities of cloud computing and botnets, which enable anonymity.

Yet this breach may be one of the most negatively impactful because of the comprehensive sensitive data lost in it, including social security numbers, full names, addresses, birth dates, and even driver’s licenses and credit card numbers for some. “This information is the kind that several businesses like financial companies, insurance companies, and other security-sensitive businesses use to identify a customer accessing their accounts from online, by phone, or even in person” (Pelisson, Anaele; & Villas-Boas, Antonio, 09/08/17).

Therefore, this breach lends itself perfectly to future identity theft. To date, hundreds of fraudulent loan applications, credit card charges, student loans, and insurance claims have been documented, and it is not likely to stop anytime soon. All of this has inspired negligence lawsuits and regulatory reviews across most states. If there is one thing you would expect from a credit monitoring company claiming to protect the accuracy of your data, it is that they would at least have above-average information security standards. Yet they clearly did not. Below are the things that went wrong at Equifax to enable and exacerbate the breach:

1) Equifax’s first problem was that they failed to take a recent critical update notice seriously:
NIST (the National Institute of Standards and Technology) via CERT (the Computer Emergency Readiness Team) issued an update alert for the Apache Struts platform on 03/08/17, CVE (Common Vulnerabilities and Exposures) entry 5638 (Fig 2), which Equifax ignored or gave low priority. Apache Struts is a free, open-source MVC (model-view-controller) framework for creating Java web applications. At Equifax, the Apache Struts platform was used for multiple applications, and thus the risk associated with failing to patch the vulnerability was large and complex: every application built on the unpatched framework was exposed.

Apache Struts
The Apache Struts vulnerability allowed remote code execution via a command string supplied in an HTTP header. Both versions of this vulnerability were listed as highly severe by the CVE alert. There is no way Equifax did not know this to a considerable degree. Lesson learned: solidify your security baseline, and update and patch based on likely impact and ease of exploitation.

2) Equifax had a history of poor security culture back to 2014 and failed to make key improvements:
“In April 2017, cyber-risk analysis firm Cyence rated the probability of a security breach at Equifax at 50 percent in the next 12 months. Credit analytics firm FICO gave Equifax low marks on data protection — an enterprise security score around 550 on a scale of 300 to 850. In 2014, Equifax ‘left private encryption keys on its server,’ potentially allowing hackers to decrypt sensitive data, according to a recent breach related lawsuit.” (Harney, Kenneth; 11/21/2017). Thus, Equifax had poor security long before the recent breach, and they had been warned.

a) Creating a culture of security, where rank and title do not suppress valid evidence and reason, and where outside vendors are vetted and listened to in a timely manner concerning security risks, would improve their security posture. Yet this requires cross-departmental collaboration and openness, and it requires firing those insulating themselves in fiefdoms of “yes sayers”.

3) Executives had more concern for short-term profit than long-term security:
On 08/01/17 and 08/02/17, three top executives from Equifax sold nearly $2 million worth of company stock at a high price but maintain that they had no knowledge of the breach that was discovered by the company on 07/29/17. Allegedly these trades were placed before August 2017. Although these may be innocent, well-earned stock trades, the totality of the circumstances warrants further validation, even though Equifax’s attorneys reviewed the trades at the time. Trades like these should not just be reviewed by the legal department but also by the P.R. department when a disaster is near, likely, or present. Most importantly, long-term security should be on the minds of executives, not short-term profits; that it was not points to a huge culture issue.

4) They have business products that create conflicts of interest that incent data breaches and identity theft:
This is because Equifax sells credit monitoring services at about $17 per month per customer. They also partner to sell identity theft monitoring via LifeLock. LifeLock has a direct copy of most of Equifax’s data so they can accurately monitor for fraud indicators. LifeLock costs about $30 per month per customer, and a part of that profit is shared with Equifax via a prearranged deal inked in 2015. Sen. Elizabeth Warren described it in the video below.

5) Equifax used stunningly simple PINs that were composed of date and time:

This was corroborated by Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity. He stated, “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that. Absolutely yes, this is a rookie mistake” (Hembree, Diana, 11/15/17). Obviously, with such a simplistic approach to PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program, because the set of plausible values is tiny compared to a randomly generated PIN of the same length. PINs should be more complex, completely confidential, and there should be a policy mandating that they change often (every six months, for example).
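To make the keyspace problem concrete, here is an added example (my illustration, not Equifax’s code; the exact timestamp layout Equifax used is not public, so the MMDDHHMM format is an assumption) that contrasts a time-derived PIN with one drawn from the OS random generator, and includes an audit check a defender can run over issued PINs to flag ones that decode as a timestamp.

```python
import math
import secrets
from datetime import datetime

# ASSUMED weak scheme: the PIN is just the request time formatted as
# MMDDHHMM (8 digits). The real layout is not public; this stands in for it.
def weak_pin_from_time(when: datetime) -> str:
    return when.strftime("%m%d%H%M")

def weak_keyspace_bits(window_days: int = 365) -> float:
    # One distinct PIN per minute. If an attacker knows the freeze was set
    # sometime in the last year, only window_days * 1440 values are possible.
    candidates = window_days * 24 * 60
    return math.log2(candidates)

def secure_pin(length: int = 10) -> str:
    # secrets uses the OS CSPRNG; each digit is independent and uniform.
    return "".join(secrets.choice("0123456789") for _ in range(length))

def secure_keyspace_bits(length: int = 10) -> float:
    # Every digit position contributes log2(10) bits.
    return length * math.log2(10)

def parses_as_timestamp(pin: str) -> bool:
    """Audit check: does this PIN decode as a valid MMDDHHMM value?
    A high hit rate across issued PINs is a strong sign of the weak scheme;
    a random 8-digit PIN only rarely happens to be a valid timestamp."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, "%m%d%H%M")
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    sample = weak_pin_from_time(datetime(2017, 5, 13, 9, 30))  # constructed
    print("time-derived PIN:", sample, "timestamp-like:", parses_as_timestamp(sample))
    print("weak keyspace  : %.1f bits" % weak_keyspace_bits())
    print("secure keyspace: %.1f bits" % secure_keyspace_bits())
    print("random PIN     :", secure_pin())
```

Roughly 19 bits for a one-year window of minutes versus about 33 bits for a random 10-digit PIN is the whole story: the weak scheme is thousands of times smaller, and the audit function lets you measure how many live PINs fall into it before an attacker does.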

If you want to talk more about these and related concepts applied to my consulting and speaking, please contact me here.

The Danger of Thinking Title Makes You A Leader (expanded)


Leadership is about enabling the potential in others and getting out of the way so their dreams can enable something bigger. Having people paid to report to you does not mean you are a leader but more likely a manager, which is a very respectable and worthwhile career path, but it is not leadership. It is not even close to leadership! When people choose to follow you without money or title, that is leadership. In this context, the title is derived from results and action first. As a leader, you are responsible for incubating synergies to get three out of two. Leadership is about influence, not title. Title is a mostly meaningless word that constantly changes in today’s amorphous corporate culture.

Title without great external influence is not title at all. How can you move someone’s cheese when you can’t even move your community? Leadership STARTS at the community level and its nuclear power resides there. Community-based leadership has overthrown a lot of ruthless dictators, leading scammers, and corporate bullies. Real leaders understand the value of academic inquiry (formal or informal), history, change, and that these things together are the precursor to innovation. They also understand that innovation is a team thing, and they don’t seek to steal the spotlight.

Former H.P. CEO and Presidential candidate Carly Fiorina said it best this way, “leadership is about changing the order of things”. Changing the order of things is dangerous because it has many unknowns and it ruffles the feathers of those presently holding power. If you are truly a leader or aspire to be one, get ready to be attacked multiple times. All TRUE leaders are different and DO NOT FIT IN with most people or the status quo, and they are bullied, harassed and attacked, and that is the life they know. They can lead in times of great stress and controversy while the vast vast majority of people in the world could never even get close, and would break like a generic toothpick at the sign of light criticism.

Carly Fiorina On  Management Vs. Leadership – Stanford Univ. 2007.

Although a lot of executives say or believe they are leaders, their actions contradict that. All too often, they can’t handle the criticism that comes with true leadership, and they are very often afraid of change or of people with abstract cultural personas. In many parts of their personal lives, they could not even pass the simplest leadership test of helping someone less fortunate than them when nobody else will in a disaster situation. Very often they insulate themselves with simple-minded yes-sayers, fire people who question them, and are more often concerned with the superficial status that comes with being wined and dined by vendors that serve their vertical. Types like these are fools masquerading as leaders, but there are plenty of them.

The real life of a leader is lonely and some think you’re crazy. The people (mostly fools) who think you’re crazy don’t understand diversity, the evolution of culture, true creativity, and they most likely could never connect the dots to realize any type of noteworthy synergy.  Yet they often hype up all kinds of useless nonsense to promote their fallacious status:

1) You can’t argue with me, I am a Director, therefore I am right. Truth: Delusional.
2) I am a VP, therefore, my ideas are innovative. Truth: No one credible declares innovation.
3) I am a 27-year-old director and won’t make time for you because I am in a leader development program. Truth: Leader development programs have next to no track record and teach corporate conformity. A leader development program would not have helped Bill Gates, Martin Luther King Jr., or Mark Zuckerberg.

With great respect for everyone, in my experience, the people making these types of arguments are the biggest fools of all and they are usually one trick ponies – good at one or two things only and for a short period of time. If you fall for them you have been scammed.

Examples of true leaders include Billy Corgan (alternative rock music pioneer), the Wright Brothers (building and flying the first airplane), William Kunstler (landmark civil rights attorney), John McAfee (anti-virus pioneer), and Steve Jobs (computer pioneer). These people were all criticized in their early years and pushed many people away from their inner circle. Although this criticism and isolation may have broken some people, it did not break them.

Most often, real leaders don’t fit in with most people, and unless they get fame or money they are ostracized. So many in our society are overly focused on fame, media hype, and money. Yet real leaders are not distracted by these immoral fallacies, for they have nothing to do with life satisfaction, moral progress, or any type of synergy. Real leaders undeniably inspire movements and better people and processes, and with their vision and advocacy, society, business, and/or technology gets to heights never dreamed possible. Very few people see this at the time, though many are happy to jump on the bandwagon decades after it’s validated as cool by the masses.

Martin Luther King Jr. was one such leader and he paid the ultimate price but inspired a civil rights revolution that redefined America – William Kunstler defended him. Philosopher and teacher Socrates was unjustly condemned to death for questioning the current status quo of Athenian politics and society and for teaching students to do the same thing for a better world. Today his ideologies and approach have proven to be the foundation for much of Western philosophy and education. His name is associated with the Socratic Method, which means questioning everything. It is the hallmark of how law schools teach students throughout most of the world and it is a methodology that has proven to save the lives of thousands.

Yet some corporate leaders do not like to be questioned by even the most validated intellectuals. Case in point: when credible writer and analyst Bethany McLean was questioning Enron CEO Jeff Skilling in 2001 about Enron’s public financials, he blew her off and created a smoke screen to cover up large-scale fraud. It’s no surprise that Enron is now defunct, Skilling is in prison, and McLean has been proven as the real leader. Having met her, having read her works, and having corresponded with her, I know she is everything that makes up a great leader. Great leaders have no problem taking questions from validated individuals of all walks and ranks because they have nothing to hide (including insecurities), and they can use the dialogue to advance their innovative mission. In the data-centric democracy of the United States, business and technology fads come and go, and now is about the new; false leadership will be short-lived.

Socrates Condemned to Death Speech – 399 B.C.

I will take the person with the best ideas and passionate followers over someone who gloats about how prior titles prove anything. Titles by themselves and even with experience do not prove much at all. In the evolving and constantly changing landscape of technology, titles, for the most part, do not matter. Results, creativity, and inspirational empathetic leadership are what matter – emphasis added!!

If you focus too much on title, the guy or girl with the right idea will run you out of business, and you and your whole team will be left with little money and no title. Please think long and hard about this if you are claiming to be a leader. You don’t want to be like Kodak and fail to see that digital cameras are the future, and you don’t want to be the leader who failed to see a data breach. You don’t want to be an overconfident leader who self-declares your morality over subordinate objections but who years and perhaps decades later is deemed greatly immoral. You don’t want to be that executive whose peers support you only because they are paid to but really don’t respect you and are not at all inspired by you. This happens a lot, and this faulty leadership under good governance will be short-lived.

Lastly, to that person who gloats about their V.P., Director, SVP title, or the like: ask them how many people would follow them passionately without money in times of great challenge while others criticize them. Likely, they will be confused, because most leaders are below the surface working to make the world a better place while the above fakers seek status and “yes” cliques. They know nothing about leadership or moral courage. To think that titles are a rite of passage to leadership is one of the most dangerous fallacies in society to date. It has caused wars to be lost, inspired political violence, caused elections to be lost and technologies to be missed, and it is a solvable irony for a society as advanced and gifted as the human race. What are you doing to be your own best leader for the greater good of others? I assure you it has nothing to do with title.

If you want to talk more about these and related concepts, please contact me here.