Conflicted External Auditors at Heart of Equifax Data Breach
The US House Committee on Government Oversight and Reform published the results of its investigation into the Equifax breach, calling it "entirely preventable." The report highlighted multiple problems, but two issues stand out: overall incompetence by Equifax's IT security staff, and a reliance on "legacy" systems literally from the 1970s.
What has not been discussed, however, is the fact that since 2011 Equifax held third-party certification to ISO 27001, the international standard for information security management systems. Companies typically pursue this certification in order to prove the excellence of their cybersecurity systems, and with such a certificate in hand, companies can gain the right to bid on government and industry contracts. Increasingly, federal agencies require ISO 27001 certification as a minimum qualifier.
It does not seem possible that Equifax could have achieved ISO 27001 certification, given that the standard requires annual third-party audits not only of a company's documented procedures, but also of its hardware and facilities. It's not clear how auditors could have missed equipment from the 1970s and, as the House report indicated, procedures that were grossly inadequate.
It begins to make sense, however, when one examines the entire ISO certification scheme and the actors involved. Companies like Equifax pay a "certification body" (CB) to audit them every year against the given standard, in this case ISO 27001. The CB is authorized to conduct this activity on the basis of its own accreditation, granted by an "Accreditation Body" (AB). The ABs audit the CBs every year against another ISO standard, ISO 17021. The ABs get their authority through membership in the International Accreditation Forum (IAF), through which they are audited under a different standard, ISO 17011. This network of auditing bodies and standards exists to ensure the results are valid, and not corrupted by conflicts of interest.
The problem is that the scheme itself is built upon a conflict of interest: each party pays its own auditor, so there's little incentive for any auditor to actually find problems. If a CB de-certifies a client, it loses that client. If an AB de-accredits a CB, it loses that CB. And so on. Those at the top have the most to lose financially, and so have the least incentive to do their job. As a result, failing an audit is very, very rare.
In the case of Equifax, the arrangement was even more conflicted. Equifax's ISO 27001 certification body was CertifyPoint, a division of Ernst & Young. According to CertifyPoint's public records, it issued Equifax its ISO 27001 certificate in 2011; it now lists the certificate as expired. According to Annual Reports published by Equifax, its ISO 27001 certificate was suspended in 2017, only after the data breach. This means that from 2011 until the breach, CertifyPoint was conducting annual IT security audits on Equifax and awarding it a certificate each year. The certificate was only pulled after the breach was reported by news outlets.
But it gets worse. According to reporting by Marketwatch, Equifax was using accounting auditors from the financial division of Ernst & Young. That article quoted Bentley University professor Dr. Rani Hoitash who explained that while financial accountants would not directly audit IT systems, "Auditors, however, are required to look at policies and practices related to financial reporting-related information technology systems and data early in the annual audit process."
This, then, raises serious concerns about Equifax's external auditors. EY financial auditors would be disincentivized to raise findings regarding the company's IT security systems because that would reflect poorly on EY's CertifyPoint auditors, who had otherwise blessed them. The conflict extends in the opposite direction as well, as CertifyPoint auditors would be hesitant to raise any issues that might impact poorly on EY's financial auditing team.
Ironically, Equifax hired EY after its prior auditing firm, Arthur Andersen, was indicted and eventually shut down because of auditor-related conflicts of interest discovered during the Enron scandal. That incident resulted in the Sarbanes-Oxley law, which provides legislation to control conflicts between financial auditors and financial consultants. There are currently no laws governing conflicts of interest in the ISO certification scheme, however.
To date, representatives of CertifyPoint and its accreditation body, Raad Voor Accreditatie (RvA), are not answering questions on why none of them raised any concerns regarding Equifax's poor controls and systems, which are now a matter of public record. Also silent is the IAF, which oversees the entire scheme.
It's likely, therefore, that more such incidents will occur despite companies holding ISO certificates that claim their systems are fully compliant with international standards. Until regulators start paying attention, or until the IAF is called before Congress to testify on just what is happening on its watch, these problems will only worsen.
About the Author: Christopher Paris is an aerospace quality management consultant, author and industry watchdog. His company, Oxebridge Quality Resources, provides independent reporting on the ISO certification scheme and its conflicts of interest.