Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement

The following case studies discuss various enforcement problems with IT security policies. The first two illustrate a lack of enforcement. This lack of enforcement allowed data security breaches to occur. The third talks about how a policy was effectively enforced. Although data was inappropriately downloaded in the third case study, the study shows how changes in policy could improve the culture.

Private Sector Case Study

In 2017, it was widely reported that the credit reporting agency Equifax had been breached. The personal information of 147 million people was exposed. Among the data accessed were credit card numbers for approximately 209,000 U.S. consumers. This was a substantial breach. The event occurred from mid-May through July and was discovered on July 29, 2017. What later became known was that in several instances, Equifax used default usernames and passwords—specifically, “admin” and “admin”. These discoveries were made after the major breach; they were not the cause of the breach. Researchers at a cybersecurity firm found that they were able to access personal employee information housed on Equifax’s South American site, including names, emails, and Social Security equivalents of over 100 individuals.

This is an example of failure to enforce security policies. Almost all organizations, particularly sizable ones, have specific policies against using default passwords. The Payment Card Industry Data Security Standard (PCI DSS) specifically warns against having any default accounts or passwords. However, this was clearly not enforced at Equifax.

Public Sector Case Study 1

In January 2019, a research firm discovered that data belonging to the Oklahoma Department of Securities had been exposed for nearly a week before the breach was noticed. Three terabytes of data were unprotected. The data included files on sensitive criminal investigations.

The department handles all securities-related data for the State of Oklahoma. The data revealed included investigations related to securities issues. It was also found that email archives going back 17 years, as well as Social Security numbers, were in the exposed data. Passwords for remote access to agency computers were also exposed. The data involved spanned from 1986 to 2016. The breach was due to an open rsync server; rsync is often used for backups, so backup data was exposed. The server appears not to have been secured.

This is an example of poor policy enforcement. The rsync server should have had much more robust security. Furthermore, having that much data exposed via the breach of a single server is itself disconcerting. This indicates that the basic principle of defense in depth was not applied.
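The following is an added example, not part of the original case study, showing one way an organization could enforce its policy on backup servers of the kind described above: a small audit of an rsync daemon configuration (rsyncd.conf) that flags modules reachable anonymously, from any address, or listed to anyone who connects. The two sample configurations are constructed for illustration and the directive names and defaults follow the rsyncd.conf man page.

```python
import re
SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")

def parse_rsyncd_conf(text):
    """Return {module: effective params}; settings placed before the first
    [module] header are globals that every module inherits."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            modules[current] = dict(globals_)    # start from global defaults
            continue
        m = PARAM_RE.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            (globals_ if current is None else modules[current])[key] = value
    return modules

def audit_module(params):
    """List how one module is exposed. 'list' and 'read only' default to yes
    in rsyncd.conf; 'auth users' and 'hosts allow' are unrestricted if unset."""
    findings = []
    if not params.get("auth users"):
        findings.append("anonymous: no 'auth users'")
    if not params.get("hosts allow"):
        findings.append("reachable from any address: no 'hosts allow'")
    if params.get("list", "yes").lower() in ("yes", "true", "1"):
        findings.append("enumerable: 'list' not disabled")
    if params.get("read only", "yes").lower() in ("no", "false", "0"):
        findings.append("writable: 'read only' disabled")
    return findings

def audit_rsyncd_conf(text):
    return {name: audit_module(p) for name, p in parse_rsyncd_conf(text).items()}

# Constructed sample configs, not taken from any real deployment.
EXPOSED_CONF = """[backups]
    path = /srv/backups
"""
HARDENED_CONF = """hosts allow = 10.20.0.0/24
[backups]
    path = /srv/backups
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    list = no
"""
```

Run against EXPOSED_CONF the audit reports three findings for the backups module; against HARDENED_CONF it reports none, because the global hosts allow is inherited and authentication and listing are set explicitly.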

Public Sector Case Study 2

This is an older case but one that is still relevant. In July 2013, a U.S. Department of Energy system suffered a data breach. It resulted in unauthorized access to more than 104,000 individual personal records. The records included Social Security numbers, birthdates and locations, bank account numbers, and security questions and answers.

According to the Department of Energy Inspector General’s report, there were “early warning signs” that personnel-related information systems were at risk. Yet no actions were taken to improve security. The Inspector General’s report went on to identify “a number of technical and management issues” that were root causes. Additionally, the report cited “numerous contributing factors related to inadequate management processes.”

Although the details of the breach were not made public, it’s clear from the language and tone of the report that a lack of management process led to the security breach. Given that this agency is governed by the National Institute of Standards and Technology (NIST) standards, adequate security policies were most likely not the issue. That suggests the problem was lack of governance or management process to enforce the NIST standards.

It is interesting that the report indicates there were “early warning signs” of the security risks. In the absence of specifics, here are a couple of possibilities, among many, to consider:

First, the management processes may have failed to identify the security control weaknesses. This could happen if the breach was the result of a management process that did not adequately rate risks. For example, patch management processes must identify critical patches for issues that could lead to a breach. If this process fails to properly risk-rank a patch, then applying the patch could be significantly delayed, needlessly exposing the systems to risk. Regardless, management processes must enforce both ranking and installing patches to prevent data breaches.

A second possibility to consider is a lack of effective governance and management oversight. Had the risk been properly identified and raised with management, the lack of action could have been an indication that management was not enforcing policies. Given that lack of management action is cited as a cause, lack of policy enforcement as required by NIST standards might be a root cause.
