Activity 3 John Vincent Bauzon


John Vincent Bauzon

BSIT3-BLK2
Sure, here is another case study on risk management and vulnerability assessment in
cybersecurity:

Case Study: The Equifax Data Breach

Background:

In September 2017, credit reporting giant Equifax announced that it had suffered a massive data
breach, exposing the personal information of 147 million people in the United States, as well as
15.2 million in the United Kingdom and 19,000 Canadians. The breach was caused by a
vulnerability in the Apache Struts software used by Equifax's online dispute portal.

Integration of Risk Management:

A patch for the Apache Struts vulnerability had been available for two months before the
breach occurred, but Equifax failed to apply it in time. This highlights the importance of
integrating risk management into the Software Development Life Cycle (SDLC) so that
vulnerabilities are identified and addressed promptly.

Key Roles in the Management Process:

Equifax's management team was heavily criticized for its handling of the breach, with many
pointing to a lack of accountability and transparency. The company's former CEO, Richard
Smith, was called to testify before Congress and faced tough questions about the company's
security practices and response to the breach.

Risk Assessment Methodologies:


Equifax's risk assessment methodologies were called into question following the breach, with
many experts pointing to a lack of focus on security and a failure to prioritize risks. The
company's security team had identified the Apache Struts vulnerability in March 2017, but failed
to take appropriate action to address it.

Vulnerability Assessment Tools:

Equifax's use of vulnerability assessment tools was also questioned following the breach. The
company had reportedly used a scanning tool to identify vulnerabilities, but had failed to detect
the Apache Struts vulnerability. This highlights the importance of using comprehensive
vulnerability assessment tools and ensuring that they are properly configured and maintained.

Mitigation Strategies:

To mitigate the risks associated with data breaches, organizations should consider implementing
a multi-layered security approach that includes:

1. Regular vulnerability assessments and penetration testing to identify and remediate
vulnerabilities in software and systems.
2. Employee training and awareness programs to help employees identify and report potential
security threats.
3. Implementing strong access controls and authentication measures to limit access to sensitive
data.
4. Encrypting sensitive data both in transit and at rest.
5. Implementing a comprehensive incident response plan to quickly and effectively respond to
security incidents.

Documentation:

The final report for this case study should include a detailed analysis of the Equifax data breach,
including the causes, impact, and response efforts. The report should also include
recommendations for improving risk management and vulnerability assessment processes, as
well as strategies for mitigating the risks associated with data breaches.

Presentation Preparation:

The presentation for this case study should include a clear and concise explanation of the
Equifax data breach, including the causes, impact, and response efforts. The presentation should
also include visuals, such as charts and diagrams, to help illustrate the key points.

Presentation Session:

During the presentation session, it is important to clearly explain the key findings of the case
study, including the causes of the breach, the impact on Equifax and its customers, and the
lessons learned from the experience. It is also important to be prepared to answer questions from
the audience and defend the recommendations made in the report.

Discussion and Feedback:

After the presentation, it is important to engage in a discussion with the class and solicit
feedback on the analysis and mitigation strategies presented. This can help identify potential
weaknesses or gaps in the analysis and provide valuable insights for improving the overall risk
management process.
