Rudolph Araujo, vice president of marketing at Awake Security, based in Sunnyvale, Calif., said the issue was likely a lack of “checks and balances to make sure the patch was actually successfully deployed, services restarted, etc.”
“They quite likely may have passed an audit for their patch management process by claiming they have that as a process, but this is a good example of why this process just would never work in any sizeable organization. For instance, were they even in a position to know all of the Apache servers in an environment as large and complex as Equifax?” Araujo said.
“As the report points out, the company under Richard Smith was growing rapidly and processing enormous amounts of data,” he continued. “This often leads to shadow IT, where developers, business units, etc., spin up their own infrastructure, and one wonders if the security team even had visibility into it.”