Ernst and Young's Answer to the Equifax Breach Doesn't Pass Muster
Christopher Paris
29 December, 2018 - 9:36 PM

I reported on the fact that Ernst & Young's financial auditors assessed systems and controls that had also been assessed by ISO 27001 auditors from another EY company, CertifyPoint. That article was then expanded in MarketWatch, who reached out to CertifyPoint for an explanation, as did I. They did not respond to either request, but Ernst & Young's US office did respond to MarketWatch. The explanation provided is lacking, though, and contradicts actual certification requirements and realities.

Apart from the apparent conflict of interest between two EY auditing bodies auditing each other, the other issue at hand was how EY CertifyPoint could have certified Equifax’s information security management system, if — as government regulators later found out — Equifax was using hardware from the 1970s and lacked basic security controls. In addition, it was found that Equifax had an SSL certificate that had lapsed for 10 months, but never noticed; this should not be possible under an ISO 27001 certified system. EY’s answer to MarketWatch doesn’t come close to answering these issues, but instead regurgitates a well-honed ISO script, trotted out by every registrar whenever such questions are asked:

A company is in compliance with ISO 27001 when there is reasonable assurance that it maintains designated processes around governance of information security, including processes to minimize the impact of information security events when they occur. ISO 27001 compliance is not assurance that a company is effectively protected against data security or data privacy breaches such as a cyberattack.

Ignoring yet another conflict of interest — why is EY’s financial wing answering questions about CertifyPoint? — the language is nearly identical to that used by ISO 9001 quality system certification bodies when asked why their certified clients release deadly products on the market, such as the Takata airbags or PIP breast implants. In those cases, the registrars emphasize that it’s not a “guarantee of product quality.” You’ve likely seen this excuse in many of the websites of registrars, like this one. Or this one. Or here.

(Occasionally, however, a registrar slips and says the opposite, claiming such certifications are guarantees, since there are no rules on what they can and cannot promise in their marketing.)

Because the scripted answer sounds credible, and because usually the person asking it isn’t aware of the full import of ISO certifications, they get away with it. But the claims are patently false. First, we have to understand which standards are in play.

The Three Tiers of Accreditation

Equifax was certified by EY CertifyPoint to ISO 27001 — pay attention to that last digit — the standard that defines controls for information security management systems. That means CertifyPoint physically visited Equifax's facilities and audited them to the requirements defined in the ISO 27001 document.

Meanwhile, in order to ensure its certificates can be trusted, CertifyPoint is "accredited" to another standard, ISO 17021-1. CertifyPoint is, itself, then audited annually by the Dutch accreditation body Raad voor Accreditatie (RvA), who physically visits the offices of CertifyPoint — and shadows them on actual audits — to ensure they comply with ISO 17021-1. If violations are found, RvA is supposed to de-accredit CertifyPoint. These two tiers are intentionally referred to separately as "certification" and "accreditation" — bodies like CertifyPoint certify companies, but bodies like RvA accredit companies like CertifyPoint, who issue certificates.

In addition to all of this, in order to issue ISO 27001 certificates, CertifyPoint would also have to comply with ISO 27006 (last digit “6”), which defines specific rules for conducting ISO 27001 audits. Both those standards — ISO 17021-1 and ISO 27006 — are listed on CertifyPoint’s certificates issued to clients like Equifax:

[Image: CertifyPoint certificate listing ISO/IEC 17021-1 and ISO/IEC 27006]

RvA doesn't escape oversight either; it must comply with yet another standard — ISO 17011 — which is then managed by the highest authority in the ISO certification scheme, the International Accreditation Forum (IAF). Theoretically, RvA is supposed to be peer-audited against ISO 17011 to ensure it's holding CertifyPoint accountable, but the air is pretty thin at that high altitude, and things are flimsy. Suffice it to say, the IAF is a shadowy organization comprised of a handful of self-appointed individuals, literally numbering in single digits, and managed day-to-day by a single Canadian consultant, even as it claims to police the entire ISO certification scheme, while generally doing the exact opposite.

This huge machine is intended to differentiate formal, officially-recognized, “accredited” ISO certificates from those of the internet-based “certificate mills.” These mills issue certificates without any controls at all, without complying to any standards, and often without actually conducting audits at all. They get their name due to their similarity to “diploma mills” which issue unaccredited university degrees. The entire purpose of the accredited ISO certification scheme is to ensure that such certificates are issued under internationally-accepted rules, which are often then embedded into national laws.

Examining Language

What this also means is that EY’s scripted reply to MarketWatch not only makes no sense, it can’t exist under the accredited certification scheme. The fact that so many ISO certification bodies repeat similar claims is irrelevant; mass repetition of a falsehood doesn’t make it fact.

Consider the actual language on the ISO 27001 certificates issued by CertifyPoint. Keep in mind, this certificate is what faces both the general public and Government Contract Officers. Those “GCOs” require ISO certifications as an assurance of quality or information security, and often disallow companies who lack such ISO certifications from even bidding on government contracts. It’s likely that the Internal Revenue Service (IRS) required Equifax to hold ISO 27001 certification in order to be considered for the controversial contract it was later awarded. I’m still researching this angle, but it’s possible that had Equifax never been granted an ISO certificate, it would have not been eligible to bid on the IRS contract. Government mandates are currently the number one driver for ISO certifications, as companies pursue them solely to gain access to bidding privileges.

If any company — never mind simply Equifax — was awarded an ISO certificate when it did not comply with the particular ISO standard, this would be seen as contract fraud under US Federal law. Given the number of laws that would be violated, it’s safe to say multiple felonies would likely be in play.

Certification bodies like CertifyPoint know this, which is why they have their scripted response ready when someone comes asking. If ever taken to court, the script would likely fall apart; but outside of court, it sounds perfectly reasonable. But the argument that “ISO 27001 compliance is not assurance that a company is effectively protected against data security or data privacy breaches such as a cyberattack” doesn’t hold up to CertifyPoint’s marketing, its certificates, nor its accreditation requirements.

The Certificate

The following language appears on an ISO 27001 certificate issued by CertifyPoint to Amazon Web Services, but is representative of all such certificates, and would be identical to that appearing on that of Equifax:

Based on the certification examination in conformity with defined requirements in ISO/IEC 17021:2015 and ISO/IEC 27006:2015, the Information Security Management System as defined and implemented by [the client] headquartered in [client's location] is compliant with the requirements as stated in the standard ISO/IEC 27001:2013.

This certification is applicable for the assets, services and locations as described in the scoping section on the back of this certificate, with regard to the specific requirements for information security as stated in the Statement of Applicability.

Notice how the certificate clearly states "the Information Security Management System… is compliant with the requirements [of] ISO/IEC 27001." It goes further and insists this applies to the "assets, services and locations" applicable to the client. "Assets," by the way, includes hardware systems, and is an important word here.

There is nothing wishy-washy about this declaration. There are no caveats. The entirety of the company's information security management system complies with the entirety of ISO 27001 (barring some scoping adjustments). Remember, this is the language that would be read by a Government Contracting Officer looking to grant bid access to any company holding the certificate.

Yet EY’s explanation to MarketWatch isn’t close to representing this same level of comprehensiveness that appears on the certificate. Suddenly, in a comment that will only be read by MarketWatch’s readers and not GCOs, EY says the certificate only provides “reasonable assurance.” That is dramatically different, and nearly contradictory, to the actual language on the certificate. You will not find the words “reasonable assurance” on the certificate itself, nor anywhere in CertifyPoint’s marketing.

Look at this part of EY’s statement, too: they claim the system will “minimize the impact of information security events when they occur.” This is a dramatic rewriting of the purpose of ISO 27001 certification, and spins it on its head. The purpose of an information security management system is to ensure the events never occur, not to yield to their inevitability and worry about them afterward. To any ISO professional, this wording is nothing less than stunning. Here EY is acknowledging it is accepting of what is called “escapes.” No serious professional would tolerate this.

Next, EY claims, out of the blue, that this certification “is not assurance that a company is effectively protected against data security or data privacy breaches such as a cyberattack.” Yet government regulators found that the hack was due, in large part, to “legacy systems.” Remember the certificate mentioned “assets”; this would include those “legacy systems.” Per the US House Committee on Oversight and Government Reform report:

Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging. Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach.

Furthermore, those “legacy systems” were physically located in the building where CertifyPoint’s auditors conducted their audit, in Alpharetta GA, the address shown on Equifax’s ISO 27001 certificate:

On May 13 [2017], attackers entered the Equifax network through the Apache Struts vulnerability located within the ACIS environment, an internet-facing business system individuals use to dispute incorrect information found within their credit file. Equifax originally built this system in the 1970s to meet FCRA requirements. It was operating on a complex legacy IT system housed within a data center in Alpharetta, Georgia.

Why would the auditors have been inclined to look at the legacy hardware? Simple: because they were required to.

Accreditation Rules for CertifyPoint’s Audits

ISO 27006, one of the standards that CertifyPoint invokes on its certificates, and with which it must comply when conducting audits, makes it clear that "critical assets" must be included in an ISO 27001 audit for it to be valid; see this language from ISO 27006 [emphasis added]:

D.1.1 Audit evidence
The best quality of audit evidence is gathered from observation by the auditor (e.g. that a locked door is locked, people do sign confidentiality agreements, the asset register exists and contains assets observed, system settings are adequate, etc.). Evidence can be gathered from seeing the results of performance of a control (e.g. printouts of access rights given to people signed by the correct authorizing official, records of incident resolution, processing authorities signed by the correct authorizing official, minutes of management (or other) meetings etc.). Evidence can be the result of direct testing (or reperformance) of controls by the auditor, e.g. attempts to perform tasks said to be prohibited by the controls, determination whether software to protect against malicious code is installed and up-to-date on machines, access rights granted (after checking to authorities), etc.

Remember, now, investigators found that "legacy systems" from the 1970s were partly responsible for the Equifax hack. There should have been no way that CertifyPoint auditors did not see 1970s hardware, since they would have been required to look at it. In fact, the complexity of Equifax's hardware assets would have had to be assessed by CertifyPoint prior to the audit, merely to determine the required audit time. Per Table C1 of ISO 27006:

[Image: Table C1 of ISO 27006]

Table D1 of the same standard requires that CertifyPoint would have had to then “identify the assets” during the ISO 27001 audit itself:

[Image: Table D1 of ISO 27006]

Mind you, the controversy over how CertifyPoint failed to identify "legacy systems," when doing so was a hard requirement of their accreditation rules, is the easy part of the discussion. Other accreditation rules would have required CertifyPoint to verify much more complicated and difficult aspects, such as database security controls and the actual software used; "identifying the assets" only requires glancing at physical hardware. So there appear to be many, many other glaring deficiencies in CertifyPoint's audit of Equifax.

Effectivity Assurances

Recall that EY claimed, to MarketWatch, that its certification “is not assurance that a company is effectively protected against data security or data privacy breaches such as a cyberattack.” The word “effectively” is stunning in that it entirely contradicts the purpose of CertifyPoint’s services. ISO 17021-1, for which CertifyPoint is accredited, specifically requires that CertifyPoint determine the “effectiveness” of the information security management system [emphasis added]:

Certification of a management system provides independent demonstration that the management system of the organization:

a) conforms to specified requirements;
b) is capable of consistently achieving its stated policy and objectives;
c) is effectively implemented.

Conformity assessment, such as the certification of a management system, thereby provides value to the organization, its customers and interested parties.

In fact, the word “effective” appears 16 times in the ISO 27001 standard, meaning there were 16 separate areas for which CertifyPoint should have verified the effectiveness of the information security management system during an audit. The term appears over 40 times in ISO 17021-1, and 18 times in ISO 27006. That means that the concept of ensuring effectiveness is repeated over and over, nearly 60 times in total, in the rules that govern how CertifyPoint is to conduct audits. There is literally no possible way an accredited certificate can be issued without having assessed the “effectiveness” of the system which was audited.

CertifyPoint could argue that it somehow confirmed the effectiveness of the "information security management system" as some kind of grand-scale, ethereal "thing" apart from its component processes and assets, and thus that having an effective "system" doesn't mean the company could have prevented the hack. This appears to be where EY is headed with their argument, but it also defies belief. CertifyPoint doesn't audit a "system" per se; it audits the components of that system and then concludes, at the end of the audit, whether the system is effective and compliant based on the analysis of the components.

In fact, to issue Equifax its certificate, CertifyPoint’s auditors would have had to verify, line-by-line, the literal requirements of ISO 27001. That is how audits are carried out. Many of the requirements of that standard touch on information security (and it’s in the title), but there are two specific requirements that speak directly to the concept of a cyberattack:

A.14.1.2 Securing application services on public networks: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

ISO 27001 also includes requirements to prevent malware injections, such as those used by the Equifax hackers:

A.12.2.1 Controls against malware: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Investigators also found that much of Equifax’s vulnerability came from its mind-boggling inability to notice that an SSL certificate had expired for 10 months. This, too, should have been impossible under an ISO 27001 system, as that standard has requirements for just such issues:

A.12.6.1 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

In order for EY’s MarketWatch response to be true, CertifyPoint would have to then admit it didn’t audit requirements A.14.1.2 and A.14.1.3, A.12.2.1, A.12.6.1 and a host of other requirements at all, or audited them and simply did a very, very poor job of it. In admitting that, however, they’d be admitting that their accreditation isn’t fully valid either, since RvA is attesting that CertifyPoint is so good at what they do, they deserve international accreditation. This, then, drags RvA into the conflict: why didn’t RvA ever find that CertifyPoint was issuing certificates without auditing entire clauses of the standard? Better yet, why hasn’t RvA taken action against CertifyPoint since the Equifax debacle? CertifyPoint remains fully accredited even as you read this.

Marketing Claims

We’re still not done. EY’s sudden claim that their CertifyPoint certifications can’t guarantee anything also flies in the face of CertifyPoint’s own marketing, another aspect which faces the public and government contracting officers.

Certification is more than just being compliant to the ISO standard — it’s about continually improving your business to achieve operational excellence! EY CertifyPoint supports clients in meeting their goals and improving the efficiency and effectiveness of their management systems. We keep the business at the centre, identifying areas of redundancy, bottlenecks and potential efficiency gains by means of a systematic and independent certification approach against a recognized ISO standard.

EY also contradicts ISO’s own marketing of their standard:

The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).

And:

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure.

By any stretch, Equifax was largely non-compliant to the ISO 27001 standard, and as the House report wrote, the debacle was “entirely preventable.” And yet, both CertifyPoint’s marketing and the certificate issued to Equifax itself, declared it was fully compliant. Worse, CertifyPoint continues to market itself as going beyond mere compliance, and helping companies like Equifax “continually improve.”

As I mentioned, EY’s scripted response is typical in the industry. ISO certification bodies respond to such scandals with three talking points: first, that the certifications don’t guarantee anything; second, that they are the result of a tiny snapshot, taken on the audit day, and can’t reflect the actual company’s operations year-round; and third, that auditors are not trained to root out fraud if the client is engaged in it. Again, you will notice none of those caveats on any ISO certificates, including those of CertifyPoint. If registrars like CertifyPoint were required to put those caveats on their certificates, the world would be alerted to the fact that the audits are largely frivolous, flimsy affairs designed to flow money from consumers to certification bodies, up to accreditation bodies and then to the IAF.

The dramatic damage caused by companies bearing such certificates — who gain access to lucrative contracts with the certs in hand — warrants full government oversight and investigation. Specifically, the House Committee on Science, Space and Technology needs to convene a special hearing on the failings of the ISO scheme within the US, and call forth both the IAF and the American National Standards Institute (ANSI) for testimony explaining just how these things have happened on their watch.

When that happens, though, we can expect the same scripted response as that given by CertifyPoint. Congress can’t fall for it.

[This article was updated on Dec. 30 to correct an error which stated CertifyPoint had responded to Marketwatch; in fact, it was an EY representative, and CertifyPoint has not responded to any questions on the matter.]
