Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit

Aodhhan

Igorance

I can tell the author doesn't have a lot of experience in InfoSec. Also, many of the commenters don't either. I've been penetration testing for over 15 years, so I've noticed many security cock-ups, poor risk management, etc. What I see more of, though, are people making comments without thinking it through.

First--Reworking and following the exact steps a hacker does to your system is commonplace. It's often necessary to ensure you find everything. This is particularly important with databases... where there is a lot of information. Usually too much for the hacker to scrape and copy in full; so you need to figure out exactly what was copied, removed and/or changed. NOT REWALKING THE STEPS is considered negligent. Making fun of it like this author does is ridiculously stupid.

Second--ANYONE who thinks their system is so secure because they do everything right is a moron. Not ignorant, but a moron. This includes certificate management. I'm willing to bet I can find a bad cert somewhere in your network. I find them about 70% of the time I look. Or I find they aren't bound correctly, etc. Chances are, your network has at least one, and the system using it doesn't fail because of it.

Third--While no doubt Equifax messed up on this, if you don't get why a system doesn't quit working due to an expired certificate--then you haven't worked with really large networks. Also remember, this type of risk is often accepted. Probably on your network as well.

Fourth--Speaking of risk acceptance. Chances are your CIO has accepted some risks, and at first glance (since you're ignorant and don't get the entire picture) you would think he's crazy to do so. ALL NETWORKS HAVE ACCEPTED RISKS.

Fifth--Struts was a particularly nasty beast. An easy-to-do (even for you script kiddies) remote exploit, which was being actively exploited the same day it was published. Many companies decided to wait until Monday to patch it and fell victim to it. Many more would have fallen victim to it, but were saved by proxy systems being correctly configured to stop outbound traffic. Heck, the system you work on may have been hit, exploited, but saved because of an outbound setting. So... be careful what you gripe about.

So before you begin to throw stones (and nobody in InfoSec should), look at your company's network to see how many exceptions to policy and larger network accepted risks there are.

Also, anyone in InfoSec who believes their network is completely secure from malicious activity should give up this career field, because you don't have what it takes to think forward enough to do the job correctly. All large networks are vulnerable in one way or another... ALL OF THEM. The key is how you respond and gracefully recover from an attack... not just how you work to stop it.
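The "rewalking the steps" point above, as an added example (not the commenter's code, and nothing to do with Equifax's actual environment): replay the statements a database audit log captured, in order, against a snapshot copy inside one transaction that is rolled back at the end, so the investigator learns which records were returned, changed or removed without touching the evidence. The table, the rows and the attacker log are all constructed sample data; the column names and the `consumers` table are assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for a snapshot of a production table (sample data only).
SAMPLE_ROWS = [
    (1, "000-00-0001", "GA"),
    (2, "000-00-0002", "NY"),
    (3, "000-00-0003", "CA"),
    (4, "000-00-0004", "GA"),
    (5, "000-00-0005", "TX"),
    (6, "000-00-0006", "NY"),
]

# Constructed attacker statements, in the order a DB audit log would have recorded them.
ATTACKER_LOG = [
    "SELECT id, ssn FROM consumers WHERE state = 'GA'",
    "SELECT * FROM consumers WHERE id > 4",
    "UPDATE consumers SET state = 'XX' WHERE id = 3",
    "DELETE FROM consumers WHERE id = 2",
    "SELECT count(*) FROM consumers",
]


def build_snapshot():
    """Build an in-memory copy of the (constructed) table to replay against."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # autocommit; we manage BEGIN/ROLLBACK ourselves
    conn.execute("CREATE TABLE consumers (id INTEGER PRIMARY KEY, ssn TEXT, state TEXT)")
    conn.executemany("INSERT INTO consumers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def replay(conn, log, sensitive_columns=("ssn",)):
    """Re-run every logged statement in sequence inside one transaction, then roll back.

    Returns a list of per-statement findings (rows returned or affected, columns
    exposed) and the set of record ids whose sensitive columns were returned.
    Sequential replay matters: a later SELECT sees the effect of an earlier DELETE,
    exactly as the attacker's session did.
    """
    findings = []
    exposed_ids = set()
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        for stmt in log:
            cur.execute(stmt)
            verb = stmt.split(None, 1)[0].upper()
            if cur.description:  # statement produced a result set
                cols = [d[0] for d in cur.description]
                rows = cur.fetchall()
                touched = [c for c in cols if c in sensitive_columns]
                if touched and "id" in cols:
                    idx = cols.index("id")
                    exposed_ids.update(r[idx] for r in rows)
                findings.append({"stmt": stmt, "verb": verb, "rows": len(rows),
                                 "columns": cols, "sensitive": touched})
            else:  # DML: rowcount is the number of rows changed or removed
                findings.append({"stmt": stmt, "verb": verb, "rows": cur.rowcount,
                                 "columns": [], "sensitive": []})
    finally:
        conn.rollback()  # the snapshot is evidence; never keep the attacker's changes
    return findings, exposed_ids


def summarize(findings, exposed_ids):
    """Condense the replay into the three numbers an incident report needs."""
    return {
        "records_copied": sorted(exposed_ids),
        "rows_changed": sum(f["rows"] for f in findings if f["verb"] == "UPDATE"),
        "rows_removed": sum(f["rows"] for f in findings if f["verb"] == "DELETE"),
    }


def snapshot_row_count(conn):
    """Confirm the rollback left the snapshot untouched."""
    return conn.execute("SELECT count(*) FROM consumers").fetchone()[0]


if __name__ == "__main__":
    db = build_snapshot()
    results, exposed = replay(db, ATTACKER_LOG)
    for f in results:
        print(f"{f['verb']:<6} rows={f['rows']:<3} sensitive={f['sensitive']}  {f['stmt']}")
    print(summarize(results, exposed))
    print("snapshot intact:", snapshot_row_count(db) == len(SAMPLE_ROWS))
```

Against a real engine the same idea applies with the vendor's audit log as input and a restored backup as the replay target; the point is that the scope of exfiltration comes from what the queries actually returned, not from what the log lines look like.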
