Now that we’ve had an opportunity to autopsy the breach, what have we learned?
Last September Equifax disclosed that its credit reporting database had been breached and sensitive consumer data – like social security numbers, addresses, driver’s license numbers and a whole range of other private information – on over 143 million people had been compromised.
As the news poured out following the breach, the tendency may have been to focus more on the sensational aspects of the discussion. For instance, ample attention was paid to the fact that the person overseeing security had been a music major in college, a non-issue that, while superficially salacious, offered no strategic insight into how to better secure databases or avoid breaches in the future.
But time has passed, the security community has had time to assess and now we can begin to glean some actual lessons from this whole debacle. I took the opportunity to speak with experts in the infosec community and these were some of their biggest takeaways.
The Little Things Matter
One of the common themes amongst the experts we spoke with was that little mistakes can cost you big-time.
“Equifax was attacked through a vulnerability in the Apache Struts web-application software,” said Steven Weisman, a lawyer and college professor who teaches White Collar Crime at Bentley University. “A patch for the particular vulnerability exploited had been issued in March and the breach did not occur until May. The lesson is a simple one. Whenever security updates are issued they must be installed as soon as possible. The delay on the part of Equifax was inexcusable.”
However, according to Druce MacFarlane, vice president of products and marketing at Bricata, things aren’t that simple.
“One of the underlying issues that have come to the forefront in the aftermath of the Equifax breach is patching vulnerabilities. Big organizations with complex IT infrastructure prefer to test new vulnerability patches before implementing these to a live environment. This change in management process helps ensure these don’t cause another problem,” says MacFarlane in a recent contribution to CSOonline.com. “This creates a gap – the time between the revelation of a new vulnerability and the implementation of a patch. In turn, this initiates a race as bad actors start narrowing down high-value targets that remain unpatched.”
“A layered security posture with complementary tools (that ideally play well with each other) offers advantages,” according to MacFarlane. “A responsible enterprise should either patch or aggressively monitor a new vulnerability – and preferably they do both. The longer Equifax stayed vulnerable to this exploit, the more inevitable such a breach became.”
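The disclosure-to-patch gap MacFarlane describes is easiest to manage when it is measured. The following is an added example (not code from Bricata, Equifax or this article) of a small patch-gap tracker: it flags every host still on a release older than the first fixed one, reports how long it has been exposed, and says whether it is still inside the change-management test window with monitoring in place or is overdue. The inventory, version numbers, hostnames and dates are constructed.

```python
"""Patch-gap tracker for the disclosure-to-patch window discussed above.
Added example with a constructed inventory; version numbers, hostnames and
dates are hypothetical and not from Equifax, Apache Struts or Bricata."""
from datetime import date, timedelta

def parse_version(v):
    """'2.3.10' -> (2, 3, 10) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(installed, fixed_in):
    """True when the installed release predates the first fixed release."""
    return parse_version(installed) < parse_version(fixed_in)

def assess(inventory, fixed_in, disclosed, today, sla_days):
    """Return [(host, days_exposed, action)] for every still-vulnerable host,
    ordered so overdue hosts that hold sensitive data come first. Dates are
    ISO strings such as '2017-03-01'."""
    disclosed, today = date.fromisoformat(disclosed), date.fromisoformat(today)
    overdue = today > disclosed + timedelta(days=sla_days)
    days_exposed = (today - disclosed).days
    findings = []
    for host in inventory:
        if not is_vulnerable(host["version"], fixed_in):
            continue
        if overdue:
            action = "OVERDUE: patch now, or isolate and monitor until patched"
        elif host["monitored"]:
            action = "in test window, exploitation monitoring in place"
        else:
            action = "in test window but UNMONITORED: add monitoring"
        findings.append((host["name"], days_exposed, action))
    sensitive = {h["name"]: h["sensitive"] for h in inventory}
    findings.sort(key=lambda f: (f[2].startswith("OVERDUE"), sensitive[f[0]]),
                  reverse=True)
    return findings

# Constructed inventory: three hosts running a hypothetical web framework.
INVENTORY = [
    {"name": "portal-01", "version": "2.3.10", "monitored": False, "sensitive": True},
    {"name": "portal-02", "version": "2.3.10", "monitored": True, "sensitive": False},
    {"name": "intranet-01", "version": "2.3.12", "monitored": False, "sensitive": False},
]
FIXED_IN = "2.3.12"        # hypothetical: first release that contains the patch
DISCLOSED = "2017-03-01"   # constructed: day the advisory and patch were published

if __name__ == "__main__":
    for name, days, action in assess(INVENTORY, FIXED_IN, DISCLOSED, "2017-05-15", 14):
        print(f"{name}: {days} days exposed; {action}")
```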
Lip Service Over Security
One of the other takeaways was that Equifax seemed more interested in sounding good about security than actually being good about security.
“Security lip service is more of a problem than we realized,” said Kenneth S. Robb, Cyber Security and Risk Consultant at Citadel Cyber Solutions. “Revenue/Ease of Use/Stock Price were all valued higher within Equifax.”
Robb went on to say that our most sensitive data is now public record, yet most banking institutions still rely on those data points for account verification.
“Security must now be at the forefront of everything we do (Thwarting Social Engineering through Training, securing data in transit and at rest, data tokenization),” said Robb. “Whether we like it or not, Equifax has thrust us all forward as our own data managers.”
Jason Remillard, President of Data443 Risk Mitigation, Inc., is less interested in casting blame and more focused on what this means for the storage of data at rest.
“Without full knowledge about who is ‘at fault’ – the main point is that the information needs to be encrypted at rest, and any single application/service/user access is decrypted as part of the transaction,” said Remillard. “There are several technologies available for this type of protection – however, they all require application modifications – something I suspect was the blocking factor in further protecting this highly sensitive infrastructure. Either way, sensitive information must not leave its repo without crypto approvals – new regulations like GDPR will further enhance this requirement.”
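The tokenization Robb lists and the one-record-per-transaction release Remillard describes fit together as a token vault. The following is an added example (not Data443's or Citadel's code) in which the application database stores only tokens, a separate vault holds the real values, and every release is tied to one caller, one approved purpose and one audit entry, with no bulk export path at all. Callers, purposes and sample SSNs are constructed; encryption of the vault's own storage is assumed to be handled by the storage layer and is not shown.

```python
"""Tokenization vault: the application database keeps only tokens, the real
SSN lives in a separate vault and is released one record at a time, for an
approved purpose, with every release logged. Added example, not Data443's
or Citadel's code; callers, purposes and sample SSNs are constructed."""
import secrets

class TokenVault:
    def __init__(self, allowed_purposes):
        self._store = {}                 # token -> real value, vault side only
        self._allowed = set(allowed_purposes)
        self.audit_log = []              # (caller, purpose, token) per release

    def tokenize(self, value):
        """Swap the value for a random token that keeps only the last four
        digits, so screens can show '***-**-1234' without touching the vault."""
        token = f"tok_{secrets.token_hex(8)}_{value[-4:]}"
        self._store[token] = value
        return token

    def detokenize(self, token, caller, purpose):
        """Release one value for one transaction, and only for an approved purpose."""
        if purpose not in self._allowed:
            raise PermissionError(f"{caller}: purpose '{purpose}' is not approved")
        if token not in self._store:
            raise KeyError("unknown token")
        self.audit_log.append((caller, purpose, token))
        return self._store[token]

    def export_all(self, caller):
        """Deliberately no bulk path: an attacker holding the application's
        token table learns nothing, and the vault never hands everything out."""
        raise PermissionError(f"{caller}: bulk release is not supported")

# Constructed records as the application stores them: tokens, never raw SSNs.
VAULT = TokenVault(allowed_purposes={"credit-report", "identity-verification"})
CUSTOMERS = {cid: {"name": name, "ssn_token": VAULT.tokenize(ssn)}
             for cid, name, ssn in [("c1", "A. Example", "000-00-1234"),
                                    ("c2", "B. Example", "000-00-5678")]}

def display_ssn(cid):
    """Masked view from the token alone; no vault access, nothing to log."""
    return "***-**-" + CUSTOMERS[cid]["ssn_token"][-4:]

def pull_for_report(cid, service):
    """One transaction: the report service gets exactly one SSN, and it is logged."""
    return VAULT.detokenize(CUSTOMERS[cid]["ssn_token"], service, "credit-report")
```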
The GDPR, or General Data Protection Regulation, is an incoming set of rules from the EU that will affect all companies with a footprint in Europe.
Had it been in effect when this breach occurred, Equifax would be facing hundreds of millions of dollars in fines.
And that, itself, might be the biggest takeaway from all of this. Other companies need to take note and get in compliance before May 25, when the GDPR goes into effect, or else similar mistakes could have astronomical financial consequences.
And of course the last takeaway, agreed upon almost universally, was: don’t use “Admin” as a password to protect important databases. Admin is a default password, one that was clearly never changed after the setup.
It seems silly to have to say it. But, here we are…