Equifax – lessons to be learned about online security
Equifax security breach- a few lessons that we can learn about online security
“As we move into the era of digitalization, are we ignoring the risks that come with it”
The Equifax data breach
In September 2017, Equifax (a consumer credit reporting agency) announced that it was a victim of a cyber security breach with more than 143 million customer records compromised [1]. In October 2017, they announced that a further 2.5 million users may have had their information stolen from the Equifax servers [2]. In the age of digitalization as more and more companies move their assets and operations online, Equifax can serve as a wake up call regarding the importance of understanding the risks associated with this move.
Exhibit 1. Equifax homepage sharing the details of the cybersecurity incident [3].
Equifax operates in the business to business space providing consumer credit information to its customers, ranging from insurance firms to banks and other financial institutions. While Equifax publicly announced about the breach in September, reports suggest that the hack took place months earlier in May-June 2017 [4] and that Equifax may have even known about the issue as early as July 2017, based on the fact that key executives ended up selling their stock options right after the data breach took place [5]. But were there visible signs that Equifax ignored that might have helped them mitigate the risks and prevent this attack from happening? The hackers exploited a security vulnerability,CVE-2017-5638 [6], associated with Apache struts, a software framework used by Equifax. The security issue was published on March 10 and was rated as a risk based on a CVSS score of 10 (please see Exhibit 2). Equifax had a lot of time to address the issue and in multiple instances security analysts reported the lack of support for security updates [7].
Exhibit 2. The security issue that led to the Equifax breach(published on March 10,2017) [6].
Some lessons to be learned
As a company moves into the digital space, all the positives that come along with it may conveniently drown out all the risks. Equifax made the same mistake and failed to acknowledge the inherent risks that came with the domain that they operated in. The annual report released by the company had zero keywords mentioning the risks associated with data breaches and Equifax may not be the only company at fault in this regard [8].
Going through the list of all the companies that have had to deal with hacking incidents, from Yahoo to Sony, a common trend that a lot of companies have followed is that they first ignore the issue, then try to hide the issue once they become aware of the consequences and finally try to deny the extent of impact. This is exactly what happened in the case of Equifax as well.
Equifax didn’t have the firewall to protect itself and the fact that they only announced the breach 3-4 months after it took place does not inspire confidence in their ability to even detect fraud, let alone protect against it. Some of the steps that companies exposed to security attacks should do is to understand the industry that they are in and have a well trained security team to keep their systems up to date. As security issues are exposed, it is extremely important to involve the community of white hats, a term used to describe an ethical computer hacker, by setting up bug bounty programs that rewards security experts for finding and reporting risks associated with your system. It is also extremely vital to have pre-set processes to deal with cases of security breaches and be in a position to protect your customers.
Equifax may have been one of the largest security breaches but we have seen security issues affecting a whole range of well reputed companies ranging from JP Morgan Chase to Ebay, LinkedIn and Yahoo. Going through the list of officially reported security vulnerabilities, we can see that there are multiple security issues released every month and it requires a lot of time and effort to get on top of these issues [9]. Companies who have not updated their systems for a while, could find themselves in a situation in which they may have to re-configure a big part of their systems.
As we go forward in this era of digitalization, we need to think about a few questions : Is Equifax a mere representation of an entire range of companies exposed to the risk of security breach? While it is imperative for companies to be aware of the inherent risks and damages which a security incident can cause, how can companies protect themselves in the time of the dark web and tor ? How should companies deal with the aftermath of a hacking attack ?
[Word count : 785]
Sources:
[1] https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html
https://www.theatlantic.com/business/archive/2017/09/equifax-cybersecurity-breach/539178/
[2] https://www.forbes.com/sites/winniesun/2017/10/02/what-you-should-do-now-after-the-equifax-security-leak/#1ca73e482123
[3] https://www.equifax.com/personal/
[4] http://money.cnn.com/2017/09/08/technology/equifax-hack-qa/index.html
[5] https://www.npr.org/sections/thetwo-way/2017/09/08/549434187/3-equifax-executives-sold-stock-days-after-hack-that-wasnt-disclosed-for-a-month
[6] https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-5638
[7] https://securityboulevard.com/2017/09/the-equifax-breach-the-signs-were-there/
[8] https://www.huffingtonpost.com/entry/the-equifax-breach-and-5-years-of-missed-warning-signs_us_59bf2480e4b06b71800c3b07
[9] https://www.cvedetails.com/vulnerability-list/year-2017/vulnerabilities.html
Large scale hacks like Equifax beg an even bigger question: Can companies and our government ever fully protect themselves from data breaches? If we take the most secure systems, it seems that there will always be a hacker or team of hackers out there who can beat it. Cyber security reminds me of diseases – you find a cure for one disease, but then just as quickly a new one has popped up.
E.C. Scott, completely agree there is no such thing as a perfectly secure system. Given enough resources, any system can be broken into. One way to look at this is that an organization’s security systems need to be secure enough that the cost to break into the system far outweighs the benefit of doing so. It is a difficult thing to measure that threshold and but an appropriate risk analysis can help you detect that level and that can allow the organization to invest in security protocols and teams accordingly. In this particular case, equifax failed to consider the risks and therefore had a very low threshold for security breach.
To your question about how companies should address issues like this: A theme I see with the hacked companies you mention is that they didn’t seek to add protections above and beyond their view of the baseline amount – and that came back to haunt them, especially when their view of the baseline amount was faulty (like Equifax’s lack of a robust firewall). I think one of the important ways for companies to handle the fallout of security breaches like this is to be able to tell their customers all the many defensive mechanisms they did have in place ahead of time. Even when they fail to stop the attack, this would give them an advantage for retaining/regaining consumer trust. The companies hit the hardest are the ones that didn’t seem to even try to keep consumer data safe, and those who don’t adequately or quickly acknowledge the problem – just like Equifax.
Equifax certainly had a Web Application Firewall. Every WAF comes with the OWASP ModSecurity core ruleset (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project) to protect against the top 10 most common vulnerabilities (e.g. SQL injection, XSS scripting, etc…). The challenge is WAF ruleset management. Every open-source HTTP server, whether it is Apache or Nginx, will have CVEs (http://nginx.org/en/security_advisories.html). Updating a WAF with rules to defend against new vulnerabilities requires multiple updates for an on-premise WAF box. Enter the power of the cloud. A cloud-based WAF can update these new rules immediately, on the operators behalf. For this reason legacy organizations, like Equifax, should layer on a cloud-based WAF with their on-prem equipment. Barracuda, a WAF vendor, sold to PE firm Thoma Bravo on November 27 (http://www.zdnet.com/article/barracuda-networks-is-sold-to-thoma-bravo-for-1-6-billion/) because on-premise boxes are the past, not the future. The lesson to me here isn’t a lack of proper equipment, it’s a lesson on time to remediation. Remediation times drag with on-premise equipment. The future is not on-premise, it’s in the cloud.
I agree with your point that moving a lot of your security dependencies to a centrally managed architecture, cloud or otherwise, can allow an organization to apply comprehensive system wide updates in a more timely manner. The issue that I see with a lot of organizations with a legacy infrastructure is that it is a massive effort to move their deeply integrated systems to a new platform. It also becomes difficult to justify doing so as it comes at a very high cost and the risk of having system downtimes, especially when there may not a lot of visible business impact.