Lessons learned from the Equifax Breach – Part 1

First, props to @briankrebs for the evil Equifax logo. 

While those unaffected by the Equifax breach have been stuffing their faces with proverbial popcorn as they watch the latest unveilings and press announcements, those worried that their most sensitive and identifying details have been leaked simply look on in horror, unknowing how to proceed.

The exact details of how the hackers made off with so much data remain fairly obscure. Equifax has stated that their investigation, which started when the breach was first discovered at the end of July, isn’t quite complete yet.

What Equifax has said is the “attack vector” was a vulnerability in the Apache Struts subsystem – CVE-2017-5638, first reported in March. Struts is an add-on to the widely used, open-source Apache web server software. The vulnerability impacts the processing of uploaded data (think usernames and passwords, or requests to look up a person in your massive credit database). This hole allowed a crafted input to be read as code and run by the web server, rather than just fed in as data to be looked up.

Just how big a part this months-old flaw played isn’t clear. There’s been speculation that other Struts vulnerabilities may have played a part, including one disclosed just before Equifax unveiled their breach.

Once the data leak went public, security bods have gone to town digging into the Equifax online infrastructure, finding rafts of other holes, gaps, bad practises and downright stupidity. Any of these may have helped the hackers navigate and pull down their vast haul of data.

Why a flaw, which has been known about since March, was still not patched in mid-May (when the breach is thought to have started) let alone late July when it was finally noticed, leads us to question how seriously they took security in general.

Presumably, such a large number of records being accessed would be more than a minor increase in the traffic to Equifax’s databases. A company whose main business is supposed to be handling highly sensitive financial information should surely be paying close attention to great chunks of it being accessed outside their normal patterns of usage.

This should, you might think, be especially the case in the wake of several other breaches at Equifax over the last couple of years. The natural response to learning that your systems are vulnerable to attack should be to throw everything you can at shoring them up, replacing or repairing the weaker links, and most importantly keeping a close eye out for anything at all suspicious or unexpected.

Whether Equifax lacked the will or the ability to properly monitor who was accessing the highly sensitive data they hold, the whole business smells of neglect and incompetence. No surprise then that Equifax swiftly announced the “retirement” of their CIO and CSO.

So, time for the big question. What can the rest of us learn from this Equifax catastrophe, hmmm?

Tuning legacy systems is NOT optional

Many of us are bad at maintaining legacy systems. First, it isn’t always fun work to trawl through old code, looking for possible vulnerabilities.

As Forbes mentioned, since the Equifax SNAFU, white hat hackers have been probing the Equifax website, looking for insecurities, and – you guessed it – they found many.

“The good-guy hackers have found myriad old technologies running the Equifax site, many of which could be vulnerable to cyberattack. Researcher Kenneth White discovered a link in the source code on the Equifax consumer sign-in page that pointed to Netscape, a web browser that was discontinued in 2008. Kevin Beaumont, a British security pro who’s spent 17 years helping protect businesses, found decade-old software in use.”

Netscape, for G-d’s sake….

So, while I get that it might not be fun to review old code and systems, anybody responsible for a ginormous database crammed with the most personal of information has a moral, ethical and (i hope) legal responsibility to review systems and applications regularly, sniffing out any problems and baking in du jour security.

Take-Away
If you are responsible for systems that either collect or maintain personally identifiable data, schedule regular deep-dives into the inner workings to ensure that you are not rolling out the red carpet for ne’er-do-wells. Not only will this help you keep the regulators at bay during an accidental breach, but you it will also help protect your customers, shareholders, business partners and employees. 

Reparations

So now, millions of people want to know whether they were among the 140+ million whose identity has been compromised. How is one supposed to go about this? The current recommended approach by Equifax is to visit https://www.equifaxsecurity2017.com/ and enter your last six digits (not four!) of your SSN. Am I alone in thinking this is verging on the insane? To my mind, this data is no longer a viable way to identify an individual.

Take-Away

With all this sensitive information now in the public domain, Equifax and others like them need to recognize that dates of birth and SSNs are no longer a reliable means of identifying people. Once the data is out there, anyone can use it to pretend to be whoever they like, and the true owner of the data has no way to change it to regain control. The irony of this situation is that perpetuating and mitigating our broken approach to identity is Equifax’s core business, and this leak has slammed another nail into the coffin of their whole business model.
Expecting people to prove who they are to you by handing over (part of) a “secret” code that you’ve just leaked to the entire world is clearly not going to build trust.

Trust between Equifax and the public remains severely damaged, as demonstrated by the stock price steadily plummeting following the breach. Should you find yourself a victim of a breach, think long and hard about how you approach the fix. Pave the way for your users to get the information, advice and compensation they deserve without requiring them to part with yet more sensitive and identifiable information.

See Part 2 of Lessons learned from the Equifax Breach


How TBG Security can help

TBG Security provides quality penetration tests and risk assessments tailored to your specific needs. Whether you are a governing body, a financial institution, an insurer, a legal or accountancy firm, or a online provider, we can help.

Get in touch. We can chat about your needs and help you figure out the best approach for you.

Previous ArticleLessons learned from the Equifax Breach – Part 2 Next ArticleCISOs, Do you have enough resources to do your jobs? No, we didn’t think so.