THE EQUIFAX FIASCO AND THE COST OF REACTIONARY CYBERSECURITY POLICIES
By Traci Easton, Friend of the Andersen Alumni
Although the ‘official’ root cause for the hack hasn’t been published yet, there is a lot of chatter about the reasons for the breach. The current contender is a previously known vulnerability in Apache Struts, a popular open source framework for developing Java web applications. Struts is used by many large companies; the difference is that most of them have a proactive cybersecurity group with policies and procedures in place to protect against such breaches, hopefully that is not wishful thinking. According to IBM, approximately 99% of all breaches occur through the exploitation of known vulnerabilities that have not yet been patched.
Now Equifax faces the daunting task of rebuilding a very battered image and getting ready for an onslaught of lawsuits, 100+ so far and counting, from organizations, banks, mortgage lenders and individuals.
So, what happened?
Specifically, the Struts flaw being pointed to (CVE-2017-5638, which the Apache project tracked as advisory S2-045) lets a remote attacker execute arbitrary commands on the server by placing an OGNL expression in an HTTP header, in this case Content-Type, which the framework’s Jakarta Multipart parser evaluated while building an error message: textbook Remote Code Execution. Attacks of this kind are increasingly common, and the basic countermeasure is to apply the vendor patch; Apache had published fixed releases in March 2017, yet the system appears not to have been patched, a patch that could well have thwarted this attack in the first place. Normal security patch management practices were ignored. Patch management is the most basic of the tasks required to protect your environment from known security vulnerabilities. There are good products and services available to identify and patch the systems that need it and to demonstrate compliance, and that is by far the cheaper option compared to what Equifax is now up against. Truly, an ounce of prevention is worth a pound of cure.
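Two checks that a patch management program would automate for the Struts issue just described, written here as an added example (not code from the original article, from Equifax or from the Apache project): a version check against the fixed releases named in the S2-045 advisory, and a compensating detection that flags requests whose Content-Type header carries an OGNL expression marker. The sample requests, hostnames and the probe-shaped header value are constructed for illustration and are not captured traffic.

```python
"""Added example: two checks a patch-management program would automate for the
Struts issue discussed above (CVE-2017-5638 / Apache advisory S2-045).

Version ranges follow the advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10 are
affected; 2.3.32 and 2.5.10.1 carry the fix. The sample requests below are
constructed for illustration and are not captured traffic.
"""
import re
from typing import Optional

# (lowest affected, first fixed) per Struts 2 branch, from S2-045.
AFFECTED_RANGES = {
    (2, 3): ((2, 3, 5), (2, 3, 32)),
    (2, 5): ((2, 5), (2, 5, 10, 1)),
}

# OGNL expressions open with %{ or ${. A conformant multipart boundary
# (RFC 2046 bchars) cannot contain '%', '$' or '{', so a legitimate
# Content-Type value never matches this.
OGNL_MARKER = re.compile(r"[%$]\{")


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); a '-SNAPSHOT' style suffix is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_struts_vulnerable(version: str) -> bool:
    """True if this Struts 2 release falls inside an S2-045 affected range."""
    v = parse_version(version)
    branch = AFFECTED_RANGES.get(v[:2])
    if branch is None:
        # Only the 2.3.x and 2.5.x branches are named in the advisory.
        return False
    lowest, fixed = branch
    return lowest <= v < fixed


def content_type_of(raw_request: str) -> Optional[str]:
    """Return the Content-Type header value of a raw HTTP/1.1 request, if any."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None


def flag_ognl_content_type(raw_request: str) -> bool:
    """Compensating detection: does the Content-Type carry an OGNL expression?"""
    ct = content_type_of(raw_request)
    return bool(ct) and OGNL_MARKER.search(ct) is not None


# Constructed samples: a normal multipart upload and a probe-shaped request.
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SUSPICIOUS_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "content-type: %{(#_='multipart/form-data').(#probe='s2-045')}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        state = "VULNERABLE" if is_struts_vulnerable(ver) else "patched"
        print(f"struts {ver}: {state}")
    for label, req in (("benign", BENIGN_UPLOAD), ("suspicious", SUSPICIOUS_UPLOAD)):
        print(f"{label}: {'ALERT' if flag_ognl_content_type(req) else 'ok'}")
```

The version check is the patch management half: run it against the Struts jars an inventory scan finds and anything it flags is a system the program has failed. The header check is only a compensating control for the window before the patch lands, and it needs a log source that records request headers (a reverse proxy or WAF), since ordinary access logs do not.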
Now understandably, the full details and circumstances of this breach are not out yet, but the keepers of our data, whether banks, hospitals or any other institution we entrust with it, have an obligation to maintain that data to the best of their ability so that trust is retained. Adding fuel to the fire, the response was less than impressive: the hastily assembled website www.equifaxsecurity2017.com, a stand-alone domain rather than a page under equifax.com and therefore hard for the very consumers it was meant to reassure to tell apart from a phishing site, and the response (or non-response) its automated lookup came back with.
Simply put, there has been a breakdown of the system at Equifax, top to bottom; trust has been lost, and that has consequences. Maybe it’s time to evaluate your relationships, especially ones that could make or break the trust consumers place in you.
If you are trying to mitigate your vulnerabilities you may want to consider the following three things:
- Vulnerability Management Program Gap Assessment: A top-down review of your vulnerability management program, from documentation to execution. Review your organization’s Vulnerability Management Program documentation, interview personnel to evaluate processes, and perform internal and external network vulnerability and penetration testing to evaluate the effectiveness of the program.
- External Network Vulnerability and Penetration Testing: Allows a trusted third party to engage your infrastructure in the same fashion as an adversary. Exploiting known vulnerabilities to gain access may then lead to lateral movement within the organization. The end goals of the penetration test are defined by the client.
- External Application Security Testing: Trusted third party testing focused specifically on externally facing web applications. Automated and manual vulnerability and penetration testing is performed on the applications to confirm that secure coding practices and web server configurations are in use.
It’s these solutions that help mitigate your risk against the threats that are coming. If you need a partner you can trust, Solutions II, founded in 1992, operates under a policy of Quality, Passion and Integrity, and it is with those guidelines that our solutions have been crafted to help our clients achieve their business objectives. Evaluate us at www.solutions-ii.com. We can help you address all your security needs, from assessments and remediation to compliance. For all this and more, please visit our website and download our services catalog.