
Security InfoWatch: More questions than answers in Equifax hack

September 15, 2017

It is being called the most devastating consumer information breach in history. The more than 143 million consumer credit records hacked from Atlanta-based Equifax earlier this spring exposed all sorts of personal data, including Social Security numbers, credit card numbers, birth dates, home addresses, drivers' license information, and "dispute documents" from consumers contesting alleged credit violations. The magnitude of the breach is staggering when you consider that nearly half of the nation's population and almost 100 percent of its workforce has been affected.

Many security experts have come down hard on Equifax for waiting more than two months to report the breach, which supposedly occurred between mid-May and July. The financial company realized it had been compromised on July 29 but failed to inform the public until September 7, noting it was conducting internal investigations.

"I can only surmise that it took them 40 plus days to reveal the breach because they brought in a forensic company to identify the gaps in their security so that they, in turn, could fix those vulnerabilities. They also needed to confirm the scope of the breach – how much data was compromised. This would include what type of personally identifiable information, the people impacted, and corporate accounts that shared the data," says Steven Bearak, CEO of IdentityForce.

Bearak adds that it might have taken time to notify law enforcement and ask for their assistance in the investigation, along with putting a crisis management plan in place outlining the timing of the public announcement and what the message would be in addition to what they would offer publicly to those impacted by the breach. "I believe that announcing the breach on Thursday, September 7 at 5 PM Eastern Time was intentional. The stock market had closed and they were coming up on the weekend when fewer people may have been following the news so closely. They also distributed a pre-recorded video featuring their CEO, along with online access to a database search to verify if your information was exposed, and an offer for consumers."

But the federal government and several government agencies aren't likely to let Equifax escape with a simple mea culpa. The Washington Post reports that the Federal Trade Commission launched an investigation of the massive data breach late this week, joining New York Attorney General Eric Schneiderman's formal investigation into the hack last Friday. Congress is also poised to launch its own investigation, as Democratic Congressman Ted Lieu of California has teamed with House Judiciary Committee Chairman Bob Goodlatte and ranking member John Conyers to explore the breach. According to CNN Money, House Financial Services Committee Chairman Jeb Hensarling, a Texas Republican, has said his committee will hold its own hearings.

Lawsuits have already been announced by several states against Equifax, including Georgia and Massachusetts, with most figuring to morph into a giant class-action lawsuit, which would go on record as one of the nation's largest ever.

"The Equifax breach is the one that pulled down all of America's pants. The information you kept closely guarded is now out there in the hands of the bad guys. By taking all the information someone would check to validate your credit, it is now quite simple to impersonate you and take money from anywhere based on your outstanding credit rating," warns Andrew Bagrin, founder and CEO of OmniNet, a leading Firewall-as-a-Service (FWaaS) provider to businesses and organizations of all sizes. "The good news is that with close to 150 million records stolen, there are not enough bad guys to exploit all of it anytime soon; the chances of your identity actually being used is low. At the same time, this breach has put everyone on the same playing field. Instead of the identities of only those who are careless getting continuously stolen, this reduces their recurring events and increases the events of those whose identity was previously safe."

Jeff Williams, Co-Founder and CTO at Contrast Security, says that "consumers are basically screwed" since their social security numbers are now public. "There are so many things that depend on this that it's hard to imagine removing our dependency on this now public identifier. So, identity theft is going to be much easier."

He recommends that organizations should immediately take the following measures:

  • Ensure that all their applications are secure against both known vulnerabilities in libraries and custom vulnerabilities in their own code, which are even more prevalent than problems like this.
  • Establish the ability to identify and protect against application attacks.
  • Establish the ability to respond to new attacks within a matter of hours, across their entire enterprise.

While this latest data breach has many organizations reassessing their security measures, Equifax is now admitting that it has isolated the culprit that brought down its house: a security vulnerability in the Apache Struts framework, an open source Model-View-Controller (MVC) framework used to build Java web applications.

"More often than not, we are seeing breaches as a result of an organization's failure to implement security 101 principles, proper patch management, secure software development, processes and procedures. It's the basic things that organizations fail to do, again and again," chastises Leigh-Anne Galloway, Cyber Security Resilience Officer at Positive Technologies. "There's been a number of Apache Struts vulnerabilities identified recently – Cisco revealed a number of flaws in the open-source framework just last week – and web application vulnerabilities are unfortunately common. In this case, the vulnerability allowed attackers to execute arbitrary code on a server by manipulating the Content-Type HTTP header. Given how often flaws of this nature are discovered, it's therefore not a huge surprise that an exploit of the vulnerability was the entry point for the Equifax breach. The cause though was a failure on Equifax's part to patch the issue when a fix became available. The Equifax breach is an example of where some simple measures like a Web application firewall and patch management could have prevented a breach of unprecedented scale from occurring."
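Galloway's two points, a malformed Content-Type header as the entry point and a web application firewall as a compensating control, can be shown together with a small defender-side check. The following Python is an added example written for this article; it is not Equifax's, Apache's or Positive Technologies' code. It validates the Content-Type header against a simplified version of the RFC 7231 media-type grammar (an allowlist, so anything that is not `type/subtype` with well-formed parameters is rejected regardless of what it contains), flags values that carry expression-language syntax for separate reporting, and runs the same check over constructed access-log lines in a hypothetical log format so that past requests with such headers can be found during incident response. The log format, the IP addresses and the timestamps are all constructed for the example.

```python
import re

# Simplified RFC 7230/7231 media-type grammar (assumption: parameters are
# token=token or token="quoted-string"). tchar deliberately excludes
# '{', '}', '(' and ')', so expression syntax never fits the allowlist.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE_RE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*\s*$"
)

# Markers of server-side expression syntax that have no business in a
# media type; reported separately so they stand out in triage.
EXPR_MARKERS = ("%{", "${")


def classify_content_type(value: str) -> str:
    """Return 'ok', 'expression' or 'malformed' for a Content-Type value."""
    if any(marker in value for marker in EXPR_MARKERS):
        return "expression"
    if MEDIA_TYPE_RE.match(value):
        return "ok"
    return "malformed"


def should_block(value: str) -> bool:
    """Reverse-proxy / WAF decision: only well-formed media types pass."""
    return classify_content_type(value) != "ok"


# Hypothetical access-log format (constructed for this example):
#   <timestamp> <client ip> "<request line>" content_type="<header value>"
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<req>[^"]*)" '
    r'content_type="(?P<ct>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, and the expression value is a placeholder.
SAMPLE_LOG = [
    r'2017-09-15T10:00:00Z 203.0.113.5 "POST /upload" content_type="multipart/form-data; boundary=----abc123"',
    r'2017-09-15T10:00:01Z 203.0.113.5 "POST /api/v1/disputes" content_type="application/json"',
    r'2017-09-15T10:00:02Z 198.51.100.7 "POST /upload" content_type="%{#constructed_placeholder}"',
    r'2017-09-15T10:00:03Z 198.51.100.9 "POST /upload" content_type="text/plain; charset"',
    r'2017-09-15T10:00:04Z 203.0.113.8 "POST /api/v1/disputes" content_type="text/plain; charset=\"utf-8\""',
]


def scan_log(lines):
    """Return one finding per request whose Content-Type is not well-formed."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            findings.append({"line": line, "verdict": "unparsed"})
            continue
        # The log writer escaped embedded quotes; undo that before parsing.
        content_type = m.group("ct").replace('\\"', '"')
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            findings.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "request": m.group("req"),
                "content_type": content_type,
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The allowlist is the important design choice: a blocklist of known-bad strings has to be updated for every new variant, whereas a grammar check rejects the malformed header before the framework ever parses it. Placed in front of an application that cannot be patched immediately, `should_block` buys time; run over historical logs, `scan_log` answers the first incident-response question, whether anyone sent such headers and when.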

Josh Mayfield, a platform specialist with Immediate Insight at FireMon, admits he is less than impressed with the immediate public statement from Equifax CEO Richard F. Smith, which stated: "While we've made significant investments in data security, we recognize we must do more. And we will."

Mayfield says that statement is very revealing.

"This is something I hear from countless leaders in business and security where 'significant investments in data security' have been made. Now, Equifax has extremely valuable data – everyone can agree on that point. They have every incentive to keep that data secure; after all, that is their business as a data provider," he continues. "If a company like Equifax can make significant investments, have every incentive to keep the most sensitive kind of information secure, but still experience a breach, it stands to reason that our playbook needs a revision. The security playbook consists of a few guidelines and directives, and most organizations have been following this playbook for many years."

As Mayfield sees it, the primary directives of the security playbook are:

  • Collect a lot of data
  • Store that data in a big database with finely tuned models
  • Sit back and wait for the alerts to stream

"But if the playbook would have worked, then the playbook would have worked. Seeing what happened to Equifax should awaken us to the realization that we must do something different. These things happen because we continue to follow an outdated playbook with directives that haven't evolved to address the changes in the world," Mayfield says. "These investments do not address the evolving security landscape, the attack surface growth, or adversary goals. Legacy security investments continue to miss these attacks – like web applications that are left vulnerable to exploit. Secondly, the playbook does not appreciate the mindset of assumed compromise. As organizations continue to adopt this mindset, a new set of plays is needed to serve the new paradigm."

Dr. Richard Ford, chief scientist at Forcepoint, points out that the Equifax breach embodies the threat environment most organizations face every day. He says this is the new normal.

"The rise of large-scale data collection and aggregation has placed considerable pressure on organizations to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data, the greater the liabilities caused by a breach. The threats to this data are diverse, ranging from the apparent hack disclosed here to accidental loss by authorized users. Focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences," says Ford. "Companies need to augment legacy defenses with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of people, data and systems can become the critical point for effective security and compliance."