Last week Equifax reported what is possibly the most significant cyber security breach in history – and they are now paying for it. According to MarketWatch, the company’s value plunged more than $3.5B in just 2 trading sessions. Equifax out of pocket costs may exceed $300M. Farhad Manjoo at The New York Times wrote a blistering piece titled “Seriously Equifax? This Is a Breach No One Should Get Away With.” And yes, the article’s just as pungent as the title – with some enlightening thoughts about national policy and the structure of the credit reporting market.
If you want some thought-provoking societal context for the breach, have a look at those two articles. But if you’re a cloud security professional wondering how to avoid your own Equifax mess, I do have some thoughts on how Lacework can help.
For the record, I have no inside technical information about the Equifax breach. I can, however, give you some insights into how you might protect yourself against similar attacks. According to SC Magazine (“Apache Struts vulnerability likely behind Equifax breach, Congress launches probes”), an exploit of Struts, an Apache web server extension, was probably behind it all. (Sophos has an outstanding piece describing the details: Apache Struts “serialisation” vulnerability – what you need to know).
The Struts issue is a remote code execution (RCE) vulnerability. Extensions for Apache, WordPress, and other popular web products have long suffered from RCE attacks. So why does anyone use them? It’s simple: they’d rather not re-invent the wheel. If Struts helps you get that web form online in a day, you’d probably use it too, right?
RCE vulnerabilities share a few notable characteristics:
- They allow the server to execute arbitrary code submitted by any web site visitor, typically with the same permissions given to the extension itself
- Stock software implementations usually enable far more functionality than you need for the task at hand (e.g. building a web form)
- Attackers are looking at the same CVE database as you are – all they have to do is weaponize the information
As an industry, we’ve responded to these threats by handing down 3 cyber security commandments:
- “Thou shalt not grant applications or users unnecessary permissions” (the principle of least permissions)
- “Thou shalt not enable functionality that exceeds thy needs” (turn off features you’re not using)
- “Thou shalt not allow production software to age without attention” (patch your software)
All kidding aside, these three commandments will keep you out of plenty of hot water, and they may have prevented the Equifax breach too. But easier said than done. Humans are weak, and we have a tough time following rules. I believe in these 3 commandments, but I also know how hard it is for most shops to live them.
That’s where Lacework comes in. Our approach is to simply watch for deviations from normal operations. So if your Struts extension goes for months doing nothing but writing to one database, and then suddenly begins talking to a new server, we’ll spot that and let you know (even if those servers have permission to talk to each other). If your WordPress photo gallery extension motors along peacefully and then suddenly launches a new process, we’ll send you an alert (even if that process is a part of the stock version of the extension). And if one of your admins was on vacation when that critical patch came through, we’ll keep an eye out for miscreants trying to take advantage (even if you never get around to that patch).
This is serious business, and it’s why I’m here at Lacework. We all send our heartfelt regrets out to everyone affected by Equifax. More than a few of us here are dealing with it too, and it’s no fun. If you’re in a position to keep that from happening at your company, please give us a call.