Photo by Jon Tyson on Unsplash
Remember the Equifax breach? It was huge; to note: 148 million consumers around the world had their credit records stolen, the company lost almost $6 billion in market cap wiped out, and it has burnished a cautionary tale into the places in CEO’s brains where nightmares are made. The impact and notoriety of the breach was so impactful that The Oversight Committee of the U.S. House of Representatives conducted a year-long study to understand why it happened, how it happened, and how it can be prevented in the future. For Equifax executives, it’s damning. For the rest of us it’s an easy-to-follow blueprint for what not to do.
The House Oversight Committee found that, basically, Equifax was simply lazy and careless. There was no massively coordinated effort among nefarious hackers, nor any particularly complex algorithmic approach behind the breach. Equifax was found to have had lax security practices and relied on systems and tools that were outdated and mismanaged.
The report is condemning and accusatory, but you should take the time to read it because it can serve as an example of what NOT to do for anyone and every organization that handles sensitive data. And that’s pretty much all of us.
Again, the findings of the Committee demonstrate a shocking lack of attention paid to data protection. Now, consider that the only thing this company does is create, analyze, and sell data. A reasonable person would expect a rigorous effort put to the test of security, but that was not the case. The report explains that, among other things:
- The company had already been warned by the Department of Homeland Security that they needed to fix a known vulnerability in Apache Struts, but it had been ignored.
- The engine powering the Apache Struts server was an operating system supporting the ACIS platform, which was housed on decades-old servers made by Sun Microsystems.
- Attackers were able to pop a web shell on top of the Sun server, which essentially gave them total access.
- Once in through the server, the attackers discovered an unencrypted file of passwords which gave them access to 48 databases that held unencrypted consumer credit data.
- The attackers sent more than 9,000 queries to these databases on 265 separate occasions. Each time they exfiltrated credit card user data.
So you might be shaking your head right about now, as this all seems absurd. How could a massive, global, data behemoth not know that all of this was happening? Well, do you know what’s happening in your environment right now?
This isn’t meant to point fingers at Equifax, or at anyone. The fact is that data moves, changes, and transacts at an unimaginable pace, and the infrastructure required to support it demands a full-time, continuous management effort. We aren’t able to see everything that’s happening in our cloud environments, nor can we apply a human effort to the forensics needed to identify sources of vulnerabilities.
But this is precisely why automation and a continuous approach are critical for every organization. While few organizations will fail as gloriously as Equifax did (remember, this is a company whose CEO, Richard Smith, passed blame onto a single member of the company’s IT team while pretending it wasn’t his fault. You can print this — it was most definitely his fault), but no one really knows what’s happening to their data and resources unless they have a tool that identifies, analyzes, and reports about threats.
Take this tidbit, for example; the report states, “Equifax did not see the data exfiltration because the device used to monitor network traffic had been inactive for 19 months due to an expired security certificate…” Just look at that sentence. If you don’t know you have an expired security certificate, then you probably also aren’t aware that your monitoring device is inactive, and if that’s inactive, you can’t detect data exfiltration. The idea here should be to keep this simple; know where the threats and vulnerabilities are, ensure you are alerted to them immediately, and apply appropriate remediation.
The former company CIO even admitted that, had they known about the issues within the Struts, it could have been fixed immediately with a patch. But they weren’t aware of the vulnerabilities. They also clearly didn’t have a culture that suggested it would be interesting to know if 9,000 suspicious queries were being made to servers that held precious data.
No one wants to be the example of what not to do, but if there is any silver lining in any of this, perhaps Equifax can provide an anti-roadmap. We can learn from Equifax’s misfortunes and create a strategy for operating in environments that are inherently insecure by taking measures to strengthen our enterprise security posture and ensure that we can eliminate vulnerabilities and have confidence that we can rapidly fix those we become aware of. The key is just that, however — awareness. It breeds the ability to control and without control we have very little hope for avoiding the fate of Equifax and so many others like it.
There will be another breach, soon. And then another after that. Technology isn’t perfect, and the potential for risk will always be part of our digital world, but we need to stop making it easy for hackers to take advantage so easily.