The United States Senate Permanent Subcommittee on Investigations recently published a report titled “How Equifax neglected cybersecurity and suffered a devastating data breach”. It details which factors contributed to the data breach at Equifax and how Equifax’s competitors (TransUnion and Experian) successfully mitigated the same threat. The report is around 71 pages long and if you happen to have the time, I would certainly recommend going through it. This post captures the key findings from the report and translates them into lessons for avoiding a similar incident.
Here is some background context (skip this part if you already know what happened at Equifax).
[Given the press the incident has received, I doubt there will be many people reading this section at all, but nonetheless:]
On September 7, 2017, Equifax announced that it had suffered a data breach impacting over 145 million Americans. A vulnerability in Apache Struts – a widely used web application development software – facilitated the breach. The hackers who exploited this vulnerability were able to gain access to the Equifax online dispute portal and then other internal company databases.
What went wrong at Equifax:
- Failure to prioritize cybersecurity, putting customer PII at risk – Until 2015, Equifax had no written corporate policy governing the patching of known vulnerabilities. After the policy was implemented in 2015, an audit revealed a backlog of over 8500 known vulnerabilities that had not been patched. This included over 1000 vulnerabilities that auditors deemed critical, high or medium risk and that were found on systems accessible to individuals outside Equifax’s IT networks.
- Equifax never conducted another audit after the 2015 audit and left several of the issues identified in that audit report unaddressed in the months leading up to the 2017 data breach.
- Information about the vulnerability in Apache Struts failed to reach the right people at Equifax (though it reached around 400 Equifax employees).
- Tools necessary to exploit the vulnerability in Apache Struts were publicly available and easy to use.
- Failure to comply with its own policies when patching the vulnerability that ultimately caused the breach – Equifax’s patching policy required that critical vulnerabilities be patched within 48 hours, but this was never adhered to.
- Absence of an asset inventory system – Equifax lacked a comprehensive inventory of its IT assets. As a result, Equifax did not know whether or where it used Apache Struts on its network.
- Cybersecurity activities like patching were rated as “lower level responsibilities” by the then CIO in 2017.
- Equifax used what is called an “Honor System” for patching vulnerabilities.
- Other weaknesses in the infrastructure allowed the hackers to cause further damage – Equifax did not segment its systems to restrict unnecessary access to other systems once a user was inside the dispute portal. This was a conscious decision by Equifax to support efficient business operations and functionality, but it was inconsistent with the standard recommended in the NIST Cybersecurity Framework.
What worked well for Equifax competitors (TransUnion and Experian):
- The right focus on cybersecurity
- They maintained an accurate and updated IT asset inventory
- Regular scans on a timely basis
- Timelines and processes in place for patch management
Key lessons:
- Maintain the right focus on cybersecurity
- Maintain an accurate asset inventory
- Ensure vulnerability assessment coverage for all IT assets
- Ensure compliance with patch procedures and timelines
- Have an internal audit team and empower them appropriately
- Conduct audits from external teams regularly
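As an added illustration of the asset-inventory, assessment-coverage and patch-timeline lessons above (example code written for this post, not anything from the Senate report or from Equifax), the following Python joins a constructed asset inventory against a constructed advisory, flags every host running an affected version, and reports which hosts have exceeded the 48-hour critical-patch deadline that the report quotes from Equifax’s own policy. Hostnames, version numbers and dates are assumptions, and an inventory gap (a host missing from the list) simply never gets checked, which is exactly the failure the report describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CRITICAL_SLA = timedelta(hours=48)  # Equifax's own policy, per the report: critical fixes within 48 hours

def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Asset:
    host: str
    internet_facing: bool
    software: dict  # component name -> installed version string, as recorded in the inventory

@dataclass
class Advisory:
    software: str
    fixed_versions: list  # first fixed version of each release branch
    severity: str
    published: datetime

def is_affected(asset, adv):
    """True if the asset runs adv.software below the fix for its release branch.
    A branch with no listed fix is treated as affected (conservative default)."""
    installed = asset.software.get(adv.software)
    if installed is None:
        return False
    inst = parse_version(installed)
    for fv in adv.fixed_versions:
        fixed = parse_version(fv)
        if inst[:2] == fixed[:2]:  # same release branch, e.g. 2.5.x
            return inst < fixed
    return True

def sla_report(inventory, adv, now):
    """Map each affected host to 'breach' or 'within_sla', internet-facing hosts listed first."""
    if adv.severity != "critical":
        raise ValueError("only the 48-hour critical SLA from the report is modelled here")
    deadline = adv.published + CRITICAL_SLA
    affected = sorted((a for a in inventory if is_affected(a, adv)), key=lambda a: not a.internet_facing)
    return {a.host: "breach" if now > deadline else "within_sla" for a in affected}

# Constructed sample data: hostnames, versions and dates are illustrative, not taken from the report.
INVENTORY = [Asset("dispute-portal-01", True, {"apache-struts": "2.3.31"}),
             Asset("batch-02", False, {"apache-struts": "2.5.10.1"}),
             Asset("legacy-app-03", True, {"apache-struts": "2.1.8"}),
             Asset("db-04", False, {"postgresql": "9.6"})]
ADVISORY = Advisory("apache-struts", ["2.3.32", "2.5.10.1"], "critical", datetime(2017, 1, 1))
SAMPLE_NOW = datetime(2017, 1, 4)  # three days after publication, so past the 48-hour deadline
```

Running `sla_report(INVENTORY, ADVISORY, SAMPLE_NOW)` lists the two internet-facing hosts as SLA breaches; the host on an unlisted older branch is flagged rather than silently skipped.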
ThreatWatch collects cutting-edge vulnerabilities being reported in the wild using AI algorithms running 24×7. It integrates with your asset inventory system to provide continuous and proactive vulnerability assessment for your assets in near real time. With ThreatWatch’s no-scan, zero-touch approach, there is no need for scheduled scans anymore. ThreatWatch allows information to be disseminated to the right people and groups in your organization in an efficient and seamless manner. ThreatWatch also provides detailed context around each vulnerability (as below) to help you make an informed decision:
- severity rating for the vulnerability
- whether the vulnerability is exploitable
- whether a patch exists
- social media coverage for the vulnerability (Twitter, etc.)
Contact us for more details on how ThreatWatch can help your organization improve its security posture.