It is being called the most devastating consumer information breach in history. The more than 143 million consumer credit records taken from Atlanta-based Equifax during May, June and July contained all sorts of personal data, including social security numbers, credit card numbers, birth dates, home addresses, drivers' license information, and “dispute documents” from consumers contesting alleged credit violations. The magnitude of the breach is staggering when you consider that nearly half of the nation’s population and almost 100 percent of its work force have been affected.
Many security experts have come down hard on Equifax for waiting more than two months to report the breach. While the financial company realized it had been compromised on July 29, it failed to inform the public until Sept. 7 – noting it was conducting internal investigations.
“I can only surmise that it took them 40-plus days to reveal the breach because they brought in a forensic company to identify the gaps in their security so that they, in turn, could fix those vulnerabilities,” says Steven Bearak, CEO of IdentityForce. “They also needed to confirm the scope of the breach – how much data was compromised. This would include what type of personally identifiable information, the people impacted, and corporate accounts that shared the data.”
Bearak adds that it might have taken time to notify law enforcement and ask for their assistance in the investigation, along with putting a crisis management plan in place. Additionally, Equifax had to outline the timing of the public announcement and what the message would be, including what they would offer to those impacted by the breach.
“Announcing the breach (precisely) on Thursday, Sept. 7 at 5 p.m. ET was intentional,” Bearak says. “The stock market had closed and they were coming up on the weekend, so fewer people may have been following the news closely. They also distributed a pre-recorded video featuring their CEO, along with online access to a database search to verify if your information was exposed, and an offer for consumers.”
The National Response
The federal government – along with several state governments – is not likely to let Equifax escape with a simple mea culpa. The Washington Post reports that the Federal Trade Commission launched an investigation of the massive data breach late this week, joining New York Attorney General Eric Schneiderman’s formal investigation into the hack last Friday.
Congress is poised to launch its own investigation as Congressman Ted Lieu (D-CA) has teamed with House Judiciary Committee Chairman Bob Goodlatte (R-VA) and ranking member John Conyers (D-MI) to explore the breach. According to CNN Money, House Financial Services Committee Chairman Jeb Hensarling (R-TX) has said his committee will hold its own hearings.
Lawsuits have already been announced by several states against Equifax, including Georgia and Massachusetts, and most are expected to merge into a giant class-action lawsuit that would go on record as one of the nation’s largest.
“The Equifax breach is the one that pulled down all of America’s pants,” says Andrew Bagrin, founder and CEO of OmniNet, a Firewall-as-a-Service (FWaaS) provider. “The information you kept closely guarded is now out there in the hands of the bad guys. By taking all the information someone would check to validate your credit, it is now quite simple to impersonate you and take money from anywhere based on your outstanding credit rating.
“The good news is that with close to 150 million records stolen, there are not enough bad guys to exploit all of it any time soon,” Bagrin adds. “The chance of your identity actually being used is low. At the same time, this breach has put everyone on the same playing field – instead of identities of only those who are careless.”
Organizations Must Protect Themselves
With consumers’ social security numbers now public, Jeff Williams, co-founder and CTO at Contrast Security, says – in his words – they are basically screwed. “There are so many things that depend on (social security numbers) that it is hard to imagine removing our dependency on this now public identifier. Thus, identity theft is going to be much easier.”
Williams recommends that organizations immediately take the following measures:
- Ensure all applications are secure against both known vulnerabilities in libraries and custom vulnerabilities in their own code, which are even more prevalent than problems like this;
- Establish the ability to identify and protect against application attacks; and
- Establish the ability to respond to new attacks within a matter of hours, across the entire enterprise.
While this latest data breach has many organizations reassessing their security measures, Equifax now says it has isolated the culprit that brought down its house: a vulnerability in Apache Struts, an open-source Model-View-Controller (MVC) framework for building Java web applications.
“More often than not, we are seeing breaches as a result of an organization's failure to implement ‘security 101’ principles – proper patch management and secure software development processes and procedures,” says Leigh-Anne Galloway, Cyber Security Resilience Officer at Positive Technologies. “They are the basic things that organizations fail to do again and again.”
Galloway notes that there have been a number of Apache Struts vulnerabilities identified recently – Cisco revealed a number of flaws in the open-source framework just last week. Unfortunately, these web application vulnerabilities are common, and in Equifax’s case, the vulnerability enabled attackers to execute arbitrary code on a server by manipulating the Content-Type HTTP header.
“Given how often flaws of this nature are discovered, it is not a huge surprise that an exploit of these vulnerabilities was the entry point for the Equifax breach,” Galloway says. “It was a failure on Equifax’s part to patch the issue when a fix became available. The breach is an example of where some simple measures like a Web application firewall and patch management could have prevented a breach of unprecedented scale from occurring.”
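Galloway's point is that the flaw was reached through a manipulated Content-Type header and that a web application firewall in front of the unpatched server could have blocked the request. As an added example that is not from the article, from Apache Struts or from any of the companies quoted, the block below shows the kind of strict check such a filter applies at the edge: a Content-Type value is accepted only if it matches the media-type grammar of RFC 7231 (type/subtype plus token-or-quoted parameters), and a parameter value carrying a server-side expression marker is rejected even when it is quoted and therefore grammatically legal. The request ids and header values are constructed sample input, and the 256-byte length bound is an assumption, not a published limit.

```python
import re
from typing import Iterable, List, Tuple

# Media-type grammar after RFC 7231 section 3.1.1.1 / RFC 7230 section 3.2.6:
#   media-type = type "/" subtype *( OWS ";" OWS parameter )
#   parameter  = token "=" ( token / quoted-string )
# Braces, parentheses, commas and other separators are not token characters,
# so a value built from expression syntax fails the grammar on its own.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QDTEXT = r"[\t \x21\x23-\x5b\x5d-\x7e]"
_QUOTED_PAIR = r"\\[\t \x21-\x7e]"
_QUOTED_STRING = rf'"(?:{_QDTEXT}|{_QUOTED_PAIR})*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED_STRING})"
_MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}(?:[ \t]*;[ \t]*{_PARAM})*[ \t]*")

# Assumption: no legitimate Content-Type value sent to this application is longer than this.
MAX_CONTENT_TYPE_LEN = 256

# Markers of server-side expression languages. They have no business in a media type,
# but a quoted parameter value may legally contain them, so the grammar check alone
# would let them through; this second layer rejects them regardless of quoting.
_EXPRESSION_MARKERS = ("${", "%{", "#{")


def classify_content_type(value: str) -> Tuple[str, str]:
    """Return ("accept", "") for a well-formed media type, else ("reject", reason)."""
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return "reject", "header too long"
    if _MEDIA_TYPE.fullmatch(value) is None:
        return "reject", "not a well-formed media type"
    for marker in _EXPRESSION_MARKERS:
        if marker in value:
            return "reject", f"expression marker {marker!r} inside parameter"
    return "accept", ""


# Constructed sample requests, not captured traffic: (request id, Content-Type header value).
SAMPLE_REQUESTS = [
    ("req-1", "application/x-www-form-urlencoded"),
    ("req-2", "multipart/form-data; boundary=----constructedBoundary42"),
    ("req-3", 'text/plain; charset="utf-8"'),
    ("req-4", "multipart/form-data; boundary=%{constructed-expression}"),  # '{' is not a token char
    ("req-5", 'text/plain; charset="${constructed}"'),  # legal grammar, caught by the marker check
    ("req-6", "application/json extra tokens"),  # trailing garbage after the subtype
]


def audit(requests: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify every request and return (request id, verdict, reason) triples."""
    return [(rid, *classify_content_type(ct)) for rid, ct in requests]


def rejected_ids(requests: Iterable[Tuple[str, str]]) -> List[str]:
    """Ids of the requests the filter would drop before they reach the framework."""
    return [rid for rid, verdict, _ in audit(requests) if verdict == "reject"]


if __name__ == "__main__":
    for rid, verdict, reason in audit(SAMPLE_REQUESTS):
        print(f"{rid}: {verdict} {reason}".rstrip())
```

The two layers are deliberately ordered: the grammar check is a positive specification of what a Content-Type header may look like, so it also blocks malformed values nobody anticipated, while the marker list only covers what is already known. Running the block rejects req-4, req-5 and req-6 and passes the three ordinary values, which is the behaviour a patch-lag compensating control such as a WAF rule needs until the framework itself is updated.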
Rewriting the Security Playbook
Josh Mayfield, a platform specialist at FireMon, admits he was less than impressed with the immediate public statement made by Equifax CEO Richard F. Smith, which stated: “While we’ve made significant investments in data security, we recognize we must do more. And we will.”
Mayfield says that statement is very revealing. “This is something I hear from countless leaders in business and security where ‘significant investments in data security’ have been made,” he says. “Equifax has extremely valuable data – everyone can agree on that point; thus, they have every incentive to keep that data secure, because after all, that is their business as a data provider.
“If a company like Equifax can make significant investments, have every incentive to keep the most sensitive kind of information secure, but still experience a breach, it stands to reason that our playbook needs a revision,” Mayfield adds. “The security playbook consists of a few guidelines and directives, and most organizations have been following this playbook for many years.”
As Mayfield sees it, the primary directives of the security playbook are:
- Collect a lot of data;
- Store that data in a big database with finely tuned models; and
- Sit back and wait for the alerts to stream.
“Seeing what happened to Equifax should awaken us to the realization that we must do something different,” Mayfield says. “These things happen because we continue to follow an outdated playbook with directives that haven’t evolved to address the changes in the world. Legacy security investments continue to miss these attacks – like web applications that are left vulnerable to exploit. Secondly, the playbook does not appreciate the mindset of assumed compromise. As organizations continue to adopt this mindset, a new set of plays is needed to serve the new paradigm.”
Dr. Richard Ford, chief scientist at Forcepoint, points out that the Equifax breach embodies the threat environment most organizations face every day. He says this is the new normal.
“The rise of large-scale data collection and aggregation has placed considerable pressure on organizations to preserve privacy while leveraging data for legitimate business purposes,” Ford says. “The more sensitive the data, the greater the liabilities caused by a breach.
“The threats to this data are diverse – ranging from the apparent hack disclosed here to accidental loss by authorized users,” Ford adds. “Focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face – with dire consequences. Companies must augment legacy defenses with modern, human-centric approaches that look at how and why data is accessed and by whom. This intersection of people, data and systems can become the critical point for effective security and compliance.”
Steve Lasky is Editorial Director for the Southcomm Security Media Group, which includes SecurityInfoWatch.com, Security Dealer & Integrator (SD&I) magazine and Security Technology Executive magazine. Reach him at [email protected].