Nettitude's very own Ben Rothke takes a look at the Equifax hack and what it could mean for your business.
The specific details are still filtering out, but even the preliminary information is staggering. Sometime between May and July 2017, Equifax, an Atlanta, Georgia-based consumer credit reporting agency that collects information on over 800 million individual consumers and more than 88 million businesses worldwide, was breached. The hack resulted in the compromise of data on almost 150 million U.S. residents. Considering the US population is about 325 million people, almost one in two people will be affected by this breach.
As breach sizes go, this was still way behind the Yahoo hack of 1.5 billion user accounts, and in line with the eBay attack, with 145 million users compromised, and the 130 million records of the Heartland Payment Systems breach.
But what is unique about the Equifax breach is the depth of the personally identifiable information (PII) that was compromised. This includes social security numbers, dates of birth, driver's license information, bank account numbers, mortgage data and much more.
Rather than focusing on the raw number of records that were breached, consider the nature of the data. If you weigh those values, then the Equifax attack quickly turns into the most devastating breach to date.
How did it happen?
The attackers targeted a known vulnerability in Apache Struts, an open source framework for creating Java web applications. The specific vulnerability, CVE-2017-5638, was published on March 12, 2017 and a patch was issued soon after. Exploit code emerged shortly after the patch was released.
What it means for you
There are many key takeaways from the breach, and I’d like to highlight what I think are two of the most significant. These center around patch management and breach notification.
The vulnerability was announced and patched in mid-March and the Equifax attack didn’t commence until about 6 weeks later. That gave Equifax about a month and a half to patch their affected systems.
Not every vulnerability is created equal and not every patch needs to be installed immediately. Given the circumstances and configurations of the network and applications, in addition to other dependencies, some patches can be delayed.
But the nature of Apache Struts, given that it is used on servers connected to the Internet, lends itself to a much more aggressive patching schedule. How aggressive that schedule is depends on many factors, and each organization needs to determine what is right for its specific environment.
There is no magic number when it comes to patching in this case, but it should certainly be measured in days and no more than a week. In the case of Equifax, this turned into months. This is a major patch management fail, and Equifax paid a huge price for it.
What you can learn from the Equifax debacle is that patch management is a serious endeavor and an integral part of any information security program. You need to understand what software is deployed in your organization and how it needs to be patched. The famous quote “eternal vigilance is the price of liberty” can be applied to information security, in that eternal patch management is the price of software security.
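As an added illustration of the two points above (knowing what is deployed, and holding Internet-facing software to a patch window measured in days), here is a small inventory-and-SLA check written for this article; it is not Equifax's or Nettitude's code. It walks a deployment tree for Struts 2 core jars, compares each version against the fixed release for its branch, and flags anything still unpatched past the window. The advisory date comes from the article; the fixed version numbers are taken from the Apache S2-045 advisory for CVE-2017-5638 rather than from this page, and the 30-day internal window and sample paths are assumptions.

```python
import os
import re
from datetime import date

# The article gives March 12, 2017 as the publication date of the Struts advisory for CVE-2017-5638.
ADVISORY_DATE = date(2017, 3, 12)
# Patch SLA in days by exposure: 7 follows the article's "no more than a week"; 30 is an assumed internal SLA.
SLA_DAYS = {"internet": 7, "internal": 30}
# Fixed releases per the Apache S2-045 advisory for CVE-2017-5638 (not on this page; confirm before use).
FIXED_VERSIONS = {"2.3": "2.3.32", "2.5": "2.5.10.1"}
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def is_fixed(version, fixed_versions=FIXED_VERSIONS):
    """True if `version` is at or above the fixed release of its branch (2.3 or 2.5)."""
    fixed = fixed_versions.get(".".join(version.split(".")[:2]))
    # An unknown branch is treated as unpatched until someone verifies it.
    return fixed is not None and parse_version(version) >= parse_version(fixed)

def find_struts_jars(root):
    """Walk a deployment tree and return {jar path: version} for every struts2-core jar."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                found[os.path.join(dirpath, name)] = m.group(1)
    return found

def assess(jars, exposure, today, fixed_versions=FIXED_VERSIONS):
    """Return [(path, version, status)]: 'ok', 'unpatched' (still inside SLA) or 'sla-breach'."""
    overdue = (today - ADVISORY_DATE).days > SLA_DAYS[exposure]
    late = "sla-breach" if overdue else "unpatched"
    return [(p, v, "ok" if is_fixed(v, fixed_versions) else late) for p, v in sorted(jars.items())]

# Constructed inventory standing in for find_struts_jars("/opt/tomcat/webapps") on a real host.
SAMPLE_INVENTORY = {
    "/srv/portal/WEB-INF/lib/struts2-core-2.3.20.jar": "2.3.20",
    "/srv/intranet/WEB-INF/lib/struts2-core-2.5.12.jar": "2.5.12",
}

def demo():
    # Mid-May 2017, about when the article says the attack began: 62 days after the advisory.
    return assess(SAMPLE_INVENTORY, "internet", date(2017, 5, 13))
```

Run `find_struts_jars` against each application server's deployment root and feed the result to `assess` with that host's exposure; anything reported as `sla-breach` is the gap the article describes.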
The other area where Equifax dropped the ball was their breach notification. It took them almost two months, and they only made a public disclosure on September 7. This roughly six-week gap between breach awareness and disclosure is an unacceptable amount of time.
It’s not coincidental that the General Data Protection Regulation (GDPR), which goes into effect in May 2018, mandates that in the event of a personal data breach, organizations must make notification without undue delay, within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, the firm needs to provide a reasoned justification for the delay.
For those organizations that will be subject to GDPR, the 72-hour rule will require significant updates to their notification policies and processes. This is not a trivial undertaking and requires significant planning.
Those organizations that won’t have to deal with the monstrosity known as GDPR may still have to deal with the HIPAA breach notification rule or other requirements. They will need to make sure their breach notification program is updated, tested, and then retested.
Specifically, if you don’t already have a formal and tested process in place, create an organizational process to identify security breaches and notify the relevant authorities and individuals in the event a breach leads to disclosure of personal information. It’s imperative that staff be assigned, with clear responsibility, for every specific task and subtask.
Finally, realize that breach notification is not just an IT issue. There are a lot of stakeholders involved, from IT, information security, marketing, privacy, to legal, customer service, and more.
Part of information security is learning from the mistakes of others. The Equifax breach provides ample learning opportunities. Start making changes today and take steps to reduce the risk of your business becoming another cybercrime statistic. If you have any concerns about your company’s cyber security strategy then get in touch with us here at Nettitude. We can provide you with a half an hour free consultation to advise you on the steps you need to take to boost your cyber security defences.