Did Equifax have a CISO, CIO, a CTO, or a data manager? Did they have an incident response process?

Equifax breach report highlights multiple security failures

An Equifax breach report, based on a government investigation, blamed the incident on multiple security failures and concluded the breach was preventable.

The U.S. House Committee on Oversight and Government Reform published a new report detailing how the Equifax breach happened and how it could have been prevented.

The committee concluded in its Equifax breach report that the incident -- which affected 148 million people -- was "entirely preventable" and occurred because Equifax "failed to implement an adequate security program to protect this sensitive data."

"Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax's IT management structure existed, leading to an execution gap between IT policy development and operation," the committee wrote in the report. "This also restricted the company's implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains."

"Second, Equifax's aggressive growth strategy and accumulation of data resulted in a complex IT environment," the report continued. "Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax's IT systems made IT security especially challenging."

The Equifax breach report broke down the timeline in great detail, starting with the initial disclosure of the Apache Struts vulnerability used in the attack on March 7, 2017. Equifax received the alert from the Department of Homeland Security about the vulnerability on March 8 and notified responsible personnel to patch systems on March 9. The company performed a scan for any systems still vulnerable on March 15 and didn't find any, despite attackers first exploiting vulnerable systems on March 10.

"Equifax, however, did not fully patch its systems. Equifax's Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability," the report stated. "Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed."

Rudolph Araujo, vice president of marketing at Awake Security, based in Sunnyvale, Calif., said the issue was likely a lack of "checks and balances to make sure the patch was really successfully deployed, services restarted, etc."

"They quite likely may have passed an audit for their patch management process by claiming they have that as a process, but this is a good example of why this process alone would never work in any sizeable system. For instance, were they even in a position to know all of the Apache servers in an environment as large and complex as Equifax?" Araujo said.

"As the report points out, the company under Richard Smith was growing rapidly and processing enormous amounts of data," he continued. "This often leads to shadow IT, where developers, business units, etc., spin up their own infrastructure, and one wonders if the security team even had visibility into it."

Satya Gupta, CTO and co-founder at Virsec Systems Inc., based in San Jose, Calif., said it's easy to "throw Equifax under the bus, and they certainly could have prevented much of the damage from the breach."

"It's dangerous to get on a soap box about patching when most organizations take months to deploy patches across the board. Security by patching is a losing strategy. Organizations need to find ways to protect critical applications, regardless of their patch status," Gupta said. "Clearly, Equifax did not run a tight security ship, and vast amounts of data were spread across many out-of-date platforms."

"More than a technology problem, this was a massive organizational mess, leading to a disastrous public response," Gupta continued. "Slow patching was simply one of many structural problems that made Equifax a fat target."

More security troubles

Beyond the Apache Struts patching issue, the Equifax breach report noted the company had serious issues with security certificates.

"Equifax did not see the data exfiltration, because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic," the committee found. "After updating the security certificate, Equifax employees identified suspicious traffic from an IP address originating in China. The suspicious traffic exiting the ACIS application potentially contained image files related to consumer credit investigations. Equifax discovered it was under active attack and immediately launched an incident response effort."

Araujo said the certificates in question were likely needed to decrypt data before it was processed by an intrusion detection system.

"If the SSL inspection device does not have the appropriate certificates, it can't decrypt the data and, consequently, cannot feed that into the intrusion detection systems. Clearly, this should never have happened," Araujo said. "Even if the certificates had never expired, it would not be surprising at all if there had been no threat alerts, given how ill-equipped traditional IDPS are at detecting data exfiltration, especially the low and slow kind."

Jesse Dean, senior director of solutions at Tetrad Digital Integrity, based in Washington, D.C., said this should be taken as "a cautionary tale for CISOs, C-suite and boards, as Equifax is not dissimilar to most medium to large organizations when it comes to cybersecurity."

"It's easy to say Equifax should have maintained a better inventory and accounting of their certificates and should have known how to run a proper vulnerability scan. They all have a budget, tools, teams, training and policies. It's the effectiveness of each of those piece parts and how they work together that has continued to plague the cyber industry since its inception," Dean said. "What, unfortunately, gets lost is the visibility and accountability around the pedestrian, yet paramount fundamentals of cybersecurity, such as network segmentation, inventory, certificate and vulnerability management."

"There are no valid excuses for expired security certificates," Gupta said.

"For any system that is being actively managed, expired certificates are immediately apparent. If Equifax let hundreds of certs expire, there were clearly huge areas of security and IT oversight that were completely lacking," Gupta said. "Well-run IT organizations have tight controls over all business-critical servers and closely monitor where sensitive data is going and being stored. Security certificates must always be up-to-date, and out-of-date systems should be retired whenever possible. While patching can be a legitimate challenge, having clear network visibility should be a prerequisite, not an afterthought."
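A certificate-inventory audit of the kind Dean and Gupta describe, written here as an added example rather than anything from the article, the report or Equifax. The inventory entries, device names and dates are constructed; the reference date and the 2015 expiry are chosen so the first entry shows a gap comparable to the 19 months of blind monitoring the report describes, and any expired certificate on an SSL-inspection device is reported as a monitoring gap rather than just a housekeeping item.

```python
# Added example, not from the article: audit a certificate inventory for
# expired and soon-to-expire entries and flag expired certificates on
# SSL-inspection devices as monitoring gaps. All names/dates are constructed.
import ssl
from datetime import datetime, timedelta, timezone

# notAfter uses the same string format that ssl.getpeercert() returns, so
# entries collected from live endpoints can be fed in unchanged.
INVENTORY = [
    {"name": "acis-inspection-sensor", "role": "ssl-inspection", "notAfter": "Dec 29 00:00:00 2015 GMT"},
    {"name": "dispute-portal-web", "role": "service", "notAfter": "Aug 15 12:00:00 2017 GMT"},
    {"name": "ids-sensor-2", "role": "ssl-inspection", "notAfter": "Dec 01 00:00:00 2018 GMT"},
]

# Constructed reference date for the audit; pass a real "now" in practice.
AS_OF = datetime(2017, 7, 29, tzinfo=timezone.utc)


def cert_expiry(not_after):
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(entry, now, warn_days=30):
    """Return the entry's expiry status relative to `now`."""
    expiry = cert_expiry(entry["notAfter"])
    finding = {"name": entry["name"], "role": entry["role"], "expires": expiry}
    if expiry <= now:
        # Days the cert has been expired; for an inspection device this is
        # also how long the traffic behind it has gone unmonitored.
        finding.update(status="expired", days_expired=(now - expiry).days)
    elif expiry - now <= timedelta(days=warn_days):
        finding.update(status="expiring", days_left=(expiry - now).days)
    else:
        finding.update(status="ok", days_left=(expiry - now).days)
    return finding


def audit(inventory, now, warn_days=30):
    """Classify every entry and list the inspection devices that are blind."""
    findings = [classify(e, now, warn_days) for e in inventory]
    monitoring_gaps = [f["name"] for f in findings
                       if f["status"] == "expired" and f["role"] == "ssl-inspection"]
    return findings, monitoring_gaps


if __name__ == "__main__":
    results, gaps = audit(INVENTORY, AS_OF)
    for f in results:
        print(f"{f['name']:24} {f['role']:15} {f['status']:9} {f['expires']:%Y-%m-%d}")
    print("inspection devices blind due to expired certificates:", gaps)
```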

According to the Equifax breach report, the company had two initiatives put in place following the discovery of the attack: Project Sierra to handle the incident response and Project Sparta for notifying the public of the breach.

"The purpose of Project Sparta was to create a consumer-facing website for individuals to find out whether they were affected by the breach and, if so, to register for credit monitoring and identity theft services," the committee wrote. "Almost immediately, issues existed with Equifax's public response. The website and call centers were overwhelmed with requests for information and left consumers without answers as to whether they were affected by the breach."

Gupta noted that Project Sierra was also troubled.

"Equifax did plenty wrong before the breach to make themselves vulnerable, but well-run IT organizations assume they will be attacked and have clearly defined response plans. Everything about Project Sierra was a disaster, including alleged leaks about its status leading to insider trading charges," Gupta said. "There is no excuse for the months it took from discovering the breach to the public acknowledgment. While most states have breach notification laws, there need to be tighter standards on the length of time a company can research a breach before coming clean."


Source: https://www.techtarget.com/searchsecurity/news/252454340/Equifax-breach-report-highlights-multiple-security-failures
