Equifax Breach: 'This Will Continue, And Only Get Worse'

Contributor: Jason Koestenblatt
Posted: 09/08/2017

Credit reporting agency Equifax announced this week 143 million American citizens’ social security numbers were compromised this year due to a cybersecurity breach.

The breach occurred over the course of more than two months, from mid-May through the end of July of this year, the company stated. Hackers were able to gain access by exploiting a “U.S. website application vulnerability,” Equifax stated.

Forced into a reactive posture, the company has engaged a cybersecurity firm to conduct an assessment and provide recommendations on next steps. The name of that firm was not released.

The breach goes beyond social security numbers. According to Equifax:

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.

Equifax said it makes cybersecurity a daily priority, but this incident clearly broke down the walls of whatever measures were put in place.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

According to an exclusive report by the New York Post, Equifax is attributing the breach to the open-source web framework Apache Struts. Equifax has not confirmed this; the claim was relayed by an analyst with William Baird & Co.

What may be of more concern is how long the intruders remained inside Equifax's systems: more than two months, according to the company.

“This is another object lesson in how hard it is to keep large data stores secure,” said Nathaniel Gleicher, Former Director of Cybersecurity Policy for the White House and current Head of Cybersecurity Strategy for Illumio. “Even large organizations struggle, because it’s far too easy for intruders to slip across the perimeter and then bide their time inside compromised networks until they can get to the most valuable data. If we want to stop breaches like this, we have to get much better at stopping lateral movement within compromised networks.”

One cybersecurity analyst believes Equifax was in decent shape when it comes to protection, and that news of major breaches should be expected in the future.

“Expect the news more frequently as Equifax has pretty strong security controls and monitoring in place,” said Jon Oltsik, Senior Principal Analyst with Enterprise Strategy Group. “If your organization collects, processes, and stores valuable data, chances are very good that someone wants to steal it. Given this, you have to be extremely diligent with cybersecurity controls. You should also think like the enemy and figure out how they will likely attack you.”

Continuously monitoring the security architecture - especially given the sensitive information held in Equifax's database - is a full-time effort that should have been paramount for the security team.

"This is a continuation of the breach cycle," said University of Wisconsin-Madison Chief Information Security Officer Bob Turner. "Equifax, OPM, Target, Anthem, and the rest are learning that they are vulnerable - something they should have figured out when they placed the information systems online to begin with. Having an adequate security architecture is key, and ensuring that architecture is regularly checked, continuously monitored, and periodically upgraded is the key to success.

"Until that happens as a matter of habit, companies will hemorrhage data in a way that costs them their brand," Turner continued. "How unfortunate that Equifax is the first of the 'Big Three' credit monitoring bureaus to fall. They should have known better considering they have everyone's PII and financial records in their hands."

One chief information security officer believes this won’t be ending anytime soon, and that Equifax may have been its own worst enemy in this breach.

“Clearly this will continue in the future and only get worse,” said Rizwan Jan, CISO, The Henry M. Jackson Foundation for the Advancement of Military Medicine. “The lack of a secure development life cycle (SDLC) and of active scanning of their websites for any vulnerabilities seems to be the issue (poor security hygiene). This highlights the importance of security baked into the development process, along with continued scanning of their high-risk assets (external-facing websites) on a more frequent basis.

“As part of our due diligence to protect our employees and customers,” Jan continued, “we are actively hunting the dark web to see if any of their data is being sold or exposed.”

While this particular incident came in through a web application, enterprise security administrators need to keep an eye on all endpoints, as mobile device use continues to grow - and, more importantly, continues to become a threat vector. Longtime network security companies are recognizing the importance of a unified endpoint approach and pivoting to cover the entire landscape. Symantec, for example, made a major move earlier this year by acquiring mobile threat defense provider Skycure.

As previously reported by Enterprise Mobility Exchange, smartphones accounted for 85% of all mobile malware infections in 2016, leaving enterprises susceptible to breaches through their own employees - unknowingly or otherwise - on a daily basis. 

So what does it mean for enterprises going forward?

“This breach might just have put the nail in the coffin of the idea that we can use personal identifiers like social security numbers as security factors,” Gleicher told Enterprise Mobility Exchange. “Few institutions still use them for primary security, but much of the affected data (birth dates, town of residence, etc.) is still used to verify identity. It’s past time that we realized that you can’t rely on this data by itself. We need to evolve our understanding of identity if it is going to hold up in the modern era of cyber(in)security.”

It will also mean a top-down approach when it comes to cybersecurity decision-making. IT administrators are not alone in the fight against breaches or hacks, and the effort to ward off malicious actors should be an enterprise-wide initiative.

"For the security leaders within an enterprise, there are two primary lessons that can be gleaned from this and applied going forward," said Eric Brohm, Vice President of Cybersecurity for Wyndham Worldwide. "The first is that hackers do not just care about payment card data (PCI), but personal information (PII) as well. We need to move past the notion that an environment does not need to be rigorously secured if it is not part of a cardholder data environment (CDE) – PII can be just as attractive to a hacker looking to monetize it. Secondly, organizations should ensure that their web applications are coded securely if developed in house, or up to date with patches if they are using a third-party application. For the business leaders of an enterprise, from the Board of Directors down, the dip in the Equifax stock price alone brings another lesson in the value that a mature Information Security program can bring to the enterprise in helping minimize the risk and losses associated with data breaches. It is imperative that organizations continue to develop and fund their Information Security programs with full support from the top down."

Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.
