Equifax network and data breach:
When data breaches occur - especially ones with a critical impact and a large number of affected consumers, such as the Equifax data breach - the public rightly deserves to know the facts related to the situation. A global, well-funded organization such as Equifax should certainly have the internal resources and expertise to design and implement a comprehensive cyber security program. So, a logical question one might ask is, “Why was a vulnerable Internet-facing system left unpatched for so long?”
Given the size of the company and the nature of its business (Equifax collects and provides personal information on many consumers as a part of credit checks and other inquiries), it would seem fair to assume that Equifax’s internal cyber security and IT experts understand and are accountable to proper cyber security measures, and that the company’s cyber security program is adequately funded and staffed.
Reason:
From the details made available regarding the breach, Equifax claims that the breach occurred from an unpatched vulnerability in a commonly used web application server operating system (Apache), that the specific vulnerability was discovered and reported, and that a patch was issued for Apache in March of this year. However, Equifax neglected to apply the patch to the system that would later be compromised.
As Equifax apparently has a vulnerability management process that involves regularly scanning and patching its systems, many are questioning how this intrusion came to be and why the company’s processes failed to identify and apply the patch.
Solutions:
In examining the root cause of this data breach, here are two key things to consider for your organization's cyber security program:
1. Independent vulnerability validation process
Even for businesses that have mature cyber security processes in place, missteps or control failures can sometimes occur. In the case of the Equifax data breach, it is very likely that the company had a robust security program in place. However, the Apache Struts vulnerability was apparently suppressed in the company’s vulnerability reporting system, which caused it not to appear in the system’s report activity.
Had the issue shown up on the report properly, the company’s threat and vulnerability experts could have notified the responsible areas, as well as followed up to ensure that proper patches were installed. A second, independent vulnerability validation process could have helped in this case. Note that vulnerability suppression is not an excuse for this breach, but rather, it is an example of how control processes are not infallible.
2. A layered, defense-in-depth strategy
A layered, defense-in-depth strategy means multiple, layered security controls, so that there is rarely a reliance on a single control to provide sole and complete protection, as well as periodic inspections of a company’s security posture to validate that controls are functioning as intended. In the case of this Equifax breach, the incident did not originate from a failure to implement an information security program, but rather from a failure in at least one control process within that program.
When it comes to vulnerability management, high-risk organizations would be well-served to have a second vulnerability scanning process to serve as a “double check” of the company’s externally-accessible systems to ensure that all security vulnerabilities are identified, categorized, inventoried, and remediated in a timely manner. Ideally, this second scanning process should be conducted using a separate vulnerability scanning engine, as well as by a department or entity independent from the internal function that conducts the primary vulnerability scanning processes.
Had Equifax implemented a secondary vulnerability scanning process, it is likely that the Struts vulnerability would have been detected and could have been added to the company’s vulnerability management efforts, and the breakdown in the primary vulnerability scanning process would have also been detected and could have been addressed.
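As an added example of the "double check" described in points 1 and 2 (not code from the original article or from Equifax), the script below reconciles a secondary, independent scanner's findings against the primary report: a finding that the primary system suppressed but the secondary engine confirms is flagged as hidden, a finding only the secondary engine sees is flagged as missed, and visible findings past their remediation SLA are flagged as overdue. Host names, finding identifiers, dates and SLA values are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    host: str        # externally accessible system (placeholder name)
    vuln_id: str     # scanner identifier for the weakness (placeholder)
    severity: str    # "critical" | "high" | "medium" | "low"
    first_seen: date # date the scanner first observed it

# Constructed sample output of the primary scanning process.
PRIMARY = [
    Finding("web-01.example", "ADV-0001", "critical", date(2017, 3, 10)),
    Finding("web-02.example", "ADV-0002", "medium", date(2017, 5, 2)),
]
# Suppression entries in the primary reporting system hide a finding from its report.
PRIMARY_SUPPRESSED = {("web-01.example", "ADV-0001")}

# Constructed sample output of the secondary, independently run engine.
SECONDARY = [
    Finding("web-01.example", "ADV-0001", "critical", date(2017, 3, 12)),
    Finding("web-03.example", "ADV-0003", "high", date(2017, 6, 1)),
]

# Assumed remediation deadlines in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TODAY = date(2017, 7, 29)  # constructed "as of" date for the check

def reported(findings, suppressed):
    """Return what the primary report actually shows once suppressions are applied."""
    return {(f.host, f.vuln_id): f for f in findings
            if (f.host, f.vuln_id) not in suppressed}

def reconcile(primary, suppressed, secondary, today):
    """Cross-check the secondary engine against the primary process.

    Returns (hidden, missed, overdue), each a sorted list of (host, vuln_id).
    """
    primary_all = {(f.host, f.vuln_id): f for f in primary}
    visible = reported(primary, suppressed)
    hidden, missed = [], []
    for f in secondary:
        key = (f.host, f.vuln_id)
        if key in primary_all and key in suppressed:
            hidden.append(key)   # primary found it, but the report hides it
        elif key not in primary_all:
            missed.append(key)   # primary never detected it at all
        visible[key] = f         # secondary evidence counts toward the inventory
    overdue = [k for k, f in visible.items()
               if (today - f.first_seen).days > SLA_DAYS[f.severity]]
    return sorted(hidden), sorted(missed), sorted(overdue)

if __name__ == "__main__":
    for label, keys in zip(("hidden", "missed", "overdue"),
                           reconcile(PRIMARY, PRIMARY_SUPPRESSED, SECONDARY, TODAY)):
        print(label, keys)
```

Either list being non-empty is the signal the article calls for: the hidden list exposes a breakdown in the primary reporting process, while the missed and overdue lists feed the remediation backlog.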