The Equifax data breach is the latest and one of the largest in a series of alarming, high-profile incidents exposing sensitive information. For companies that have responsibility for securely managing similar types of data, it should serve as a wake-up call to review your own policies and processes. Here’s what you can learn from Equifax’s breach and reduce the risk that this happens to your organization.
Of course, these crises are scary events for those with compromised data — and given the scale of this, it could very well impact you. Because Equifax is a consumer credit rating agency, the nature of the data is ideal for identify theft. (CNET has a good primer on what steps consumers should take.)
At the time of writing, the investigation and fallout are still unfolding, but it seems the data breach exposed personal information of approximately 143 million Americans, as well as 400,000 people in the U.K. and 100,000 in Canada [Update: the cybersecurity firm hired by Equifax now says 145.5 million U.S. consumers were impacted, but only 8,000 Canadians]. In the U.S., the information included names, birth dates, social security numbers, addresses and even some driver’s license numbers. Intruders accessed additional personally identifiable information (PII), including the credit card numbers of approximately 209,000 consumers.
So, it’s big. Here are a few takeaways for your organization to consider right away.
Patch Bugs Quickly
Hackers used a vulnerability in an open-source application framework Equifax used in a web application. U.S. CERT identified this vulnerability in Apache Struts (CVE-2017-5638) in early March 2017. Equifax thinks the unauthorized access occurred more than two months later, between May 13 to July 30, 2017.
The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up.”
Some security holes are easier to patch than others. With this vulnerability, organizations had to download updated software and rebuild all web apps that used the older, buggy versions. These may have been spread across scores of servers around the world. And then the rebuilt apps would have to be tested so that wouldn’t inadvertently break something else on a website.
However, the security of your data, and your customers’ data, must take priority. You need to have processes in place for acting on patches quickly.
[Update: In advance of his scheduled Oct. 3 appearance before a House subcommittee, Equifax’s former CEO Richard Smith (who resigned due to the scandal) released prepared testimony that goes into extensive details about what went wrong. Of particular note: an e-mail directing administrators to patch the vulnerability within 48-hour deadline was not heeded; administrators waited a week to scan its network for apps that remained vulnerable; the delayed scan failed to detect that the flaw still resided in a portion Equifax’s site.]
Monitor Known Vulnerabilities
As I write this, we don’t know what measures Equifax had in place during the time of the data breach, but you must assume that if security experts identify and publicize a vulnerability, hackers will hear about it and start looking for it in their targets’ systems.
Know your own network and platforms well enough to actively monitor weaknesses with security tools and detect breaches immediately. Essentially, if you have a gap in your fence, watch it like a hawk until you can patch it up properly.
Conduct Regular Audits
What value do you place on your data? What would it cost your business if it disappeared, or someone stole it?
Here’s what Syracuse University computer security researcher Shiu-Kai Chin, who studies development of trustworthy systems, told Wired:
There is no security without audit. People who run businesses don’t want to think about the cost of information audits, but if they just imagined that every packet of information was a hundred dollar bill, all of a sudden they would start to think about who touches that money and should they be touching that money? They would want to set up the system properly—so you only give people enough access to do their jobs and no more.”
Should a data breach occur, you can limit the impact by implementing user controls and other barriers within your network. Zoning and separation creates monitoring points, which can force a hacker into the open.
Here are a few other prudent practices to implement:
- Use application whitelisting on servers to reduce the risk of server compromise
- Do not give internal servers direct access to the internet
- Use a host software firewall to block unnecessary communication between user hosts and reduce the risk of an attack spreading
Again, we don’t have details, but it would appear that something at Equifax permitted far too much access. You can avoid this by putting in place measures that ensure hackers can’t get everything.
Notify Officials and Customers ASAP
Equifax discovered the data breach July 29—but the world only heard about it September, 7. Five and a half weeks is too long, especially when you’re dealing with data related to their personal finances and identity.
Now, there are often good reasons to not go public right away. You will likely need to coordinate with law enforcement if they are investigating the hack; you will certainly need to investigate the scope of the hack yourself before alarming customers.
But it’s important that you take these steps rapidly. Your organization should have its own documented incident response plan, so everyone understands the process and how decisions will be made. Currently, your state determines what disclosure requirements you face (only eight states even specify timing, ranging from 15 to 90 days). But regulations and the law are not the same as customer expectations. Every day counts, especially if customers’ data is on the black market.
As Equifax’s missteps have amply demonstrated, it’s essential that your organization act as forthrightly and transparent as possible to your customers. Providing reliable avenues for them to seek help, can help insulate you from lasting damage to your brand and reputation.
Your company is almost certainly not the size of Equifax. Nevertheless, you need to protect data that is important to your business and customers. If these emerging IT requirements seem too much for what you can manage in-house, reach out to trusted IT professionals. At Echopath, we can help you plan a cost-effective IT strategy, improve your IT processes, and introduce you to new kinds of solutions to protect your data. Get in touch to have an initial conversation.