I recently wrote a blog about my thoughts on the Equifax breach and predicted that, once the cause of the breach was revealed, it would be attributed to human error and would turn out to have been completely preventable. As it turns out, I was right. While perusing one of my favorite IT websites, The Register, I came across an article that indicated how the hackers got in. Turns out, it was a vulnerability that was exploited because Equifax failed to apply a security patch. What makes it sting worse is the fact that they had about 2 months to apply it. Not 2 days, not 2 weeks, but 2 months. What Equifax failed to patch (a web application vulnerability known as Apache Struts CVE-2017-5638) is not as important to me as why it wasn’t patched.
You would like to believe that Equifax, keeper of a treasure trove of personal data, would be hyper-vigilant about plugging every known vulnerability. The key word is known. I would be a bit more sympathetic if the hackers had exploited an unknown vulnerability, but that was not the case here. So how much time do you have to patch a known security vulnerability? Apparently, less than 2 months. It will end up costing the company millions in legal and litigation costs. Plus, the Equifax brand and stock take a big hit. Certainly, some executives and IT staff will lose their jobs as well, and rightly so. Timing is never great for a breach of this magnitude, and now Congress wants to investigate. Congress may be battling internally over tax reform and healthcare, but they will unite for this cause. This will take months, if not years, to play out. All because of a flawed patching regimen. Again, why didn’t they do it? No matter the answer, it won’t satisfy the people like me who were affected, or the courts.
Their completely preventable failure is now my problem. Awful.
Working for a technology consultancy that provides cybersecurity solutions, we understand the struggle to defend against cyber-attacks. We work with clients to make them aware of the risks and of mitigation strategies. Whether you are a Fortune 500 company or a local retail shop, you are a target and have probably already been attacked, perhaps without even knowing it. Undoubtedly, Equifax spends millions of dollars on data security. Despite that, they still got owned by bad actors. So, what does a small or medium-sized business do to protect itself without a million-dollar security budget? First, accept that you are at risk. Ignoring the problem, or telling yourself you are too small for hackers to bother with, is a sure-fire way to get breached. Second, don’t assume that what you currently have in place for data security is as effective as you believe. Hubris is an awful thing for security professionals. Stay humble and be open to looking at ways to enhance your security protocols and technology. Third, remember that it is rarely a technology problem but a problem of how the technology is deployed (or, in the Equifax case, how it wasn’t deployed). Be thorough with the basics, such as security patching, periodic pen testing, and security policy review. Executives and shareholders alike also need to see the value in investing in security measures. While no security solution is 100% bullet-proof, there are ways to weigh acceptable risk against the security protection you get for the cost. A big security budget doesn’t necessarily translate into an iron-clad defense. The patch that Equifax didn’t deploy was for open-source software.
Imagine that. A multi-million-dollar security budget torched by a failure to deploy a free patch. That should give everyone heartburn.