Search Security, December 12, 2018, with comments by Satya Gupta.
An Equifax breach report, based on a government investigation, blamed the incident on multiple security failures and concluded the breach was preventable.
After a 14-month congressional investigation into the Equifax breach, the US House Committee on Oversight and Government Reform has released its report. The committee holds Equifax accountable for the breach because of multiple security failures on the company's part, and notes that the breach could have been prevented if Equifax's security program had been stronger.
The committee wrote in the report:
"Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax's IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company's implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains."
"Second, Equifax's aggressive growth strategy and accumulation of data resulted in a complex IT environment," the report continued. "Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax's IT systems made IT security especially challenging."
Many who have followed the Equifax story since the breach have blamed the company for not applying the patch for the Apache Struts vulnerability, which was available before the breach. That was certainly a failure, but the committee found other, even more concerning failures that kept Equifax from discovering the breach for many months.
Satya Gupta, CTO and co-founder at Virsec Systems Inc., based in San Jose, Calif., said it's easy to "throw Equifax under the bus, and they certainly could have prevented much of the damage from the breach."
"It's dangerous to get on a soap box about patching when most organizations take months to deploy patches across the board. Security by patching is a losing strategy. Organizations need to find ways to protect critical applications, regardless of their patch status," Gupta said. "Clearly, Equifax did not run a tight security ship, and vast amounts of data were spread across many out-of-date platforms."
"More than a technology problem, this was a massive organizational mess, leading to a disastrous public response," Gupta continued. "Slow patching was just one of many structural problems that made Equifax a fat target."
"There are no valid excuses for expired security certificates," Gupta said.
"For any system that is being actively managed, expired certificates are immediately apparent. If Equifax let hundreds of certs expire, there were clearly huge areas of security and IT oversight that were completely lacking," Gupta said. "Well-run IT organizations have tight controls over all business-critical servers and closely monitor where sensitive data is going and being stored. Security certificates must always be up-to-date, and out-of-date systems should be retired whenever possible. While patching can be a legitimate challenge, having clear network visibility should be a prerequisite, not an afterthought."
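The report's count of expired certificates, and Gupta's point above that lapsed certificates are immediately apparent on an actively managed system, reduce to a routine inventory check: know every certificate you depend on, compare its validity window against today, and act before the window closes. The Go program below is an added example, not code from the article, the committee's report, or Virsec. It generates a few constructed self-signed certificates with placeholder names (not real Equifax hosts), classifies each against a reference date and a renewal warning window, and lists the ones that need action, most urgent first. The hostnames, dates and the 30-day warning window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertStatus is the classification of one certificate's validity window.
type CertStatus string

const (
	StatusExpired     CertStatus = "EXPIRED"
	StatusExpiring    CertStatus = "EXPIRING"
	StatusNotYetValid CertStatus = "NOT_YET_VALID"
	StatusOK          CertStatus = "OK"
)

// Classify compares cert's validity window against now. A certificate with at
// most warn of lifetime left is reported as EXPIRING so it can be renewed before
// whatever depends on it (a monitoring sensor, a TLS listener) silently stops working.
func Classify(cert *x509.Certificate, now time.Time, warn time.Duration) CertStatus {
	switch {
	case now.Before(cert.NotBefore):
		return StatusNotYetValid
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case cert.NotAfter.Sub(now) <= warn:
		return StatusExpiring
	default:
		return StatusOK
	}
}

// Finding is one certificate that needs attention.
type Finding struct {
	Name      string
	Status    CertStatus
	Remaining time.Duration // negative once the certificate has expired
}

// urgency orders statuses so the most damaging problems are listed first.
func urgency(s CertStatus) int {
	switch s {
	case StatusExpired:
		return 0
	case StatusExpiring:
		return 1
	case StatusNotYetValid:
		return 2
	}
	return 3
}

// Audit classifies every certificate in the inventory and returns only those
// that are not OK, most urgent first, then by least remaining lifetime.
func Audit(inventory map[string]*x509.Certificate, now time.Time, warn time.Duration) []Finding {
	var out []Finding
	for name, cert := range inventory {
		if st := Classify(cert, now, warn); st != StatusOK {
			out = append(out, Finding{Name: name, Status: st, Remaining: cert.NotAfter.Sub(now)})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if ui, uj := urgency(out[i].Status), urgency(out[j].Status); ui != uj {
			return ui < uj
		}
		if out[i].Remaining != out[j].Remaining {
			return out[i].Remaining < out[j].Remaining
		}
		return out[i].Name < out[j].Name
	})
	return out
}

// selfSigned builds a constructed, self-signed test certificate so the example
// runs offline. In a real audit the certificates come from the organisation's
// own stores and listeners, not from this helper.
func selfSigned(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sampleInventory is constructed sample data: one certificate that lapsed
// weeks ago, one close to expiry, and one healthy one. Names are placeholders.
func sampleInventory(now time.Time) map[string]*x509.Certificate {
	day := 24 * time.Hour
	inventory := map[string]*x509.Certificate{}
	for _, c := range []struct {
		name       string
		start, end time.Time
	}{
		{"monitor-01.example.test", now.Add(-400 * day), now.Add(-45 * day)},
		{"portal.example.test", now.Add(-340 * day), now.Add(12 * day)},
		{"api.example.test", now.Add(-30 * day), now.Add(300 * day)},
	} {
		cert, err := selfSigned(c.name, c.start, c.end)
		if err != nil {
			panic(err)
		}
		inventory[c.name] = cert
	}
	return inventory
}

func main() {
	now := time.Date(2018, 12, 12, 0, 0, 0, 0, time.UTC) // assumed reference date
	for _, f := range Audit(sampleInventory(now), now, 30*24*time.Hour) {
		fmt.Printf("%-26s %-13s %6.0f days\n", f.Name, f.Status, f.Remaining.Hours()/24)
	}
}
```

The check itself is trivial; the hard part, and the part the report faults Equifax for, is having a complete inventory to run it over. A certificate that is not in the list is exactly the one that expires unnoticed, so the inventory should be populated from authoritative sources (certificate stores, load balancers, appliance configurations) rather than from memory, and the audit should run on a schedule with its findings routed to an owner.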
After the breach was discovered, Equifax put plans in place to deal with the aftermath. Project Sierra was set up to handle the incident response and Project Sparta was set up to handle notifying the public. But after the public was notified, Equifax took a lot of heat for problems that arose from their response to customers.
Gupta also noted ways in which Project Sierra was troubled.
"Equifax did plenty wrong before the breach to make themselves vulnerable, but well-run IT organizations assume they will be attacked and have clearly defined response plans. Everything about Project Sierra was a disaster, including alleged leaks about its status leading to insider trading charges," Gupta said. "There is no excuse for the months it took from discovering the breach to the public acknowledgment. While most states have breach notification laws, there needs to be tighter standards on the length of time a company can research a breach before coming clean."
Fifteen months later, the country still talks about this massive breach, and it will likely remain on the list of the most significant breaches of all time. The committee's report provided 7 recommendations for avoiding such devastating breaches in the future.
Recommendation 1: Empower Consumers through Transparency
Recommendation 2: Review Sufficiency of FTC Oversight and Enforcement Authorities
Recommendation 3: Review Effectiveness of Identity Monitoring and Protection Services Offered to Breach Victims
Recommendation 4: Increase Transparency of Cyber Risk in Private Sector
Recommendation 5: Hold Federal Contractors Accountable for Cybersecurity with Clear Requirements
Recommendation 6: Reduce Use of Social Security Numbers as Personal Identifiers
Recommendation 7: Implement Modernized IT Solutions
Read the full article: "Equifax breach report highlights multiple security failures."