
Cybersecurity: Three Lessons Learned from Equifax Data Breach

10/12/2017  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security


When data breaches occur—especially ones with a critical impact and a large number of affected consumers, such as the Equifax data breach—the public rightly deserves to know the facts related to the situation. A global, well-funded organization such as Equifax should certainly have the internal resources and expertise to design and implement a comprehensive cybersecurity program, so a logical question one might ask is, “Why was a vulnerable Internet-facing system left unpatched for so long?”

Given the size of the company and the nature of its business (Equifax collects and provides personal information on many consumers as part of credit checks and other inquiries), it would seem fair to assume that Equifax’s internal cybersecurity and IT experts understand, and are accountable for, proper cybersecurity measures, and that the company’s cybersecurity program is adequately funded and staffed.

From the details made available regarding the breach, Equifax claims that the breach resulted from an unpatched vulnerability in a commonly used web application framework (Apache Struts). The specific vulnerability was discovered and reported, and a patch for Apache Struts was issued, in March of this year, but Equifax neglected to apply the patch to the system that would later be compromised.

As Equifax apparently has a vulnerability management process that involves regularly scanning and patching its systems, many are questioning how this intrusion came to be, and why the company’s processes failed to identify and apply the patch.

3 Lessons Learned from Equifax Data Breach

In examining the root cause of this data breach, here are three key things to consider for your business’s cybersecurity program:

Accidents Happen

Even for businesses that have mature cybersecurity processes in place, missteps or control failures can sometimes occur.

In the case of the Equifax data breach, it’s very likely that the company had a robust security program in place; however, the Apache Struts vulnerability was apparently suppressed in the company’s vulnerability reporting system, so it did not appear in the system’s reports.

Had the issue shown up on the report properly, the company’s threat and vulnerability experts could have notified the responsible areas, as well as followed up to ensure that proper patches were installed. A second, independent vulnerability validation process could have helped in this case.

Note that vulnerability suppression is not an excuse for this breach, but rather, it is an example of how control processes are not infallible.

Cyber Attacks are Inevitable

Companies with large troves of sensitive data in their systems, and especially ones in the sensitive data business, should expect to be targets for attackers in search of data that can be used for identity theft, credit card fraud, or insurance fraud. 

Equifax was, no doubt, aware of such threats; however, a proactive approach to cybersecurity can be the best strategy for safeguarding against these inevitable attackers.

A Layered, Defense-In-Depth Strategy Can Help

A layered, defense-in-depth strategy, such as the one LBMC's Information Security team espouses, includes multiple, layered security controls so that there is rarely a reliance on a single control to provide sole and complete protection, as well as periodic inspections of a company’s security posture to validate that controls are functioning as intended.

This Equifax breach didn’t originate from a failure to implement an information security program, but rather from a failure in at least one control process within the program.

When it comes to vulnerability management, high-risk organizations would be well-served to have a second vulnerability scanning process to serve as a “double check” of the company’s externally accessible systems to ensure that all security vulnerabilities are identified, categorized, inventoried, and remediated in a timely manner.

Ideally, this second scanning process should be conducted using a separate vulnerability scanning engine, as well as by a department or entity independent from the internal function that conducts the primary vulnerability scanning processes.

Had Equifax implemented a secondary vulnerability scanning process, it is likely that the Struts vulnerability would have been detected and could have been added to the company’s vulnerability management efforts, and the breakdown in the primary vulnerability scanning process would have also been detected and could have been addressed.
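To make the "double check" concrete, here is an added example (not LBMC's tooling or anything Equifax ran) of how a team might reconcile the primary scanner's report against an independent secondary scan. The hostnames, the CVE-style identifiers (CVE-YYYY-000N), the patch dates and the suppression list are all constructed for illustration. The key point the example shows is that a finding suppressed in the primary reporting system still shows up as live when the two result sets are compared, so the suppression itself becomes visible, along with any high-severity finding that has exceeded the patching SLA.

```python
"""Reconcile two independent vulnerability scan result sets.

Constructed example: the primary scanner's raw results have had a
suppression rule applied before reporting, and an independent secondary
scanner (different engine, different team) is used to cross-check the
externally facing hosts. Comparing the two surfaces (a) findings that
were suppressed in the primary report but are still live, (b) findings
one engine missed entirely, and (c) findings older than the patch SLA.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str               # externally reachable hostname (constructed)
    vuln_id: str            # placeholder CVE-style identifier (constructed)
    severity: str           # "critical" / "high" / "medium" / "low"
    patch_available: date   # date a vendor fix was published (constructed)


# Constructed primary-scanner output, plus the suppression list the
# reporting system applied before generating the report.
PRIMARY_RAW = [
    Finding("web-01.example.test", "CVE-YYYY-0001", "critical", date(2017, 3, 7)),
    Finding("web-01.example.test", "CVE-YYYY-0002", "medium", date(2017, 5, 1)),
    Finding("web-02.example.test", "CVE-YYYY-0003", "high", date(2017, 6, 15)),
]
PRIMARY_SUPPRESSED = {("web-01.example.test", "CVE-YYYY-0001")}

# Constructed secondary-scanner output from an independent engine.
SECONDARY = [
    Finding("web-01.example.test", "CVE-YYYY-0001", "critical", date(2017, 3, 7)),
    Finding("web-02.example.test", "CVE-YYYY-0003", "high", date(2017, 6, 15)),
    Finding("web-02.example.test", "CVE-YYYY-0004", "low", date(2017, 7, 20)),
]


def key(host: str, vuln_id: str) -> tuple:
    """Normalise a (host, vulnerability) pair so the two engines' naming matches."""
    return (host.strip().lower(), vuln_id.strip().upper())


def primary_report(raw, suppressed):
    """What the primary reporting system actually shows: raw minus suppressed."""
    hidden = {key(h, v) for h, v in suppressed}
    return [f for f in raw if key(f.host, f.vuln_id) not in hidden]


def reconcile(primary_raw, primary_suppressed, secondary, as_of: date, sla_days: int) -> dict:
    """Cross-check the primary report against the independent scan."""
    hidden = {key(h, v) for h, v in primary_suppressed}
    reported = {key(f.host, f.vuln_id): f for f in primary_report(primary_raw, primary_suppressed)}
    independent = {key(f.host, f.vuln_id): f for f in secondary}

    result = {
        "confirmed": [],            # both engines agree the finding is present
        "suppressed_but_live": [],  # hidden in the primary report, seen by the secondary scan
        "primary_missed": [],       # only the secondary engine found it
        "secondary_missed": [],     # only the primary engine found it
        "sla_breach": [],           # critical/high findings older than sla_days
    }
    for k in independent:
        if k in reported:
            result["confirmed"].append(k)
        elif k in hidden:
            result["suppressed_but_live"].append(k)
        else:
            result["primary_missed"].append(k)
    for k in reported:
        if k not in independent:
            result["secondary_missed"].append(k)

    # Patch-age check across everything either engine saw, suppressed or not.
    for k, f in {**reported, **independent}.items():
        age_days = (as_of - f.patch_available).days
        if f.severity in ("critical", "high") and age_days > sla_days:
            result["sla_breach"].append((k, age_days))
    return result


if __name__ == "__main__":
    outcome = reconcile(PRIMARY_RAW, PRIMARY_SUPPRESSED, SECONDARY, date(2017, 7, 29), sla_days=30)
    for bucket, items in outcome.items():
        print(f"{bucket}: {items}")
```

Anything in the `suppressed_but_live` bucket is exactly the failure mode described above: a suppression in the primary reporting system that an independent scan contradicts, which is the signal to review who suppressed the finding and why. The `secondary_missed` bucket is just as useful in the other direction, since it exposes coverage gaps in the secondary engine rather than blind faith in either one.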

So What Does This Mean for Your Business?

Businesses will never reach the finish line in cybersecurity. 

Even as businesses get better at deploying defenses, new flaws and new attacks will continue to be identified and launched, which will require organizations to continually adapt their programs and defenses accordingly. Entities committed to proper cybersecurity and data protection must acknowledge this fact and decide to either run the race, or stop committing resources to cybersecurity and face the risks and resulting consequences. 

For those businesses that are committed to properly and effectively managing cybersecurity risks, cybersecurity professionals such as LBMC's Information Security team continue to find ways to safeguard against the newest threats and attacks, and our mission is to work with organizations to elevate their security objectives into effective, risk-managing cybersecurity programs.

Learn more about LBMC's managed security services!

Download Breach: A Guide to Network Security Best Practices for Prevention, Detection, and Response.

Inside you’ll learn:

  • Risk assessment tips — how to gauge the relative security of your data
  • Why you need to shift the focus from technology and tactics to people and processes
  • How to mitigate cyber crime through better controls and processes
  • Practical strategies for reducing cyber crime
  • How to assess which security tasks to handle in-house and when to consider adding managed security services 

Download the free guide to make sure your network security and data are safe. We hope you find it useful!