When data breaches occur, especially ones with a critical impact and a large number of affected consumers, such as the Equifax data breach, the public rightly deserves to know the facts related to the situation. A global, well-funded organization such as Equifax should certainly have the internal resources and expertise to design and implement a comprehensive cybersecurity program. So, a logical question one might ask is, “Why was a vulnerable Internet-facing system left unpatched for so long?”
Given the size of the company and the nature of its business (Equifax collects and provides personal information on many consumers as a part of credit checks and other inquiries), it would seem fair to assume that Equifax’s internal cybersecurity and IT experts understand and are accountable to proper cybersecurity measures, and that the company’s cybersecurity program is adequately funded and staffed.
From the details made available regarding the breach, Equifax claims that the breach occurred from an unpatched vulnerability in a commonly used web application server operating system (Apache) and that the specific vulnerability was discovered, reported, and a patch was issued for Apache in March of this year. However, Equifax neglected to apply the patch to the system that would later be compromised.
As Equifax apparently has a vulnerability management process that involves regularly scanning and patching its systems, many are questioning how this intrusion came to be and why the company’s processes failed to identify and apply the patch.
3 Lessons Learned from the Equifax Data Breach
In examining the root cause of this data breach, here are three key things to consider for your organization's cybersecurity program:
1. Accidents Happen.
Even for businesses that have mature cybersecurity processes in place, sometimes missteps or control failures can occur.
In the case of the Equifax data breach, it’s very likely that the company had a robust security program in place; however, the Apache Struts vulnerability was apparently suppressed in the company’s vulnerability reporting system, so it never appeared in the system’s reports.
Had the issue shown up on the report properly, the company’s threat and vulnerability experts could have notified the responsible areas, as well as followed up to ensure that proper patches were installed. A second, independent vulnerability validation process could have helped in this case.
Note that vulnerability suppression is not an excuse for this breach, but rather, it is an example of how control processes are not infallible.
2. Cyber Attacks Are Inevitable.
Companies with large troves of sensitive data in their systems, and especially ones in the sensitive data business, should expect to be targets for attackers in search of data that can be used for identity theft, credit card fraud, or insurance fraud.
Equifax was, no doubt, aware of such threats; however, a proactive approach to cybersecurity is the best strategy for safeguarding against these inevitable attackers.
3. A Layered, Defense-In-Depth Strategy Can Help.
A layered, defense-in-depth strategy, such as the one LBMC Information Security's team espouses, includes multiple, layered security controls so that there is rarely a reliance on a single control to provide sole and complete protection, as well as periodic inspections of a company’s security posture to validate that controls are functioning as intended.
The Equifax breach didn’t originate from a failure to implement an information security program, but rather from a failure in at least one control process within the program.
When it comes to vulnerability management, high-risk organizations would be well-served to have a second vulnerability scanning process to serve as a “double check” of the company’s externally-accessible systems to ensure that all security vulnerabilities are identified, categorized, inventoried, and remediated in a timely manner.
Ideally, this second scanning process should be conducted using a separate vulnerability scanning engine, as well as by a department or entity independent from the internal function that conducts the primary vulnerability scanning processes.
Had Equifax implemented a secondary vulnerability scanning process, it is likely that the Struts vulnerability would have been detected and could have been added to the company’s vulnerability management efforts, and the breakdown in the primary vulnerability scanning process would have also been detected and could have been addressed.
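The following script is an added example, not tooling from LBMC or Equifax, of the “double check” described above: it reconciles a primary vulnerability report against an independent second scan of externally-accessible systems and surfaces exactly the failure mode in this case, a finding that is live on the host but suppressed in the primary reporting system. The input format, field names, host names and vulnerability identifiers are all constructed for illustration.

```python
"""Cross-check a primary vulnerability report against an independent second scan.

Added example (not LBMC's or Equifax's tooling). Input formats, field names,
host names and vulnerability identifiers below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str      # externally reachable host (constructed name)
    vuln_id: str    # scanner/CVE identifier (placeholder value)
    status: str     # "open", "remediated" or "suppressed"


# Constructed sample: the primary system holds a suppressed finding on web-02,
# so web-02's flaw never reaches the remediation queue.
PRIMARY = [
    Finding("web-01", "VULN-A", "open"),
    Finding("web-02", "VULN-A", "suppressed"),
    Finding("web-03", "VULN-B", "remediated"),
]
# Independent engine, run by a separate team against the same external estate.
SECONDARY = [
    Finding("web-01", "VULN-A", "open"),
    Finding("web-01", "VULN-C", "open"),
    Finding("web-02", "VULN-A", "open"),
    Finding("web-03", "VULN-B", "open"),
]
# Authoritative inventory of Internet-facing hosts (constructed).
EXTERNAL_INVENTORY = {"web-01", "web-02", "web-03", "web-04"}


def reconcile(primary, secondary, inventory):
    """Return the discrepancies a single scanning process would hide."""
    tracked = {(f.asset, f.vuln_id): f.status for f in primary}
    seen = {f.asset for f in primary} | {f.asset for f in secondary}
    report = {"suppressed_but_live": [], "missed_by_primary": [], "reopened": [],
              # Hosts neither scan reported on: a coverage gap to chase down.
              "unscanned_assets": sorted(inventory - seen)}
    for f in secondary:
        if f.status != "open":
            continue
        status = tracked.get((f.asset, f.vuln_id))
        if status is None:
            report["missed_by_primary"].append((f.asset, f.vuln_id))
        elif status == "suppressed":     # the Equifax-style breakdown
            report["suppressed_but_live"].append((f.asset, f.vuln_id))
        elif status == "remediated":     # fix did not stick, or regressed
            report["reopened"].append((f.asset, f.vuln_id))
    return report


if __name__ == "__main__":
    for category, items in reconcile(PRIMARY, SECONDARY, EXTERNAL_INVENTORY).items():
        print(f"{category}: {items}")
```

Each non-empty category is a signal that the primary process, not just a host, needs attention; “suppressed_but_live” entries in particular should be escalated rather than silently re-queued.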
The number of threats and the potential impact of cyber attacks is only expected to increase. Here are just a few of the most alarming enterprise cybersecurity predictions according to Cybersecurity Ventures:
- Global ransomware damage costs are predicted to exceed $5 billion this year.
- Nearly half of all cyber-attacks are committed against small businesses.
- Cybercrime damages will cost the world $6 trillion annually by 2021.
If there’s one lesson we’ve learned so far this year, it’s that hackers are always innovating and looking for new ways to attack businesses. IT professionals must constantly keep pace with the changing landscape of cybersecurity to ensure their data is secure.
The Top 3 Cybersecurity Threats
As part of Cybersecurity Awareness month, we wanted to identify some of the most common cybersecurity threats in the market today and share some actionable steps you can take to protect your organization from them.
1. Unpatched Software
The rise in ransomware attacks has been well documented in 2017. Two of these attacks, WannaCry and Petya, both occurred through unpatched Microsoft Windows operating systems. Today's hackers are well aware of the software updates companies make and will look for every opportunity to exploit any systems that are not updated.
How to Avoid it:
The most common unpatched and exploited programs are browser add-in programs like Adobe Reader and other programs people often use to make surfing the web easier. Having a layered, defense-in-depth strategy is essential for avoiding the careless mistakes that lead to attacks through unpatched software.
2. Sophisticated Phishing Campaigns
Approximately 60 to 70 percent of email is spam. And while phishing emails used to be more obvious, today’s hackers are becoming more sophisticated with the addition of specific company information regarding billing, logistics, and more. The recent increase in EMOTET Trojan Activity is just one example of the increasing sophistication of phishing campaigns. These phishing campaigns contain an increasing variety of malware including banking trojans and the increasingly popular ransomware.
How to Avoid it:
Because of the prevalence of this type of attack, developing an anti-phishing strategy is a must. Educating employees on the potential threats and leveraging inline solutions that proactively identify and quarantine such email threats before they reach a user’s inbox are two essential ways to avoid these attacks. Two-factor authentication measures are also valuable.
3. Employee Social Media Threats
One of the biggest potential threats to a company's cybersecurity is a pathway it might not even be monitoring: its employees' social media. In a social media environment, employees may accept an invitation to connect with someone who appears to be worth following or friending but is in fact a phishing hook that lures users into clicking on bad links. Today's corporate hackers love exploiting corporate social media accounts, both for the embarrassment factor and to glean passwords that might be shared between the social media site and the corporate network.
How to Avoid it:
Today’s social media threats usually arrive as a rogue friend or application install request. The most important step to take is educating employees at all levels about the risks involved with social media use and how they can protect themselves by being smart about whom they “accept” and by taking a close look at links before clicking on them.
The Biggest Lesson: Always Be On Guard
Maintaining an effective cybersecurity program is a constant battle. It can be difficult to stay up-to-date with the latest attack trends, and you may feel like you need to watch over your shoulder on a daily basis. But trust us: it's much better than the alternative. The consequences of a company-wide security breach will cost you far more than the time, energy, and resources you spend putting the proper security measures in place.
What Does This Mean for Your Business?
Businesses will never reach the finish line in cybersecurity.
Even as businesses get better at deploying defenses, new flaws and new attacks will continue to be identified and launched, which will require organizations to continually adapt their programs and defenses accordingly. Entities committed to proper cybersecurity and data protection must acknowledge this fact and decide to either run the race or stop committing resources to cybersecurity and face the risks and resulting consequences.
For those businesses that are committed to properly and effectively managing cybersecurity risks, cybersecurity professionals such as LBMC Information Security's team continue to find ways to safeguard against the newest threats and attacks, and our mission is to work with organizations to elevate their security objectives into effective, risk-managing cybersecurity programs.
Learn more about LBMC's managed security services!