Preventing Equifax-Style Hacks

The recent settlement with Equifax over a data breach has brought cybersecurity back into the national conversation. People are angry and making accusations, but how can companies stop this from happening again?

The answer is a little less newsworthy: Everything is in the code.

Before it's too late, organizations can take different steps to deal with technical debt. When organizations don't keep their applications up to date with the latest patch or point level, this is called "technical debt." This leaves organizations open to what are called CVEs, or common vulnerabilities and exposures.

2 different scary things happened IN 2017

In 2017, Equifax announced two concerning events, one in its United States-based operations due to an Apache Struts vulnerability and another in its Argentine operations. Taking the Equifax occurrences into account, we can see how important it is to employ strategies like defence in depth, layered controls, and risk management to strike a good balance between data privacy, security, and availability.

There has been a departure at Equifax of both the Chief Information Officer and Chief Security Officer, as you may already know. In this piece, we'll analyze how the principles taught in CISSP training could have lessened the severity and frequency of the Equifax attacks.

In light of recent occurrences like the Equifax breaches, the eight areas of expertise outlined in the (ISC)2 Common Body of Knowledge have never been more relevant (CBK).

What causes information leaks?

From what we have seen, compatibility is a major consideration. Features and plugins in older versions of Struts may not work properly or at all, and upgrades may be difficult or impossible. These are probably just excuses for why Equifax didn't employ their engineering resources to upgrade to the most recent version of Struts and thereby secure their customers' data from the exposed hack.

Engineers are often pushed to focus on delivering business value and functionality rather than focusing on modernizing software components. They must also maintain up-to-date library or technology stack resources. Officers responsible for information security have been making developers and businesses aware of these CVEs. Choosing where to invest in research and development is a difficult gamble for organizations to take. Without early action to fix CVEs, the danger can easily be the company's undoing.

This exploit is similar to SQL Injection assaults, which often go undetected by perimeter security mechanisms like firewalls, DDOS protection, and intrusion detection. Webservers are vulnerable because exploits are injected into them, allowing hackers to propagate quickly throughout a company. Then they can access information that would normally be protected.

Many application build processes still employ static references to the dependencies and libraries that end up as part of the product in production, even in the age of Agile development with DevOps, continuous integration, and continuous delivery.

One source of the issue is the prevalence of hard-coded references in the build (e.g., the POM file) or in a repository that does not evolve, like Nexus or Artifactory. On the other hand, you may use technologies like Gradle and Git to automatically update your libraries and dependencies with every build.

Put Risk Management First

Risk management and laying down proper policies and standards are the foundation of the "defence in depth" strategy. The Apache Struts security flaw that was released in March 2017 was linked to the U.S.-based Equifax problem, and policies might have specified how often vulnerability scans were to be run and how often they needed to be followed up on.

Systems could be required to be patched within a certain period when a vulnerability is discovered, or the policy could stipulate that the risk involved be evaluated by upper management before an exception from the policy is granted.

With the help of the Software Development Life Cycle guidelines and procedures, the risk assessment will outline the essential enhancements.

One of the initial things that should have been checked before launching a production website in Argentina or after a system change would have been a database that had the vendor default account and password left accessible.

Malicious requests might have been thwarted if an Intrusion Prevention System (IPS) had been in place. Another option would have been to use a Security Information and Event Management (SIEM) system to compile and flag unusual behaviour within a given time window. While we don't yet have all the facts, it's important to keep in mind that the idea of "defence in depth" necessitates the employment of numerous controls to reduce risk to an "acceptable level."

Security, Privacy, and Discretion

Availability, veracity, and privacy are all interconnected. We can keep secrets if we restrict access, but then the company won't have the information it needs to function. The instant situation demands the bureau to have an appropriate report and make it immediately available to the creditor.

This is because many of us today take advantage of "instant credit" while waiting in line or sitting in front of our computers to apply for enticing discounts, promotional financing, or good bonuses with a special credit account.

However, at least some of the improperly accessed records were those in which a person had filed a dispute. The database was an excellent illustration of a system where secrecy should arguably have been the driving factor above availability because of the sensitive information contained in those conflicts (complete social security numbers and even driver's license information).

Although the U.S. incident was linked to an Apache Struts attack, Equifax's Argentine operations used a web-facing database with the default username and password of "admin" and "admin," respectively.

The integrity of the data in the Argentine database is questionable due to the usage of a default username that appears in the vendor documentation, thereby disregarding the confidentiality of the information. One major factor in the need for secrecy is the importance of the information at hand.

To safeguard its subscription revenue, a news site will implement access restrictions on some articles. The data in credit reports is an excellent example of data that requires the maximum level of control to preserve the secrecy of that information, and it is used throughout our lives, not just now but for years to come.

Conclusion

The Equifax mishaps serve as a timely reminder that we implement procedures to safeguard the information entrusted to us. When asked why we have so many different areas to study, I always point to the Equifax occurrences as an example of why it's important to cover all of these grounds.