The Equifax Data Breach Disaster: ICIT’s Synopsis of America’s In-Credible Insecurity

The following are some of the key points excerpted from Part One of the ICIT Equifax report entitled “America’s In-Credible Insecurity,” written by James Scott, Senior Fellow, Institute for Critical Infrastructure.

This polemic 32-page report is an essential read for security practitioners and executives with responsibility for data security and privacy, and a profound warning for CXOs and board executives in companies with responsibility for protecting Personally Identifiable Information (PII).

The recommendations offered in this ICIT report can help consumers and organizations alike mitigate some of the emerging attack vectors and regain a semblance of control over their identity, sensitive information and lives. Moreover, it summarizes essential elements of a strong security policy in the Organization Remediation section and excerpts the best practices in the Technical Controls section of the report that are fundamental in protecting sensitive assets.

Had the recommendations in this article been implemented by competent security professionals, this breach would most likely not have happened.

It seems that competent security leadership should be common sense for a publicly traded company, as cyber security is extremely complex, threats are evolving fast and organizations are struggling to keep up with changing technology. It is beyond belief that the two now ex-cyber security leaders were security neophytes rather than natives.

Organizational Remediation

Develop an Information Security Team

A qualified information security team with adequate resources is an organization’s best defense against internal and external threats.

The work of the information security team begins with a comprehensive risk analysis that identifies critical data assets, system vulnerabilities, risks according to the current threat landscape and deficiencies in the organizational cyber security, cyber-hygiene training, or incident response plan. Without a risk assessment, the organization cannot make informed cyber security decisions.

If Equifax had controls in place to monitor data egress, it would have noticed the significant data traffic of 143 million consumers’ information leaving its servers. Without qualified information security personnel, technical controls do little other than reinforce the C-suite’s delusion of security.

It is important that the C-suite and senior management consult the information security team on cyber security decisions, because the executives may not grasp the realistic view of the organization’s cyber-posture in relation to the modern threat landscape.

Heed the Information Security Team

In most incidents, the non-technical and technical controls implemented by the information security team as a result of a comprehensive risk assessment would have precluded the compromise of critical systems or the exfiltration of sensitive data if personnel had only acted in accordance with the implemented controls.

All too often, the policies, procedures, guidelines and controls implemented by the information security team are only paid lip service or are broadly interpreted.

Protect Data According to Its Value

Data brokers and other organizations in possession of treasure troves of sensitive PII, EHRs, and other valuable data are the constant targets of threat actors ranging from cybercriminals to nation-state sponsored APTs. The number of attempted and successful intrusions is limited when data is protected according to its value wherever it is stored, however it is transmitted, and whenever it is processed.

Update and Patch

Systems and applications are investments that require the same level of due diligence and upkeep as tangible assets. Many organizations struggle with patch management, and there can be a significant gap between vulnerability revelation and system and application updates.

That seems to have been the case with Equifax. The Apache Struts vulnerability (CVE-2017-5638) was made public on March 7, 2017, and a patch was made available on that very same day.

To alleviate the burden of patching, organizations should automate patches wherever possible and incorporate regular updating and patching into the daily duties of a well-resourced information security team.

The Principle of Least Privilege

Critical assets may be servers containing personally identifiable information (PII), electronic health records (EHR), financial records, or intellectual property, or they could be vital services such as email, payroll, and networked device control panels.

Personnel should only be assigned the least privileges necessary to fulfill their role in the organization. Privileges should be periodically reassessed to ensure that roles and needs have not changed, and to ensure that privileges are revoked from users who no longer perform the specified roles in the organization.

Limit Access to Necessity

Critical assets are best protected by limiting access to only those personnel who absolutely require it to fulfill their roles in the organization. Even if a position requires access to a critical asset, it may not require access to all the data contained within that asset.

Segregate Administrative Duties by Role

Administrative duties should be separated so that one individual does not have control over an entire process. For example, an employee should not be able to request, authorize, process, and receive payment for a product or service.

No system administrator needs to have the highest level of permissions or carte blanche access to any data or system on the network. Segmenting administrative duties limits potential lateral movement.
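
The periodic privilege reassessment and the payment-process separation described above can be run as a scheduled access review. This is an added example, not code from the ICIT report or from Centrify; the role names, entitlement strings, 90-day review interval and sample users are constructed assumptions.

```python
from datetime import date

# Assumed role-to-entitlement baseline (constructed for this example).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"payment.request"},
    "ap_manager": {"payment.authorize"},
    "treasury": {"payment.process"},
    "dba": {"db.admin"},
}
# The page's example: no one person should request, authorize, process
# and receive a payment. Assumption: holding more than one step is a conflict.
SOD_CONFLICTS = [
    {"payment.request", "payment.authorize", "payment.process", "payment.receive"},
]
# Constructed sample accounts; role None means the user left the role.
USERS = [
    {"name": "alice", "role": "ap_clerk", "grants": {"payment.request"},
     "last_review": date(2017, 8, 1)},
    {"name": "bob", "role": "ap_manager",
     "grants": {"payment.authorize", "payment.request", "pii.read"},
     "last_review": date(2016, 11, 15)},
    {"name": "carol", "role": None, "grants": {"db.admin"},
     "last_review": date(2017, 2, 1)},
]

def review(users, today, max_age_days=90):
    """Return (user, finding, detail) tuples for every access-review issue."""
    findings = []
    for u in users:
        allowed = ROLE_ENTITLEMENTS.get(u["role"], set())
        excess = u["grants"] - allowed  # privileges the current role does not need
        if excess:
            findings.append((u["name"], "excess", sorted(excess)))
        for steps in SOD_CONFLICTS:
            held = u["grants"] & steps  # steps of one process held by one person
            if len(held) > 1:
                findings.append((u["name"], "sod", sorted(held)))
        age = (today - u["last_review"]).days
        if age > max_age_days:  # reassessment is overdue
            findings.append((u["name"], "stale_review", age))
    return findings

if __name__ == "__main__":
    for name, kind, detail in review(USERS, date(2017, 9, 20)):
        print(f"{name:6} {kind:13} {detail}")
```
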

Conclusion

Equifax’s inability to remediate the Apache Struts vulnerability with a readily available patch will cost the organization millions or billions of dollars and will put nearly half of the United States population at risk of identity theft, fiscal fraud or medical account compromise for at least the next decade.

Worse, because Equifax delayed disclosure and botched incident response, consumers are severely unprepared for the onslaught of social engineering campaigns and exploitative attacks that cybercriminals and techno-mercenaries are preparing to launch.

Centrify strongly endorses the above policy and remediation suggestions proposed by ICIT. Our most advanced customers have adopted these principles and have substantially reduced the risk of breach.

Join ICIT and Centrify, along with an array of Cybersecurity luminaries including Gen (Ret.) Keith Alexander at CyberConnect in New York on November 6-7, 2017.