In the wake of the massive Equifax data breach, there’s a lot we can learn about what to do, what not to do, and how to move forward in an increasingly digital world.
Former President George W. Bush once [not so] eloquently asked, “Is our children learning?” As someone in the security field, I have my own concerns and repeatedly wonder, “Is our enterprises learning?” Major security breaches fill the headlines week after week with no indication that we are learning from our mistakes. Especially when the digital world provides you a virtual minefield of mishaps, most have been unable, or unwilling, to change their ways.
Unfortunately, many organizations lack the funding for security initiatives, and there is an alarming dearth of available cybersecurity talent. This contributes to an inability to adequately address the continuous nature of risk assessment and security control. The fact is, security never stops. But when an issue affects 143 million people like the Equifax hack did, it becomes evident that no one can sit back and hope for the best. We’re now living in a post-Equifax world, and if nothing previously has woken us up to the need to improve our cloud security, then let this be that thing.
The story behind the attack speaks to both the ease with which hackers accessed a trove of files, and the inability — willful or otherwise — on the part of Equifax to ensure proper security controls. The information that has come to light shows that hackers exploited a flaw in the Apache Struts framework, a flaw that users had been warned about and Apache had fixed months prior to the attack. Representatives at Equifax have confirmed that that flaw had been addressed, yet the Wall Street Journal reports that the company was still seeing problems related to that flaw even in late June. Krebs even reported that as of last week, an Equifax portal that could provide access to other sensitive files was protected only with the username/password combination of “admin/admin.” (I mean, come on!)
The collateral damage is just starting to unfold and it’s already bad. A federal criminal investigation has been launched (others are sure to follow), lawsuits are being brought against the company (others will DEFINITELY follow), executive behavior is being scrutinized, the company has lost about $6 billion in market value, and fingers are pointing all over the place. To add to the confusion and frustration, Equifax has not been particularly forthcoming in their communication about what exactly happened, how they’re fixing it, and what the future holds. Customers are confused and angry, social media will keep this story alive for a long time, and the company is generally taking a beating globally.
It turns out that it wasn’t a very complicated attack, and that really makes this sting. We tend to think of hackers as mad geniuses who hold some savant-ish ability to see through radically complex algorithms and focus in on finding the data equivalent of crown jewels. The reality is usually quite different from that; it tends to be lax monitoring or poorly configured IT assets that leave open databases and other repositories. Of course there’s no excuse for anyone who exploits another person or asset for personal gain. But we all know hackers are out there, and yet we keep doing things like leaving folders titled “Passwords”in servers where the password is “password.”
Because it deals in credit data and personal information, Equifax is already a target for hackers, but once the Apache flaw became known, it put the company squarely into their crosshairs. Questions about why the issue wasn’t adequately handled have to be answered. An overview of Equifax’ security protocols and processes has to come to light. But we can learn from Equifax’ misfortunes and create a strategy for operating in environments that are inherently insecure by taking measures to strengthen our enterprise security posture and ensure that we can eliminate some vulnerabilities and have confidence that we can rapidly fix those we become aware of. The key is just that, however – awareness. It breeds the ability to control and without control we have very little hope for avoiding the fate of Equifax and so many others like it.
There will be another breach, soon. And then another after that. Technology isn’t perfect, and the potential for risk will always be part of our digital world, but we need to stop making it easy for hackers to take advantage so easily.