Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains, prior to a data breach that exposed the personal data of over 143 million people, including 15.2 million UK records.
That’s according to a new report from the US House of Representatives’ Oversight Committee. It gave short shrift to the company’s argument that one IT technician failing to patch was to blame for the breach, in which hackers exploited a vulnerability in the Apache Struts web application framework to steal the personal data of roughly half of America’s population.
The 96-page report [pdf] is a salutary lesson in how a major breach happens, and its two root points of failure will sound eerily familiar to many enterprises.
Equifax Security Failure: Lack of Accountability and IT Complexity Blamed
As the report notes: “Firstly, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner.”
“Secondly, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging.”
How the Hack Happened
The report is also a compelling insight into how the hack occurred. During the attack, which began in May 2017 and lasted for 76 days, the attackers dropped web shells (web-based backdoors) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling them to reach sensitive data outside of the ACIS environment (the Automated Consumer Interview System, the consumer dispute portal on which the vulnerable Struts instance ran). The attackers were able to use these credentials to access 48 unrelated databases.
The report notes: “Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate.”
Another learning point: 67 of Equifax’s self-hosted webapps can’t have generated any IDS alerts for almost two years due to expired SSL inspection certs. If you aren’t getting any IDS alerts, you need a process to detect, and prioritise remediation.
— Kevin Beaumont (@GossiTheDog) December 11, 2018
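The failure described in the report and in the tweet above is a monitoring gap that no alert can announce: a sensor whose inspection certificate has expired produces nothing, so the only way to notice it is to compare what is alerting against an independent inventory of what should be. The following script is an added example, not code from the report, from Equifax or from the article; it implements the two checks a practitioner would want, certificate expiry against a warning window and "silent sensor" detection against an expected-sensor list, over constructed sample data. The inventory and alert-log formats, the host names and the dates are all assumptions made for the example.

```python
# Added example (not from the report or the article): two inventory-driven checks
# that would have surfaced the failure described above. All data below is
# constructed for the example; the inventory and log formats are hypothetical.
from datetime import datetime, timedelta, timezone

# Constructed inventory: (host, role, notAfter as UTC ISO-8601).
# In practice this is pulled from the devices themselves (e.g. openssl x509 -enddate),
# never maintained by hand.
CERT_INVENTORY = [
    ("acis-ssl-inspect-01", "ssl-inspection", "2016-01-31T00:00:00Z"),  # long expired
    ("ids-sensor-dmz",      "ssl-inspection", "2017-08-20T00:00:00Z"),  # expires soon
    ("www-portal",          "public-web",     "2018-01-20T00:00:00Z"),  # fine
]

# Constructed IDS alert lines (hypothetical format: "<ts> sensor=<name> sig=<text>").
ALERT_LOG = """\
2017-07-28T03:15:00Z sensor=ids-sensor-corp sig=ET SCAN Potential SSH Scan
2017-07-29T01:43:12Z sensor=ids-sensor-dmz sig=ET WEB_SERVER Possible Struts OGNL injection
2017-07-29T11:58:03Z sensor=ids-sensor-dmz sig=ET POLICY Outbound TLS to rare destination
"""

# Every sensor that *should* be producing alerts. This list is the whole point:
# a sensor blinded by an expired certificate emits nothing, so its absence can
# only be detected against an inventory that does not come from the sensors.
EXPECTED_SENSORS = ["ids-sensor-dmz", "ids-sensor-corp", "acis-ssl-inspect-01"]


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' stamps used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiring_certs(inventory, now, warn_days=30):
    """Return (host, role, status, days_left) for certs expired or within warn_days."""
    findings = []
    for host, role, not_after in inventory:
        # Whole-day arithmetic on dates avoids off-by-one from partial days.
        days_left = (parse_ts(not_after).date() - now.date()).days
        if days_left < 0:
            findings.append((host, role, "EXPIRED", days_left))
        elif days_left <= warn_days:
            findings.append((host, role, "EXPIRING", days_left))
    return findings


def silent_sensors(log_text, expected, now, max_silence=timedelta(hours=24)):
    """Return (sensor, last_alert, status) for expected sensors with no recent alert."""
    last_seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        name = next((tok[len("sensor="):] for tok in rest.split()
                     if tok.startswith("sensor=")), None)
        if name is None:
            continue
        when = parse_ts(ts)
        if name not in last_seen or when > last_seen[name]:
            last_seen[name] = when
    findings = []
    for sensor in expected:
        seen = last_seen.get(sensor)
        if seen is None:
            findings.append((sensor, None, "NEVER_SEEN"))
        elif now - seen > max_silence:
            findings.append((sensor, seen.strftime("%Y-%m-%dT%H:%M:%SZ"), "SILENT"))
    return findings


def run_checks(now):
    """Run both checks for a given point in time and return the findings together."""
    return {
        "certs": expiring_certs(CERT_INVENTORY, now),
        "sensors": silent_sensors(ALERT_LOG, EXPECTED_SENSORS, now),
    }


if __name__ == "__main__":
    # Constructed "now", chosen to sit inside the report's July 2017 discovery window.
    report = run_checks(parse_ts("2017-07-29T12:00:00Z"))
    for host, role, status, days in report["certs"]:
        print(f"CERT   {status:8} {host:22} ({role}) {days:+d} days")
    for sensor, last, status in report["sensors"]:
        print(f"SENSOR {status:10} {sensor:22} last alert: {last or 'never'}")
```

Run on the constructed data, the certificate check flags the ACIS inspection host as expired by 545 days and the DMZ sensor as 22 days from expiry, while the sensor check reports the corporate sensor silent for more than a day and the ACIS inspection host as never having alerted at all. The second finding is the one Equifax lacked for 19 months: it comes from the expected-sensor list, not from anything the blind device produced, which is why the list has to be maintained independently of the monitoring stack it checks.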
Chris Wallis, founder of UK-based security monitoring provider Intruder, told Computer Business Review: “An outsourced approach may have helped in this case, allowing external teams of experts to properly configure tools capable of detecting the weaknesses on the perimeter, while the internal teams focused on the detection and response capabilities. Equally, better asset management and modern cloud deployment techniques could have helped the security team know where to aim their scans.”
He added: “What’s also amazing is the time between the vulnerability being announced, and exploits occurring. This is a trend that we also saw with the Drupal vulnerabilities this year – the time between vulnerabilities being announced and hackers exploiting them is days, not months. This raises questions about how many companies secure themselves, and in fact why the PCI Data Security Standard is still only mandating quarterly vulnerability scans. If this doesn’t change soon, we’re likely to see our credit card data going the same way as our credit reference data.”
Identity Needs to be “More Dynamic”
Chris Morales, head of security analytics at Vectra, told Computer Business Review in an emailed statement: “The best data protection strategy is to not have the data… The definition of identity needs to be more dynamic. A person would better be identified based on biometrics and behaviour, not just SSN (and driver’s license or any other type of simple digit-based identifier). What is needed is modernisation of back end systems to support new authentication techniques that would better serve as a personal identity.”
He added: “As for preventing the breach, I don’t believe prevention will ever be 100%. That is unrealistic. I bring this up because the report states the breach was entirely preventable. I don’t believe that to be true. It is a classic could-have, should-have scenario. All networks have become highly complex and the failure comes down to people and process, not necessarily technology. As long as a motive exists, attackers will continuously attempt to compromise networks until they succeed. It is the same notion as building a wall would stop the drug trade. The criminals build tunnels instead.”
“What I do believe is we can improve our ability to detect and respond when a breach occurs by looking for the type of behaviours an attacker would perform and correlating those in real time to alert on the most critical of actions before they become a problem to reduce the impact. We have to get faster at detecting the attacks that will and do happen.”
Equifax has since hired award-winning CISO Jamil Farshchi to shake up its security. He was named CISO of the year last month by the publication CIO Dive.