In early September, Equifax, one of the largest credit agencies in the country, announced a major cybersecurity incident. Initial projections stated that 143 million US consumers were affected, however later findings added 2.5 million more people to the list of those impacted, including people in Canada and the United Kingdom. It's easily the worst corporate data breach to date. Let's take a look at what happened, and explore some important lessons that can be learned from the attack and Equifax’s subsequent response to help organisations of all sizes strengthen their cyber resiliency.
It was an unpatched vulnerability in Apache Struts, an open-source web server software that provides a programming framework for building web applications in Java, that let the cybercriminal in. There was a patch available, however it had not been applied successfully by Equifax. The vulnerability allowed the attacker to take control of their website and remain "resident” in the system for an estimated two months (although there is speculation this could have been a secondary attack and residence could have been longer). This means the attacker had the ability to control Equifax's website for a significant period of time and do whatever they wanted without detection.
In a Sept. 7 statement, Equifax said that most of the consumer information accessed included “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers” as well as “credit card numbers for approximately 209,000 consumers.” The company added that 182,000 credit-dispute documents, which contain personal information, were also stolen.
It was a gold mine of information for the thief. And there are serious implications of this information getting out.
Overall, Equifax’s response was poorly executed, and many may argue, negligent. While they did hire Mandiant, an American cybersecurity firm, to investigate and clean up the breach, they made many mistakes along the way. Here are just a few.
- Following the breach, they directed potential victims to a separate domain, equifaxsecurity2017.com, instead of building pages about the breach on their main, trusted website, www.equifax.com. The new site was riddled with bugs, and you could not rely on the application designed to let you know if you were part of the breach.
- The company’s official Twitter account mistakenly tweeted a phishing link four times, instead of the company’s actual breach response page.
- They waited at least a month before disclosing the breach, and company executives sold 2 million in stock holdings before the breach was disclosed.
It’s a laundry list of bad situations made worse by poor planning, response, and management. This is an organisation that is trusted with the most sensitive information for just about any American consumer. This incident seems to show that they did not take this charge as seriously as they should have, or care enough to do the most basic things well.
Evidence suggests the company had not invested in proper incident management and lacked any policies and procedures to guide response requirements. Plus their patch management program / execution failed and their detective controls were severely lacking or non-existent.
#1. Preparation is the key to effective response.
This is something we talk about a lot at Sage. If you’re relying on IT or basic computer response planning to get you through an incident like this, you’re going to find yourself in the same boat as Equifax. The planning aspect and the organisational intelligence of this function has to be your main focus. People, process, technology… in that order.
The thought that goes behind the preparation drives best practice for implementing controls. All the knowledge you need to do this right is readily available. There is no excuse in 2017! Especially when we have these clear examples of how to do it wrong.
#2. Standard preventative and detection controls are critical to incident management.
Leverage the knowledge that’s already out there to put a program in place that will protect you, your customers, your patients, and your clients. For example, let’s look at patching. It’s extremely important not to just trust when a patch is deployed, that it has been applied successfully. You need a culture around your controls, and the culture around patch management includes verifying patches have been successfully applied with scans and other tools.
The quicker you detect a threat, the better. As cybercriminals continue to get more adept at using techniques and building tools that circumvent traditional signature-based detection technologies, you may want to explore more proactive approaches, including cyber threat hunting. The SANS 2017 Threat Hunting Survey found that organisations using threat hunting tactics saw an improvement in both the speed and accuracy of response, a reduced number of actual breaches based on the number of incidents detected, along with many other measurable security improvements.
#3. Planning, practice, and testing processes must go beyond the checkbox.
Your goal should be increasing the capabilities and intelligence of your organisation. It’s really easy to say you’re testing a plan by getting everyone around the table once a year and doing a simulation. Challenge yourself to do more! Practice! Do departmental drills! We need to practice things we want to be good at. People in a crisis can’t be expected to execute a plan that’s never been practiced or has only been tested around a table.
Anyone can be breached at any time, it doesn’t matter what your control environment is. Preventative controls are going to eventually fail. If a criminal wants to get in, they are going to get in if they have enough time and resources. So you need to think about detective controls and response strategies. That’s what’s going to save the day. We now know that the longer a breach goes undetected, the more each record clean-up is going to cost you. It just behooves you from a business and strategic perspective to do this planning and practice.
#4. Disclosure and public relations protocols must also be carefully planned and rehearsed.
Again, you should know what you will say, who will say it, and how they will say it. It’s definitely a good idea to do practice and role play for those people responsible for delivering the messages. Get them out there and get critiques, then refine them.
#5. Know before the worst happens how you will respond to customers and the public.
This is more than just a verbal response. Just remember Equifax’s choice to stand-up a whole new website that was riddled with errors. That was a bad strategy from the beginning, and was poorly executed as well. You need to think about things like, how your message will go out on social media, how your message and your platform will be delivered, if you need to offer identity theft protection, and if you need to do more than talk to the public.
Be sure to test platforms used for communications, and ensure testing includes technical security testing of any publicly available information system that you need to deploy in response to an incident.