Was the zero day to blame at Equifax?
What an executive needs to know about the Equifax data breach
We have all read the headlines: Equifax was breached, and your social security number, birthday, name, and a litany of other information are likely for sale to the highest bidder. Amidst the maelstrom of their confused and haphazard PR attempts to control the narrative, their stock has plummeted and they have lost customer confidence.
If you read Equifax’s release on the subject, they lay the fault for this breach on an Apache Struts vulnerability. It may seem attractive to react, perhaps with an email to your IT security staff asking, “Do we use Apache Struts? Can this happen to us?” However attractive that approach is, it completely misses the scope of the root cause. This was not a tactical issue surrounding the use of a particular vulnerable piece of software; instead it was a strategic failure of culture and focus.
The real questions are:
- Can this happen to my organization?
- How can I prevent this from happening at my organization?
The answers are:
- Almost certainly.
- Keep reading.
Make no mistake; the reason why 143 million consumers’ social security numbers are on sale on the dark web has very little to do with Apache Struts and everything to do with three items of IT culture:
- Deplorable Data Controls
- Minuscule Monitoring
- Checkbox IT Audits
Blaming Apache Struts for this breach is analogous to blaming a car with an empty oil pan for catastrophic failure. The issue is not the car; the issue is the driver who ran the engine while neglecting to check the oil and periodically take the car to a mechanic. Software has vulnerabilities. It is too complex to avoid them.
Every piece of software you use has critical security vulnerabilities. No one can rely on software being bereft of vulnerabilities in order to protect their assets.
Data controls are what prevent irresponsible IT “drivers” from driving without oil. Frequently referred to as roadblocks, they are instead risk-blocks that prevent costly breaches by preventing unsafe configurations. Just like car manuals or next-oil-change stickers, data controls are written policies adhered to by an organization because, while they may slow deployment, the risk they reduce is more valuable than the immediacy of the “next big thing”.
Monitoring is what tells us that the oil is low and that continued operation risks catastrophic failure. Just like a dipstick or check-engine light indicating imminent or current failure, monitoring would have alerted Equifax that their customers’ private data was being exfiltrated from their datacenter to reside on the dark web. Monitoring is what alerts us to breaches and warns us to turn off the car to prevent further damage.
Just like taking your car to a mechanic for periodic checkups, thorough IT audits let objective outsiders assess the current state of your IT security posture. Instead of meaningful audits, however, it is more common that only haphazard checkbox surveys are completed, leading over time to a decline in security posture as threats evolve. A trusted mechanic informs you of dangerous conditions early, limiting overall impact; a true IT security audit does the same.
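What “monitoring” looks like in practice for the exfiltration case above, as an added example that is not part of the original article and does not describe Equifax’s actual environment: the script below reads constructed proxy log lines (format and values invented for illustration), totals the bytes each internal host sends out per day, and flags any host whose volume on a given day jumps far above its own median from prior days, also listing destinations that host had never contacted before. The ratio and history thresholds are illustrative choices, not a standard.

```python
"""Outbound-volume monitoring over constructed proxy log lines.

Added example, not code from the article. The log format, hosts, and byte
counts below are constructed; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import date
import statistics

# Constructed log lines: "YYYY-MM-DD src_ip dst_host bytes_out"
SAMPLE_LOG = """\
2017-07-01 10.0.5.23 crm.internal.example 40210
2017-07-01 10.0.5.23 cdn.example.net 18800
2017-07-01 10.0.5.40 mail.example.com 2210
2017-07-02 10.0.5.23 crm.internal.example 39120
2017-07-02 10.0.5.40 mail.example.com 2490
2017-07-03 10.0.5.23 crm.internal.example 41730
2017-07-03 10.0.5.40 mail.example.com 1980
2017-07-04 10.0.5.23 crm.internal.example 40011
2017-07-04 10.0.5.23 203.0.113.77 5120000
2017-07-04 10.0.5.23 203.0.113.77 4890000
2017-07-04 10.0.5.40 mail.example.com 2333
"""


def parse_log(text):
    """Return a list of (day, src_ip, dst_host, bytes_out); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((date.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue  # bad date or byte count: skip rather than crash the monitor
    return records


def daily_outbound(records):
    """Return {src_ip: {day: total_bytes_out}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in records:
        totals[src][day] += nbytes
    return totals


def find_exfil_candidates(totals, target_day, ratio=10.0, min_history=2):
    """Flag hosts whose target_day volume exceeds ratio x their median prior-day volume.

    ratio and min_history are illustrative (assumed) thresholds; tune per environment.
    """
    flagged = {}
    for src, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < target_day]
        if len(history) < min_history:
            continue  # not enough baseline to judge this host yet
        baseline = statistics.median(history)
        today = per_day.get(target_day, 0)
        if baseline > 0 and today > ratio * baseline:
            flagged[src] = (today, baseline)
    return flagged


def new_destinations(records, src_ip, target_day):
    """Destinations src_ip contacted on target_day but never on an earlier day."""
    before, on_day = set(), set()
    for day, src, dst, _n in records:
        if src != src_ip:
            continue
        if day < target_day:
            before.add(dst)
        elif day == target_day:
            on_day.add(dst)
    return sorted(on_day - before)


def analyze(log_text, target_day_iso):
    """Run the volume check for one day; returns {src_ip: details} for flagged hosts."""
    target_day = date.fromisoformat(target_day_iso)
    records = parse_log(log_text)
    flagged = find_exfil_candidates(daily_outbound(records), target_day)
    return {
        src: {
            "bytes": today,
            "baseline": baseline,
            "new_destinations": new_destinations(records, src, target_day),
        }
        for src, (today, baseline) in flagged.items()
    }


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG, "2017-07-04").items():
        print(f"{src}: {info['bytes']} bytes out vs median {info['baseline']}; "
              f"new destinations: {info['new_destinations']}")
```

On the constructed sample, 10.0.5.23 is flagged for 2017-07-04 (about ten million bytes against a median of 41730) and the only new destination is 203.0.113.77, while 10.0.5.40 stays quiet. The point is the shape of the check, a per-host baseline plus a novelty test on destinations, rather than the particular numbers: a real deployment would feed it from the proxy or firewall logs the organization already keeps and route the result to someone who is expected to act on it.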
Be an Agent of Change
Equifax rolled the dice with insufficient controls, monitoring, and auditing. For as long as we, the industry, treat these breaches as tactical situations (“Do we use Struts?”) instead of strategic IT cultural issues, breaches will continue to grow in frequency and in magnitude.
How can you prevent this in your organization? Be an agent of change that affirms the necessity of strategic IT security focus instead of merely “latest breach” tactical response. Invest focus, initiative, and budget at an executive level in controls, monitoring, and external audits.
Article by Karch Frankenfield
CyberSecurity Analyst and IT Controls Auditor