Cyber security experts worldwide are scratching their heads over the Equifax breach. The real question has to be: why were the attackers able to get to the data in the first place? And why wasn’t it encrypted?
Since then, Equifax has confirmed that an unpatched flaw in the Apache Struts web application framework was to blame for the breach, which exposed the social security numbers and other personal details of 143 million Americans, as well as personal details of around 400,000 UK customers.
Let’s be accurate: Equifax did not install the security update to Apache Struts when it came out, leaving it exposed to attackers looking for an easy way to breach its website and capture users’ personal data.
Unfortunately, it’s not an uncommon position for companies to find themselves in. Often systems cannot be patched because they run an older operating system or some piece of custom software that the vendor no longer supports. At that point it’s essential to examine those third-party contracts and whether they leave the company more exposed.
Applying the Apache Struts security update is more complex than it may sound. It is more involved than an operating system or system software update because the vulnerability resides within a web application framework that is bundled into each application built on it. Deploying the fix means updating the Struts dependency, then rebuilding and redeploying every web application that was built against the vulnerable version. Responsibility for this type of update falls between what SysOps and DevOps do within an organisation.
Traditionally, SysOps maintains and updates the infrastructure stack and DevOps builds web apps on top of it, so this update lies somewhere in between.
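As an added illustration (not code from the original article, and nothing to do with Equifax’s own systems), here is a small Python audit script that does the first job a patching team faces in this situation: finding which deployed web applications bundle a vulnerable struts2-core jar, since an operating system package update will never touch a jar that ships inside a WAR file. The application names and the WAR contents are constructed samples built in memory; the version thresholds are the first fixed releases from the March 2017 Struts advisory (2.3.32 on the 2.3 branch and 2.5.10.1 on the 2.5 branch) and should be adjusted for whichever advisory is being tracked.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# First fixed release per supported branch (March 2017 Struts advisory, S2-045).
# Assumption for this example: adjust these for the advisory you are tracking.
FIXED_FROM: Dict[Tuple[int, ...], Tuple[int, ...]] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Struts is bundled into each application as WEB-INF/lib/struts2-core-<version>.jar
JAR_RE = re.compile(r"^WEB-INF/lib/struts2-core-(\d[\w.\-]*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1). Parsing stops at the first
    non-numeric component, so '2.3.32-SNAPSHOT' is treated as 2.3.32."""
    parts: List[int] = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        if not match:
            break
        parts.append(int(match.group()))
        if match.group() != component:
            break
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the first fixed release on its branch.
    Branches with no fixed release (e.g. 2.0, 2.1, 2.2) are end-of-life, so
    there is no patch to apply and the application must be rebuilt anyway."""
    parsed = parse_version(version)
    fixed = FIXED_FROM.get(parsed[:2])
    if fixed is None:
        return True
    return parsed < fixed


def struts_versions_in_war(war_bytes: bytes) -> List[str]:
    """List every struts2-core version bundled in a WAR (zip) archive."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as archive:
        matches = (JAR_RE.match(name) for name in archive.namelist())
        return [m.group(1) for m in matches if m]


def audit_wars(wars: Dict[str, bytes]) -> Dict[str, dict]:
    """Report, per deployed WAR, whether it uses Struts and whether it
    still bundles a vulnerable version and therefore needs a rebuild."""
    report: Dict[str, dict] = {}
    for name, data in wars.items():
        versions = struts_versions_in_war(data)
        report[name] = {
            "versions": versions,
            "uses_struts": bool(versions),
            "vulnerable": any(is_vulnerable(v) for v in versions),
        }
    return report


def build_sample_war(struts_version: Optional[str]) -> bytes:
    """Constructed sample: a minimal WAR with a web.xml and, optionally,
    an (empty) struts2-core jar entry carrying the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("WEB-INF/web.xml", "<web-app/>")
        if struts_version:
            archive.writestr(f"WEB-INF/lib/struts2-core-{struts_version}.jar", b"")
    return buf.getvalue()


# Constructed inventory of "deployed" applications (hypothetical names).
SAMPLE_WARS: Dict[str, bytes] = {
    "app-a.war": build_sample_war("2.3.31"),     # 2.3 branch, one release short
    "app-b.war": build_sample_war("2.5.10.1"),   # already on the fixed release
    "app-c.war": build_sample_war("2.0.14"),     # end-of-life branch, no fix exists
    "static-site.war": build_sample_war(None),   # no Struts at all
}

if __name__ == "__main__":
    for war_name, result in audit_wars(SAMPLE_WARS).items():
        print(war_name, result)
```

In a real environment the dictionary of WARs would be read from each application server’s deployment directory (and from the build artefact repository, so the fix is verified at the source rather than only on one host); the point of the script is that the check has to be run per application, which is exactly why this patch falls between the SysOps and DevOps teams.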
Complexity is not an excuse
To successfully deploy this type of update, an organisation needs robust patch management processes and a joined-up technology team with clear responsibility and oversight, exactly the type of processes and team you’d expect a company like Equifax to have.
Equifax had months to deal with the Apache Struts vulnerability and to resolve the patching issue, a flaw that affected systems at every level of criticality. Like any organisation, it was dealing with new complexity: with the growth in Internet-connected devices, the number of assets an organisation must configure and keep patched is growing rapidly. However, that is no excuse.
IT security is a matter of prioritisation and corporate culture. Organisations are always going to be presented with an ever more complex set of security challenges, advice and product options, but leaders and senior executives need to understand their infrastructure, IT and people security risks and prioritise financial investment and time.
Poor cyber hygiene
The frequency with which patches are applied within an organisation is a strong indicator of its attitude towards cyber security. If patching is not being done correctly, whether internally or by a third party, that is a real issue.
Highly critical vulnerabilities are exposed simply by the versions of software that are running, whether operating systems or specific services (web servers, SSH servers, database servers).
All of this reveals whether or not there is a process in place that effectively manages patching, which is a real challenge for companies. Legacy systems are often the most vulnerable, and the risk/reward decision around whether to upgrade them reveals a lot about a company’s corporate culture in the cyber security space.
It’s important to point out that Equifax’s limited cyber security insurance cover (a policy that reportedly covers between $100m and $150m) could well have been tied to its negligence around patching frequency, among other key cyber hygiene criteria.
Today’s cyber risk underwriters monitor patching practices very closely: patching is a key indicator of cyber hygiene and strongly influences the level of cover an insurer is willing to provide.
Cyber security is about understanding your assets and what they are running, security control choices (such as implementing encryption) and your culture, people and processes. In this case, there were clearly shortcomings in at least one of these three areas.
All companies in the business of collecting and storing customer data have several important lessons to learn from Equifax: keep your data safe by prioritising security and patching procedures, and when in doubt, get educated regarding your cyber security score – it’s not just a number.
Sourced by Tom Beale, CTO, Corax