Equifax Breach Lessons Learned

Equifax Breach Lessons Learned

After reading the Equifax breach report released by U.S. House of Representatives Committee on Oversight and Government Reform. This would be a great post to summarize and list out key items that went wrong in the Equifax breach. Hopefully, it will lead to a wake up call for other companies in order to better their own information security. 

Security Representative on the Core team

It’s highly important to have someone that understands information security on your core team. Many times, the task gets pushed to the Legal or IT team core team members. This is one of the reasons that led to the breach. IT operational tasks and security tasks need to fall under a specific leader. Ideally, someone that understand security and not just IT. In Equifax’s case, security was represented by the IT team core member. However, their views were not in line with the security team leader. Therefore, something that may be of risk may not reach the CEO’s level and will get missed. However, by having someone in security at the core level. Security will always get to the core members to assess if a risk is severe enough to address.

Monitoring Database Access

Alerting needs to be in place for any company using databases to store company and customer data. Limiting access and setting alerts and detection mechanisms for access would’ve helped detect the breach at an early stage. Monitoring queries being run and looking for lateral movement would’ve most likely caught the breach ahead of time. Databases themselves should also be segmented off in their own network. Many admins place the database on the same web server as the application or separate the web application and database. But, they fail to place them in different network segments. In the end , they keept them on the same segmented network as the application.

Another mishap is not encrypted the data at rest within the database. Sensitive data such as Personal Identifiable Information (PII) should never be stored in plain text and should always be encrypted. At worst, the database is stolen, but all the data is encrypted and becomes useless to the attacker. To keep track of databases, documentation should be created and stored. It will allow others to understand the database owners. And, also the users that need to access them. Along with that, what servers will need to connect to specific databases. Architecture diagrams should exists mapping out all the rows and columns of data in the database. This makes it easier for security teams to understand what type of data is being stored, and if it is required to be encrypted.

Limiting Access to File Shares

One of the issues leading to the Equifax breach was poor security controls on file shares. There were no set controls to state which users require access to specific shares based off their job roles. This allowed the attackers to roam through file shares looking for data. If file shares were locked down. Then the attack would likely have to compromise an account that would only have access to a specific file share.

Using Legacy Systems

One other matter that hurt Equifax quite a lot was the use of old legacy systems. The big issue with legacy systems is that many just do not meet current day security requirements. This leads them open to being vulnerable to attacks and vulnerabilities that someone usually can easy exploit. Imagine a legacy system that contained your customer data. That could easily be compromised through a single vulnerability that is very easy to execute. Equifax may have had a plan in place to upgrade to a more recent and up to date system.

Project timelines needs to be set to state when the legacy system will be replaced. Making sure that a date that is feasible, achievable with someone taking accountability to push the project on forward. Building your own custom applications can increase complexity and adds on issues related to support. It also makes it difficult if someone that developed the system leaves the company. That knowledge then gets lost and does not get passed on to others. Having a non-custom application at least means that the tool will be supported.  Support for it will exist, and that training will be available for new members.

Establishing Accountability

Having someone that is accountable for making sure vulnerabilities are addressed promptly is a must for all organizations. Equifax failed here, and in their case, emails were passed around to several people. No one had any accountability set to be sure that the vulnerabilities are patched. And, that scans show that the vulnerability no longer exists. Someone in management should’ve been in charge to set it as a task to follow up on.

Create a Certificate Management process

One of Equifax’s detection mechanisms failed due to an expired certificate on their IDS sensors. Had the certificate been renewed or not expired. They would’ve most likely detected the attack right away and been able to react much sooner to limit the damage. Therefore, it’s vital for every organization to have a method to keep track of all your company certificates. It is important to have a procedure to know well in advance which certs are going to expire. So that you can renew it in a timely fashion.

A method to list how many certs exist, where they exist, who owns them is vital. Setting up a cert management system will help answer these very questions and make it easier to manage certificates. Some organizations such as Entrust now allow for automatic cert updates right to your system. This makes management easier and saves time that is needed to manage certificates.

Establish a Patch Management process

With the amount of machines organizations have these days, patching is vital and has become a huge issue for many. In Equifax’s case, a missing patch had it been installed on time would’ve protected against this breech. However, sometimes even the best vulnerability scanners will miss critical vulnerabilities. This is why it’s very important to maintain an asset list of all machines. Their operating systems, and applications with version and build numbers. This information can be correlated to outdated version of applications, Operating systems and other outdated software or hardware.

Final Thoughts

Hopefully, this article helps identify some of the reasons that led to the Equifax breech. Also, what other companies can do to be sure they also do not fall prey to the same mistakes. My personal belief is live and learn. Though this breech may have taken place and caused a lot of issues for the public. We must all learn from it so that it does not take place again with Equifax or other organizations.

Feel free to share your thoughts in the comments section below.

You can read the official breach report here -> Equifax-Breach-Report

This site uses Akismet to reduce spam. Learn how your comment data is processed.