EQUIFAX Breach Update: Post Mortem – April 17, 2019
EQUIFAX… Yup, that’s still an ongoing thing. A 71-page report was submitted to the US Congress that goes into the details of their failings, and there were a lot.
A few excerpts from the report include comments like:
“Based on this investigation, the subcommittee concludes that EQUIFAX’s response to the March 2017 Cyber Security vulnerability that facilitated the Breach was inadequate and hampered by EQUIFAX’s neglect of Cyber Security.”
“EQUIFAX’s shortcomings are longstanding and reflect a broader culture of complacency toward Cyber Security preparedness.”
“EQUIFAX failed to prioritize Cyber Security.”
“Good Cyber Hygiene is not the responsibility of one person, it’s the responsibility of the business.”
If you’re curious about the specifics, the entire PDF report can be found online. As an IT Security person, I went through the whole thing. It seemed important to my position when you get down to it. I’d recommend it to anyone who’s in charge of Computer Security, at any level.
I try to follow situations like this. As someone involved in Cyber Security, it’s useful to find out what allowed the situation to happen.
First, it’s important to keep learning. The methods and tools that criminals use are constantly changing and being improved upon. Don’t stand still; the bad guys certainly won’t. I need to try and keep tabs on stuff like that.
Different methods of attack mean you need to evolve your tools to detect them. An example would be tools that detect if files are being encrypted. Before Ransomware, tools that looked for this didn’t exist, since there was no need for them. Another example would be the Norsk Hydro Ransomware event. It was different, since it spread using Active Directory.
Second, it’s beneficial for me to see what different outfits are doing wrong. It’s not to look down on them or anything; it’s to learn from their mistakes. By finding out what they did wrong, I can improve recommendations I give as part of our Security Assessment Service.
The best thing to do with failure is to learn from it. It doesn’t matter if it’s your failure or not, as there’s still something to be learned. Look at the situation and find out what went wrong.
A list of things to learn from EQUIFAX:
EQUIFAX failed to follow their written Policy for installing critical patches and updating software.
EQUIFAX does have a Policy requiring that important patches get applied within a certain time frame. This is a good Policy to have and is something that every company should also possess. Making sure that the software your company uses is kept updated is part of basic Security Hygiene. However, the fact remains this important patch (which fixed a severity 10 out of 10 vulnerability in a service open to the Internet) was not installed months after it was made public. Having a piece of paper with the rules on it is worthless if nobody follows them. It’s also the first thing anyone investigating you will notice, so it’s in the best interests of your own organization to have reasonable, intelligent rules and policies. It’s also important to ensure they get followed, which means there need to be checks and balances along the way.
EQUIFAX lacked a system to track IT assets
Without a system to look at and electronically track what you have in real time, you can’t say for certain exactly what you have connected to your network. This is not totally unusual for an organization, but at the same time you need to measure Security against the value of the information you are trying to protect. The most important aspect of Electronic Security is knowing exactly what hardware (and software) you have running on your network. This is easy to set up and inexpensive (there are lots of free tools), so for a company like EQUIFAX, which keeps personal information on pretty much everybody, not to have something like this in place is inexcusable. Having a system like this is something I recommend in pretty much every Security Assessment, regardless of the company or organization.
The Intrusion wasn’t detected because of an expired SSL Certificate. The certificate had been expired for over 2 years, so encrypted traffic inspection had been non-functional for that long.
SSL Certificates are something you need to have for secure communications. They can be easily purchased in a few minutes online and cost anywhere from 10-100 dollars each. This is chump change to EQUIFAX and honestly not a massive expense for most organizations, since a certificate is generally good for at least a year. Having a valid certificate would have meant the attackers were detected almost immediately (instead of having around 3 months of unrestricted access). Your IT department needs to have the budget to make sure all its tools are working (Subscriptions kept up to date, Support Contracts renewed, etc.). They also need the time to keep tabs on things. Automated tools are great, but just because they aren’t sending any notifications doesn’t mean nothing is wrong. Your IT people also need the time to do periodic manual checks of the equipment to make sure everything is working properly.
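As an added example (not from the report or this post), here is a small Python check that turns the two lessons above into something a scheduled job can run: is the inspection appliance’s certificate expired or about to expire, and has the appliance gone quiet? The device names, dates, the “now” reference date and the thresholds are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Reference "now" so the results are reproducible: the date of this post (assumption).
NOW = datetime(2019, 4, 17, tzinfo=timezone.utc)

# Constructed inventory of TLS-inspection appliances (hypothetical names and dates):
# the certificate notAfter field as the ssl module formats it, plus the last time
# the appliance emitted any event to the SIEM.
INSPECTION_DEVICES = [
    {"name": "ssl-inspect-dc1", "not_after": "Jul 31 23:59:59 2019 GMT",
     "last_event_seen": "2019-04-16T09:12:00+00:00"},
    {"name": "ssl-inspect-dc2", "not_after": "Jan 31 23:59:59 2016 GMT",
     "last_event_seen": "2016-01-31T22:40:00+00:00"},
    {"name": "ssl-inspect-lab", "not_after": "May 01 00:00:00 2019 GMT",
     "last_event_seen": "2019-04-15T08:00:00+00:00"},
]

def days_until_expiry(not_after, now=NOW):
    """Days left on a certificate; negative means it has already expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days

def audit_inspection(devices, now=NOW, warn_days=30, max_silent_days=7):
    """Return {device_name: [issues]} for every device that needs attention.
    Two independent checks: certificate validity, and whether the sensor is still
    producing events. A broken sensor and an all-clear look identical in the inbox.
    """
    findings = {}
    for dev in devices:
        issues = []
        remaining = days_until_expiry(dev["not_after"], now)
        if remaining < 0:
            issues.append(f"EXPIRED {-remaining} days ago: inspection is blind")
        elif remaining <= warn_days:
            issues.append(f"EXPIRING in {remaining} days: renew before it lapses")
        silent = (now - datetime.fromisoformat(dev["last_event_seen"])).days
        if silent > max_silent_days:
            issues.append(f"SILENT for {silent} days: verify the sensor, not just the inbox")
        if issues:
            findings[dev["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_inspection(INSPECTION_DEVICES).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In practice the notAfter strings would come from `ssl.SSLSocket.getpeercert()` or the appliance’s management API, and the last-event timestamps from the SIEM.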
After gaining access to the network, the attackers found files with plain text user credentials in them.
This gave the attackers further access than they already had, with almost zero effort. The apparent reason this was done was “to facilitate business processes.” It goes without saying that storing usernames and passwords in an unencrypted format is always a terrible idea. Regardless of the feeble reasoning that deemed this to be necessary, the act of storing important information in this way means that they believed their Internal network was perfectly secure. This demonstrates a complete disconnect with reality. Login information should never be stored unnecessarily. Any time it does get stored, every precaution needs to be taken to protect it. Apparently, the fact that this information was stored in the first place directly violated EQUIFAX’s own official policies.
The CIO (Chief Information Officer) and the CSO (Chief Security Officer) were separated by multiple levels of Management.
Not only were these two key positions separated by multiple levels of Management, they weren’t even in the same organizational branch structure. The CIO is responsible for the overall operations of a company’s computers and networks. The CSO (sometimes called the CISO, Chief Information Security Officer) is responsible for Electronic Security. These two positions have a deep impact on each other, and often the CSO reports directly to the CIO. In smaller companies, the duties of these positions are the responsibility of a single person (whoever is in charge of IT). At some point there is enough work to warrant a second position. At EQUIFAX the CSO wasn’t even in the IT chain of command; he reported to Legal. The reason for the restructuring was apparently a personality conflict between managers several years ago. The result is that neither department had any actual authority over the other, so communications between the two were less than adequate.
EQUIFAX identified weaknesses with their policies not being strictly followed as early as 2014 yet did nothing to correct this.
Documents and testimony show that EQUIFAX was aware (at Senior Management level) that their IT Security wasn’t up to scratch. They knew many of the weaknesses identified in the congressional report and had known about them for several years. Yet they had made no moves to correct these shortcomings. It’s one thing not to always follow the rules that have been put into place. It’s another to have everyone right up to the top ignore them as well. When I perform a Security Audit, the final part is delivering the results to the customer. Along the way, I’ve checked into the computers, interviewed people, looked at policies, and generally kicked over all kinds of rocks. By that time, I have a pretty good feel for the organization. Some of them I can be reasonably certain will put every effort into acting on the recommendations the report contains. I’m certain that others will put the report in a drawer, pat themselves on the back for going through the effort to get it done, and feel good about doing it. Once an organization has been made aware they have a problem, it’s their responsibility to correct it.
There’s more that I could talk about, but I’ll stop here. You don’t write a report that approaches 100 pages only to have 6 items to highlight. That’s excessive even by government standards. These points were ones that I figured could be pulled out and explained in a way that was useful to any organization.
Like I said already, anyone involved in IT Security should really give the report a read. It’s an opportunity to learn.
It’s doubtful that this is the end of it either. Considering the colossal blunder EQUIFAX made, it seems likely it’s not the last that will be heard about this. We’ve already seen multiple countries update (and sometimes implement) Breach and Privacy-related laws/legislation. Some fines have been levied and several Class Action lawsuits have been filed. For myself, I’ll be keeping my eyes peeled for news about EQUIFAX for years to come.
Your Friendly Neighbourhood Cyberman.