Equifax Breach Offers Recommendations For Securing Your Network

October 29, 2018

At this point it’s unlikely that anyone hasn’t heard of the Equifax data breach that occurred just over a year ago. As a refresher, it affected somewhere between 145 and 147 million people. That’s just short of half the population of the United States. Recently, the Government Accountability Office (GAO) released a report on how that breach happened, and there are certainly ways to prevent attackers from doing the same to your organization.

Four major factors allowed attackers to gain access to the systems in March of 2017, and they are discussed below. Attackers started scanning systems a mere two days after it was made public that a vulnerability existed in an Apache server. Equifax was indeed notified of that issue separately, but failed to patch it for several months. During that time, the criminals were perusing the network and slowly siphoning off personally identifiable information (PII) in small chunks to avoid being detected. They didn’t actually start pulling that information until May, yet they were never found poking around. The GAO report noted that they ran roughly 9,000 queries to find the PII data sources, all without detection.

While not patching the system was certainly a failure of Equifax, there were other reasons the attackers were successful.

1. It was determined that the point of entry was the company’s online dispute portal. That’s where the notification that a patch needed to be applied was sent. However, those responsible for applying it never got the notice. The recipient list was outdated, so the person who needed to get it didn’t.

Improvement: Integrate patch management with other feeds, such as security notifications and/or threat intelligence. Using only one communication channel isn’t enough anymore. Always keep your notification lists up-to-date. When someone leaves or a job role changes, check those lists. It’s important.

2. The scanning products that Equifax had in place to identify unpatched servers and systems were not effective. They just didn’t find this one.

Improvement: Ensure that the Asset Management system used in your organization accurately tracks product version numbers too.

3. The attackers used encryption to hide their actions for three months. There was scanning technology in place, but it was not properly configured, according to the GAO report. Equifax explained that the digital certificate associated with it had expired. In fact, that certificate had expired 10 months earlier. That made it possible for encrypted traffic to miss inspection. The attackers used that to their advantage.

Improvement: Ensure all systems are properly configured and that all certificates are valid at all times. And certainly ensure systems that are supposed to be protecting your network are kept up-to-date and are properly configured.

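One way to keep the expired-certificate blind spot from reappearing is to put the certificates your inspection devices depend on into an inventory and audit their validity on a schedule. The following is an added example, not code from the post or the GAO report; the hostnames, expiry dates and the reference date are all constructed, and the `fetch_cert` helper is a suggested way to refresh the inventory from live devices.

```python
"""Audit the certificates that TLS-inspection devices rely on.

Added example; all hostnames, dates and the reference date are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory in the shape returned by ssl.SSLSocket.getpeercert();
# only the validity field matters for this check.
INSPECTION_CERTS = {
    "tls-inspector-01.example.internal": {"notAfter": "Jan 31 00:00:00 2017 GMT"},
    "tls-inspector-02.example.internal": {"notAfter": "Mar 25 00:00:00 2017 GMT"},
    "tls-inspector-03.example.internal": {"notAfter": "Mar 10 00:00:00 2018 GMT"},
}

# Constructed reference date: the month the attackers began scanning.
REFERENCE_DATE = datetime(2017, 3, 10, tzinfo=timezone.utc)


def days_until_expiry(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def audit_certificates(inventory, now, warn_days=30):
    """Classify every inspection device as OK, EXPIRING or EXPIRED."""
    findings = {}
    for host, cert in inventory.items():
        remaining = days_until_expiry(cert, now)
        if remaining < 0:
            status = "EXPIRED"    # traffic through this device is going uninspected
        elif remaining <= warn_days:
            status = "EXPIRING"   # renew before the blind spot opens
        else:
            status = "OK"
        findings[host] = (status, remaining)
    return findings


def fetch_cert(host, port=443, timeout=5.0):
    """Pull a device's live certificate; a validation failure (e.g. already expired) returns None."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


if __name__ == "__main__":
    for host, (status, days) in sorted(audit_certificates(INSPECTION_CERTS, REFERENCE_DATE).items()):
        print(f"{status:8} {days:5d} days  {host}")
```

Run on the constructed inventory, the audit flags the first device as expired 38 days earlier, the second as expiring within the 30-day warning window, and the third as fine; anything other than OK should feed the same notification lists that patch advisories go to.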
4. Equifax had a relatively “flat” network design, meaning that different databases were all accessible on the same network. In fact, Equifax reported that once the attackers gained access via the online dispute portal, they acquired access to an additional 48 unrelated databases. They were able to get credentials that were stored unencrypted.

Improvement: A best practice today is to segment networks. Keep different areas isolated from others and protect PII and other sensitive information.

5. Equifax had implemented a new endpoint security tool that was intended to detect misconfigured devices and notify systems administrators of identified vulnerabilities. Unfortunately, it missed a significant one, though it wasn’t reported how. In addition to this, use access controls: if someone doesn’t need access to a database or system, don’t give it to them. The fewer people who have access to sensitive information, the better.

Improvement: Ensure that all systems designed to protect the network are properly configured, updated, and kept that way at all times. One tool isn’t enough anymore.

While all of these are certainly ways to improve any organization’s network, don’t forget to implement a thorough and continual awareness training program. No matter how many security policies are in place and how many tools are properly implemented, a phishing email can still bypass all of it. It only takes one person clicking one malicious link or opening a malicious attachment to put the entire organization and the information it keeps at risk.

Stickley on Security
Published October 28, 2018