Equifax breach still fuzzy in the rear-view mirror

Sept. 11, 2018
Just a year after one of the worst data hacks in American cyber history, Equifax and the industry are still searching for answers

It’s been just over a year ago that American credit consumers fell victims to one of the largest data hacks in the country’s history and were victimized a second time as a result of corporate negligence and indifference at Equifax. More than 147 million people in the U.S. had personal and financial data stolen ranging from Social Security and driver’s license numbers to credit card information and birth dates.

As if the massive data loss was not egregious enough, the incredible lack of security preparedness and subsequent inept response to the breach only added insult to injury for millions affected. Equifax had an opportunity to fix known security vulnerabilities in-house and failed to do so say the experts. And when the breach occurred, the company waited more than six weeks to release any public notification. Once customers were informed, the process for them to check the damage and begin a repair process was vague and sometimes simply deceiving. While there have been some executive sacrificial lambs, Equifax, for the most part, has been assessed little accountability for the data disaster.

So just what has been learned from this year of retrospection in wake of the Equifax breach and where does the industry stand 12 months later? We certainly realize it won’t be the last high-profile data hack, but did this event become a teaching moment for other data-centric enterprises?

"After the initial ‘shock and dismay,’ and throwing Equifax under multiple buses, very little has actually changed. While Equifax did plenty of things wrong, blaming the victim is not a lesson learned – it’s avoiding the core issues. Very few organizations want to admit that they are woefully behind on patching, and patching does not equal security. In the very best case, the gap between new vulnerabilities being discovered, patched by the vendor, tested and finally deployed can be weeks,” explains Atiq Raza, Chairman and CEO of Virsec Systems, an information technology company based in San Jose. “But in the real world, the gap is more likely to be months or even years. Since the Equifax breach, several new vulnerabilities have been discovered in Apache Struts, adding to more than 14,000 vulnerabilities published by NIST in the last year – more than doubling the previous year. It’s imperative that we find new security models that protect applications in their current state – not in a mythical fully-patched world."

The Song Remains the Same

Lawrence Pingree, an Executive Vice President of Product Management for SonicWall, a network security solutions provider out of San Jose, admits that a year after the Equifax hack, there have been some lessons learned but cybersecurity, with all its good intentions, still remains a low priority in many organizations.

“There is no shortage of guidance on how best to manage cyber risk, and yet many organizations struggle with both how to prioritize in the context of limited resources and changing risks, and how to measure progress.  The serious financial implications of data breaches as well as recent malware attacks, such as Petya, NotPetya and WannaCry, which impacted numerous companies across multiple industries, have really made more organizations take notice and rethink their security approach,” says Pingree. “Most companies understand that it is critical to have an incident response plan in place, but executives need to appropriately train and define roles for personnel, processes and technology in the event of a crisis. The government can help by sharing actionable cyber-threat information, more actively disclosing vulnerabilities, advancing research and development efforts and imposing consequences on those actors to whom it can attribute malicious cyber activity.”

The Equifax breach was as much attributed to careless security policy as it was a masterful hack according to many security experts. The company failed to install a critical security patch for the open source Apache web framework. One expert says what is even more frightening is that more than 60 percent of respondents to a recent Black Duck survey (Black Duck secures and manages open source software) admitted that their organizations either did not have a formal process for managing their open source software or that they were unaware of one.

“The recommendation for today’s organizations is to build stronger security controls and not rest upon the obscurity of open-source solutions,” says Mike Baker, Founder and Managing Partner at Mosaic451, a networking and cybersecurity managed services company that provides Security Operations Center and Network Operations Center services out of Phoenix. “This lack of defined processes and established baselines causes problems across the board (just ask Equifax), but it is especially problematic when dealing with open source security tools. Without establishing a baseline of normal network activity, it’s impossible to detect the anomalies that indicate a cyber attack; without a formal response process, it’s impossible to effectively respond to and remediate attacks.”

Baker adds that the Equifax breach was “a disaster waiting to happen” and that the proprietary security software used by Equifax was not superior to the open-source solution.

“Security through obscurity does not work. It has never worked. There is a clear and obvious structural conflict of interest for a privately-held company to acknowledge that its core product (its software) is terrible. Private companies don't acknowledge these things unless they're forced to do so,” chastised Baker, who says that the benefits of your core infrastructure and code being exposed to interested groups and individuals serves to expose bugs more quickly, publicly, and helps them to be resolved. “There is a reason that public key cryptography works: the math is public and it's been open to attack for decades.”

Taking in All Perspectives

Sherban Naum, a Senior Vice President for Corporate Strategy and Technology at Bromium, which is a VC-backed startup in the virtualization technology space in Cupertino, says there are several perspectives that need to be shared when analyzing the Equifax aftermath including the company itself, those affected by the breach, credit history and federal government regulations.

Richard Smith, the former CEO of Equifax, recently retired from the credit reporting bureau with a payday worth as much as $90 million — or roughly 63 cents for every customer whose data was potentially exposed in last year’s security breach, according to a Forbes magazine report. Smith was the third Equifax executive to retire under a cloud. Smith’s House testimony in October of 2017 highlighted elements of the source, the data breach, exfiltration and eventual eviction and remediation efforts. “Subsequent, upon discovering they were breached, they brought in experts from USCERT, FBI, and industry to assess and put in place best practices to ensure PII is protected going forward,” adds Naum. “They had access to both prior to the breach, however, but that’s not the point now.  

“From what is publicly known, their move to data and network segmentation/ separation and additional policy and audit controls are standard best practices and appropriate.  However, I am curious to know what they have done to proactively protect their enterprise, as well as what was put in place to survive a future breach, maintain operational integrity while in a compromised state? Compartmentalizing their data with separation is the right thing to have done,” continues Naum. “What have they done to implement restricted, secure access to their high-value assets?  What system enhancements have been made to better share threat data between USCERT and industry to ensure identified issues are reported?

When it comes to the consumer, he questions what recourse they really have. Unfortunately, in the end, the onus falls upon the victim to rectify their individual issues.

“We users are desensitized to these reports at this point.  News breaks of another breach, a letter arrives in the mail informing us of the breach and potential re-use of our PII (Personally Identifiable Information) and a credit monitoring service offering.  We then get new credit cards in the mail and move on,” Naum continues. “The volume of breaches and the limited short-term, direct impact to ‘we’ users seems to have made these events ‘expected and normal.’  I think part of it is the fact that most info has already been stolen and is available for misuse, so I’m not quite sure what is left to steal, what is the real future impact?  What’s the value of stolen PII going forward?”

The woeful response by Equifax certainly motived the credit industry to take some action to ensure they didn’t see themselves on the front page of USA Today. Which leaves Naum to admit events may have “driven better security hygiene and practice,’ but he is not sure they are any more regulated or accountable

And even with Sens. Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) introducing the Data Breach Prevention and Compensation Act in January 2018, does the American public have a better understanding of where things stand with the Committee on Banking, Housing and Urban Affairs?  Does the legislation have legs and will it be run through the process?

Naum would like to know what does Congress plan to do to ensure accountability is applied not only on the activates post-fact but ensuring prevention of consumer data exfiltration; does the FEC stand to have broader authorities in monitoring the industry and are additional regulations needed or are deeper integration points between particular industries, commercial solutions providers and experts at USCERT/ FBI, being more proactive leveraging the expertise of USCERT for threat posture and incident reporting? 

While security experts remain skeptical that private and government entities are coordinating in a cohesive manner to create a true cybersecurity blueprint for future action, security experts have come to recognize that a continuous approach, one conducted through automation, is the only way to effectively understand and deal with cyber threats.

“My sense is that many organizations held meetings and conducted audits in the aftermath of the Equifax story, but did not follow through with rigorous application of security best practices and adequate tools to support their needs. There was yet another vulnerability which was reported with Apache Struts just last month which was the primary driver from the Equifax breach so it's critical for companies to keep up with the new and emerging threats as security is a marathon and not a sprint,” adds Sanjay Kalra, co-founder and Chief Strategy Officer at Lacework, a Mountain View, Calif.-based provider of cloud security solutions.

The stark reality radiating from the one-year anniversary of the Equifax breach is that cybersecurity can only go so far and that most organizations are only as secure as their next inevitable hack. The fact that many in the cybersecurity industry still fail to see any accountability beyond mild “mea culpa” from Equifax 12 months post-attack is unsettling.

"The wake of disaster and confusion from the Equifax hack has yet to settle. Certainly, this breach has been a wake-up call for millions of people that were taking the privacy of their identity for granted. The publicity of this breach highlighted the need for people to proactively control their credit status with locks, freezes, fraud alerts, and monitoring to help protect themselves against the misuse of their identities,” says Thomas Pore, Director of IT and Services for Plixer, a network analytics firm in Kennebunk, Maine. "Despite congressional hearings, investigations, lawsuits, and legislation, Equifax has not yet been held accountable. Protecting consumer’s personal information must be taken more seriously. The General Data Protection Regulation (GDPR), which places the profits of organizations at risk for noncompliance, creates clear accountability for organizations. Until shareholder value is at quantifiable risk, boards of directors are unlikely to make the required investment a priority."

Lack of Accountability is Troubling

It is that lack of Equifax accountability that remains a major point of emphasis for industry executives like Pravin Kothari, the CEO of security vendor CipherCloud, and a cloud security company in San Jose.

"One year after the Equifax breach, nothing has changed -- our consumer data is still being hacked and exposed. The real lesson to be learned is that you can't keep cyber attackers out.  Most large enterprises still use the ‘defend a perimeter’ strategy that fails with such great frequency as to be almost ineffective,” Kothari explains. “It's time to adopt a Zero Trust model, which assumes that every user, both inside and outside the network, is untrusted and hostile. Zero Trust employs technologies such as end-to-end encryption, two-factor authentication and deception technology. The goal is to render all data worthless to the attacker, and to quickly detect and mitigate the incursion so you can resume normal business operations."

Kothari continues that given the more than 147.9 million consumers who were impacted in some way by the Equifax breach, it is regretful that little to no lessons have been learned outside of the Equifax security teams. He adds that even post-Equifax breach; consumers are repeatedly exposed by the increasing barrage of cyber attacks directed at major financial institutions, banks, and their cloud-based infrastructure.

“Equifax and other large financial institutions have very large budgets and highly skilled security operations teams already in place. Despite that, the strategy the largest enterprises employ to construct and ‘defend a perimeter’ fails with such great frequency as to be almost ineffective,” Kothari adds. “It seems that lessons from large-scale breaches remain within the entity that was breached, and little information is shared that can benefit the community at large.  This is a common occurrence, as companies continue to become the next victim of a cyber attack, and we go back through the same playbook of pointing fingers, alerting affected communities and expecting the victim company will fix the issue going forward.”

For Dale Dabbs, CEO/President of EZShield and IdentityForce, it's his belief there’s still much more for both users and institutions can do to help secure personal information. He says that despite the best efforts of InfoSec and cybersecurity professionals within the workplace, cybercriminals are using new, clever tricks to expose vulnerabilities. So it is imperative that consumers take control of their data by being vigilant and engage technologies that can help protect their information assets.

“For example, on the monitoring side, there has been tremendous progress made in digital identity theft protection and fraud alerts. Now anyone can monitor essentially all of their PII, and that of their children, 24/7/365, and get alerted in near real-time to any suspicious activity. This has certainly mitigated some of the risks for individuals and businesses alike,” says Dabbs. “One of the main lessons learned in the aftermath of the Equifax breach is that anyone and everyone can be breached. Taking control, being proactive, and staying vigilant, while working with trusted providers, will help decrease vulnerabilities.”  

Steven Bearak, who is the Co-Founder of IdentityForce, says that in the cyber world, the Equifax breach was considered a Category 5 hurricane and that the information stolen from Equifax and thousands of other organizations is still out there are likely for sale on the online black market. He adds that this anniversary should concern consumers whose one year of free credit and Dark Web monitoring from Equifax may be about to expire.

“It’s clear that many more individuals, families, and businesses have recognized the ever-present threat of data breaches, fraud, and identity theft, and many have taken steps to secure their digital footprint. We have seen this in the growth of our industry both on the consumer and employee benefits side of the business,” Bearak says. “However, there are many ‘old school’ identity crimes still taking place that the majority of people don’t consider today. Those include stolen mail, check fraud, telephone scams, trash picking, and others that don’t get the same media attention as online scams”.

Chris Morales, head of security analytics at Vectra, a San Jose, a Calif.-based provider of automated threat management solutions puts the issue into simple clarity a year later.

“The biggest issue in security is not stopping the attacks. Attacks occur despite our best efforts, as witnessed at Equifax. It took Equifax, and many other organizations, months to identify an attack did occur and then longer to be able to properly respond and report the attack occurred,” he concludes. “The biggest issue is in the ability for organizations to detect, respond, learn, and adapt quickly to attacks when they do occur before the attacker can cause damage.”

About the Author: 

Steve Lasky is the Editorial Director of SecurityInfoWatch Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 27-year member of ASIS.

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]