MESSAGE
DATE: 2017-10-10
FROM: Ruben Safir
SUBJECT: [Hangout - NYLXS] credit reporting agency hack
The most devastating hack and surveillance breach in history. Is it time
to end the use of credit reporting agencies?
What the Equifax hack means for you
Posted by Ben Rothke on Oct 10, 2017 10:09:15 AM
Nettitude's very own Ben Rothke takes a look at the Equifax hack and
what it could mean for your business.
The breach
The specific details are still filtering out, but even the preliminary
information is staggering. Sometime between May and July 2017, Equifax,
an Atlanta, Georgia-based consumer credit reporting agency that collects
information on over 800 million individual consumers and more than 88
million businesses worldwide, was breached. The hack resulted in the
compromise of almost 150 million U.S. residents. Considering the US
population is about 325 million people, almost 1 of 2 people will be
affected by this breach.
As breach sizes go, this was still way behind the Yahoo hack of 1.5
billion user accounts, and in line with the eBay attack with 145 million
users compromised, and the 130 million records of the Heartland Payment
Systems breach.
But what is unique about the Equifax data is the depth of the
personally identifiable information (PII) that was compromised. This
includes social security numbers, dates of birth, driver license
information, banking account numbers, mortgage data and much more.
Rather than focusing on the raw number of records that were breached,
consider the nature of the data. If you weigh those values, then the
Equifax attack quickly turns into the most devastating breach to date.
How did it happen?
The attackers targeted a known vulnerability in Apache Struts, an open
source framework for creating Java web applications. The specific
vulnerability CVE-2017-5638 was published on March 12, 2017 and a patch
issued soon after. Exploit code emerged shortly after the patch was
released.
What it means for you
There are many key takeaways from the breach, and I’d like to highlight
what I think are two of the most significant. These center around patch
management and breach notification.
The vulnerability was announced and patched in mid-March and the Equifax
attack didn’t commence until about 6 weeks later. That gave Equifax
about a month and a half to patch their affected systems.
Not every vulnerability is created equal and not every patch needs to be
installed immediately. Given the circumstances and configurations of the
network and applications, in addition to other dependencies, some
patches can be delayed.
But the nature of Apache Struts, given that it is used on servers
connected to the Internet, lends itself to having a much more aggressive
patching schedule. How aggressive that schedule should be has many
dependencies, and each organization needs to determine what is right for
their specific environment.
There is no magic number when it comes to patching in this case, but it
should certainly be measured in days and no more than a week. In the
case of Equifax, this turned into months. This is a major patch
management fail, and Equifax paid a huge price for that.
What you can learn from the Equifax debacle is that patch management is
a serious endeavor and an integral part of any information security
program. You need to understand what software is deployed in your
organization and how it needs to be patched. The famous quote “eternal
vigilance is the price of liberty” can be applied to information
security, in that eternal patch management is the price of software
security.
The other area where Equifax dropped the ball was with their breach
notification. It took them almost two months, and they only made a
public disclosure on September 7. This roughly six-week gap from breach
awareness to disclosure is an unacceptable amount of time.
It’s not coincidental that the General Data Protection Regulation (GDPR),
which goes into effect in May 2018, mandates that in the event of a
personal data breach, organizations must make notification without undue
delay within 72 hours after an organization becomes aware of the breach.
If notification is not made within 72 hours, the firm needs to provide a
reasoned justification for the delay.
For those organizations that will be subject to GDPR, the 72-hour rule
will require them to make significant updates to their notification
policies and processes. This is not a trivial undertaking and requires
significant planning.
For those organizations that won’t have to deal with the monstrosity
known as GDPR, they still may have to deal with the HIPAA breach
notification rule or other requirements. They will need to make sure
their breach notification program is updated, tested, and then
retested.
Specifically, if you don’t already have a formal and tested process in
place, create an organizational process to identify security breaches
and notify relevant authorities and individuals in the event a breach
leads to disclosure of personal information. It’s imperative that there
be staff assigned and responsibility for every specific task and subtask.
Finally, realize that breach notification is not just an IT issue.
There are a lot of stakeholders involved, from IT, information security,
marketing, privacy, to legal, customer service, and more.
Conclusions
Part of information security is learning from the mistakes of others.
The Equifax breach provides ample learning opportunities. Start making
changes today and take steps to reduce the risk of your business
becoming another cybercrime statistic. If you have any concerns about
your company’s cyber security strategy then get in touch with us here at
Nettitude. We can provide you with a half an hour free consultation to
advise you on the steps you need to take to boost your cyber security
defences.
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://www.nylxs.com/mailman/listinfo/hangout
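As an added example of the inventory-driven patch management the quoted article calls for ("understand what software is deployed in your organization and how it needs to be patched", with a window for internet-facing software measured in days and no more than a week), here is a small Python check. It is not code from this post, from Ben Rothke or from Nettitude. It compares a constructed software inventory against the affected version ranges of the Struts advisory the article names and reports how far each unpatched host is past an assumed patch window. The CVE id and its publication date are the ones the article cites; the affected version ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10) are those the Struts project published for that CVE; the 7-day window follows the article, and the 30-day window for internal hosts is an arbitrary assumption. The check is generic over any advisory expressed as inclusive version ranges, and it assumes plain dotted numeric version strings.

```python
"""Patch-SLA check of a software inventory against one advisory.

Added example for this post; not code from the mailing list, from Ben
Rothke or from Nettitude. The inventory is constructed and the SLA values
are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    published: date
    # Inclusive (lowest, highest) version pairs the advisory marks as affected.
    vulnerable_ranges: tuple


# CVE id and publication date as cited in the article; the affected ranges are
# the ones the Struts project published for this CVE. For any other advisory,
# copy the ranges from the vendor text rather than guessing them.
STRUTS_S2_045 = Advisory(
    cve="CVE-2017-5638",
    product="apache-struts",
    published=date(2017, 3, 12),
    vulnerable_ranges=(("2.3.5", "2.3.31"), ("2.5", "2.5.10")),
)

# Constructed inventory: (host, product, version, internet_facing).
INVENTORY = [
    ("web-01", "apache-struts", "2.3.30", True),
    ("web-02", "apache-struts", "2.3.32", True),
    ("app-03", "apache-struts", "2.5.10", False),
    ("app-04", "apache-struts", "2.5.13", False),
    ("db-01", "postgresql", "9.6.3", False),
]

# Assumed patch windows in days. 7 days follows the article's "days, no more
# than a week" for internet-facing software; 30 days for internal hosts is a
# placeholder for whatever the organisation decides.
SLA_DAYS = {True: 7, False: 30}


def parse_version(version: str) -> tuple:
    """'2.3.31' -> (2, 3, 31): compare numerically so that 2.3.10 > 2.3.9.

    Assumes plain dotted numeric versions; suffixes like '-rc1' are not handled.
    """
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str, advisory: Advisory) -> bool:
    """True when the version lies inside any affected range (both ends inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in advisory.vulnerable_ranges)


def patch_report(inventory, advisory: Advisory, today: date) -> list:
    """One finding per host still running an affected version of the product."""
    findings = []
    age = (today - advisory.published).days
    for host, product, version, exposed in inventory:
        if product != advisory.product or not is_vulnerable(version, advisory):
            continue
        findings.append({
            "host": host,
            "version": version,
            "cve": advisory.cve,
            "internet_facing": exposed,
            "days_since_advisory": age,
            "days_overdue": max(age - SLA_DAYS[exposed], 0),
        })
    return findings


def demo_report() -> list:
    """Run the check as of 13 May 2017, inside the window the article gives for the attack."""
    return patch_report(INVENTORY, STRUTS_S2_045, date(2017, 5, 13))


if __name__ == "__main__":
    for f in demo_report():
        print(f"{f['host']}: {f['cve']} version {f['version']}, "
              f"{f['days_since_advisory']} days after the advisory, "
              f"{f['days_overdue']} days past SLA")
```

On the constructed inventory the report flags web-01 (internet-facing, 2.3.30) and app-03 (internal, 2.5.10); the two hosts on 2.3.32 and 2.5.13 are outside the affected ranges and are not reported. In practice the inventory would come from a CMDB or package scanner export and the advisory records from a vulnerability feed, with the SLA table set per exposure class.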