Following the news of the massive Equifax data breach, IT security experts commented below.
Atiq Raza, CEO at Virsec:
“Given the frequency of major breaches it’s understandable if consumers are suffering from “breach fatigue” and not paying a lot of attention. But this breach is especially alarming and serious. Almost all the data that credit reporting companies like Equifax hold is sensitive, and much of it is used to establish identity – birth dates, addresses, driver’s licenses, and other data types are routinely used to verify identity. It’s one thing to ask a consumer to change a password, but how do you change your birth date?
This also highlights that web applications remain a major vector of attack. Even as vulnerabilities are found and patched, hackers are developing new fileless techniques to fly under the radar of most security tools. It’s no longer adequate to base security defenses on past attacks – we need to shift to real-time monitoring and security for web applications and all the processes that support them.”
Tim Erlin, Vice President, Product Management and Strategy at Tripwire:
“It’s clearly early days for this news, and we can expect to learn more about the details in the future. With nearly every publicly announced breach, there’s new information discovered after the initial disclosure.
The best time to develop a response plan for a breach is well before one occurs. Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans. All organizations that collect and store sensitive data are targets. Doing the basics right, such as ensuring secure configurations, managing vulnerabilities and capturing log data, is the most effective way to prevent breaches.
A breach isn’t a single point in time, but a span of time in which an organization is compromised. Prevention is primary, but detection and response are absolutely necessary as well.”
Dr. Richard Ford, chief scientist at Forcepoint:
“The unfortunate Equifax breach is just another embodiment of the threat environment that organizations face every day – this is the new normal. The rise of large scale data collection and aggregation has placed considerable pressure on organizations to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data the greater the liabilities caused by a breach. The threats to this data are diverse, ranging from the apparent hack disclosed here to accidental loss by authorized users. Focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences. Companies need to augment legacy defenses with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of people, data and systems can become the critical point for effective security and compliance.”
Chris Olson, CEO at The Media Trust:
“As belatedly realized by Equifax, websites are vulnerable to not only known code – web application tools in this instance – but also unknown code. This breach is yet another example of a large-scale security incident that could have been detected much earlier through continuous monitoring of all code executing on a website. It’s time for enterprises to grasp the reality of the highly-dynamic digital environment, which needs a continuous security approach. To re-establish consumer trust, enterprises need to better control the executing code that renders content on their digital properties. The first step is to identify all partners involved in website operations, a process that will yield valuable insight into enterprise-specific ecosystems. From there, enterprises must clearly communicate their policies for executing on their site and enforce those policies. Partners that violate the policies should be blocked from the website. It’s that simple.”
Michael Patterson, CEO at Plixer:
“This breach will have devastating consequences for many of the people whose data was compromised. Cybercriminals have all the data they need for identity theft including names, social security numbers, birth dates, addresses and driver’s license numbers. The cost of this breach will be enormous not only for Equifax, but more importantly for the millions of innocent consumers who have been affected. Consumers can reduce their risk by going to https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs and taking steps to establish a credit freeze. Equifax needs to quickly scrutinize historical network traffic analytics to identify and proactively notify every single person whose data was compromised.”
Ryan Wilk, Vice President of Customer Success at NuData Security:
“The scale of this data breach is huge, and is likely to have a significant impact in the cybercrime world. Breaches such as this, with sensitive and highly valuable personal data involved, act as a pipeline for further cybercrime. Those involved should be extra vigilant in keeping an eye out for spearphishing and other targeted cybercrime attempts. As for Equifax, this kind of incident amplifies the voices calling out for a more secure method of accessing accounts. Combining two-factor authentication with a passive biometric solution would render these kinds of breaches a thing of the past.”
Keiron Shepherd, Senior Security Specialist at F5 Networks:
“News of this breach is yet another example of credit agencies being targeted by hackers in recent years. Attacks like these can be so destructive, because everyone in the sector uses the same data. It is likely to give rise to phishing attempts from email addresses accessed as part of the breach, as hackers prey on consumers – either those unaware that their data has been compromised or those that use the same passwords across multiple online accounts. With the news that personal data has also been exposed, consumers are also at risk of this data being used for fraudulent purposes. Extra caution is urged in the weeks and even months ahead as attempts to scam vulnerable individuals are likely to be launched. It is another reminder for all firms holding sensitive personal data to review their security policies.”
John Gunn, chief marketing officer at VASCO Data Security:
“The magnitude of this breach is unprecedented and, unlike a breach that involves credit card data, these millions of victims will be at increased risk of fraud for the rest of their lives. You cannot get a replacement social security number because your service provider had inadequate security measures.”
Josh Mayfield, Platform Specialist at FireMon:
“The statement from Equifax CEO, Richard F. Smith is revealing, “While we’ve made significant investments in data security, we recognize we must do more. And we will.”
This is something I hear from countless leaders in business and security where ‘significant investments in data security’ have been made. Now, Equifax has extremely valuable data – everyone can agree on that point. They have every incentive to keep that data secure; after all, that is their business as a data provider.
If a company like Equifax can make significant investments, have every incentive to keep the most sensitive kind of information secure, but still experience a breach…it stands to reason that our playbook needs a revision. The security playbook consists of a few guidelines and directives, and most organizations have been following this playbook for many years.
The primary directives of the security playbook are:
1) Collect a lot of data
2) Store that data in a big database with finely tuned models
3) Sit back and wait for the alerts to stream
But if the playbook would have worked, then the playbook would have worked. Seeing what happened to Equifax should awaken us to the realization that we must do something different. These things happen because we continue to follow an outdated playbook with directives that haven’t evolved to address the changes in the world.
These investments do not address the evolving security landscape, the attack surface growth, or adversary goals. Legacy security investments continue to miss these attacks – like web applications that are left vulnerable to exploit. Secondly, the playbook does not appreciate the mindset of assumed compromise. As organizations continue to adopt this mindset, a new set of plays is needed to serve the new paradigm.
Threat hunting is a discipline that uncovers the changing Tactics, Techniques and Procedures (TTPs) of sophisticated adversaries. Threat hunting involves open-ended, recursive, combinatorial search across all datasets to reveal what is currently hidden.
Organizations have spent billions in currency and labor hours finely tuning monitors and alarm systems. These measures fail when the attacks evolve around our best defenses. Organizations who adopt an assumption of compromise can protect themselves by regularly hunting for threats, using discovery methods to find previously unknown tactics specific to their environments. It is within this mindset that we can explore the potential problems we have not modeled.
We should demystify the notion that threat hunting is the preserve of super-elite organizations or individuals. Anyone can hunt, it only requires following the methods and principles for threat hunting.
Back to Richard F. Smith. He said, “We recognize we must do more. And we will.” That’s encouraging, but perhaps we can adjust what we are doing to protect data, instead of throwing more money and resources at the same systems, in the same paradigm, to serve the same playbook that continues to fail. To keep making the same investments would be the definition of insanity.”
Carl Leonard, Principal Security Analyst at Forcepoint:
“We have become accustomed to data breaches, but the Equifax breach announced on Sept 8 is significant. This breach affects personal consumer data which people have no choice but to use: their social security numbers, a number which will permanently be associated with an individual. The scale of the breach with over 140 million records being impacted is also significant – this is the equivalent to at least one member of every family in the US.
“Equifax is clearly taking this breach seriously and investing in security technologies and processes to understand the source of the attack and protect its customers’ data in future. It appears that attackers could have been accessing Equifax’s systems between the middle of May until the end of July before the breach was identified, something which could have been avoided through the use of behavioural analysis technologies. To extract this quantity of data, we assume that criminals may have requested large quantities of data records as opposed to “normal” behaviour of third parties requesting single records on individuals for credit check reference purposes. By applying a human-centric approach to look at the norms of how and why data is accessed and by whom, anomalies such as these could be spotted, investigated, and stopped.
“Consumer trust in organisations is eroded by data breaches of this magnitude. People should also keep a close eye on activity on bank accounts and credit cards, and consider identity theft management services.
“This is an important lesson for credit reporting agencies and data aggregators. The depth and personal nature of the data obtained and stored by such organisations can be incredibly powerful in the wrong hands – the hands of cybercriminals and those with ill intent.
“Once GDPR legislation comes into force in May 2018, any breach impacting any European resident’s PII (as this breach does) will need to be reported within 72 hours, or companies can face fines of up to 10 million Euros or two per cent of global turnover, whichever is higher. These potential financial impacts will certainly drive international businesses to examine their security incident response and reporting processes very closely, as a breach such as Equifax which was announced six weeks after discovery would have a different outcome in a year’s time.
“There has been no comment from Equifax to date on whether the data was held in an encrypted database. If data had been hashed and salted, then the breach would not be as large a concern for individuals, as extracting personally identifiable information would be almost impossible.
“This breach does serve as a further reminder to other organisations holding PII of this scale and nature to closely examine their own security policies. While we don’t yet have technical details of how the breach occurred, other than the likely candidate being via a website application vulnerability, companies should examine security practices such as holding unencrypted data in central repositories, the security processes around APIs, and the implications of upcoming regulations and how it affects those practices.”
Robin Tombs, CEO and Founder at Yoti:
“As more and more personal details are hacked it’s clear that simply asking people questions about themselves is not a smart way for websites to identify people. It’s now too easy for fraudsters to set up financial or other web accounts without the victim knowing their name is being used to commit fraud.
Businesses can protect themselves and consumers by asking people to use their biometrics alongside verified identity details so they can be more confident people are who they claim to be.
Individuals controlling their own digital identities will help protect them, their data and make it faster and easier to do trusted business online.”
Etienne Greeff, CTO and Co-Founder at SecureData:
“Today’s news on the hack against credit reporting firm Equifax is a textbook example of how not to handle a data breach effectively. Over half the population of America was put at risk, not to mention the vast number of credit cards that were compromised. Yet, despite the severe and far-reaching repercussions of the incident on customers, the reaction from the company has been lacklustre and worrying.
In response to the breach, Equifax created a website – Equifaxsecurity2017.com – that offers free identity theft protection and credit file monitoring to all US customers. However, customers are asked to input additional information into the website that doesn’t even have a valid security certificate. It’s akin to offering contents insurance to a person whose house has already been robbed – and potentially putting them at risk even further. What’s more, Equifax has been relatively tight lipped about the type of information that has been compromised, meaning if customers want to take advantage of the company’s Credit Freeze feature to prevent further credit theft, they have to use a PIN number that may or may not have been stolen by cybercriminals.
In short, Equifax’s knee-jerk and ill-considered response to the breach is shambolic. It appears the company is more concerned about its own image than supporting customers and providing transparency on what exactly has happened. With the GDPR legislation due to come down heavily on companies that neglect to better protect customer data, this should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cybercrime.”
Simon Townsend, Chief Technologist, EMEA at Ivanti:
GDPR states you have 72 hours, Equifax waited 40 days… The need for unification of IT
Regardless of whether an organisation or country is part of the EU and/or needs to comply with GDPR, taking this long to report a breach is arguably morally incorrect and unacceptable in today’s world. Whilst not the largest breach of all time (Yahoo), 143 million US consumers are now left worrying whether their personal identifiable information is in the wrong hands. In addition it has been reported that both Canadian and UK data may have been included.
Lots of people will question how this breach occurred and what could have been done to prevent it. Reports suggest that the breach took place via a vulnerability on a website application which arguably should have been patched and/or secured better. However, the real issue here is the time taken to respond and kick off the remediation process. The reason it took 40 days to report is unknown but it will no doubt come down to a common challenge that many organisations face when IT teams and the business are not aligned or are not in sync when it comes to technology, processes and workflows. IT alone is typically a siloed set of departments and groups. The Web team is separate from the InfoSec team, the patching team separate from the Service Desk. Siloed themselves, using separate tools and platforms and also at times siloed from the business, IT has grown over many years to what is arguably far from Unified.
EU GDPR is trying to help organisations realise the importance of data protection come May 2018, and whilst there are many technologies which can help solve tactical points across the many articles contained in the GDPR, the real message here is around changing both technology, people and processes to create a more Unified approach.
Richard Parris, CEO and Chairman at Intercede:
“Companies like Equifax are supposed to be the bastions of customer data. Yet, as has worryingly become commonplace today, businesses are continuing to neglect how they protect customer data – and even their own data. Recent research we conducted found that 86% of systems administrators within major enterprises – those people that hold the keys to an organisation’s kingdom – are using basic password authentication to protect data. What’s more, 50% of respondents admitted that business user accounts in their organisations were ‘not very secure.’
It’s no surprise, then, that we’re seeing hack after hack. But it’s no longer acceptable to put customers at risk, advising them to ‘change or use complex passwords’ when passwords are the root cause of the majority of data breaches today. Businesses have been warned that current security methods are no longer enough to fend off cyber criminals and it’s us – the general public – that are left to wonder who has access to our data and which of our online accounts could be compromised next.
The right security methods are out there – strong authentication that incorporates multiple levels of authentication such as PIN numbers, devices and biometrics. This makes it much more difficult for cybercriminals to hack into systems. But it appears businesses are getting lazy and lack the volition to make change. Equifax’s data breach is an example of the type of breach we should not be seeing today, and it’s worrying that calls for change are falling on deaf ears. Businesses will have no choice but to sit up and listen as GDPR comes into effect next year, but it’s reproachable to see businesses continuing to play fast and loose with our personal information until something bad happens to them.”
Lee Munson, Security Researcher at Comparitech.com:
“The scale of the Equifax breach, if the quoted figure of 143 million compromised records turns out to be accurate, is immense and could have far-reaching consequences for its American customers.
That the target of this breach is a company that deals in such sensitive information, including credit card numbers and bank account details, highlights the value of personal and financial data to those who would steal it.
Anyone potentially affected by the breach has some work to do now. While it is not known whether card data was encrypted or not, I suspect it is likely that personal information was easily accessible.
Given how many people create usernames and passwords based on family names, or still use sites with ‘secret questions’ to which the answers are inherently personal, a change of passwords across a number of sites may well be in order right now.
Also, with the same information being an identity thief’s goal, regular checks of bank account statements and credit reports will also be the order of the day, though those affected may want to choose a service from a different credit bureau for this purpose!
Lastly, as with all breaches, Equifax customers should also be on the lookout for spam and targeted phishing emails which use the event to create convincing lures into worlds of even more hurt for them.”
Amit Yoran, CEO at Tenable:
“The details of any incident may not be known until a thorough forensic investigation is complete. Too much speculation before the facts are known is irresponsible.
“We do know that the modern attack surface that organizations have to protect is extremely complex. Their IT systems are constantly evolving and it’s imperative that they maintain a current understanding of their systems, how their business relies on technology, and what their state of cyber hygiene looks like. Those are foundational requirements to understand and manage their level of cyber and business risk.”
Brian Vecci, Technical Evangelist at Varonis:
“This is a prime example that attackers are going to be able to get in no matter what steps a company puts in place, and as one of the big three reporting agencies Equifax should know that and be prepared.
While we don’t have the details at this point, it’s possible that when the attackers got in through a website exploit they may have been able to escalate privileges and behave like an insider. Few companies monitor access to sensitive files, so when attackers breach the perimeter, they can take whatever they want for weeks or months before anyone notices.
This is very typical of what we’ve seen time and time again. Organizations are still learning that valuable and sensitive information can make its way from highly secure systems like databases onto file servers where data is often open to everyone and no one is watching what’s being accessed.
Once attackers are in, they’re often able to access any files that aren’t protected – for many companies that’s millions of files. Whenever an attacker can access information for literally months it shows the company had little idea where their most sensitive data is and probably wasn’t monitoring what its users were doing. You can’t catch what you can’t see, and when you’re blind to who’s accessing data like this, a breach is inevitable.
The EU General Data Protection Regulation (GDPR) mandates that companies will need to report this type of breach within days. If a company doesn’t know this kind of data is stored on their file servers and isn’t watching what’s going on, they would have no way of knowing about the breach and no way to report it. It shows how necessary and important regulations like GDPR are – otherwise companies will go weeks – or even months — without even knowing what happened, because they don’t even know that’s happened. GDPR is going to help companies get better at keeping consumer data private, and this breach shows how badly that’s needed.
It’s like if someone walked into a bank dressed like a teller, pretended to work there, and it took the management two months to notice that a stranger was walking out with cash every night. Companies don’t always realize that their protected information is making its way out because they don’t always know where that data is.
Consumers must assume their data is out there and available for sale on the dark web. They’re monitoring their credit because they’ve lost trust in companies to protect the personal data, but the answer isn’t more credit reporting – it’s privacy and security by design.
Some of their most sensitive data was open and available to access, and they weren’t watching who had access and how the files were being used. Loose file security can shut down a business and it’s where most breaches are coming from, and attackers know that many companies have information on file servers they are not protecting.
Many organizations have lost track of where their most sensitive information lives and who has access to it — earlier this year, we found that almost half of the companies we analyzed had 1,000 or more sensitive files with PII, credit card credentials, medical records, and other data on file servers, open to everyone. Those companies were at risk for exactly this type of breach, where someone gets into the network and spends weeks or months stealing all kinds of valuable information before anyone knows it’s gone missing.
Equifax says the hackers accessed certain files from May to July. That’s 2 ½ months of access. It seems like their data security was focused on their database – but not guarding their website and their files. Too many companies have valuable information making its way into files that don’t have the same protection. Once again, we see an organization that wasn’t watching how their data was being accessed.”
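Both Carl Leonard (bulk record requests standing out against the norm of single-record credit checks) and Brian Vecci (nobody watching which accounts touch sensitive data for weeks) describe the same detection idea: count how many distinct records each principal pulls per time window and alert when that count exceeds the business norm. The following is an added example from the editor, not code from any of the companies quoted. The log format, the principal names, the one-hour window and the limit of 25 records per hour are all constructed assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format for this example: "<ISO-8601 UTC timestamp> <principal> <action> <record id>".
# A real system would log many more fields; only these four are needed for the volume check.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<principal>\S+) (?P<action>\S+) (?P<record>\S+)$"
)


def parse_line(line):
    """Return (timestamp, principal, action, record) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["principal"], m["action"], m["record"]


def counts_per_window(lines, window_minutes=60):
    """Count the distinct records each principal looked up in each fixed window.

    window_minutes must divide 60. Distinct records are counted rather than raw
    requests so that retries of one lookup do not inflate the figure.
    """
    assert 60 % window_minutes == 0, "window must divide an hour"
    buckets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not allowed to crash the monitor
        ts, principal, action, record = parsed
        if action != "lookup":
            continue
        window_start = ts.replace(
            minute=(ts.minute // window_minutes) * window_minutes, second=0, microsecond=0
        )
        buckets[(principal, window_start)].add(record)
    return {key: len(records) for key, records in buckets.items()}


def flag_bulk_access(counts, max_records_per_window=25):
    """Return (principal, window_start, count) for every bucket above the policy limit.

    The limit encodes the business norm that a third party pulls one record per
    credit check; a principal pulling dozens per hour is walking the data set.
    """
    return sorted((p, w, n) for (p, w), n in counts.items() if n > max_records_per_window)


def build_sample_log():
    """Constructed sample: two partners behaving normally, one service account pulling 120 records."""
    lines = []
    for i in range(6):
        lines.append(f"2017-05-14T09:{i * 9:02d}:00Z partner-bank-a lookup rec-{1000 + i}")
    for i in range(4):
        lines.append(f"2017-05-14T09:{i * 13:02d}:30Z partner-bank-b lookup rec-{2000 + i}")
    lines.append("2017-05-14T09:05:00Z partner-bank-a lookup rec-1000")  # retry of an earlier lookup
    lines.append("this line is malformed and must be skipped")
    for i in range(120):  # the anomalous principal: 120 distinct records in ten minutes
        lines.append(
            f"2017-05-14T09:{30 + i // 12:02d}:{(i % 12) * 5:02d}Z web-app-svc lookup rec-{3000 + i}"
        )
    return lines


if __name__ == "__main__":
    for principal, window, n in flag_bulk_access(counts_per_window(build_sample_log())):
        print(f"ALERT {principal} requested {n} distinct records in the hour starting {window.isoformat()}")
```

The limit is deliberately a policy number rather than a statistical one: when the legitimate pattern is "one record per credit check", a fixed ceiling is easier to justify to an investigator than a learned baseline, and a learned baseline can be trained upward by an intruder who starts slowly. In production the same counting would run over the real access log of the database and of the file servers Vecci mentions, keyed by whatever identifies the caller there.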
Fleming Shi, SVP Advanced Technology Engineering at Barracuda:
This breach is like a Category 5 hurricane in the cyber world, affecting at least one-third of the U.S. population. The lasting impact from the breach will go on for years.
Equifax confirmed that a bug in their website was exploited by hackers. Many types of web application vulnerabilities can lead to a major breach. In the case of Equifax, there are two variations that may be relevant to this incident:
- In one instance, a company hosts software that is vulnerable to content injection or privilege escalation attacks. This vulnerability can easily be exploited, once discovered, as not every site is set up for auto updates. In the second instance, web applications or website code is independently vulnerable and subject to various well-known application-level attacks. In such cases, if software exhibits vulnerability to common attacks like SQL injection, XSS, or buffer overflow, this puts an organization at serious risk. The OWASP Top 10 is a good resource to better understand common flaws in web applications. In both cases, the attacker can gain unauthorized access to the backend of an application or website, allowing them to do anything from replacing the content on a site to embedding code, all with the hopes of siphoning highly valuable data.
- For example, if attackers want to steal data, they can gain access by hijacking code-level database connections to run queries. They can also replace existing web forms and route calls with critical information to their own site and harvest credentials for further attack. In some cases, they will inject static content, such as an image, document, binary data, software packages, or stylesheets, which can lead to extended attacks to website visitors.
The vulnerabilities in this breach are quite commonly exploited by hackers. It is easier to exploit vulnerable software hosted on a website because once this vulnerability is exposed, an attacker can “practise and refine” before pulling the trigger on a major attack. All that is needed is the vulnerable version of the hosted software in QA. When website code is independently vulnerable, the nefarious actor must go through trial and error to find gaps in protection. Most reputable sites have a web application firewall in place, which can detect anomalous behavior and prevent continued attack activity on the site. In short, it is more difficult to uncover vulnerable code, but can produce lucrative results if exploited.
In order to keep corporate and user data safe from such breaches, companies should gain a full understanding of what hosting software and other third-party software components may be running on their web applications and website. They should also keep up with version updates, especially when there are security-related fixes. When a security disaster is on the horizon, it’s already too late. Companies should engage in penetration testing beyond a simple “version and patch-level” assessment. This should be part of QA’s acceptance criteria. They should also invest in web application firewalls to ensure proper protection. Whether an app or website is built on-premises or in a public cloud, there are tools available for advanced and continuous protection.
For more advanced protection, train software engineers to develop safe practices in coding or hire CISSP/OSCP professionals to test-hack applications or websites, including social-engineering attacks that will expose access control weaknesses and human errors.
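Shi’s second category (website code that is independently vulnerable, with SQL injection as the first-named example, and attackers “hijacking code-level database connections to run queries”) comes down to one coding habit. The following is an added example from the editor, not Barracuda’s or Equifax’s code: it puts the weak string-built query beside the parameterised one and runs the same malicious input through both against an in-memory SQLite table with constructed rows. The table layout, the SSN format check and the sample values are assumptions for the illustration.

```python
import re
import sqlite3

# Constructed shape check for the lookup key (NNN-NN-NNNN); an allowlist on input format is
# a second layer, not a substitute for parameterised queries.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Classic tautology payload, shown only so the two query styles can be compared on the same input.
INJECTION = "x' OR '1'='1"


def make_db():
    """In-memory table with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consumers (ssn TEXT PRIMARY KEY, name TEXT, dob TEXT)")
    conn.executemany(
        "INSERT INTO consumers VALUES (?, ?, ?)",
        [("000-00-0001", "Alice Example", "1980-01-01"),
         ("000-00-0002", "Bob Example", "1975-06-15")],
    )
    return conn


def lookup_vulnerable(conn, ssn):
    """The weak pattern: caller input is concatenated into the SQL text.

    Whatever the caller supplies is parsed as SQL, so an input that closes the
    quote and appends a tautology returns every row instead of one. This is the
    "code-level database connection" an attacker hijacks.
    """
    sql = f"SELECT name, dob FROM consumers WHERE ssn = '{ssn}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, ssn):
    """The corrected pattern: the value is bound as a parameter.

    The driver passes the input to the engine as data, never as part of the
    statement, so the same malicious string simply matches no row.
    """
    return conn.execute("SELECT name, dob FROM consumers WHERE ssn = ?", (ssn,)).fetchall()


def lookup_hardened(conn, ssn):
    """Parameterised query plus an input-shape check, so junk is rejected before it reaches the database."""
    if not SSN_RE.match(ssn):
        raise ValueError("ssn does not match the expected NNN-NN-NNNN format")
    return lookup_parameterised(conn, ssn)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, INJECTION))      # both rows leak
    print("parameterised:", lookup_parameterised(conn, INJECTION))  # []
    try:
        lookup_hardened(conn, INJECTION)
    except ValueError as exc:
        print("hardened:", exc)
```

The same comparison is what a code review or a QA acceptance test should be looking for: any query assembled with string formatting from request data is the pattern to reject, and a web application firewall in front of it is a mitigation for the window before the code is fixed, not a reason to leave it as is.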
Mike Schuricht, VP Product Management at Bitglass:
“We see breach after breach attributed to poorly patched or ill maintained internal applications, which is ironic considering security professionals continue to predict cloud apps as the bigger security concern. It’s becoming more and more clear that moving to the cloud often means increased security, as the ability to adequately protect the application is an existential question for cloud app vendors.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.