Following the news of the massive Equifax data breach, IT security experts commented as follows.
Atiq Raza, CEO at Virsec:
“This also highlights that web applications remain a major vector of attack. Even as vulnerabilities are found and patched, hackers are developing new fileless techniques to fly under the radar of most security tools. It’s no longer adequate to base security defenses on past attacks – we need to shift to real-time monitoring and security for web applications and all the processes that support them.”
Tim Erlin, Vice President, Product Management and Strategy at Tripwire:
“The best time to develop a response plan for a breach is well before one occurs. Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans. All organizations that collect and store sensitive data are targets. Doing the basics right, such as ensuring secure configurations, managing vulnerabilities and capturing log data, is the most effective way to prevent breaches.
A breach isn’t a single point in time, but a span of time in which an organization is compromised. Prevention is primary, but detection and response are absolutely necessary as well.”
Dr. Richard Ford, chief scientist at Forcepoint:
Chris Olson, CEO at The Media Trust:
Michael Patterson, CEO at Plixer:
Ryan Wilk, Vice President of Customer Success at NuData Security:
Keiron Shepherd, Senior Security Specialist at F5 Networks:
John Gunn, chief marketing officer at VASCO Data Security:
Josh Mayfield, Platform Specialist at FireMon:
“This is something I hear from countless leaders in business and security where ‘significant investments in data security’ have been made. Now, Equifax has extremely valuable data – everyone can agree on that point. They have every incentive to keep that data secure; after all, that is their business as a data provider.
If a company like Equifax can make significant investments, have every incentive to keep the most sensitive kind of information secure, but still experience a breach…it stands to reason that our playbook needs a revision. The security playbook consists of a few guidelines and directives, and most organizations have been following this playbook for many years.
The primary directives of the security playbook are:
1) Collect a lot of data
2) Store that data in a big database with finely tuned models
3) Sit back and wait for the alerts to stream
But if the playbook would have worked, then the playbook would have worked. Seeing what happened to Equifax should awaken us to the realization that we must do something different. These things happen because we continue to follow an outdated playbook with directives that haven’t evolved to address the changes in the world.
These investments do not address the evolving security landscape, the attack surface growth, or adversary goals. Legacy security investments continue to miss these attacks – like web applications that are left vulnerable to exploit. Secondly, the playbook does not appreciate the mindset of assumed compromise. As organizations continue to adopt this mindset, a new set of plays is needed to serve the new paradigm.
Threat hunting is a discipline that uncovers the changing Tactics, Techniques and Procedures (TTPs) of sophisticated adversaries. Threat hunting involves open-ended, recursive, combinatorial search across all datasets to reveal what is currently hidden.
Organizations have spent billions in currency and labor hours finely tuning monitors and alarm systems. These measures fail when the attacks evolve around our best defenses. Organizations that adopt an assumption of compromise can protect themselves by regularly hunting for threats, using discovery methods to find previously unknown tactics specific to their environments. It is within this mindset that we can explore the potential problems we have not modeled.
We should demystify the notion that threat hunting is the preserve of super-elite organizations or individuals. Anyone can hunt, it only requires following the methods and principles for threat hunting.
Back to Richard F. Smith. He said, “We recognize we must do more. And we will.” That’s encouraging, but perhaps we can adjust what we are doing to protect data, instead of throwing more money and resources at the same systems, in the same paradigm, to serve the same playbook that continues to fail. To keep making the same investments would be the definition of insanity.”
Carl Leonard, Principal Security Analyst at Forcepoint:
“Equifax is clearly taking this breach seriously and investing in security technologies and processes to understand the source of the attack and protect its customers’ data in future. It appears that attackers could have been accessing Equifax’s systems between the middle of May until the end of July before the breach was identified, something which could have been avoided through the use of behavioural analysis technologies. To extract this quantity of data, we assume that criminals may have requested large quantities of data records as opposed to “normal” behaviour of third parties requesting single records on individuals for credit check reference purposes. By applying a human-centric approach to look at the norms of how and why data is accessed and by whom, anomalies such as these could be spotted, investigated, and stopped.
“Consumer trust in organisations is eroded by data breaches of this magnitude. People should also keep a close eye on activity on bank accounts and credit cards, and consider identity theft management services.
“This is an important lesson for credit reporting agencies and data aggregators. The depth and personal nature of the data obtained and stored by such organisations can be incredibly powerful in the wrong hands – the hands of cybercriminals and those with ill intent.
“Once GDPR legislation comes into force in May 2018, any breach impacting any European resident’s PII (as this breach does) will need to be reported within 72 hours, or companies can face fines of up to 10 million Euros or two per cent of global turnover, whichever is higher. These potential financial impacts will certainly drive international businesses to examine their security incident response and reporting processes very closely, as a breach such as Equifax’s, which was announced six weeks after discovery, would have a different outcome in a year’s time.
“There has been no comment from Equifax to date on whether the data was held in an encrypted database. If data had been hashed and salted, then the breach would not be as large a concern for individuals, as extracting personally identifiable information would be almost impossible.”
“This breach does serve as a further reminder to other organisations holding PII of this scale and nature to closely examine their own security policies. While we don’t yet have technical details of how the breach occurred, other than the likely candidate being via a website application vulnerability, companies should examine security practices such as holding unencrypted data in central repositories, the security processes around APIs, and the implications of upcoming regulations and how it affects those practices.”
Robin Tombs, CEO and Founder at Yoti:
“Businesses can protect themselves and consumers by asking people to use their biometrics alongside verified identity details so they can be more confident people are who they claim to be.
Individuals controlling their own digital identities will help protect them, their data and make it faster and easier to do trusted business online.”
Etienne Greeff, CTO and Co-Founder at SecureData:
“In response to the breach, Equifax created a website – Equifaxsecurity2017.com – that offers free identity theft protection and credit file monitoring to all US customers. However, customers are asked to input additional information into the website that doesn’t even have a valid security certificate. It’s akin to offering contents insurance to a person whose house has already been robbed – and potentially putting them at risk even further. What’s more, Equifax has been relatively tight-lipped about the type of information that has been compromised, meaning if customers want to take advantage of the company’s Credit Freeze feature to prevent further credit theft, they have to use a PIN number that may or may not have been stolen by cybercriminals.
In short, Equifax’s knee-jerk and ill-considered response to the breach is shambolic. It appears the company is more concerned about its own image than supporting customers and providing transparency on what exactly has happened. With the GDPR legislation due to come down heavily on companies that neglect to better protect customer data, this should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cybercrime.”
Simon Townsend, Chief Technologist, EMEA at Ivanti:
“Regardless of whether an organisation or country is part of the EU and/or needs to comply with GDPR, taking this long to report a breach is arguably morally incorrect and unacceptable in today’s world. Whilst not the largest breach of all time (Yahoo), 143 million US consumers are now left worrying whether their personally identifiable information is in the wrong hands. In addition it has been reported that both Canadian and UK data may have been included.
Lots of people will question how this breach occurred and what could have been done to prevent it. Reports suggest that the breach took place via a vulnerability on a website application which arguably should have been patched and/or secured better. However, the real issue here is the time taken to respond and kick off the remediation process. The reason it took 40 days to report is unknown but it will no doubt come down to a common challenge that many organisations face when IT teams and the business are not aligned or are not in sync when it comes to technology, processes and workflows. IT alone is typically a siloed set of departments and groups. The Web team is separate from the InfoSec team, the patching team separate from the Service Desk. Siloed themselves, using separate tools and platforms and also at times siloed from the business, IT has grown over many years to what is arguably far from Unified.
EU GDPR is trying to help organisations realise the importance of data protection come May 2018, and whilst there are many technologies which can help solve tactical points across the many articles contained in the GDPR, the real message here is around changing both technology, people and processes to create a more Unified approach.”
Richard Parris, CEO and Chairman at Intercede:
“It’s no surprise, then, that we’re seeing hack after hack. But it’s no longer acceptable to put customers at risk, advising them to ‘change or use complex passwords’ when passwords are the root cause of the majority of data breaches today. Businesses have been warned that current security methods are no longer enough to fend off cyber criminals and it’s us – the general public – that are left to wonder who has access to our data and which of our online accounts could be compromised next.
The right security methods are out there – strong authentication that incorporates multiple levels of authentication such as PIN numbers, devices and biometrics. This makes it much more difficult for cybercriminals to hack into systems. But it appears businesses are getting lazy and lack the volition to make change. Equifax’s data breach is an example of the type of breach we should not be seeing today, and it’s worrying that calls for change are falling on deaf ears. Businesses will have no choice but to sit up and listen as GDPR comes into effect next year, but it’s reproachable to see businesses continuing to play fast and loose with our personal information until something bad happens to them.”
Lee Munson, Security Researcher at Comparitech.com:
“That the target of this breach is a company that deals in such sensitive information, including credit card numbers and bank account details, highlights the value of personal and financial data to those who would steal it.
Anyone potentially affected by the breach has some work to do now. While it is not known whether card data was encrypted or not, I suspect it is likely that personal information was easily accessible.
Given how many people create usernames and passwords based on family names, or still use sites with ‘secret questions’ to which the answers are inherently personal, a change of passwords across a number of sites may well be in order right now.
Also, with the same information being an identity thief’s goal, regular checks of bank account statements and credit reports will also be the order of the day, though those affected may want to choose a service from a different credit bureau for this purpose!
Lastly, as with all breaches, Equifax customers should also be on the lookout for spam and targeted phishing emails which use the event to create convincing lures into worlds of even more hurt for them.”
Amit Yoran, CEO at Tenable:
“We do know that the modern attack surface that organizations have to protect is extremely complex. Their IT systems are constantly evolving and it’s imperative that they maintain a current understanding of their systems, how their business relies on technology, and what their state of cyber hygiene looks like. Those are foundational requirements to understand and manage their level of cyber and business risk.”
Brian Vecci, Technical Evangelist at Varonis:
“While we don’t have the details at this point, it’s possible that when the attackers got in through a website exploit they may have been able to escalate privileges and behave like an insider. Few companies monitor access to sensitive files, so when attackers breach the perimeter, they can take whatever they want for weeks or months before anyone notices.
This is very typical of what we’ve seen time and time again. Organizations are still learning that valuable and sensitive information can make its way from highly secure systems like databases onto file servers where data is often open to everyone and no one is watching what’s being accessed.
Once attackers are in, they’re often able to access any files that aren’t protected–for many companies that’s millions of files. Whenever an attacker can access information for literally months it shows the company had little idea where their most sensitive data is and probably wasn’t monitoring what its users were doing. You can’t catch what you can’t see, and when you’re blind to who’s accessing data like this, a breach is inevitable.
The EU General Data Protection Regulation (GDPR) mandates that companies will need to report this type of breach within days. If a company doesn’t know this kind of data is stored on their file servers and isn’t watching what’s going on, they would have no way of knowing about the breach and no way to report it. It shows how necessary and important regulations like GDPR are – otherwise companies will go weeks – or even months — without even knowing what happened, because they don’t even know that’s happened. GDPR is going to help companies get better at keeping consumer data private, and this breach shows how badly that’s needed.
It’s like if someone walked into a bank dressed like a teller, pretended to work there, and it took the management two months to notice that a stranger was walking out with cash every night. Companies don’t always realize that their protected information is making its way out because they don’t always know where that data is.
Consumers must assume their data is out there and available for sale on the dark web. They’re monitoring their credit because they’ve lost trust in companies to protect the personal data, but the answer isn’t more credit reporting; it’s privacy and security by design.
Some of their most sensitive data was open and available to access, and they weren’t watching who had access and how the files were being used. Loose file security can shut down a business and it’s where most breaches are coming from, and attackers know that many companies have information on file servers they are not protecting.
Many organizations have lost track of where their most sensitive information lives and who has access to it — earlier this year, we found that almost half of the companies we analyzed had 1,000 or more sensitive files with PII, credit card credentials, medical records, and other data on file servers, open to everyone. Those companies were at risk for exactly this type of breach, where someone gets into the network and spends weeks or months stealing all kinds of valuable information before anyone knows it’s gone missing.
Equifax says the hackers accessed certain files from May to July. That’s 2 ½ months of access. It seems like their data security was focused on their database– but not guarding their website and their files. Too many companies have valuable information making its way into files that don’t have the same protection. Once again, we see an organization that wasn’t watching how their data was being accessed.”
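Both Carl Leonard (bulk record requests against an API normally used for single lookups) and Brian Vecci (nobody watching who reads which files for weeks) describe the same detection gap: nothing compared a principal's access volume with its own history. The following is an added example, not code from Equifax, Forcepoint or Varonis. It assumes a simple access log of one line per request in the form `<date> <principal> <records_returned>`; the principal names, dates, counts and thresholds are all constructed for illustration.

```python
"""Per-principal access-volume baselining over a constructed access log.

Added example; not code from Equifax, Forcepoint or Varonis. The log
format ('<date> <principal> <records_returned>'), the principals, the
counts and the thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
import statistics


def build_sample_log() -> list[str]:
    """Constructed sample: two partners pulling single records as normal,
    and one web-facing service account that starts bulk-pulling on day 6."""
    lines = []
    for day in range(1, 8):
        date = f"2017-05-{day:02d}"
        lines += [f"{date} partner-a 1"] * 5       # five single-record lookups
        lines += [f"{date} partner-b 2"] * 3       # three two-record lookups
        if day <= 5:
            lines.append(f"{date} svc-web 3")      # normal behaviour
        else:
            lines.append(f"{date} svc-web 60000")  # bulk extraction begins
            lines.append(f"{date} svc-web 45000")
    return lines


def parse(line: str) -> tuple[str, str, int]:
    date, principal, count = line.split()
    return date, principal, int(count)


def daily_totals(lines):
    """principal -> {date: total records returned that day}"""
    totals = defaultdict(lambda: defaultdict(int))
    for date, principal, count in map(parse, lines):
        totals[principal][date] += count
    return totals


def find_anomalies(lines, k=5.0, min_excess=100, bulk_request=1000):
    """Return (principal, date, observed, reason) tuples.

    Rule 1 is a static guardrail: a single request returning more than
    `bulk_request` records is never normal for a per-individual lookup API.
    Rule 2 is behavioural: a day's total is compared with that principal's
    own earlier days using median and MAD (robust to a few outliers), so a
    partner that legitimately does hundreds of lookups a day is judged
    against its own history rather than a global average.
    """
    alerts = []
    for date, principal, count in map(parse, lines):
        if count > bulk_request:
            alerts.append((principal, date, count, "single bulk request"))

    for principal, per_day in daily_totals(lines).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]   # prior days only
            if len(history) < 3:
                continue   # not enough baseline to judge yet
            med = statistics.median(history)
            mad = statistics.median(abs(h - med) for h in history)
            threshold = med + max(k * mad, min_excess)
            if per_day[day] > threshold:
                alerts.append((principal, day, per_day[day],
                               f"daily total above baseline {threshold:.0f}"))
    return alerts


def flagged_principals(lines) -> set[str]:
    """Just the principals that raised at least one alert."""
    return {principal for principal, *_ in find_anomalies(lines)}


if __name__ == "__main__":
    for alert in find_anomalies(build_sample_log()):
        print(*alert)
```

Run stand-alone it prints only `svc-web` alerts: the two partners never exceed their own baseline, while the service account trips the bulk-request rule on every oversized request and the daily-total rule on both days. The baseline uses prior days only, so the attack's own volume does not inflate the threshold it is judged against; the `min_excess` floor stops a perfectly flat history (MAD of zero) from alerting on trivial variation.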
Fleming Shi, SVP Advanced Technology Engineering at Barracuda:
“Equifax confirmed that a bug in their website was exploited by hackers. Many types of web application vulnerabilities can lead to a major breach. In the case of Equifax, there are two variations that may be relevant to this incident:
- In one instance, a company hosts software that is vulnerable to content injection or privilege escalation attacks. This vulnerability can easily be exploited, once discovered, as not every site is set up for auto updates. In the second instance, web applications or website code is independently vulnerable and subject to various well-known application-level attacks. In such cases, if software exhibits vulnerability to common attacks like SQL injection, XSS, or buffer overflow, this puts an organization at serious risk. The OWASP Top 10 is a good resource to better understand common flaws in web applications. In both cases, the attacker can gain unauthorized access to the backend of an application or website, allowing them to do anything from replacing the content on a site to embedding code, all with the hopes of siphoning highly valuable data.
- For example, if attackers want to steal data, they can gain access by hijacking code-level database connections to run queries. They can also replace existing web forms and route calls with critical information to their own site and harvest credentials for further attack. In some cases, they will inject static content, such as an image, document, binary data, software packages, or stylesheets, which can lead to extended attacks on website visitors.
The vulnerabilities in this breach are quite commonly exploited by hackers. It is easier to exploit vulnerable software hosted on a website because once this vulnerability is exposed, an attacker can “practise and refine” before pulling the trigger on a major attack. All that is needed is the vulnerable version of the hosted software in QA. When website code is independently vulnerable, the nefarious actor must go through trial and error to find gaps in protection. Most reputable sites have a web application firewall in place, which can detect anomalous behavior and prevent continued attack activity on the site. In short, it is more difficult to uncover vulnerable code, but it can produce lucrative results if exploited.
In order to keep corporate and user data safe from such breaches, companies should gain a full understanding of what hosting software and other third-party software components may be running on their web applications and websites. They should also keep up with version updates, especially when there are security-related fixes. When a security disaster is on the horizon, it’s already too late. Companies should engage in penetration testing beyond a simple “version and patch-level” assessment. This should be part of QA’s acceptance criteria. They should also invest in web application firewalls to ensure proper protection. Whether an app or website is built on-premises or in a public cloud, there are tools available for advanced and continuous protection.
For more advanced protection, train software engineers to develop safe practices in coding or hire CISSP/OSCP professionals to test-hack applications or websites, including social-engineering attacks that will expose access control weaknesses and human errors.”
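The second variation above, application code that is itself vulnerable to something like SQL injection and lets an attacker "hijack code-level database connections to run queries", is easiest to see side by side with its fix. The block below is an added example, not Equifax's or Barracuda's code: it uses an in-memory sqlite3 table with placeholder rows standing in for a consumer-record store, a deliberately vulnerable lookup that splices the caller's input into the SQL text, and the parameterised form that closes the hole. The table, the rows and the two payloads are constructed for illustration.

```python
"""Vulnerable versus parameterised record lookup (added example).

Not Equifax's or Barracuda's code. The table, rows and payloads are
constructed, and sqlite3 stands in for whatever the real backend was.
"""
import sqlite3

# Constructed data; the SSN-like strings are placeholders, not real numbers.
ROWS = [
    ("Alice Example", "000-00-0001"),
    ("Bob Example", "000-00-0002"),
    ("Carol Example", "000-00-0003"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory stand-in for a per-individual lookup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE consumers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO consumers (name, ssn) VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """Deliberately vulnerable: the caller's string becomes part of the SQL.

    A quote character in `name` ends the literal and the rest of the input
    is parsed as SQL, so the caller, not the developer, decides what runs.
    """
    query = f"SELECT name, ssn FROM consumers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    """Hardened: the value is bound as a parameter and is only ever data.

    The SQL text is fixed at development time; whatever the caller sends is
    compared against the column as a string and cannot alter the query.
    """
    return conn.execute(
        "SELECT name, ssn FROM consumers WHERE name = ?", (name,)
    ).fetchall()


# Two classic payloads: a tautology that makes the WHERE clause always true,
# and one that comments out the closing quote the query expects.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_COMMENT = "' OR 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print("legitimate name, vulnerable:", lookup_vulnerable(conn, "Bob Example"))
    print("legitimate name, safe:      ", lookup_safe(conn, "Bob Example"))
    # The vulnerable lookup dumps every row; the safe one matches nothing,
    # because no consumer is literally named "' OR '1'='1".
    print("payload, vulnerable:", lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY))
    print("payload, safe:      ", lookup_safe(conn, PAYLOAD_TAUTOLOGY))
```

For an honest input both functions return the same single row; for either payload the vulnerable function returns the whole table while the parameterised one returns nothing. A web application firewall in front of the site, as the commentary recommends, can screen for these patterns on the way in, but it is a compensating control: binding parameters removes the flaw at the source, and is the check a penetration test beyond a "version and patch-level" assessment would be looking for.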
Mike Schuricht, VP Product Management at Bitglass:
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.