In response to today’s testimony by former Equifax Chairman and CEO Equifax Richard F. Smith to the Digital Commerce and Consumer Protection Subcommittee of the US House Commerce Committee, two cybersecurity experts commented below on the company’s cybersecurity posture.
Pravin Kothari, Founder and CEO at CipherCloud:
“The CERT Apache Struts notification is no doubt an all-hands-on-deck type of notification, with a criticality of 10 out of 10, which in this case means hacker can get full control of the system.
“A good security process would have identified vulnerable systems within 24 hours and patch must have been applied. But the Equifax process was “weak and broken” because it failed to identify the vulnerable systems. This process is supposed to run every day; not only did they not identify the vulnerability immediately, it went unidentified until they found the breach. It was too late!!
“Equifax did not verify how their effective vulnerability management process was. That indicates the focus was growing their business but not caring about consumers’ data privacy. They apparently did not even have a business continuity and disaster recovery plan (or at least not an effective one); every company of this size should. How can a “consumer dispute website” can have access to the entire database of US consumer PII information? This shows their weak security architecture.
“Updates and fixes on issues that CERT has sent a notice on falls under the areas covered by a good vulnerability management (VM) program, which most of the business of the size of Equifax have. But Equifax’s VM process was not mature nor was it effective, as evident with their failure to identify the vulnerable systems.
“The issue with Equifax is they did not even identify the vulnerable system, it is a moot point to talk about patching. It was hopeless.”
“Equifax should be held to a much higher standard. But their security process was down-right immature.”
Christian Vezina, CISSP, Chief Information Security Officer at VASCO Data Security:
“Re the CERT Apache Struts notification, it’s always a question of managing risks – and this one was a pretty big one. If you have that critical vulnerability running on a web facing server that serves so much personal information, you can’t afford to wait too long. The question becomes “how soon can I proceed?” even if it will result in service interruption.
“Organizations need to have someone assigned to “own” patching and follow-up regularly on any open issues. Now if you really want to do the right thing, you can’t to rely too much on manual processes. You have to automate daily system scans – not only allow to quickly identify new vulnerabilities, but also help track resolution of open issues.
“To confirm patching has been done, then once you are familiar with a tool and have tweaked it to pick everything that’s known, the only way to be certain the job is done is to compare the BEFORE and AFTER.
“Unfortunately, most breaches we see today still exploit relatively old vulnerabilities, and in this event it was the case again. However, the type and amount of data you are processing should dictate how diligent you need to be. Falling prey to a zero-day vulnerability is not the same as delaying the application of available patches for critical known vulnerabilities. The Equifax breach will remain for a long time part of the worst breaches in history.
“Individuals don’t usual ask what protection measures are in place to protect their personal information. Everyone assumes that their data is safe, especially when dealing with such large organizations that hold so much personal information. Given their role and the amount and value of information they hold, Equifax should definitely be among the relatively few organizations that feed on CERT notifications and are ready to respond day and night.”