
Warning for Equifax security issues came months before breach

A security researcher reportedly disclosed a number of Equifax security issues to the company months before the major data breach, and none of the problems were fixed.

A new report alleges the Equifax security issues were far worse than originally thought, and some warnings may have gone unheeded for months prior to the company being breached.

A security researcher claimed to have disclosed a number of Equifax security issues in December 2016 -- approximately three months before the initial breach of Equifax systems.

One of the Equifax security issues detailed by the unnamed researcher in a report by Motherboard was that an Equifax website exposed personally identifiable information (PII), including names, city and state locations, Social Security numbers and birthdates, through a forced-browsing bug.

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this sort of bug was "inexcusable in this day and age."

"[Andrew] 'Weev' Auernheimer went to prison over exploiting a forced-browsing bug that revealed far less sensitive information than that revealed through the Equifax web applications," Williams told SearchSecurity. "That a company would be notified about a forced-browsing issue exposing PII and then fail to fix it in the current security climate borders on negligence."

Beyond that bug, the researcher said they found Equifax servers running outdated software and vulnerable to SQL injection attacks, allowing shell access to those systems.

Peter Tran, general manager and senior director of worldwide advanced cyberdefense practice at RSA Security, based in Bedford, Mass., said the Equifax security issues were not unique, but "the table stakes increase exponentially in PII-intensive businesses."

"Blind spots in vulnerability monitoring and visibility can go off the rails very fast, particularly over publicly web-facing assets open to overwhelming amounts of probing and reconnaissance," Tran told SearchSecurity. "It's a double bubble: If one security layer pops, you can pop the other -- i.e., the classic SQL injection blind spot."

Equifax security response


With the disclosure of these problems to Equifax, the security researcher asked the company to at least take down the public access to these servers. However, Equifax didn't take action until June -- approximately three months after the company had been breached via an unrelated Apache Struts vulnerability and one month before the company detected that breach.

Hector Monsegur, director of assessment services at Seattle-based Rhino Security Labs, said the "entire situation is inexcusable." But, unfortunately, he said he could also "see how vulnerability warnings may have gone under the radar."

"This is common among organizations with large attack surfaces, vast amount of employees and no coordination between its various IT departments. Unless they drastically change their current state of security, I fear the situation may be getting worse," Monsegur told SearchSecurity. "Eventually, large organizations with lax security will be facing a reality check: There are consequences to major blunders in security. Attorneys general across the United States have been taking action against companies who are not properly safeguarding financial or customer information. Being 'too large to fail' is no longer a free pass."

Rick Holland, vice president of strategy for San Francisco-based Digital Shadows, said the revelation of these latest Equifax security issues makes it "even more difficult to accept former CEO Richard Smith's explanation that a single employee 'not doing their job' was the reason this intrusion occurred."

"Systemic issues in Equifax's vulnerability management program were more likely to have contributed to this breach than a single person. Given the nature of Equifax's data, they were highly likely to be targeted by a vast array of threat actors from nation states to hacktivists to cybercriminals," Holland told SearchSecurity. "If their security program is as weak as it is being reported, then you probably had multiple threat actors stepping all over themselves as they probed and pivoted across the environment."

Jules Okafor, vice president of cyber risk programs at Fortress Information Security in Orlando, Fla., said the Equifax security issues appeared systemic.

"Experts attribute Equifax's breach to a combination of small, but incremental technical lapses. Yet, breaches at large enterprises can be directly attributed to failed processes and priorities -- innovation over security, single points of failure and a siloed approach to vulnerability risk management," Okafor told SearchSecurity. "These are systemic issues that impact a security team's ability to detect, respond and remediate critical threats in a timely fashion."


Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What do you think about Equifax's security response?
Cancel
When a company like Equifax, whose core business is centered around the collection of NPI, can't execute an effective information security program, how can we (Joe Q Public) expect organizations that gather NPI as an incidental part of their business to do so effectively? Even our own government has failed miserably in protecting NPI (reference OPM breach), so it is understandable that a foreboding sense of hopelessness has set in. As with terrorism, we have to get it right 100% of the time and that just isn't humanly or technically possible. How long before the lawyers seize this class action honeypot?