Maksim Kabakou - Fotolia
The U.S. House Committee on Oversight and Government Reform published a new report detailing how the Equifax breach happened and how it could have been prevented.
The committee concluded in its Equifax breach report that the incident -- which affected 148 million people -- was "entirely preventable" and occurred because Equifax "failed to implement an adequate security program to protect this sensitive data."
"Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax's IT management structure existed, leading to an execution gap between IT policy development and operation," the committee wrote in the report. "This also restricted the company's implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains."
"Second, Equifax's aggressive growth strategy and accumulation of data resulted in a complex IT environment," the report continued. "Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax's IT systems made IT security especially challenging."
The Equifax breach report broke down the timeline in great detail, starting with the initial disclosure of the Apache Struts vulnerability used in the attack on March 7, 2017. Equifax received the alert from the Department of Homeland Security about the vulnerability on March 8 and notified responsible personnel to patch systems on March 9. The company performed a scan for any systems still vulnerable on March 15 and didn't find any, despite attackers first exploiting vulnerable systems on March 10.
"Equifax, however, did not fully patch its systems. Equifax's Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability," the report determined. "Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed."
Rudolph Araujo, vice president of marketing at Awake Security, based in Sunnyvale, Calif., said the issue was likely a lack of "checks and balances to make sure the patch was actually successfully deployed, services restarted, etc."
"They quite likely may have passed an audit for their patch management process by claiming they have that as a process, but this is a good example of why this process just would never work in any sizeable organization. For instance, were they even in a position to know all of the Apache servers in an environment as large and complex as Equifax?" Araujo said.
"As the report points out, the company under Richard Smith was growing rapidly and processing enormous amounts of data," he continued. "This often leads to shadow IT, where developers, business units, etc., spin up their own infrastructure, and one wonders if the security team even had visibility into it."
Satya Gupta, CTO and co-founder at Virsec Systems Inc., based in San Jose, Calif., said it's easy to "throw Equifax under the bus, and they certainly could have prevented much of the damage from the breach."
"It's dangerous to get on a soap box about patching when most organizations take months to deploy patches across the board. Security by patching is a losing strategy. Organizations need to find ways to protect critical applications, regardless of their patch status," Gupta said. "Clearly, Equifax did not run a tight security ship, and vast amounts of data were spread across many out-of-date platforms."
"More than a technology problem, this was a massive organizational mess, leading to a disastrous public response," Gupta continued. "Slow patching was just one of many structural problems that made Equifax a fat target."
More security troubles
Beyond the Apache Struts patching issue, the Equifax breach report noted the company had serious issues with security certificates.
"Equifax did not see the data exfiltration, because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic," the committee found. "After updating the security certificate, Equifax employees identified suspicious traffic from an IP address originating in China. The suspicious traffic exiting the ACIS application potentially contained image files related to consumer credit investigations. Equifax discovered it was under active attack and immediately launched an incident response effort."
Araujo said the certificates in question were likely needed to decrypt data before it was processed by an intrusion detection system.
"If the SSL inspection device does not have the appropriate certificates, it can't decrypt the data and, consequently, cannot feed that into the intrusion detection systems. Clearly, this should never have happened," Araujo said. "Even if the certificates had never expired, it would not be surprising at all if there had been no threat alerts, given how ill-equipped traditional IDPS are at detecting data exfiltration, especially the low and slow kind."
Jesse Dean, senior director of solutions at Tetrad Digital Integrity, based in Washington, D.C., said this should be taken as "a cautionary tale for CISOs, C-suite and boards, as Equifax is not unlike most medium to large organizations when it comes to cybersecurity."
"It's easy to say Equifax should have maintained a better inventory and accounting of their certificates and should have known how to run a proper vulnerability scan. They all have a budget, tools, teams, training and policies. It's the effectiveness of each of those piece parts and how they work together that has continued to plague the cyber industry since its inception," Dean said. "What, unfortunately, gets lost is the visibility and accountability around the pedestrian, yet paramount fundamentals of cybersecurity, such as network segmentation, inventory, certificate and vulnerability management."
"There are no valid excuses for expired security certificates," Gupta said.
"For any system that is being actively managed, expired certificates are immediately apparent. If Equifax let hundreds of certs expire, there were clearly huge areas of security and IT oversight that were completely lacking," Gupta said. "Well-run IT organizations have tight controls over all business-critical servers and closely monitor where sensitive data is going and being stored. Security certificates must always be up-to-date, and out-of-date systems should be retired whenever possible. While patching can be a legitimate challenge, having clear network visibility should be a prerequisite, not an afterthought."
According to the Equifax breach report, the company had two initiatives put in place following the discovery of the attack: Project Sierra to handle the incident response and Project Sparta for notifying the public of the breach.
"The purpose of Project Sparta was to create a consumer-facing website for individuals to find out whether they were affected by the breach and, if so, to register for credit monitoring and identity theft services," the committee wrote. "Almost immediately, problems existed with Equifax's public response. The website and call centers were overwhelmed with requests for information and left consumers without answers as to whether they were affected by the breach."
Gupta noted that Project Sierra was also troubled.
"Equifax did plenty wrong before the breach to make themselves vulnerable, but well-run IT organizations assume they will be attacked and have clearly defined response plans. Everything about Project Sierra was a disaster, including alleged leaks about its status leading to insider trading charges," Gupta said. "There is no excuse for the months it took from discovering the breach to the public acknowledgment. While most states have breach notification laws, there needs to be tighter standards on the length of time a company can research a breach before coming clean."