The Equifax hack exposed the personally identifiable information of 143 million people and has created a tremendous ethical, public relations, and legal dilemma for the company. Stakeholders are looking for information to understand what happened. The key question: How was the Equifax data compromised? We still don’t know, and that has led to a great deal of criticism and speculation.
Compounding the problem for Equifax (and everyone else) is that the company has made tremendous mistakes in its response efforts. Equifax executives dumped stock after the breach. The company offered free credit-monitoring services to those affected when they attempted to learn if their data was compromised, but only if they sign away their rights to sue for damages.
The cost of the Equifax breach is likely to be greater than the Target breach. A class action lawsuit has already been filed that seeks as much as $70 billion in damages. While the Equifax infrastructure is likely smaller than Target’s, the financial exposure is greater.
Marketing, security, and disaster recovery professionals will be analyzing Equifax’s initial response as a case of what not to do. However, security professionals need to focus on how not to become another Equifax.
In my book, Advanced Persistent Security, I discuss a systematic process of learning from failure and that you can learn from other people’s failure as much as, if not more than, your own. That process involves breaking down the phases of protection, detection, and reaction.
Any minimally capable security program considers that protection will fail, so detection is as important, if not more important, than protection. While failing to keep the attackers out is forgivable, not planning for that inevitable failure is not.
Protect the data
Initial reports claim that a bug in the Apache Struts application was the root cause of the compromise. Even if this is true, it might not be the only vulnerability that existed or enabled the attack. A single point of failure should not result in a compromise of 143 million highly valuable records.
You should be asking questions like these of the Equifax breach:
- Why was that volume of data so readily available to a web application?
- What protections should have been in place to prevent such a compromise of information?
- What protections should have been in place with the assumption that a web application would have an inevitable vulnerability?
- Was there data leak prevention in place?
The questions you might ask are infinite, and they need to be answered as fully as possible. Ask questions about not only what failed, but also what else should have been in place that could have stopped the data compromise. These questions are related to every step in how data is collected, created, stored, accessed, edited, transmitted, and so on. This involves looking at the entire architecture to ensure that if one component is compromised, such as the web server providing data access, that other components of the architecture minimize the data compromise.
Detect an intrusion
As already stated, failure in protection is inevitable. It is critical to have a detection architecture in place to identify when protection fails. For example, I cannot imagine a specific example where a single system should access all 143 million records in the database in a short period of time. There is no reason that the entire database should be copied. There are many tools that would detect such access. Data access is the most paramount of concerns for a company like Equifax, and all data access should be constantly scrutinized.
There are also tools that should detect a compromise of the systems or applications running on those systems. If Apache Struts was modified or manipulated in any way, it should have been detected. The technical architecture of a critical infrastructure should be constantly monitored for any form of compromise.
Network analytics can also look for anomalous activity, including peer to peer activity that is traditionally associated with advanced persistent threats (APTs). While I do not want to loosely use the term APT, it is synonymous with sophisticated attackers who demonstrate discipline, use covert channels, and constantly evolve techniques. Environments such as Equifax should use tools that look for unusual network activity that would indicate any unusual activity.
Behavioral analytics is another detection capability that should be standard for any environment with sensitive information. In the Equifax case, if there was a vulnerability in its web interface application, there should have been a detection capability that looks for unusual access patterns. This is the case for any process that is involved with any type of access or manipulation of data.
As with protection, you need to not only look for what detection was in place and failed, you also need to understand what detection capability should have been in place that would have detected the compromise.
React to the data breach
Upon learning about the breach, it appears that Equifax hired FireEye to perform the investigation. While the hiring of FireEye was a reasonable step, everything else created a public relations disaster.
Shortly after the breach, several executives sold a portion their stock in the company before values plummeted. Equifax claims that those executives did not know of the breach at the time of the sale, but their actions did exacerbate the PR nightmare that has ensued. That reaction was then worsened when Equifax attempted to limit recourse of those impacted.
Public relations should be a concern, however, that should not be the first reaction. There needs to be a comprehensive, proactive plan created for as many types of incidents as possible. Clearly, the nature of the incident response depends upon what it is and how it was detected. If it is a technical attack detected early in the reconnaissance phase, it is different than after there was a complete compromise of the database.
Sadly, I have to reiterate that you should not attempt to further victimize the true victims of the attack, nor attempt to profit from it.
The Equifax hack is a wake-up call, but we have had more than enough wake-up calls. The reality is that most security professionals will complain about the incident, until another comes up, without taking appropriate actions within their own organizations.
Organizations must realize that good security programs require a program that entails a comprehensive protection, detection, and reaction strategy. Equifax can be used to both take away lessons, and probably more valuably, help to justify the cost of putting appropriate programs together.
While I know a lot of people love to hear the stories about the pending multi-billion dollar class action lawsuits against the company, the reality is that tens of millions of dollars will go to lawyers, while pennies will go to the victims. The best you can hope for is that the threat of such lawsuits will help you get the resources to implement a proper security program.