Lessons from the Equifax Data Breach
By Jorge Zelaya - Article on September 25, 2017
- Cyber Security
- Data Breach Notification
- Data Privacy
- Identity Theft and Fraud
The Equifax data breach has made headlines because of the scope and sensitivity of the information that was stolen: the attackers took extensive personally identifiable information (PII) on over 143 million Americans. The nature of its business made Equifax a prime target, but the new reality of cyber crime is that all of us are under attack every day. Every organization that holds personal data, from financial institutions to education, healthcare, and government, needs to continuously improve its security posture while, at the same time, preparing for the security incidents that will inevitably happen. Every breach that hits the headlines is a data point that can improve our defenses, so let’s look at what we can learn from the Equifax situation.
According to Equifax, the attackers exploited a months-old vulnerability in the Apache Struts web framework. The Apache Struts project had released a fix in March 2017, and Equifax had not applied it by mid-May 2017, when the attack began.
Software updates do take time and resources, but IT teams no longer have the luxury of rolling out patches at their convenience. All code has vulnerabilities, and once a fix is published the vulnerability it closes is public knowledge too, so the window between patch release and exploitation is short. Organizations therefore need to automate the systems and processes that roll out security updates as soon as they become available.
While recent years have brought unprecedented cyber threats, they have also brought powerful new capabilities and frameworks for improving security processes. Building on the DevOps philosophy, DevSecOps is a cultural mindset that achieves greater efficiency through collaboration between engineering, operations, and security staff. Applied to patching, it lets IT teams automate the cycle of applying a patch in a test environment, running the test suite, and promoting that build to production. The goal is to treat servers like cattle rather than pets: if there is a problem, spin up a new instance with the necessary updates and retire the old one. Automation of this kind presupposes an accurate inventory of what is deployed where, since you can only patch components you know you are running. Even in a critical environment such as a hospital, systems can be designed so that patching is fast and automated and resource or operational constraints do not put security at risk. Bottom line: if your internal processes take months to roll out a software patch, it is time for an overhaul.
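The patch-lag measurement behind the “months to roll out a patch” point, as an added example (this is not Equifax’s tooling or code from the article): a check that compares a deployment inventory against published advisories, computes how long each still-unpatched component has been exposed, and fails a pipeline gate when exposure exceeds an SLA. The inventory, the host names, the second advisory and the 14-day SLA are constructed for illustration; the Struts entry uses the publicly reported fixed versions 2.3.32 and 2.5.10.1 and a March 2017 publication date, and the report date is assumed to be 29 July 2017.

```python
"""Patch-lag check for a DevSecOps pipeline (added example; all data constructed)."""
from datetime import date

# Constructed advisory feed. The Struts entry uses the publicly reported fixed
# versions; the second entry is made up for illustration.
ADVISORIES = [
    {"component": "apache-struts", "published": date(2017, 3, 6),
     "fixed_in": ["2.3.32", "2.5.10.1"]},
    {"component": "example-webapp-lib", "published": date(2017, 7, 20),
     "fixed_in": ["4.2.0"]},
]

# Constructed inventory: what is deployed and where. Without this list,
# nothing below can run, which is the point about inventory in the text.
INVENTORY = [
    {"host": "web-01", "component": "apache-struts", "version": "2.3.31"},
    {"host": "web-02", "component": "apache-struts", "version": "2.5.10.1"},
    {"host": "web-03", "component": "apache-struts", "version": "2.5.13"},
    {"host": "api-01", "component": "example-webapp-lib", "version": "4.1.7"},
    {"host": "api-02", "component": "example-webapp-lib", "version": "4.2.0"},
]

SLA_DAYS = 14                     # assumed policy: patch within two weeks
REPORT_DATE = date(2017, 7, 29)   # assumed "today" for the report


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare element-wise and a shorter
    tuple sorts before a longer one with the same prefix, so (2, 5, 10) is
    correctly treated as older than (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed_in):
    """True if `version` is older than the fix for its release branch."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_in)
    for fix in fixes:
        if fix[:2] == v[:2]:          # same branch, e.g. 2.5.x
            return v < fix
    # No fix on this branch: an older branch never got one and stays exposed;
    # a branch newer than every fix is assumed to already contain it.
    return v < fixes[0]


def exposure_report(inventory, advisories, today):
    """List every deployed component still exposed, with days since the
    advisory was published and whether that exceeds the SLA."""
    by_component = {a["component"]: a for a in advisories}
    findings = []
    for item in inventory:
        adv = by_component.get(item["component"])
        if adv is None or not is_vulnerable(item["version"], adv["fixed_in"]):
            continue
        lag = (today - adv["published"]).days
        findings.append({"host": item["host"], "component": item["component"],
                         "version": item["version"], "days_exposed": lag,
                         "sla_breached": lag > SLA_DAYS})
    return findings


def pipeline_gate(findings):
    """False (block the promotion to production) if any finding breaches the SLA."""
    return not any(f["sla_breached"] for f in findings)


if __name__ == "__main__":
    report = exposure_report(INVENTORY, ADVISORIES, REPORT_DATE)
    for f in report:
        flag = "SLA BREACH" if f["sla_breached"] else "within SLA"
        print(f"{f['host']}: {f['component']} {f['version']} "
              f"exposed {f['days_exposed']} days ({flag})")
    print("gate:", "PASS" if pipeline_gate(report) else "FAIL")
```

Run as written, the report shows web-01 exposed for 145 days on an unpatched Struts 2.3 branch and fails the gate, while api-01 is exposed but still inside the SLA window. The branch-aware comparison matters because a single “latest version” check would wrongly flag the patched 2.3.32 line as out of date and push teams toward risky major-version jumps instead of the security release on their current branch.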
Another lesson from the Equifax data breach is that compliance does not equal security. Equifax is under near-constant audit, but as this incident shows, passing audits is not enough. The threat landscape changes daily, and compliance frameworks are slow to adapt. Internal and third-party compliance assessments generally do not go deep enough to find the vulnerabilities that pose a real threat to an organization. We need to move beyond compliance to security programs that adapt as the threat landscape evolves.
The Equifax breach also raises several other common information security issues. The first is watchfulness. According to the 2017 Verizon Data Breach Investigations Report, the median time to discover a breach is still on the order of a month, while the data itself is typically compromised within minutes or hours of the initial intrusion. Organizations need to get better at monitoring their systems so that they can contain attacks quickly and fix the weaknesses the attacker used. For example, machine learning can be used to build a baseline of normal traffic on our systems so that abnormal traffic, such as one client pulling far more data than its peers, stands out.

The other challenges are communication and incident response. Much has been made of the fact that Equifax waited six weeks after discovering the breach to inform the public, and that its response processes then proved inadequate for the volume of consumers wanting answers and action. Every organization needs an incident response plan that assumes the worst case, lays out how internal and external communication will be handled, and identifies in advance the resources and tools needed to support potential breach victims. As the hit to Equifax’s stock price shows, the quality of the response has a profound business impact, so good response planning belongs in core business planning.
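The monitoring point above, as an added example that is not from the article or from Equifax: a small baseline-versus-anomaly detector run over web-server access logs. It uses a robust statistical baseline (median and median absolute deviation, the modified z-score) rather than a trained model, which is the simplest working form of the “distinguish normal from abnormal traffic” idea and does not let the outlier inflate the baseline it is measured against. The log lines, client addresses and paths are constructed; the 3.5 cutoff is the conventional threshold for the modified z-score.

```python
"""Baseline-vs-anomaly detection over access logs (added example; log data constructed)."""
import re
from collections import defaultdict
from statistics import median

# Parser for the common/combined log format written by Apache httpd and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: five ordinary clients browsing, and one client pulling
# many large responses from a single export endpoint (a bulk-retrieval pattern
# that a traffic baseline should surface).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2017:10:00:01 +0000] "GET /account/home HTTP/1.1" 200 4820
10.0.0.5 - - [29/Jul/2017:10:00:09 +0000] "GET /account/report HTTP/1.1" 200 6114
10.0.0.5 - - [29/Jul/2017:10:00:31 +0000] "POST /account/dispute HTTP/1.1" 302 0
10.0.0.6 - - [29/Jul/2017:10:01:02 +0000] "GET /account/home HTTP/1.1" 200 4790
10.0.0.6 - - [29/Jul/2017:10:01:44 +0000] "GET /account/report HTTP/1.1" 200 5987
10.0.0.7 - - [29/Jul/2017:10:02:15 +0000] "GET /account/home HTTP/1.1" 200 4811
10.0.0.7 - - [29/Jul/2017:10:02:40 +0000] "GET /account/report HTTP/1.1" 200 6201
10.0.0.7 - - [29/Jul/2017:10:03:05 +0000] "GET /static/app.js HTTP/1.1" 304 0
10.0.0.8 - - [29/Jul/2017:10:03:30 +0000] "GET /account/home HTTP/1.1" 200 4802
10.0.0.8 - - [29/Jul/2017:10:04:10 +0000] "GET /account/report HTTP/1.1" 200 6050
10.0.0.9 - - [29/Jul/2017:10:04:55 +0000] "GET /account/home HTTP/1.1" 200 4833
10.0.0.9 - - [29/Jul/2017:10:05:20 +0000] "GET /login HTTP/1.1" 401 512
10.0.0.9 - - [29/Jul/2017:10:05:41 +0000] "GET /account/report HTTP/1.1" 200 6090
203.0.113.7 - - [29/Jul/2017:10:06:00 +0000] "GET /export/query?offset=0 HTTP/1.1" 200 912000
203.0.113.7 - - [29/Jul/2017:10:06:03 +0000] "GET /export/query?offset=1000 HTTP/1.1" 200 908800
203.0.113.7 - - [29/Jul/2017:10:06:06 +0000] "GET /export/query?offset=2000 HTTP/1.1" 200 911200
203.0.113.7 - - [29/Jul/2017:10:06:09 +0000] "GET /export/query?offset=3000 HTTP/1.1" 200 910400
203.0.113.7 - - [29/Jul/2017:10:06:12 +0000] "GET /export/query?offset=4000 HTTP/1.1" 200 909600
203.0.113.7 - - [29/Jul/2017:10:06:15 +0000] "GET /export/query?offset=5000 HTTP/1.1" 200 912800
203.0.113.7 - - [29/Jul/2017:10:06:18 +0000] "GET /export/query?offset=6000 HTTP/1.1" 200 910000
203.0.113.7 - - [29/Jul/2017:10:06:21 +0000] "GET /export/query?offset=7000 HTTP/1.1" 200 911600
"""

THRESHOLD = 3.5   # conventional cutoff for the modified z-score


def parse_line(line):
    """Return a dict for a well-formed log line, or None for a malformed one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def per_client_stats(log_text):
    """Aggregate request count and bytes served per client address."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # in production, count malformed lines as their own signal
        stats[rec["ip"]]["requests"] += 1
        stats[rec["ip"]]["bytes"] += rec["bytes"]
    return dict(stats)


def robust_z(values):
    """Modified z-score: 0.6745 * (x - median) / MAD. Median and MAD are used
    instead of mean and standard deviation so the outlier itself does not
    drag the baseline toward it. One-sided: only excess over the median counts."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:
        return [float("inf") if v > med else 0.0 for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def detect_anomalies(log_text, threshold=THRESHOLD):
    """Map each flagged client to the metrics (and scores) on which it stood out."""
    stats = per_client_stats(log_text)
    ips = list(stats)
    flagged = defaultdict(dict)
    for metric in ("requests", "bytes"):
        scores = robust_z([stats[ip][metric] for ip in ips])
        for ip, z in zip(ips, scores):
            if z > threshold:
                flagged[ip][metric] = round(z, 2)
    return dict(flagged)


if __name__ == "__main__":
    for ip, metrics in detect_anomalies(SAMPLE_LOG).items():
        print(f"ANOMALY {ip}: {metrics}")
```

On the sample, only 203.0.113.7 is flagged, on both request volume and bytes served; the ordinary clients, including the one with a failed login, stay under the cutoff. In a real deployment the baseline would be computed per time window and per endpoint, and the alert would feed the incident response process rather than a print statement.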
In today’s threat environment, cyber security must be viewed not as a support function but as a core business process. The three pillars of a successful cyber security program are people, process, and technology. Leaders need to train people to make the right decisions on a daily basis—to be informed about security threats, vigilant, and on the lookout for ways to improve security practices. Every IT and infosec organization needs to continuously improve its processes to ensure that they do the right thing, at the right time, with the right people. And decision-makers must invest in best-in-class technology to help prevent, detect, and respond to security incidents. In an environment where cyber threats are a fact of life, these practices will provide a solid foundation on which organizations can thrive and grow.