A Hard Lesson in Vulnerability Management for Equifax

Since announcing its breach on Thursday, Equifax has taken a formidable beating in the media, and I suspect at virtually every office water cooler in the U.S. Waiting six weeks before telling consumers about the breach of their sensitive, personal information to first ‘get their story straight’ has many up in arms – and rightfully so. The company’s response has been no better, and likely made matters worse, with their questionable efforts to “protect” consumers in the future.

Lawsuits have been filed for what appears to be Equifax forcing consumers to forfeit their right to sue in order to learn whether or not they were a victim of the hack. Equifax has since stated that the terms limiting legal action only relate to the credit monitoring service, and not the breach, so I guess that’s better than nothing. Company stock price continues to fall; members of Congress are calling for an investigation.

The one thing Equifax has been tight-lipped about so far is the details surrounding the breach. But of course, somebody, somewhere said something, and a known server-side vulnerability in the open-source framework Apache Struts has been accused of serving up the hole. While widely reported on today, this attribution remains unsubstantiated beyond what ZDNet reports as a "non-technical analyst from an Equifax source."

It Could be Apache Struts

With that clarification in mind, Struts could be to blame. The framework has been the target of several exploits over time – the most recent of which was identified last week. Since Equifax identified that the breach first occurred between mid-May and June, use of the critical exploit patched on September 5 would have been a zero-day at that time. More likely, the attackers used older exploits that we know were patched back in March. (You can read what The Apache Software Foundation has to say about Equifax here.)

Regardless of which vulnerability was used in the hack, or whether it was Struts or some other application, you can see a common theme: vulnerability management – and timely patching – is critical to the protection of data. If I’ve said it once, I’ve said it a thousand times: software has holes, and those holes, as they are discovered, must be addressed whether they are server-side or on an endpoint.

If Struts was the culprit this time, it was due to a server-side vulnerability. But endpoints are equally vulnerable. Earlier this year, we partnered with the Ponemon Institute to study the cost of insecure endpoints. Fifty-three percent of respondents in the study said the volume or frequency of malware-infected endpoints increased in the past year and seventy-five percent said they aren’t keeping up with software patching.

Despite the valuable information they held, it certainly looks like Equifax lacks deep technical expertise at their upper echelons on how to secure data – that’s really gotta hurt the rank-and-file infosec warriors down in the trenches who have likely been struggling to get resources or attention (a common theme in many organizations). Even for companies that do have that understanding and the resources to keep up, it’s hard work. And if protecting an on-prem database seems challenging, data that is now as mobile as our users only magnifies that challenge.

If we learn anything from this latest mega-breach and the fallout that will surely continue, it’s that we must hire the right people, design the right processes and employ the right mix of tools that, at the very least, make it harder for the bad guys. Ultimately, it’s up to the C-suite and the Board to sit up and give cybersecurity issues the attention they need, and to ensure the people they entrust to protect their digital assets have all the support required to prepare for that 2am phone call from the security team.