Dark Reading’s 7 Takeaways From The Equifax Data Breach; And A Couple That They Overlooked
The cyber security website DarkReading.com posted a September 11, 2017 article, “7 Takeaways From The Equifax Data Breach,” by Jai Vijayan, discussing its key observations with respect to this latest Tier I, or ‘Category 5’, cyber breach.
Application-level Vulnerabilities Remain The Achilles’ Heel
Mr. Vijayan notes that “application-level vulnerabilities have caused far more data breaches in recent years, than any other vector.” In its public statements (written and oral) to date, Equifax points to an application security issue as the primary cause of its major cyber breach — “but, has not specified what that exactly was,” he added. “But, Baird Equity Research identified the issue as a known security flaw in the open-source, Apache Struts framework for Java apps,” Mr. Vijayan wrote. “If true, then the consensus among [cyber] security analysts is that the application vulnerability was something that Equifax should certainly have known about and have been protected against.”
Equifax Will Wish It Had Spent More On App Security
The old saying, “you can pay me now, or pay me later,” comes to mind. You can make a conscious decision upfront not to spend as much on the cyber security side of things; but, if you decide to go that route — you had better fully understand and appreciate what the potential worst case scenario is, if it comes to pass. You can also spend yourself into oblivion and perhaps still not be fully protected from a cyber breach. Everyone, or just about everyone, should understand by now that the Internet and the World Wide Web were built on a faulty foundation when it comes to security. How many times have you heard that you cannot fix a house with a bad foundation? People will not like the fact that you have a vulnerable system; but most will give you, or the company, the benefit of the doubt if at least a basic level of cyber security steps has been taken to protect their data. If it is determined that Equifax failed to follow best cyber hygiene practices and turned a blind eye to the application vulnerabilities it was confronted with, then the company will end up paying a much higher price for this oversight than if it had tried to seriously address the vulnerability but failed. What would have been considered basic/reasonable measures to protect the personal data of its customers? Was Equifax knowledgeable of these ‘standard’ cyber security measures; and, did it take any pro-active steps to ‘harden’ the digital defenses around its most precious data? Even if Equifax is able to survive this digital Black Swan event, the cost to the company in dollars and reputation — is going to be very steep, and maybe even fatal.
It Really Is Way Past Time To Stop Using SSNs As Identifiers
Really, no further words are necessary on this issue.
One-Year Credit Monitoring Is Not Much Of A Remedy
As Mr. Vijayan notes, “it has become standard for companies that suffer data breaches to offer one-year credit monitoring for the victims.” I guess it is better than nothing; but, once this information, especially SSNs and other critical personal data, has been digitally compromised — well, one cannot put the toothpaste back into the tube. “Your birth date and SSN do not change over time,” Mr. Vijayan wrote — which reinforces the prior observation. This threat and compromise will have negative consequences for some long beyond the one-year time frame.
For Criminals, Personal Data Is Often Cheaper Than Credit Card Data
As Mr. Vijayan notes, “in the underground market [and Dark Web], dossiers that contain full sets of Personally Identifiable Information (PII) on individuals — or ‘Fullz’ as they are referred to — currently are cheaper to buy than certain categories of credit card data,” according to research from SecureWorks. “Depending on factors like who’s selling, the victim’s country and additional information, like a full passport scan of the victim, a Fullz record can fetch maybe around $10. That’s in contrast to the nearly $20 per card that credit and debit cards with high balances can garner on the Dark Web, SecureWorks research showed. One reason why PII records are cheaper — though they hold a potentially much bigger upside from a crook’s standpoint — is probably because identity and impersonation fraud are harder to pull off than credit card fraud,” Mr. Vijayan wrote.
A 40-Day Disclosure Rate Won’t Fly Under General Data Protection Regulation (GDPR) Governance
The old saying, “What did you know, and when did you know it,” comes to mind. Mr. Vijayan notes that “Equifax first discovered the intrusion on July 29th; but, did not publicly disclose it until September 7. That means there was a period of 40 days between when the company knew that tens of millions of SSNs and other sensitive personal data was potentially being misused, and when the victims were told about it.” Current breach disclosure laws mandate quick notification — 72 hours — with some exceptions; but, certainly not weeks. But, the CEO of Equifax has an Op-Ed in today’s (September 13, 2017) USA Today, defending the delay in notifying the customer base — because the company did not know that the breach of its data was as large and profound as it was. That statement brings up a whole host of other questions: Should the company’s cyber security personnel have known sooner about the extent of the breach? Or, was this breach carried out by a particularly sophisticated cyber adversary/crook, who used clever denial and deception techniques that disguised the true magnitude of the breach? Bad news does not get better with time. Did the company delay, or ‘sit on’, this bad news for any extended period of time; or, as the CEO wrote today, was Equifax really not aware of the extent of the breach until the past few days?
Threat Actors Are Thinking Bigger
“Attacks like the one on Equifax, and the Distributed-Denial-Of-Service (DDoS) attacks on Domain Name System (DNS) service provider Dyn last year, which caused disruptions for many major websites, are an indication that threat actors are turning their focus on bigger, and more impactful [fruitful] targets,” said Alp Hug, Founder and COO of Zenedge. “Increasingly, we’re going to continue to see this trend of hackers going after larger, more strategic, more impactful targets. Why go after one nuclear plant, when you can shut down the entire continent? Why go after one hospital and their devices, when you can go after all Internet-of-Things (IoT) devices from a manufacturer?” he said.
Other Issues Not Mentioned By Dark Reading
As Craig Timberg wrote in this morning’s (September 13, 2017) Washington Post, “notably absent from the public statements by Equifax have been key terms such as ‘encryption,’ or ‘system monitoring,’ or ‘penetration testing.’” “All are staples of modern online security, widely adopted across corporate America, and especially within the financial services industry, given the high degree of sensitivity about the information it keeps on us all,” Mr. Timberg wrote. Equifax has been silent on these issues/procedures thus far; and, that is to be expected, given the potential lawsuits and allegations of negligence. A breach of “143 million records either suggests a very patient, sophisticated hacker, or an incredibly weak security system,” said Matthew Green, a Johns Hopkins University cryptographer and [cyber] security expert.
And, these kinds of cyber threats and breaches are likely to get even more damaging and profound as artificially enhanced malware begins to make inroads over the next year: industrial-grade, stealth malware that is capable of hiding and changing its character, masquerading as legitimate software, and lying in wait for the right time, place, and opportunity. There is something to be said for the off-the-grid types. But, for the overwhelming majority of us, going off-the-grid is neither practicable nor desirable. So, we have to understand that every device is either dirty, or can be compromised; and, we should never assume otherwise. Individuals and companies who do assume otherwise will eventually pay a price, sometimes a steep one — for that negligence, or willful blindness.
Finally, I wonder if we will eventually see a “Dr. No” in cyber space, a ransomware genius who threatens to wreak profound digital havoc and mayhem unless he, or she, is handsomely compensated. The digital adversary… gets a vote! V/R, RCP, www.fortunascorner.com