The Equifax breach, now believed to have been accomplished through the exploitation of a vulnerability in the open-source server software Apache Struts disclosed earlier this month, has rained down criticism on the credit information company for poor security practices, and in the US it has prompted at least three congressional committees to consider probing the incident.
Jeff Williams, cofounder and CTO at Contrast Security, wrote in a blog post that two Struts flaws “jump out as possibilities” – CVE-2017-5638, an expression language vulnerability disclosed in March, and CVE-2017-9805, a flaw triggered by a single HTTP request containing an unsafe serialised object, disclosed in September. The former “is far more likely, but the second is a very remote possibility” because the earlier flaw is “easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,” Williams wrote. To have exploited the latter flaw in July, attackers would have needed to know of it before its public disclosure.
However, “for either vulnerability, the process is basically the same. The attacker sends a specific HTTP request containing some special syntax. In one case, an OGNL expression. In the other, a serialised object,” he said in comments emailed to SC Media. “The Equifax Struts application would receive this request, and get tricked into executing operating system commands.”
The attacker can then “use these to take over the entire box – do anything the application can do,” Williams said. “So, they probably stole the database credentials out of the application, ran some queries, and then exfiltrated the data to some server they control on the internet.”
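Both request shapes Williams describes can be looked for in request logs before an application ever evaluates them. The script below is an added example, not code from the original article or from Contrast Security or the Struts project: it scans constructed sample HTTP request records for OGNL expression delimiters in the query string, header values or body, and for the Java serialisation stream magic (raw or base64-encoded) in a request, and classifies each request. The sample records, host names and field layout are all assumed for illustration.

```python
"""Flag HTTP requests that carry an embedded OGNL expression or a Java
serialised object.  Detection logic only; sample traffic is constructed."""
import base64
import re
from urllib.parse import urlsplit

# OGNL expressions in Struts are delimited by %{ ... } (and ${ ... } in some
# contexts).  Benign query strings and header values almost never contain
# these delimiters, so their presence is a strong review signal.
OGNL_DELIM = re.compile(r"[%$]\{")

# Java serialisation streams begin with STREAM_MAGIC + STREAM_VERSION,
# the bytes AC ED 00 05.  Base64-encoded, that prefix always starts "rO0AB".
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
JAVA_SER_MAGIC_B64 = "rO0AB"


def ognl_hits(req: dict) -> list[str]:
    """Return the places in the request where OGNL delimiters appear."""
    hits = []
    if OGNL_DELIM.search(urlsplit(req["path"]).query):
        hits.append("query")
    for name, value in req.get("headers", {}).items():
        if OGNL_DELIM.search(value):
            hits.append(f"header:{name}")
    body_text = req.get("body", b"").decode("latin-1")
    if OGNL_DELIM.search(body_text):
        hits.append("body")
    return hits


def carries_java_serialized(req: dict) -> bool:
    """True if the body is a raw Java serialisation stream, or if any header
    or body field carries one base64-encoded."""
    body = req.get("body", b"")
    if body.startswith(JAVA_SER_MAGIC):
        return True
    if JAVA_SER_MAGIC_B64 in body.decode("latin-1"):
        return True
    return any(JAVA_SER_MAGIC_B64 in v for v in req.get("headers", {}).values())


def classify(req: dict) -> str:
    """Label a request; OGNL is checked first as it is the better-known signal."""
    if ognl_hits(req):
        return "ognl-expression"
    if carries_java_serialized(req):
        return "java-serialized-object"
    return "clean"


def scan(requests: list[dict]) -> list[tuple[int, str]]:
    """Classify every request record and return (id, label) pairs."""
    return [(r["id"], classify(r)) for r in requests]


# Constructed sample traffic (hypothetical paths and values, not real data).
SAMPLE_REQUESTS = [
    {"id": 1, "path": "/account/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": b"user=alice&pw=secret"},
    # Scanner-style probe: an OGNL expression where a media type belongs.
    {"id": 2, "path": "/upload",
     "headers": {"Content-Type": "%{7*7}"}, "body": b""},
    # Raw Java serialisation stream posted as the body.
    {"id": 3, "path": "/rest/orders",
     "headers": {"Content-Type": "application/xml"},
     "body": JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap"},
    # The same stream base64-encoded inside a form field.
    {"id": 4, "path": "/api/import",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": b"payload=" + base64.b64encode(JAVA_SER_MAGIC + b"xx")},
]

if __name__ == "__main__":
    for req_id, label in scan(SAMPLE_REQUESTS):
        print(f"request {req_id}: {label}")
```

In practice the same checks run over a WAF or reverse-proxy log feed; the OGNL check is cheap enough to apply to every header, and the serialisation magic check catches the object-stream shape regardless of which endpoint accepted it.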
The Apache Struts Project Management Committee wrote in a blog post that “at this point in time it is not clear which Struts vulnerability would have been utilised, if any,” but also said that since the Equifax breach was detected on 5 July, “the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time – a so-called zero-day exploit.” The CVE-2017-9805 vulnerability may indeed be nine years old, but researchers only recently learned of it and addressed it immediately. “We were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,” the committee said.
While Apache Struts said its “development team puts enormous efforts in securing and hardening” its software, Equifax drew fire from critics for seemingly falling short on cyber-security hygiene, particularly in regard to website protection. “While details are still emerging, it seems likely that, like too many firms, Equifax was not using the right website security measures to properly protect its network and consumers' data,” said Neill Feather, president of website security firm SiteLock. “With the compounding number of website vulnerabilities discovered daily, this type of security negligence is simply unacceptable.”
Javvad Malik, security advocate at AlienVault, said “Companies like Equifax should know very well that data is the lifeblood of the organisation and its crown jewels” and should act accordingly.
While the breach is hardly the first to hit a credit monitoring service, AlienVault threat engineer Chris Doman said “It would likely have taken hours or even days to download all that information from Equifax's database - all without anyone noticing.” The company, thus far, has been light on the details of the incident, but Doman said “normally when this happens it's the result of a simple SQL injection vulnerability. It's a shame to see that despite waiting six weeks to tell customers, Equifax's website telling customers of the breach is broken.”
The breach is also a cautionary tale about the vulnerabilities of web applications, in both known and unknown code.
“As belatedly realised by Equifax, websites are vulnerable to not only known code (web application tools in this instance) but also unknown code,” said Chris Olson, CEO of The Media Trust. “This breach is yet another example of a large-scale security incident that could have been detected much earlier through continuous monitoring of all code executing on a website.”
Calling the credit monitoring company's breach “a very colourful, albeit very sad, example of how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and far beyond,” High-Tech Bridge CEO and founder Ilia Kolochenko said that almost any critical data today “is handled and processed by web applications, but cyber-security teams still seriously underestimate the risks related to application security.”
Equifax, says Plixer CEO Michael Patterson, “needs to quickly scrutinise historical network traffic analytics to identify and proactively notify every single person whose data was compromised.”
What's at risk
Other recent, high-profile breaches may have been larger, but given the nature of Equifax's business and the type of data it is charged with protecting, this incident could prove more damaging. “While the scale of the Equifax breach doesn't reach the heights of some previous breaches, such as Yahoo, it is by far the most invasive when you look at all the sensitive personal data accessed,” says Alex Smith, director of security products at Intermedia. “Impacting 143 million consumers touches well over 50 percent of Americans that rely on bank loans and credit scoring.”
Calling the scale of the breach “huge,” Ryan Wilk, vice president of customer success for NuData Security, said it “is likely to have a significant impact in the cyber-crime world,” acting “as a pipeline” for future criminal activity.
“When retailers get hit by a breach like this, it's a single credit card that might get stolen; when it's Equifax, it could be everything about the affected parties, and presumably linked to other things,” said Forrester principal analyst Jeff Pollard, who called on Equifax to provide more information “other than your information was or possibly was accessed.”
“What's even more concerning about this longer term is that Equifax is a major data aggregator, broker, and analytics firm. Given that we don't know the extent of the information breached, it's likely this reaches further into data that Equifax transforms as part of its marketing and analytic services,” said Pollard. “What kind of data did Equifax have, what did they do with it, and what is now in the adversaries' hands? How much of what they know about us is based on these analytics services?”
The breach is also one “in a long line of examples demonstrating how organisations can be exposed to cyber-risk via weak security controls from a third party in their digital ecosystem,” said Tony Urbanovich, chief operating officer, CyberGRX. “Whether it's to conduct employment and income verifications or to determine the creditworthiness of the people and businesses they interact with, organisations across the country trust the big three credit bureaus and expect them to have strong security controls in place protecting the data they rely on to run their businesses and protect their own personal information. The Equifax breach shows that the concept of blind trust is outdated. It's critical for organisations to understand the real-time security postures of all third parties in their digital ecosystem.”
The information pilfered by the hackers has a long shelf life and will likely be used in scams for years to come.
“This breach will have devastating consequences for many of the people whose data was compromised,” says Patterson, adding that the cost would be “enormous” for both Equifax and millions of consumers. “Cyber-criminals have all the data they need for identity theft including names, social security numbers, birth dates, addresses and driver's licence numbers. The cost of this breach will be enormous not only for Equifax, but more importantly for the millions of innocent consumers who have been affected.”
Feather expects “a ripple effect as well, given it has exposed nearly every aspect of one's financial history.” Websites, he said, “hold the keys to the kingdom for many organisations in terms of access and availability to sensitive customer data, and this is an unfortunate reminder of what can happen when website security is overlooked, as is all too often the case. Many organisations neglect website security, focusing on simpler, more well-known endpoint solutions.”
Noting that “many businesses and financial institutions rely on the compromised information,” Kolochenko said cyber-criminals now “have a great wealth of opportunities to conduct spear phishing, fraud, identity theft, impersonation and social engineering attacks against the victims of the breach.” He cautioned that the industry should brace “for a skyrocketing number of attacks targeting not only the victims, but their relatives, employers and partners. The breached database will likely be shared among various cyber gangs, exacerbating the damage.”
A breach of this magnitude at a credit monitoring service has deeper implications for future relationships between consumers and the financial industry. Kolochenko called the breach “disastrous…probably one of the most detrimental breaches of this year, capable of undermining trust in an already quite fragile online financial space.”
And Feather noted that “the American public trusts the three credit bureaus with their most vital information and holds them to the highest security standards,” which explains “why this breach at Equifax is not only a breach of data, but it's also a breach of trust that will take a very long time to repair.”
The incident could also “have wide-reaching implications for how Americans identify themselves in the future, such as when applying for banking and credit services – simply knowing a name, date of birth, address and Social Security number shouldn't ever be enough,” says Smith. “This breach could finally be the security wake-up call the US needs to widely adopt digital identity tokens, and potentially a digital national identity scheme similar to other countries such as Belgium.”
What to do, what to do
If a company like Equifax, which handles extremely sensitive information, has “every incentive to keep the most sensitive kind of information secure,” and whose CEO, Richard F. Smith, said it has “made significant investments in data security,” can “still experience a breach,” then “it stands to reason that our playbook needs a revision,” said Josh Mayfield, platform specialist for Immediate Insight at FireMon. “The security playbook consists of a few guidelines and directives, and most organisations have been following this playbook for many years.”
This kind of incident, said Wilk, “amplifies the voices calling out for a more secure method of accessing accounts,” noting that “combining two-factor authentication with a passive biometric solution would render these kinds of breaches a thing of the past.”
Most companies, Kolochenko said, “don't even have an up-to-date application inventory,” which makes it impossible for them to identify their assets. “Without knowing your assets, you won't be able to protect them,” he said. “Many global companies still rely on obsolete automated solutions and tools for their application security, while cyber-criminals are already using machine-learning in their attacks when targeting and profiling the victims for example.”
Organisations can re-establish consumer trust by improving control over “the executing code that renders content on their digital properties. The first step is to identify all partners involved in website operations, a process that will yield valuable insight into enterprise-specific ecosystems,” said Olson, who maintained that a highly dynamic digital environment calls for a continuous security approach. “From there, enterprises must clearly communicate their policies for executing on their site and enforce those policies. Partners that violate the policies should be blocked from the website. It's that simple.”
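The inventory-then-enforce approach Olson outlines can be started from the site's own HTML: list every origin that is allowed to execute script on the page, compare it with the partners the business has actually approved, and turn the approved set into a Content-Security-Policy that blocks everything else. The script below is an added example, not code from the article or from The Media Trust; the first-party host, the approved partner list and the sample page are all constructed for illustration.

```python
"""Inventory the script origins a page loads, audit them against an approved
partner list, and build a CSP script-src directive that enforces that list.
Example code; host names and the sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical first-party host and approved third-party script providers.
SITE_HOST = "www.example-bank.test"
APPROVED_PARTNERS = {"cdn.approved-analytics.test", "tags.approved-ads.test"}


class ScriptCollector(HTMLParser):
    """Record the src of every external <script> and count inline ones."""

    def __init__(self) -> None:
        super().__init__()
        self.external_srcs: list[str] = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_srcs.append(src)
        else:
            self.inline_count += 1


def script_hosts(html: str) -> set[str]:
    """Hosts that serve script to the page; '' marks relative (first-party) URLs.
    Protocol-relative '//host/x.js' references resolve to their host too."""
    collector = ScriptCollector()
    collector.feed(html)
    return {urlsplit(src).hostname or "" for src in collector.external_srcs}


def audit(html: str, site_host: str, approved: set[str]) -> dict:
    """Split the page's third-party script hosts into approved and unapproved."""
    third_party = {h for h in script_hosts(html) if h and h != site_host}
    return {
        "approved": sorted(third_party & approved),
        "unapproved": sorted(third_party - approved),
    }


def build_csp(approved: set[str]) -> str:
    """CSP script-src allowing only the first party and approved partners.
    Any partner not listed here is blocked by the browser, not just flagged."""
    return "script-src 'self' " + " ".join(sorted(approved))


# Constructed sample page: two approved partners, one unknown widget.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://www.example-bank.test/js/forms.js"></script>
<script src="https://cdn.approved-analytics.test/a.js"></script>
<script src="//tags.approved-ads.test/t.js"></script>
<script src="https://unknown-widget.test/w.js"></script>
<script>console.log('inline bootstrap');</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_HTML, SITE_HOST, APPROVED_PARTNERS)
    print("approved partners:", report["approved"])
    print("unapproved partners:", report["unapproved"])
    print("policy:", build_csp(APPROVED_PARTNERS))
```

Run against a crawl of the site's pages rather than a single page, the "unapproved" list is the gap between the partners the business thinks it has and the code actually executing in visitors' browsers; the generated policy is what turns the written rule into an enforced one.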
Rocky regulatory and legal terrain
While the fallout of the breach is still settling and questions about just how it occurred are mounting, one thing is certain – Equifax needs to provide answers and remedies quickly or face the wrath of regulators and legislators.
By all accounts, the company's response to the breach has been found lacking – from the long stretch between discovery and disclosure, during which time three executives sold off around $1.8 million (£1.4 million) of stock, to its seeming attempts to pitch its monitoring products and its poorly worded disclaimer that seemed to force consumers to give up their right to sue the company so they could see if their data had been affected in the breach.
“Last but not least, such a delayed public disclosure of the breach is quite dubious,” said Kolochenko. “Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims. Most important now is to make sure that we do not underestimate the scale of the breach, and have properly identified every victim and the integrity of data that was stolen.”
Critics noted that in the US Equifax's slow disclosure could run it afoul of state data breach laws – and, in future, of international regulations such as Europe's General Data Protection Regulation (GDPR), which demands notification within as little as 72 hours of a breach's discovery.
“Regardless of whether an organisation or country is part of the EU and/or needs to comply with GDPR, taking this long to report a breach is arguably morally incorrect and unacceptable in today's world. Whilst not the largest breach of all time (Yahoo), 143 million US consumers are now left worrying whether their personal identifiable information is in the wrong hands. In addition, it has been reported that both Canadian and UK data may have been included,” said Simon Townsend, chief technologist – EMEA at Ivanti. “The reason it took 40 days to report is unknown but it will no doubt come down to a common challenge that many organisations face when IT teams and the business are not aligned or are not in sync when it comes to technology, processes and workflows.”
The EU's GDPR, he said, “is trying to help organisations realize the importance of data protection come May 2018, and whilst there are many technologies which can help solve tactical points across the many articles contained in the GDPR, the real message here is around changing both technology, people and processes to create a more unified approach” to cyber-security. Fines for not complying with GDPR will be steep, so US companies will need to step up their game.
“The nature of Equifax data and the magnitude of the breach make this a watershed moment in breach detection and response. Many difficult questions will be asked and become the crux of numerous legal actions that will likely stem from this event,” said Mark Sangster, vice president and industry security strategist at eSentire. “The most obvious is why it took so long to disclose the breach. The risk to consumers begins to drop exponentially as soon as the breach becomes public, and affected companies and consumers can take defensive measures to protect their financial identity and funds.”
Sangster noted that the Atlanta-based Equifax “is bound by the state breach notification laws of Georgia, which require a firm to report a breach, stating, ‘The notice shall be made in the most expedient time possible and without unreasonable delay.' In some circumstances, notification is to be made within 24 hours. Did Equifax meet this requirement and do everything in its power to protect those affected by the breach?”
Those are questions that have piqued the interest of US Congress, as well. “It's outrageous that Equifax - a company whose one job is to collect consumer information - failed to safeguard data for 143M Americans,” Senator Elizabeth Warren, D.-Mass., tweeted.
By Friday, Rep. Ted Lieu, D-Calif., was calling on his colleagues in the US House Judiciary Committee to investigate. “In light of recent events, I request the Committee call upon representatives from the “Big Three” credit reporting agencies – Experian, TransUnion, and Equifax – to testify not only on the breach that occurred in May 2017, but also to identify how each company is taking proactive, defensive steps to prevent such breaches in the future,” Lieu wrote in a letter to the committee. “Congress has a strong role to play in preventing such attacks on our financial and IT infrastructure, and must hold those entrusted with our most sensitive data to account.”
By Monday, it seemed that Congress would assume that role. The House Energy and Commerce Committee announced that it will hold a hearing on the breach, as did the House Financial Services Committee.