When we see a car wreck it's very easy to slow down and gawk. The first thing we think is “Wow, that's awful,” quickly followed by “Whew… glad that wasn't me,” and then we drive on. Most of us don't spend time thinking about how the wreck happened — we were just glad it wasn't us.
A similar sentiment works in cyber security. But instead of focusing on the wreck, the rest of us responsible and accountable for information security must learn and adapt from every attack. So what can we learn from Equifax?
- Assume you are already hacked. At all times. If you build your operations and defence with this premise in mind, your chances of detecting these types of attack and preventing the breach are much greater than most organisations today.
- The root cause of the breach was a website vulnerability but the data lived on the endpoint. I don't have any details on the initial attack other than “Equifax discovered that criminals exploited a U.S. website application vulnerability to gain access to certain files,” but too many times when it comes to data protection we focus too often on the network and not enough on the data. When we do focus on the data, we focus on malware and not enough on attacks. Attackers will use any and all methods they can (typically the cheapest and fastest) to gain access. You need solutions that provide the full end-to-end picture of an attack.
- Detection still takes too long. Whether it's 10 days, 30 days, 60 days or 210 days, the fact remains that is entirely too long for an attacker to be in your systems. We need to better enable defenders to detect and respond. In this particular case, their detection of the breach was shorter than most; however, the length of time the attackers had access to systems and data left 44 percent of the population vulnerable to identity theft.
- Visibility remains the key to detection and prevention. You cannot detect what you cannot see. It's that simple. You need the right data to detect and prevent these types of attacks. Without it, what shot do you have? If you don't have it, go get it. Remember, you are operating as if you are already breached. You wouldn't walk around your house at night without turning on the lights or a flashlight if you thought someone was in your house, would you?
- We are all in this together. Data is linked. One breach can be leveraged for the next or the next. Think of how this data or the data from the OPM breach can be leveraged for intelligence purposes or cyber-crime? We rely (unfortunately) on national insurance numbers to prove who we are. Most people now know that and take protecting it semi-seriously. What happens when the guardians of this data lapse? Maybe sharing a lesson from another team would have helped…maybe it wouldn't have, but we have to talk about this as a community. We really have to take the lessons learned seriously and drive change in our own programs.
- It does not matter how big you are or the resources your team can access. I am assuming Equifax has a larger information security budget than most organisations. As defenders, we always think, “If I only had enough money or people I could solve this problem.” We need to change our thinking. It's not how much you spend but rather, is that spend an effective use? Does it allow your team to disrupt attacks or just wait to be alerted (maybe)?
- It's time we really start to look at options for replacing the social security number. We have two factors now for all kinds of things. Except what really matters most for most people.
- Encryption is your friend. These efforts are never easy to start and the projects take time, but stick it out — the benefits far outweigh the risks.
- Web application security is still a thing. Markets move and focus shifts over time, but WAF's and dynamic testing are still valuable tools. OWASP groups meet all the time. Check out www.owasp.org for lots of useful information and code.
- Visibility is more crucial than ever. Did I say visibility twice? Because it's that important.
Contributed by Rick McElroy, security strategist, Carbon Black
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.