Equifax Autopsy: what have we learned?


On 7th September, Equifax announced a data breach impacting approximately 143 million U.S. consumers. This is very likely to be the largest loss of personal data in history. On 8th September their share price plummeted 13.7%.

Equifax confirmed that the breach was a result of the Apache Struts vulnerability, assigned CVE-2017-5638, which was disclosed early in March. They also said the breach occurred on 13th May and was first discovered on 29th July. A patch for CVE-2017-5638, which would have prevented the breach, was made available by the Apache Struts Project on 7th March.

On 3rd October, in testimony before a United States House Subcommittee on Consumer Protection, recently retired Equifax CEO Rick Smith blamed a single employee for the company’s failure to deploy the critical software patch. He also stated that a scanning device, which should have verified that the patch was applied, malfunctioned. The cause of this malfunction has, according to Smith, not yet been identified.

Equifax have been widely criticised for their handling of the breach, particularly the time taken to identify the breach and failings in communicating with affected consumers. Equifax call-centres were unable to deal with the volume of calls received after the breach notification and social media teams repeatedly tweeted a link to a spoofed website, rather than the official breach notification site.

To add insult to injury, customers who accepted the identity protection product Equifax offered in response waived any right to pursue litigation against the company.

What went wrong?

Applying security patches quickly and effectively is critical when defending systems from attackers. Cyber criminals will often scan large portions of the Internet looking for unpatched systems, exploiting any that are found.

In the case of Equifax, a single employee was ultimately responsible for ensuring that critical software patches were deployed. Relying on a single, potentially fallible human to deploy patches, especially in an organisation responsible for millions of consumers’ data, is reckless.

As Equifax have shown, mistakes can and will happen. The security of your organisation should not rest with one individual. Patches should be applied quickly and their deployment checked and verified by security staff.

Automated scanning tools can help identify missing patches and other security holes. Unfortunately, they are not a silver bullet: they can and do produce false-positive results; they can also produce false-negative results. For reasons so far unknown, the scanning tool deployed by Equifax produced a false-negative result when checking for the Apache Struts patch, leading them to believe that their systems were secure.

The output of automated scanning tools should always be manually verified so that false-positives are caught. False-negatives are harder to detect; in this case, however, a careful review of the patches actually applied would have identified the false-negative.
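One way to do that review is to check the deployed artefacts directly rather than trusting a scanner verdict. The script below is an added example, not code from the original article or from Equifax: it walks a deployment tree, finds Apache Struts core jars, reads each version from the filename or, failing that, from the jar's manifest, and reports which are below the fixed version for CVE-2017-5638. The fixed versions in `FIXED_VERSIONS` are an assumption taken from the Apache Struts advisory for this CVE and should be confirmed against the vendor advisory; the sample deployment built by `build_sample_deployment` is constructed data.

```python
"""Verify on-disk Apache Struts versions instead of trusting a scanner verdict.

Added example (not from the original article). Walks a deployment tree, finds
struts2-core jars, reads their version from the filename or the jar manifest,
and reports which are below the fixed version for CVE-2017-5638.
"""
import os
import re
import tempfile
import zipfile

# ASSUMPTION: minimum fixed version per Struts branch for CVE-2017-5638, as
# named in the Apache Struts advisory. Confirm against the vendor advisory.
FIXED_VERSIONS = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def jar_version(path):
    """Version from the filename, falling back to the manifest inside the jar."""
    match = JAR_NAME.match(os.path.basename(path))
    if match:
        return match.group(1)
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def is_vulnerable(version):
    """True when the version is on a known branch and below that branch's fix.

    Returns None for a branch not in FIXED_VERSIONS: an unknown version needs a
    human decision, not a silent pass (which is how false-negatives are born).
    """
    parsed = parse_version(version)
    branch = ".".join(str(p) for p in parsed[:2])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def audit_tree(root):
    """Return (path, version, vulnerable) for every struts2-core jar under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith("struts2-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            vulnerable = None if version is None else is_vulnerable(version)
            findings.append((path, version, vulnerable))
    return findings


def build_sample_deployment(root):
    """Write a CONSTRUCTED sample tree: one jar with the version in its name and
    one unversioned jar whose version only appears in its manifest."""
    lib = os.path.join(root, "app", "WEB-INF", "lib")
    legacy = os.path.join(root, "legacy", "WEB-INF", "lib")
    os.makedirs(lib)
    os.makedirs(legacy)
    with zipfile.ZipFile(os.path.join(lib, "struts2-core-2.3.31.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(legacy, "struts2-core.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: 2.5.10.1\n")


def demo():
    """Audit the constructed sample tree; returns root-relative, sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_deployment(root)
        return sorted(
            (os.path.relpath(path, root).replace(os.sep, "/"), version, vulnerable)
            for path, version, vulnerable in audit_tree(root)
        )


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        state = {True: "VULNERABLE", False: "patched", None: "UNKNOWN - review"}[vulnerable]
        print(f"{state:18} {version or '?':10} {path}")
```

Run it against a real web application root instead of the sample tree by calling `audit_tree(root)` directly; anything reported as unknown is a prompt for a person to look, which is the point the article makes about scanners.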

Equifax chose to deploy a new website to host their breach notification. By not hosting the breach notification on the trusted Equifax domain, they opened themselves up to impersonation and phishing attacks. This is exactly what happened when a fake domain, which was incredibly similar to the legitimate domain, was registered.

The fake domain was so convincing that the Equifax-verified Twitter account began tweeting links to it to concerned customers. Luckily, this fake domain was a parody of the Equifax official site, rather than a malicious phishing site.

Should the worst happen, it's important to have a detailed data breach plan in place before a major incident is discovered. This will dramatically reduce the risk of mistakes being made during the first few days after a breach is discovered. This plan should include details of organisations and individuals who must be notified, plans to secure customer and company data, and plans for notifying customers.

What have we learned?

  • The time from vulnerability disclosure to patch being applied is critical. Equifax were breached two months after the Apache Struts vulnerability was disclosed. Had patches been applied in a timely fashion, the breach would likely have been prevented.
  • Trusting a single individual to ensure that patches are applied is a recipe for disaster. Mistakes will always happen. No one person should be responsible for your organisation's security; a properly implemented security policy should prevent this situation from arising.
  • The output from vulnerability scanners must be verified. False-positives are common, but missing a false-negative can be catastrophic. Automated scanning tools are not a silver bullet.
  • In the event of a breach, information should be communicated via established, trusted channels. Creating a new domain to host your notification site increases the risk of impersonation and phishing attacks. Employees, especially those communicating with the public, should have information about the breach clearly communicated to them, including every website link and telephone number to be given to the public. A good incident response plan should include all these details.
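A simple control that follows from the last point is to check every link before it is published on a public channel against the organisation's own established domains. The code below is an added example, not from the original article or from Equifax: it parses each URL in a draft message and approves only HTTPS links whose hostname is a trusted domain or a subdomain of one, matching on the label boundary so that a lookalike containing the trusted name is still rejected. The domain `example-bureau.com` and the message text are constructed placeholders, not the real sites involved in the breach.

```python
"""Approve only links to established domains before they go out publicly.

Added example (not from the original article). The allowlist and the sample
message are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's established domains.
TRUSTED_DOMAINS = frozenset({"example-bureau.com"})


def registered_host(url):
    """Lowercase hostname of an HTTPS URL, or None if it is not one.

    urlsplit() does the parsing, so 'https://user@trusted.test@evil.test/'
    yields 'evil.test' rather than whatever appears before the '@'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only for an exact trusted domain or a subdomain of one.

    Matching on the label boundary matters: 'example-bureau.com.evil.test'
    and 'notexample-bureau.com' both contain the trusted name but are not it.
    """
    host = registered_host(url)
    if host is None:
        return False
    return any(host == domain or host.endswith("." + domain) for domain in trusted)


def review_message(text, trusted=TRUSTED_DOMAINS):
    """Split the URLs in a draft message into (approved, rejected) lists."""
    approved, rejected = [], []
    for token in text.split():
        if token.lower().startswith(("http://", "https://")):
            (approved if is_trusted(token, trusted) else rejected).append(token)
    return approved, rejected


# Constructed draft message mixing a legitimate link with two lookalikes and a
# plain-HTTP link to the real domain (rejected because HTTPS is required).
SAMPLE_DRAFT = (
    "Affected customers can check their status at "
    "https://breach.example-bureau.com/check "
    "or https://example-bureau.com.evil.test/check "
    "or https://notexample-bureau.com/check "
    "or http://example-bureau.com/check"
)

if __name__ == "__main__":
    ok, bad = review_message(SAMPLE_DRAFT)
    print("approved:", ok)
    print("rejected:", bad)
```

Wiring this into whatever tool drafts public statements turns the incident response plan's list of approved links into something enforced rather than remembered; a rejected link is a prompt to use the address in the plan.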

The Equifax breach disclosed the personal details of 145.5 million U.S. consumers, approximately 8,000 Canadian customers and potentially 400,000 UK customers. So far, the perpetrators have not been identified. The FBI continues to investigate the breach.