Ten lessons from the Equifax breach Posted by Damien Biddulph on Wed 13th Sep 2017
'Assume you are already hacked. At all times,' warns Carbon Black security strategist Rick McElroy
It will be a busier than usual weekend for the Equifax IT department...
When we drive past a major car crash, it's a natural reaction to slow down to take a good look.
The first thing most of us think is "Wow, that's awful", quickly followed by "I'm glad that wasn't me". Then we speed up and drive on. Most of us don't spend too much time thinking about how the wreck happened - we were just glad it wasn't us.
A similar sentiment works in cyber security. But instead of focusing on the wreck, the rest of us responsible and accountable for information security must learn and adapt from every attack. So what can we learn from Equifax?
1. Assume you are already hacked. At all times
If you build your operations and defence with this premise in mind, your chances of detecting these types of attack and preventing the breach are much greater than most organisations today.
2. The root cause of the breach was a website vulnerability but the data lived on the endpoint
I don't have any details on the initial attack other than "Equifax discovered that criminals exploited a US website application vulnerability to gain access to certain files", but too many times when it comes to data protection we focus too often on the network and not enough on the data.
When we do focus on the data, we focus on malware and not enough on attacks. Attackers will use any and all methods they can (typically the cheapest and fastest) to gain access. You need solutions that provide the full end-to-end picture of an attack.
3. Detection still takes too long
Whether it's 10 days, 30 days, 60 days or 210 days, the fact remains that is entirely too long for an attacker to be in your systems. We need to better enable defenders to detect and respond. In this particular case, their detection of the breach was shorter than most; however, the length of time the attackers had access to systems and data left 44 per cent of the population vulnerable to identity theft.
4. Visibility remains the key to detection and prevention
You cannot detect what you cannot see. It's that simple. You need the right data to detect and prevent these types of attacks. Without it, what shot do you have? If you don't have it, go get it. Remember, you are operating as if you are already breached. You wouldn't walk around your house at night without turning on the lights or a flashlight if you thought someone was in your house, would you?
5. We are all in this together
Data is linked. One breach can be leveraged for the next or the next. Think of how this data or the data from the OPM breach can be leveraged for intelligence purposes or cyber crime? We rely (unfortunately) on national insurance number to prove who we are.
Most people now know that and take protecting it semi seriously. What happens when the guardians of this data lapse? Maybe sharing a lesson from another team would have helped…maybe it wouldn't have, but we have to talk about this as a community. We really have to take the lessons learned seriously and drive change in our own programs.
6. It does not matter how big you are or the resources your team can access
I am assuming that Equifax has a larger information security budget than most organisations. As defenders, we always think, "If I only had enough money or people I could solve this problem". We need to change our thinking: It's not how much you spend but, rather, is that spend an effective use? Does it enable your team to disrupt attacks or just wait to be alerted?
7. It's time we really start to look at options for replacing the social security number
We have two factors now for all kinds of things. Except what really matters most for most people.
8. Encryption is your friend
These efforts are never easy to start and the projects take time, but stick it out — the benefits far outweigh the risks.
9. Web application security is still a thing
Markets move and focus shifts over time, but web-application firewalls (WAFs) and dynamic testing are still valuable tools. Open Web Application Security Project (OWASP) groups meet all the time. Check out www.owasp.org for lots of useful information and code.
10. Visibility is more crucial than ever
Did I say visibility twice? That's because it's that important.