News about the Equifax data breach dominated the headlines. In the aftermath, the postmortem analysis zeroed in on a few critical issues that ultimately contributed to the breach, namely out-of-date, vulnerable code. As the custodian of data belonging to millions of individuals, Equifax had poured significant investment into its cybersecurity strategy. When a cybersecurity incident like this occurs, it's easy to blame it on negligence, but the root cause is often more complex and revealing.

So, what happened, and why were these vulnerabilities not addressed?

Answering this question requires delving deeper into the ownership and management of the diverse systems and applications that make up modern IT ecosystems. Digging deeper, the underlying reasons why an organization like Equifax might end up leaving operating assets running vulnerable code become clearer. Let's take a look at the 2017 Equifax security incident and analyze how a lack of IT asset ownership ultimately contributed to one of the worst data breaches of all time.

The 2017 Equifax breach exposed personal information belonging to 147 million Americans, or almost half the country's population. Equifax collects consumer data, analyzes it to create credit scores and reports, and ultimately sells those reports to third parties. The typical buyers of this data include auto loan companies, mortgage lenders, and credit card companies.

Six months before the breach was disclosed, IT and security departments were alerted to a critical security vulnerability in Apache Struts, an open-source framework that organizations use to build Java web applications. Industry analysis at the time estimated that up to 65 percent of enterprises were potentially exposed to this vulnerability. The vulnerability (CVE-2017-5638) allowed remote code execution (RCE): a malicious actor could trivially inject commands into web applications running the vulnerable framework and, as a result, take control of the underlying operating system.

A few days after it was disclosed, the Apache Software Foundation released a critical security patch for CVE-2017-5638. At the time, Equifax used Struts to run web applications on multiple legacy systems. Equifax's vulnerability management team sent emails to over 400 people, instructing anyone who had Apache Struts running on their system to apply the patch within 48 hours. Despite this action, there were gaps in the agency's response to the vulnerability. Equifax did not apply the patch to an internet-facing consumer dispute portal, and opportunistic threat actors easily found their opening.

After discovering the vulnerable systems, hackers conducted an attack on Equifax in May 2017 that lasted 76 days. The web portal had been around since the 1970s, and yet it somehow slipped under the radar. Further security flaws, in the form of unencrypted (plaintext) credentials, facilitated lateral movement to over 48 databases. Access to sensitive data and exfiltration of personally identifiable information (PII) ensued. In fact, the intruders were only stopped in their tracks after an inactive network traffic monitoring device had its security certificate updated and became active again; once active, the device identified the suspicious traffic and flagged the data exfiltration. The optics for Equifax worsened when the agency waited 40 days from the time it discovered the breach to the time of public disclosure.

Getting to the root cause: a lack of IT asset inventory and ownership

No matter how you look at it, a series of missteps pervaded the Equifax data breach. Two years prior to the breach, an internal audit flagged major issues with patch management. A key finding from the audit was that Equifax lacked adequate cyber asset management practices, including a comprehensive IT asset inventory. As a result, when CVE-2017-5638 was announced, Equifax lacked the ability to quickly determine if, and where, Apache Struts was being used on its network.
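The practical gap described above is being unable to answer "where is Apache Struts running, and which copies are below the patched version?" within the 48-hour window. The following is an added example, not code from the original post or from Equifax: a small inventory check that walks filesystem roots, finds `struts2-core-<version>.jar` both as loose files and inside deployed `.war`/`.ear` archives, and flags every copy that is below the operator-supplied minimum patched version for its release branch. The directory layout built by `build_sample_tree`, the file names in it, and the version floors in `DEMO_FLOORS` are constructed placeholders for the demo; the real minimum patched versions must be taken from the vendor advisory.

```python
"""Added example (not from the original post): a minimal Apache Struts asset
inventory check. Walks filesystem roots, finds struts2-core-<version>.jar as
loose files and inside .war/.ear archives, and flags copies below the
patched floor for their release branch. Sample tree and floors are constructed."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Matches struts2-core-2.3.20.jar (and struts-core-... for older layouts).
STRUTS_JAR = re.compile(r"struts2?-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVE_SUFFIXES = (".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise in Python."""
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str, floors: Dict[str, str]) -> bool:
    """True if `version` is at or above the floor recorded for its major.minor branch.

    A branch with no floor on record is treated as unpatched so it gets
    reviewed rather than silently passing."""
    parsed = parse_version(version)
    branch = ".".join(str(p) for p in parsed[:2])
    floor = floors.get(branch)
    return floor is not None and parsed >= parse_version(floor)


@dataclass(frozen=True)
class StrutsFinding:
    location: str   # jar path, or "archive.war!path/inside/archive"
    version: str
    patched: bool


def find_struts_jars(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for every Struts core jar under `root`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            match = STRUTS_JAR.search(name)
            if match:
                yield path, match.group(1)
                continue
            # Deployed web apps bundle their jars under WEB-INF/lib inside the archive.
            if name.lower().endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for member in archive.namelist():
                        inner = STRUTS_JAR.search(member)
                        if inner:
                            yield f"{path}!{member}", inner.group(1)


def inventory(roots: List[str], floors: Dict[str, str]) -> List[StrutsFinding]:
    """Collect every Struts core jar under `roots`, sorted by location, with patch status."""
    findings = [
        StrutsFinding(location, version, is_patched(version, floors))
        for root in roots
        for location, version in find_struts_jars(root)
    ]
    return sorted(findings, key=lambda f: f.location)


# PLACEHOLDER floors constructed for the demo; not the real advisory values.
DEMO_FLOORS = {"2.3": "2.3.99", "2.5": "2.5.20"}


def build_sample_tree(base: str) -> None:
    """Construct a sample deployment for the demo: two loose jars and one WAR."""
    os.makedirs(os.path.join(base, "app1", "WEB-INF", "lib"), exist_ok=True)
    os.makedirs(os.path.join(base, "app2", "lib"), exist_ok=True)
    open(os.path.join(base, "app1", "WEB-INF", "lib", "struts2-core-2.3.20.jar"), "wb").close()
    open(os.path.join(base, "app2", "lib", "struts2-core-2.5.30.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(base, "dispute-portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.12.jar", b"")
        war.writestr("WEB-INF/lib/commons-io-2.4.jar", b"")


def run_demo() -> List[StrutsFinding]:
    """Build the constructed sample tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return inventory([base], DEMO_FLOORS)


if __name__ == "__main__":
    for finding in run_demo():
        status = "ok" if finding.patched else "NEEDS PATCH"
        print(f"{status:11} {finding.version:9} {finding.location}")
```

Run across the application-server roots of each host and aggregate the findings centrally, and the output is the inventory the text says was missing: every host and archive carrying a Struts core jar, with an explicit patched/unpatched verdict per copy. Unknown release branches are deliberately reported as unpatched, because an inventory that quietly drops what it does not recognize recreates the blind spot the post describes.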