Vulnerabilities / Threats
9/28/2017
10:30 AM
Nick Deshpande
Nick Deshpande
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Equihax: Identifying & Wrangling Vulnerabilities

Now that we know what was taken from Equifax, how it was taken, and what is being sold, what more do we need to learn before the next time?

Equifax recently confirmed that the vulnerability responsible for the massive breach of 143 million records was indeed for the ApacheStruts 2 Web framework, but not CVE-2017-9805 as was initially circulated. Rather, CVE-2017-5638, which could enable an attacker to perform a remote code execution using malicious content in the absence of suitable security measures, has been pinpointed as the flaw that permitted access to the yet-to-be identified actors. CVE-2017-9805 is certainly worthy of our attention: until last week, it was essentially a zero day with exploits available in the wild.

The bug was first found in March, and a patch has been available since its discovery. In essence, Equifax could have been working to address the shortcomings and protect the personal information of millions using publicly available information approximately two months before the breach occurred. For reasons yet unknown, it did not. As a result, millions of Americans are scrambling to find out if they have been breached and to protect their information from being used for identity theft.

On the other hand, Equifax is facing federal scrutiny and a massive hit to its reputation and consumer trust. The firm's top information security executives — its CIO and chief security officer — have departed the company following what's being called one of the worst breaches in US history.

What happened at Equifax, and how can organizations patch their systems and improve their security posture to prevent breaches of this magnitude in the future?

Let's start with what happened: The data exfiltrated between May to July 2017 included names, Social Security numbers (SSNs), dates of birth, and "other information," according to Equifax. That data may now be for sale. Security blogger Krypt3ia found a listing on the Dark Web (shown in the image below) ostensibly placed by the Equifax hackers offering records for sale in return for digital currency. The listing includes some samples of the data in the form of screenshots. How much are the records worth? Four Bitcoins would net you 1 million entries; at today's rate, that’s approximately $13,840. It's unclear if the purchaser could specify what type of entries they could acquire, as an SSN would certainly command more money than dates of birth on secondary markets.

Source: https://krypt3ia.wordpress.com/2017/09/14/equihax/
Source: https://krypt3ia.wordpress.com/2017/09/14/equihax/

The listing is very disconcerting. Until recently, we were aware of the breach's grand scale and some rough order of magnitude in terms of the number of records: 143 million in comparison to the Yahoo hack, which included more, but arguably less-sensitive, records. Seeing records — and the personal identifiable information of individuals — is sobering. For those engaged in threat modeling, the price points provide a marker by which to assess the value of such records in underground markets, although both wallets appeared to be empty at the time of writing.

Vulnerabilities Matter but Do Not Stop Business
We can elicit a number of lessons from this event. In response to Equifax's disclosure of the Struts2 bug, the Apache Software Foundation released some cogent guidance to those using any Web framework. As always, Brian Krebs has provided practical advice to those who may have been affected by the breach. Gartner's Strategic Planning Assumptions are also worth repeating here:

  • Through 2021, the single most impactful enterprise activity to improve security will be patching.
  • Through 2021, the second most impactful enterprise activity to improve security will be removing Web server vulnerabilities.

This incident highlights the importance of a multilayer application security strategy. Firstly, it is absolutely critical to patch systems in a timely fashion. Had Equifax had an effective, multilayered application security strategy that includes the underlying infrastructure, middleware, application, and edge, the company likely would have prevented the intrusion or caught it much sooner. Appropriate data governance also could have diminished the scale of exposure of sensitive data: an understanding of what kind of records are in their possession, their classification, how long they can be kept for, and the security that must be applied to safeguard them accordingly appears to have been elusive.

A mature security regime requires organizations to implement a combination of technical vulnerability management processes and the ability to deploy effective security controls — including compensating controls when patches cannot be deployed in a timely manner.

Web applications and services (like APIs) represent critical business drivers as well as an exposed attack surface for a growing number of organizations. That attack surface can be reduced by properly hardening infrastructure and middleware, using up-to-date frameworks, and defeating attacks at the edge of the network: a Web application firewall, a security control that proxies all Internet traffic while applying a security posture to block traffic deemed malicious or unauthorized, is a highly effective control when properly configured. This year's Verizon Data Breach Investigations Report confirms that Web application attacks lead the pack with respect to breaches, with botnet activity bolstering that number considerably.

Hackers tend to view the human user as a path of least resistance, but that calculus changes considerably when vulnerabilities are discovered in technologies. Today's time-to-exploit has become relatively shorter as security expertise proliferates, even if the number of publicly available exploits is dropping.

Don't give attackers a window of opportunity! Vulnerabilities don’t need to slow down or stop business operations. Deploying patches is absolutely imperative to maintain a strong security posture, but the process can be disruptive or complex, especially for legacy systems, making additional security measures — acting as compensating controls — necessary to provide suitable defenses to maintain exploitable systems while patches are deployed.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Nick Deshpande, CISSP, is the vice president of product development at Zenedge, where he combines his passions for user experience and security. He's a graduate of the Royal Military College of Canada and American Military University. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.