Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/11/2018
05:42 PM
50%
50%

Equifax Breach Underscores Need for Accountability, Simpler Architectures

A new congressional report says the credit reporting firm's September 2017 breach was 'entirely preventable.'

Equifax could have prevented a breach of its systems and the resulting leak of sensitive information on nearly 148 million people by focusing more heavily on security, creating a clear hierarchy of responsibilities, and reducing complexity in its infrastructure, a congressional committee concluded in a report released on Dec. 10. 

Calling the September 2017 breach "entirely preventable," the US House of Representatives' Committee on Oversight and Government Reform placed responsibility for the incident squarely on Equifax's shoulders. The committee's findings come 15 months after the breach, during which time the credit reporting agency has largely escaped investigation or fines. 

"A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the report stated. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data."

While the report focuses on a set of common recommendations—including increasing transparency for consumers and calling for a review of government agencies' ability to investigate breaches - security experts say companies should focus on policy and process initiatives to improve the ability to detect and eliminate future breach risks. 

"In light of this breach and report, the senior leadership needs to be asking if the organization's cybersecurity is as effective as originally anticipated," says Jesse Dean, senior director of solutions at TDI, a security services firm. "This report underscores the importance of fundamental security practices—not artificial intelligence or machine learning. Executives are responsible for ensuring that basic tenants such as inventory and vulnerability management are being performed and align with organizational policies." 

Security and policy experts expect little to change on the policy front in the US, but underscored two findings of the report. 

Don't Expect Major Legislation or Investigations

Despite the significance of the data leaked in the breach and the total number of records—more than half of all US adults—very little has changed since Equifax announced the incident. The Federal Trade Commission has largely declined to investigate, instead posting information for consumers to avail themselves of the free credit monitoring and noting that credit freezes, where consumers can prevent anyone without a PIN from accessing their credit, are now free to turn off or on.

The Consumer Financial Protection Bureau also has largely been silent on the breach, following the appointment of former OMB Director Mike Mulvaney to head the agency. He has failed to pursue a full investigation of the Equifax breach, according to a February report in Reuters.

The reaction has largely disappointed consumer advocates, says Ted Rossman, an industry analyst with CreditCards.com.

"I really thought at the time that this would be the sea change, finally, because this seemed like something bigger than anything we had seen before, because it was about a company in charge of consumers' data that had a data breach," said Rossman. "Now, more than a year later, Equifax has gotten off pretty easy. It seems like the climate for reform wasn't there, and I don't see it happening in the near future." 

The stock market initially punished Equifax: following the announcement of its breach in Sept. 2017, Equifax's stock price plummeted more than a third of its value to from more than $141 to less than $93 per share. Nearly a year later, Equifax's stock had nearly recovered, but plunged again in late October 2018 to under $97 per share, where the stock has languished following a weak third-quarter earnings report.

Organization Disorganization

Equifax had a convoluted information-technology and information-security organization, where the chief security officer did not report to the chief information officer or the CEO, but instead to the chief legal officer.

This siloed approach to responsibilities directly led to a series of stumbles that resulted in the breach, the report stated. Graeme Payne, Equifax's senior vice president and CIO for global corporate platforms at the time, was fired by Equifax's board, although he did not have direct responsibility for seeing that the vulnerable system was updated.

"The functional result of the CIO/CSO structure meant IT operational and security responsibilities were split, creating an accountability gap," the congressional report stated, adding that "information rarely flowed from one group to the other. Collaboration between IT and Security mostly occurred when required, such as when Security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective at Equifax."

Aside from establishing clear areas of responsibility, companies should increase their visibility into the security of their IT networks, experts say. For Equifax, because of the company's complex IT infrastructure, both the patch management and certificate management processes failed. The company could not initially determine that the vulnerable software ran on the affected server, and due to an expired SSL certificate, could not detect the attack traffic because it was encrypted.

"Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging," the report found. "Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach."

In the end, companies need to focus on improving security, experts say.

For consumers, however, the future is less certain.

"As more and more companies move to monetize data and customer behaviors, a lack of political will and a lack of consumer pressure means that your data remains at risk," Mark Nunnikhoven, vice president of cloud research at Trend Micro stated in a blog post on the breach. "Regulation is always challenging but it's clear that the market isn't providing a solution as few of the affected individuals have a relationship with the companies holding the data."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.
CVE-2019-12830
PUBLISHED: 2019-06-15
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.