Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/11/2018
05:42 PM
50%
50%

Equifax Breach Underscores Need for Accountability, Simpler Architectures

A new congressional report says the credit reporting firm's September 2017 breach was 'entirely preventable.'

Equifax could have prevented a breach of its systems and the resulting leak of sensitive information on nearly 148 million people by focusing more heavily on security, creating a clear hierarchy of responsibilities, and reducing complexity in its infrastructure, a congressional committee concluded in a report released on Dec. 10. 

Calling the September 2017 breach "entirely preventable," the US House of Representatives' Committee on Oversight and Government Reform placed responsibility for the incident squarely on Equifax's shoulders. The committee's findings come 15 months after the breach, during which time the credit reporting agency has largely escaped investigation or fines. 

"A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the report stated. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data."

While the report focuses on a set of common recommendations—including increasing transparency for consumers and calling for a review of government agencies' ability to investigate breaches - security experts say companies should focus on policy and process initiatives to improve the ability to detect and eliminate future breach risks. 

"In light of this breach and report, the senior leadership needs to be asking if the organization's cybersecurity is as effective as originally anticipated," says Jesse Dean, senior director of solutions at TDI, a security services firm. "This report underscores the importance of fundamental security practices—not artificial intelligence or machine learning. Executives are responsible for ensuring that basic tenants such as inventory and vulnerability management are being performed and align with organizational policies." 

Security and policy experts expect little to change on the policy front in the US, but underscored two findings of the report. 

Don't Expect Major Legislation or Investigations

Despite the significance of the data leaked in the breach and the total number of records—more than half of all US adults—very little has changed since Equifax announced the incident. The Federal Trade Commission has largely declined to investigate, instead posting information for consumers to avail themselves of the free credit monitoring and noting that credit freezes, where consumers can prevent anyone without a PIN from accessing their credit, are now free to turn off or on.

The Consumer Financial Protection Bureau also has largely been silent on the breach, following the appointment of former OMB Director Mike Mulvaney to head the agency. He has failed to pursue a full investigation of the Equifax breach, according to a February report in Reuters.

The reaction has largely disappointed consumer advocates, says Ted Rossman, an industry analyst with CreditCards.com.

"I really thought at the time that this would be the sea change, finally, because this seemed like something bigger than anything we had seen before, because it was about a company in charge of consumers' data that had a data breach," said Rossman. "Now, more than a year later, Equifax has gotten off pretty easy. It seems like the climate for reform wasn't there, and I don't see it happening in the near future." 

The stock market initially punished Equifax: following the announcement of its breach in Sept. 2017, Equifax's stock price plummeted more than a third of its value to from more than $141 to less than $93 per share. Nearly a year later, Equifax's stock had nearly recovered, but plunged again in late October 2018 to under $97 per share, where the stock has languished following a weak third-quarter earnings report.

Organization Disorganization

Equifax had a convoluted information-technology and information-security organization, where the chief security officer did not report to the chief information officer or the CEO, but instead to the chief legal officer.

This siloed approach to responsibilities directly led to a series of stumbles that resulted in the breach, the report stated. Graeme Payne, Equifax's senior vice president and CIO for global corporate platforms at the time, was fired by Equifax's board, although he did not have direct responsibility for seeing that the vulnerable system was updated.

"The functional result of the CIO/CSO structure meant IT operational and security responsibilities were split, creating an accountability gap," the congressional report stated, adding that "information rarely flowed from one group to the other. Collaboration between IT and Security mostly occurred when required, such as when Security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective at Equifax."

Aside from establishing clear areas of responsibility, companies should increase their visibility into the security of their IT networks, experts say. For Equifax, because of the company's complex IT infrastructure, both the patch management and certificate management processes failed. The company could not initially determine that the vulnerable software ran on the affected server, and due to an expired SSL certificate, could not detect the attack traffic because it was encrypted.

"Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging," the report found. "Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach."

In the end, companies need to focus on improving security, experts say.

For consumers, however, the future is less certain.

"As more and more companies move to monetize data and customer behaviors, a lack of political will and a lack of consumer pressure means that your data remains at risk," Mark Nunnikhoven, vice president of cloud research at Trend Micro stated in a blog post on the breach. "Regulation is always challenging but it's clear that the market isn't providing a solution as few of the affected individuals have a relationship with the companies holding the data."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31793
PUBLISHED: 2021-05-06
An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. The binary app offers a web server on port 80 that allows an unauthenticated user to take a snapshot from the doorbell camera via the ...
CVE-2021-31916
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a syst...
CVE-2021-31918
PUBLISHED: 2021-05-06
A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality.
CVE-2019-25043
PUBLISHED: 2021-05-06
ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.
CVE-2020-18889
PUBLISHED: 2021-05-06
Cross Site Request Forgery (CSRF) vulnerability in puppyCMS v5.1 that can change the admin's password via /admin/settings.php.