informa
/
/
Announcements
Event
Cyber Threats, Cyber Vulnerabilities: Assessing Your Attack Surface | Dark Reading Virtual Event | <REGISTER NOW>
PreviousNext
Risk
Slideshow

7 Takeaways From The Equifax Data Breach

The exposure of PII belonging to 143 million US consumers raises questions about the continued use of SSNs as identifiers, breach liability and app sec spending.
Jai Vijayan
Contributing Writer
September 11, 2017
Application Vulnerabilities Remain The Achilles Heel
Equifax Will Wish It Had Spent More On App Security
It Really Is Way Past Time To Stop Using SSNs As Identifiers
One Year Credit Monitoring Is Not Much Of A Remedy
For Criminals, Personal Data Is Often Cheaper Than Credit Card Data
A 40-Day Disclosure Lag Won't Fly Under GDPR
Threat Actors Are Thinking Bigger
1/7

Credit bureau Equifax's disclosure last week that unknown intruders had broken into its systems and accessed sensitive data on 143 million US residents has evoked a mixture of resignation, concern, and outrage.

The resignation stemmed from the fact that the breach is identical to countless ones before it. Once again a security hole in a Web application gave intruders a way to break into a major company's systems and siphon out a massive amount of data over more than two months without apparently triggering any alarms. The pattern has become so familiar in recent years that there really are no new lessons to be learned from these breaches anymore, at least from a security preparedness standpoint.

The sheer scope of the Equifax compromise has caused a lot of concern. The breach could well be the largest ever involving the exposure of Social Security Numbers, driver's license numbers, and other personally identifiable information. Victims could be at risk of identity theft and impersonation fraud for the conceivable future.

What has caused the outrage is Equifax's apparent security lapses in allowing a breach of this magnitude to happen. Many feel that Equifax, as a company handling vital PII belonging to a very large swath of the American population should have been especially careful about protecting the data. Instead, it appears to have allowed the breach to happen because of its failure to address an Apache Struts vulnerability that it should have known about and addressed.

A lot has been made about the growing sophistication of threat actors and the arsenal of increasingly deadly cyber tools at their command. The depressing reality, however, is that the bad guys rarely need to deploy anything more than rudimentary tools and techniques. As SentinelOne's chief of security strategy Jeremiah Grossman points out, many breaches can be prevented. "If we review the history of breaches, very few, if any, were the result of an exploit or attack technique that couldn't be seen coming," he says. "With respect to the vulnerabilities exploited, we know everything about them—how to prevent them, detect them and fix them." But people in the best position to make an impact are not incentivized to do so.

Here in no particular order are seven takeaways from the Equifax breach:

 
Next slide
Recommended Reading:
Editors' Choice
7 Ways to Lock Down Enterprise Printers
Steve Zurier, Contributing Writer
What Squid Game Teaches Us About Cybersecurity
Orion Cassetto, Senior Director of Product Marketing at Cycode
'TodayZoo' Phishing Kit Cobbled Together From Other Malware
Robert Lemos, Contributing Writer
From Help Desk to Head of SOC: Building a Cybersecurity Career on Empathy and Candor
Jon Hencinski, Director of Threat Detection & Response, Expel.io