News

9/10/2018
12:47 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail

The Equifax Breach One Year Later: 6 Action Items for Security Pros

The Equifax breach last September was the largest consumer breach in history. We talked to experts about lessons learned and steps companies can take to prevent and minimize future breaches.
2 of 7

1. Pay attention to patching and configuration management
Too often in security we are our own worst enemies. Most analysts agree that the Equifax breach could have been prevented or minimized if the company had instituted a solid patching system that would have identified a vulnerability in an Apache Struts application. While companies need to focus on encryption and do a better job at data management, Peter Firstbrook, a research vice president with Gartner who focuses on security, says setting up a consistent patch and configuration management program can prevent the vast majority of breaches. A ServiceNow study conducted by the Ponemon Institute found that 57% of breaches could have been prevented by an available patch.
Image Source: Shutterstock via Credo Graphics

1. Pay attention to patching and configuration management

Too often in security we are our own worst enemies. Most analysts agree that the Equifax breach could have been prevented or minimized if the company had instituted a solid patching system that would have identified a vulnerability in an Apache Struts application. While companies need to focus on encryption and do a better job at data management, Peter Firstbrook, a research vice president with Gartner who focuses on security, says setting up a consistent patch and configuration management program can prevent the vast majority of breaches. A ServiceNow study conducted by the Ponemon Institute found that 57% of breaches could have been prevented by an available patch.

Image Source: Shutterstock via Credo Graphics

2 of 7
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
DorisHuntley
50%
50%
DorisHuntley,
User Rank: Apprentice
9/17/2018 | 10:23:18 AM
Re: Passwords, people. Passwords.
Rignt
lunny
100%
0%
lunny,
User Rank: Strategist
9/13/2018 | 12:58:06 PM
Passwords, people. Passwords.
The core problem was that it was easy for the attackers to obtain the credentials to access the databases.  The Struts vulnerability was simply the unlocked bedroom window the theives used to enter the house.  It could have been one of any number of access points.  If the IDs and credentials for the database systems were properly protected, this would have never become news.  There was initial focus on some poor scapegoat IT director who didn't patch in time.  But I'll bet you a dollar on a doughnut that if he had tried, his application owners would have screamed, "We can't patch now!  We have a major product release that day/week/month that can't be delayed!"  These are the same application owners who think it's just fine to still be running their applications on obsolete operating systems, etc.  Until this industry gets credential security management under control, everyone's just whistling past the graveyard worrying about patching a million vulnerabilities.  Almost every breach boils down to easily obtained passwords to key data assets.  It's still too easy for the bad guys.  Heaven help the enterprise where the attacker is an insider.
BradleyRoss
100%
0%
BradleyRoss,
User Rank: Strategist
9/11/2018 | 4:42:22 PM
Admit you have a problem and that it must be fixed
I think the main need is for a change in attitudes.  You have to decentralize the operation, but also have to understand what decentralization means.  You have to assume that one of the major components of the system will be completely compromised.  You have to decide how you can prevent a compromised component from damaging the integrity of the whole system.  Being able to convince upper management that the system is secure is not enough, it actually must be secure.  Upper management can't rely on people telling them the truth, especially if it is felt that telling the truth will get you fired.  If the people under you say that making the system secure will cost money, you have to be willing to spend money.  I had a manager that he didn't like working with experienced people because they kept telling him about things that needed to be fixed.
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: In Russia, application hangs YOU!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7929
PUBLISHED: 2018-09-18
Huawei Mate RS smartphones with the versions before NEO-AL00D 8.1.0.167(C786) have a lock-screen bypass vulnerability. An attacker could unlock and use the phone through certain operations.
CVE-2018-7991
PUBLISHED: 2018-09-18
Huawei smartphones Mate10 with versions earlier before ALP-AL00B 8.0.0.110(C00) have a Factory Reset Protection (FRP) bypass vulnerability. The system does not sufficiently verify the permission, an attacker uses a data cable to connect the smartphone to the computer and then perform some specific o...
CVE-2018-14641
PUBLISHED: 2018-09-18
A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this ...
CVE-2018-14642
PUBLISHED: 2018-09-18
An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.
CVE-2018-16958
PUBLISHED: 2018-09-18
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is...