Vulnerabilities / Threats

9/28/2017
10:30 AM
Nick Deshpande
Nick Deshpande
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Equihax: Identifying & Wrangling Vulnerabilities

Now that we know what was taken from Equifax, how it was taken, and what is being sold, what more do we need to learn before the next time?

Equifax recently confirmed that the vulnerability responsible for the massive breach of 143 million records was indeed for the ApacheStruts 2 Web framework, but not CVE-2017-9805 as was initially circulated. Rather, CVE-2017-5638, which could enable an attacker to perform a remote code execution using malicious content in the absence of suitable security measures, has been pinpointed as the flaw that permitted access to the yet-to-be identified actors. CVE-2017-9805 is certainly worthy of our attention: until last week, it was essentially a zero day with exploits available in the wild.

The bug was first found in March, and a patch has been available since its discovery. In essence, Equifax could have been working to address the shortcomings and protect the personal information of millions using publicly available information approximately two months before the breach occurred. For reasons yet unknown, it did not. As a result, millions of Americans are scrambling to find out if they have been breached and to protect their information from being used for identity theft.

On the other hand, Equifax is facing federal scrutiny and a massive hit to its reputation and consumer trust. The firm's top information security executives — its CIO and chief security officer — have departed the company following what's being called one of the worst breaches in US history.

What happened at Equifax, and how can organizations patch their systems and improve their security posture to prevent breaches of this magnitude in the future?

Let's start with what happened: The data exfiltrated between May to July 2017 included names, Social Security numbers (SSNs), dates of birth, and "other information," according to Equifax. That data may now be for sale. Security blogger Krypt3ia found a listing on the Dark Web (shown in the image below) ostensibly placed by the Equifax hackers offering records for sale in return for digital currency. The listing includes some samples of the data in the form of screenshots. How much are the records worth? Four Bitcoins would net you 1 million entries; at today's rate, that’s approximately $13,840. It's unclear if the purchaser could specify what type of entries they could acquire, as an SSN would certainly command more money than dates of birth on secondary markets.

Source: https://krypt3ia.wordpress.com/2017/09/14/equihax/
Source: https://krypt3ia.wordpress.com/2017/09/14/equihax/

The listing is very disconcerting. Until recently, we were aware of the breach's grand scale and some rough order of magnitude in terms of the number of records: 143 million in comparison to the Yahoo hack, which included more, but arguably less-sensitive, records. Seeing records — and the personal identifiable information of individuals — is sobering. For those engaged in threat modeling, the price points provide a marker by which to assess the value of such records in underground markets, although both wallets appeared to be empty at the time of writing.

Vulnerabilities Matter but Do Not Stop Business
We can elicit a number of lessons from this event. In response to Equifax's disclosure of the Struts2 bug, the Apache Software Foundation released some cogent guidance to those using any Web framework. As always, Brian Krebs has provided practical advice to those who may have been affected by the breach. Gartner's Strategic Planning Assumptions are also worth repeating here:

  • Through 2021, the single most impactful enterprise activity to improve security will be patching.
  • Through 2021, the second most impactful enterprise activity to improve security will be removing Web server vulnerabilities.

This incident highlights the importance of a multilayer application security strategy. Firstly, it is absolutely critical to patch systems in a timely fashion. Had Equifax had an effective, multilayered application security strategy that includes the underlying infrastructure, middleware, application, and edge, the company likely would have prevented the intrusion or caught it much sooner. Appropriate data governance also could have diminished the scale of exposure of sensitive data: an understanding of what kind of records are in their possession, their classification, how long they can be kept for, and the security that must be applied to safeguard them accordingly appears to have been elusive.

A mature security regime requires organizations to implement a combination of technical vulnerability management processes and the ability to deploy effective security controls — including compensating controls when patches cannot be deployed in a timely manner.

Web applications and services (like APIs) represent critical business drivers as well as an exposed attack surface for a growing number of organizations. That attack surface can be reduced by properly hardening infrastructure and middleware, using up-to-date frameworks, and defeating attacks at the edge of the network: a Web application firewall, a security control that proxies all Internet traffic while applying a security posture to block traffic deemed malicious or unauthorized, is a highly effective control when properly configured. This year's Verizon Data Breach Investigations Report confirms that Web application attacks lead the pack with respect to breaches, with botnet activity bolstering that number considerably.

Hackers tend to view the human user as a path of least resistance, but that calculus changes considerably when vulnerabilities are discovered in technologies. Today's time-to-exploit has become relatively shorter as security expertise proliferates, even if the number of publicly available exploits is dropping.

Don't give attackers a window of opportunity! Vulnerabilities don’t need to slow down or stop business operations. Deploying patches is absolutely imperative to maintain a strong security posture, but the process can be disruptive or complex, especially for legacy systems, making additional security measures — acting as compensating controls — necessary to provide suitable defenses to maintain exploitable systems while patches are deployed.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Nick Deshpande, CISSP, is the vice president of product development at Zenedge, where he combines his passions for user experience and security. He's a graduate of the Royal Military College of Canada and American Military University. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: So now we are monitoring the monitor?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14623
PUBLISHED: 2018-12-14
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulne...
CVE-2018-18093
PUBLISHED: 2018-12-14
Improper file permissions in the installer for Intel VTune Amplifier 2018 Update 3 and before may allow unprivileged user to potentially gain privileged access via local access.
CVE-2018-18096
PUBLISHED: 2018-12-14
Improper memory handling in Intel QuickAssist Technology for Linux (all versions) may allow an authenticated user to potentially enable a denial of service via local access.
CVE-2018-18097
PUBLISHED: 2018-12-14
Improper directory permissions in Intel Solid State Drive Toolbox before 3.5.7 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2018-3704
PUBLISHED: 2018-12-14
Improper directory permissions in the installer for the Intel Parallel Studio before 2019 Gold may allow authenticated users to potentially enable an escalation of privilege via local access.