Executive Summary
Equifax is a consumer credit reporting agency that gathers and aggregates data on millions of people worldwide in order to report on their credit. The company suffered a massive security breach in mid-2017 via vulnerabilities in the company's digital infrastructure, causing the theft of a huge amount of personal data. The Equifax breach was a serious security breach that put millions of Americans at risk: reportedly around 145 million US customers were impacted, which equates to almost half of the entire US population. Not only were so many people affected, but they were affected in a way that meant their identity could be used for malicious purposes, as the attackers were able to access full names, Social Security numbers, birth dates, addresses, and driver's license numbers.
In this report, the Equifax breach will be covered in detail to examine the facts surrounding the attack, how the breach was caused, and what the company must do moving forward. Six recommendations in total will be provided, three short-term and three long-term, to move the cybersecurity of Equifax in a positive direction. The effects of the security breach will continue for years, possibly decades, and the company's reputation has been irreparably damaged by this incident. However, the company must continue to operate and must improve its cybersecurity practices moving into the future, as it is of utmost importance that another cyber incident like this does not occur.
Background Surrounding the Breach
The information that was stolen is the type of information that criminals can use to impersonate cell phone companies, banks, electricity companies, credit card companies, and many others to commit fraud. This information will remain accessible to malicious threat actors far into the future, as there is no way of retrieving the data that was stolen. The attack itself was solely the fault of Equifax for not patching vulnerable systems, even after being made aware of the fact. The attack was not of a sophisticated nature and was the result of an Apache Struts vulnerability. Apache released a security patch for this vulnerability a short time after it was discovered, on March 6th, 2017. The vulnerability itself was labeled as critical, as it allowed criminals to exploit web servers. Equifax was notified by Apache themselves, as well as by US-CERT and the Department of Homeland Security, about the vulnerability, and was provided with instructions on how to implement the patch to resolve it.
In the following two months, Equifax had still not made the critical change to patch their systems against this vulnerability. Finally, on July 29, Equifax did patch the system; however, it was far too late. On May 13, over two months after Equifax should have applied the patch resolving the vulnerability, the malicious actors were able to use the vulnerability to access and steal data from Equifax's databases, which stored millions of customers' data. Following the breach, Equifax's incident response made the incident far worse for consumers, as the company waited close to six weeks before reporting that the breach had occurred and that huge amounts of personally identifiable information had been stolen. In addition, Equifax created a website to aid customers affected by the breach; however, this website had very poor security, as it was on a separate domain from Equifax, which allowed fraudulent imitators to create fake websites to deal even more damage to victims.
Short-Term Recommendations
Hold Contractors Accountable for Cybersecurity with Clear Requirements
The Equifax data breach and customers' use of Equifax identity validation services have highlighted the need for the public and private sectors to remain vigilant in mitigating cybersecurity threats. A concerted effort should be made to ensure that a clear set of requirements is developed for contractors that perform work, especially when it relates to the handling of personally identifiable information. A government-wide framework for cyber and data security requirements should exist to allow organizations such as Equifax to more easily align themselves. As a solidified government framework does not yet exist, Equifax should consider proactively conducting oversight of contractors' cybersecurity practices and risk, examining contractors' past performance information, and building cybersecurity requirements into evaluation factors. Equifax provided identity verification services to three federal agencies, and these agencies took action in the aftermath of the data breach. Following the breach, the Internal Revenue Service (IRS), Social Security Administration (SSA), and the U.S. Postal Service (USPS) all made site visits to Equifax's data center in Alpharetta, GA to review security controls. SSA assessed Equifax's compliance with the NIST security baseline and shared this information with the IRS and USPS, concluding that the security controls were not sufficient.
Ensure Regular, Thorough Patching Becomes a Requirement
A patch management procedure must be implemented against all servers in the organization. Crowe states that "Leaving machines unpatched makes them vulnerable to cyber attacks, and the risk is anything but theoretical. In fact, 57% of data breaches can be directly attributed to poor patch management" (para. 2). This indicates that patching is critical to preventing cybersecurity incidents and must be completed as soon as possible.
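To make the patching requirement measurable, the following is an added example (not code from the report or from Equifax) that computes how many days each host ran without an available fix and flags SLA breaches. The SLA values, advisory label and host inventory are constructed assumptions; the first host mirrors the March 6 to July 29 timeline the report describes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum days allowed between fix availability and deployment, by severity.
# Constructed policy values for illustration, not Equifax's real policy.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

@dataclass(frozen=True)
class Advisory:
    label: str        # placeholder label; the report does not give the advisory id
    severity: str
    published: date   # day the vendor patch became available

@dataclass(frozen=True)
class Host:
    name: str
    patched_on: Optional[date]   # None means the fix has not been applied yet

def exposure_days(host: Host, adv: Advisory, as_of: date) -> int:
    """Days the host ran without the fix, counted from the day the fix was published."""
    end = host.patched_on or as_of
    return max(0, (end - adv.published).days)

def sla_breached(host: Host, adv: Advisory, as_of: date) -> bool:
    return exposure_days(host, adv, as_of) > PATCH_SLA_DAYS[adv.severity]

def unpatched_on(host: Host, adv: Advisory, day: date) -> bool:
    """True if a fix already existed on `day` but the host had not yet applied it."""
    if day < adv.published:
        return False
    return host.patched_on is None or host.patched_on > day

def compliance_report(hosts, adv: Advisory, as_of: date) -> dict:
    """Host name -> (exposure days, breached). SLA breaches are sorted first for triage."""
    rows = {h.name: (exposure_days(h, adv, as_of), sla_breached(h, adv, as_of)) for h in hosts}
    return dict(sorted(rows.items(), key=lambda kv: (not kv[1][1], -kv[1][0])))

# Constructed inventory. web-01 mirrors the timeline in the report: fix published
# March 6, 2017, applied July 29, 2017, with the first intrusion on May 13.
STRUTS_FIX = Advisory("apache-struts-fix-2017-03-06", "critical", date(2017, 3, 6))
INVENTORY = [Host("web-01", date(2017, 7, 29)),   # patched far outside the SLA
             Host("web-02", date(2017, 3, 10)),   # patched within the 7-day SLA
             Host("web-03", None)]                # still unpatched
REVIEW_DATE = date(2017, 8, 1)       # constructed date on which the report is run
FIRST_INTRUSION = date(2017, 5, 13)  # date given in the report

if __name__ == "__main__":
    for name, (days, hit) in compliance_report(INVENTORY, STRUTS_FIX, REVIEW_DATE).items():
        print(f"{name}: {days} days exposed, SLA breached={hit}")
    print("web-01 unpatched at first intrusion:", unpatched_on(INVENTORY[0], STRUTS_FIX, FIRST_INTRUSION))
```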
Empower Consumers through Transparency
Consumer reporting agencies should provide more transparency to consumers on what data is collected and how it is used. A large amount of the public's concern after Equifax's data breach announcement stemmed from the lack of knowledge regarding the extensive data CRAs hold on individuals. CRAs must invest in and deploy additional tools to empower consumers to better control their own data. For example, CRAs should offer consumers a free, simple summary explaining the data collected on the individual. The summary should include the number of times the CRA provided their data to a business within the last year. The summary should be available for consumers to view at any time, outside of the annual free credit report offer. This would allow consumers to track the information CRAs have on them and know how often their information was being shared. Credit report locks and freezes give consumers increased control of their data. CRAs are required to offer free credit freezes to all consumers. None of these transparency measures, including credit freezes, should require a consumer to sign up for additional services or make any other commitment.
Long-Term Recommendations
Perform a Security Gap Analysis
Lawler from LP3 suggests that "Any company, corporation, or organization that relies on IT should have their system security tested regularly and update their security features to prevent the negative effect of system downtime and illegal hacking" (para. 5). It is recommended that a quarterly security review be completed that includes penetration testing, with a potentially more in-depth third-party security audit completed once per year. I would highly recommend that Equifax select an industry-standard security framework such as ISO 27002 as a starting point, which provides best-practice recommendations on information security management, including risk assessment, access control, change management, and physical security. Once a framework is selected that aligns with Equifax's requirements, it is critical that a gap analysis is performed to determine which controls are out of alignment with the framework. A gap analysis may be conducted by a third-party information security vendor and will involve gathering data on the IT environment, application inventory, policies, processes, and patch compliance across the inventory.
Once a gap analysis has been performed across Equifax's entire information technology infrastructure, a concrete list of issues will have been identified and aggregated across the organization. With this list, a risk assessment must then be performed to determine which issues are the most important for the organization to remediate in the short term, based on the impact each risk would have on the organization if it were to occur. The senior leadership team must decide which risks are the most detrimental to the company and rate every risk with a priority level. Once each risk has been categorized and given a priority, a remediation plan must then be created with technical steps on how to resolve each problem presented to the organization.
Implement a Remediation Plan
An information security remediation plan follows from the gap analysis recommendation above, to remediate all of the issues identified in the gap analysis throughout the organization. The approach aims to fix security-related issues in the organization, and it is critical for any organization with large quantities of security vulnerabilities, such as Equifax. Equifax may decide to have one large remediation plan listing all items which need to be actioned, or split the remediation plan into multiple stages or levels of priority. It is also very important that timeframes for each risk are defined and that owners are assigned to ensure accountability. Once the remediation plan has been completed, it must then be implemented to stop vulnerabilities from being exploited and reduce the level of cyber risk within Equifax.
The planned remediating actions should then be executed in line with the agreed-upon timeframes for each risk. If a problem occurs during the remediation, it should be recorded against the risk. Any alternative action or change to the remediation should also be recorded against the risk so that it can be tracked if necessary in the future. The IT security officer within Equifax needs to be made aware of any changes to the remediation so that he or she can monitor it, and upon completion, a rescan should be scheduled and completed to verify that the remediating actions have had the desired effect in controlling the identified risk. Smith states that "Discovering faults and doing nothing about them is useless and will leave your organization susceptible to many threats" (para. 9). Having a remediation plan is one of, if not the most important, recommendations for the cybersecurity of Equifax, as it is the single compiled list of actions that resolve vulnerabilities and prevent risks.
Ensure Security Becomes Part of the Culture at Equifax
Threat Stack suggests that training employees on how to properly communicate is one of the most critical areas of training: "Security needs to become a regular part of the conversation at your organization. This means upper management must regularly communicate to all employees that security is essential to running the business" (para. 2). Checklists should also be created to remind employees what to do when an incident takes place, what to do when a new hire starts (or leaves), and what the security policies are. Managers may need to consider implementing quarterly security training seminars to help integrate security into the company culture.
References
- Lawler, S. (2018). 5 Benefits of Penetration Testing. Retrieved from https://lp3.com/tips/5-benefits-of-penetration-testing/
- Smith, D. (2017). Vulnerability Remediation: 5 Steps Toward Building an Effective Process. Retrieved from https://www.beyondtrust.com/blog/entry/vulnerability-remediation-5-steps-toward-building-effective-process
- Crowe, J. (2018). MSPs: Keys to Streamlining Your Patch Management Process in 2019. Retrieved from https://www.ninjarmm.com/blog/patch-management-process/
- Allin, B. (2018). How to Implement a Security Awareness Program at Your Organisation. Retrieved from https://www.threatstack.com/blog/how-to-implement-a-security-awareness-program-at-your-organization