Analysis of Equifax communication on 15th September 2017
“Chief Information Officer and Chief Security Officer are retiring” — Good call; the CSO should always be someone who has an information security background. Russ Ayres, the new CSO, does not have any security background either, so good luck, Equifax.
“On July 29, 2017, Equifax’s Security team observed suspicious network traffic associated with its U.S. online dispute portal web application. In response, the Security team investigated and blocked the suspicious traffic that was identified.” — OK, the incident was detected on July 29th and the suspicious traffic was blocked, but what about the destination(s) that traffic was directed at? July 29th happens to be a Saturday, when most security staff have the day off, so the bare minimum got done.
“On August 2, 2017, Equifax contacted a leading, independent cybersecurity firm, Mandiant, to assist in conducting a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impact.” — The fact that Equifax engaged Mandiant tells us that when the security staff came in on Monday, they figured this was bigger than they had imagined and already understood the gravity of the situation. Equifax should have immediately gone public with what it knew about the breach.
“Over several weeks, Mandiant analyzed available forensic data to identify unauthorized activity on the network.” — What does “several weeks” mean? This shows that Equifax leadership is not serious about its customers’ data; it is sheer negligence on their part. Incidents such as this should be worked 24×7 to figure out what happened: attacks happen at packet speed, and the data disperses just as fast, or faster once the information is shared.
“Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries.” — If the U.S. online dispute portal was the threat vector, how was the data of U.K. and Canadian residents exposed? What the hell was that data doing in the U.S.? Canadian law specifically states that Canadian residents’ data shall not leave Canadian soil, so did Equifax Canada screw up?
The attack vector in this incident was a vulnerability in Apache Struts (CVE-2017-5638), which was publicly disclosed, with a US-CERT alert, in early March 2017. So between March 2017 and July 30th the Equifax servers were still unpatched. This shows that the security program at Equifax was weak in its implementation even though it looked good on paper and to the auditors. How can an internet-facing server stay exposed to a known vulnerability for four months? A diligent organization that knew patching the servers would be problematic or take time would have put other controls in place: a web application firewall, additional IDS/IPS rules watching for attempts to exploit the vulnerability, and closer scrutiny in the SIEM. It looks like failure after failure; good that the CSO “retired”.
This is an example of a catastrophic failure of a security program. There may be other large, medium and small organizations in the same boat.
Every organization has processes and procedures; the key is to track their performance, because it is through their performance that one realizes a process or procedure needs to be tweaked. Metrics are the key drivers for measuring performance.
Metrics are key to the success of any program and are the main input to KPIs (Key Performance Indicators) and KRIs (Key Risk Indicators), so the metrics, KPIs and KRIs must be chosen wisely. Putting the right metrics together requires prior experience; having said that, I am not saying it is impossible to do. If you lack that experience, you have to dedicate effort to developing the metrics, KPIs and KRIs: start somewhere, monitor the indicators, and add or remove them as time goes by. The key is staying on top of your game. In this day and age the IT security landscape is constantly changing, and if the processes, procedures, metrics, KPIs and KRIs are not updated accordingly, failures like Equifax will continue to plague organizations.
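As an added example (not from the original post, and not Equifax’s or Mandiant’s code): a minimal version of the IDS/WAF check the paragraph above calls for, written in Python. It flags the markers that the public exploits of CVE-2017-5638 carry in the multipart headers the Jakarta parser evaluated, and runs them over a few constructed request records. The request records, paths and header values are made up for this example; the marker list and the set of watched headers are assumptions to be tuned against your own traffic before blocking on them.

```python
import re

# Headers the Jakarta Multipart parser reflected into its error message, which
# is what made an OGNL expression in them evaluable (Content-Type for the
# original S2-045 advisory; Content-Disposition for the S2-046 follow-up).
# Assumption: extend this set if your parser handles other headers the same way.
WATCHED_HEADERS = {"content-type", "content-disposition"}

# Markers shared by the public exploits of CVE-2017-5638: an OGNL expression
# opener plus the sandbox-bypass and context references the payloads rely on.
# Assumption: legitimate values of the watched headers never contain these.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{"               # OGNL expression opener
    r"|#_memberAccess"        # SecurityMemberAccess bypass variable
    r"|@ognl\.OgnlContext"    # direct reference to the OGNL runtime
    r"|#context\[",           # Struts value-stack context access
    re.IGNORECASE,
)

# Constructed request records (not Equifax traffic) in the shape a WAF or
# reverse proxy would hand to a rule engine. Record 1 mirrors the shape of the
# public S2-045 payload without being a working one; record 3 mirrors S2-046;
# record 2 carries an OGNL opener in a header that is not a vector.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/dispute/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"}},
    {"method": "POST", "path": "/dispute/upload.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data')."
                                 "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                                 "(#cmd='whoami')}"}},
    {"method": "GET", "path": "/dispute/status.action",
     "headers": {"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "Mozilla/5.0 %{not a watched header}"}},
    {"method": "POST", "path": "/dispute/upload.action",
     "headers": {"Content-Disposition": "form-data; name=\"file\"; "
                                        "filename=\"%{#context['xwork.MethodAccessor.denyMethodExecution']=false}\""}},
]


def inspect_request(req):
    """Return (header, matched_marker) pairs for one request; empty if clean."""
    findings = []
    for name, value in req["headers"].items():
        if name.lower() not in WATCHED_HEADERS:
            continue
        match = OGNL_MARKERS.search(value)
        if match:
            findings.append((name, match.group(0)))
    return findings


def scan(requests):
    """Return the indices of the requests that carry an OGNL injection marker."""
    return [i for i, req in enumerate(requests) if inspect_request(req)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        req = SAMPLE_REQUESTS[i]
        print(f"ALERT request #{i} {req['method']} {req['path']}: {inspect_request(req)}")
```

The check deliberately scopes itself to the headers the vulnerable parser evaluated, so the `%{` in a User-Agent string is not an alert; widen `WATCHED_HEADERS` if you would rather err on the side of noise. A rule like this is a compensating control, not a fix: it buys time while the Struts upgrade is scheduled, and it should be paired with the SIEM query that confirms the rule is actually firing on the internet-facing hosts.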
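As an added example (not part of the original post): one concrete metric of the kind the paragraph recommends, a patch-latency KPI and KRI computed over a small constructed asset inventory in Python. The host names, the 30-day SLA, the disclosure date of 7 March 2017 and the “example-*” findings are all assumptions made for this example; only CVE-2017-5638 comes from the post. Evaluated against the post’s own timeline (as of 29 July 2017), the KRI flags the unpatched internet-facing Struts hosts months before the suspicious traffic was noticed.

```python
from datetime import date

# Assumed policy: critical findings on internet-facing hosts are fixed within
# 30 days of public disclosure. Pick whatever your own risk appetite says.
PATCH_SLA_DAYS = 30

# Constructed asset inventory (not Equifax data). Only CVE-2017-5638 is taken
# from the post; the host names, dates and "example-*" findings are made up.
# `patched` is None while the fix is still outstanding.
INVENTORY = [
    {"host": "dispute-portal-01", "finding": "CVE-2017-5638", "internet_facing": True,
     "severity": "critical", "disclosed": date(2017, 3, 7), "patched": None},
    {"host": "dispute-portal-02", "finding": "CVE-2017-5638", "internet_facing": True,
     "severity": "critical", "disclosed": date(2017, 3, 7), "patched": None},
    {"host": "intranet-wiki-02", "finding": "CVE-2017-5638", "internet_facing": False,
     "severity": "critical", "disclosed": date(2017, 3, 7), "patched": date(2017, 4, 20)},
    {"host": "api-gw-03", "finding": "example-finding-A", "internet_facing": True,
     "severity": "critical", "disclosed": date(2017, 6, 1), "patched": date(2017, 6, 15)},
    {"host": "api-gw-03", "finding": "example-finding-B", "internet_facing": True,
     "severity": "high", "disclosed": date(2017, 7, 1), "patched": None},
]


def exposure_days(item, as_of):
    """Days the host was exposed: disclosure until patch, or until `as_of` if unpatched."""
    end = item["patched"] or as_of
    return (end - item["disclosed"]).days


def patch_latency_report(inventory, as_of, sla_days=PATCH_SLA_DAYS):
    """KPI: mean days to patch for fixed findings in scope (how well the process performs).
    KRI: in-scope findings still open past the SLA, and the worst exposure (how much risk is live)."""
    scope = [i for i in inventory if i["internet_facing"] and i["severity"] == "critical"]
    fixed = [i for i in scope if i["patched"] is not None]
    open_past_sla = [i for i in scope
                     if i["patched"] is None and exposure_days(i, as_of) > sla_days]
    worst = max(scope, key=lambda i: exposure_days(i, as_of), default=None)
    return {
        "in_scope": len(scope),
        "mean_days_to_patch": (sum(exposure_days(i, as_of) for i in fixed) / len(fixed)
                               if fixed else None),
        "open_past_sla": len(open_past_sla),
        "breach_ratio": len(open_past_sla) / len(scope) if scope else 0.0,
        "worst_host": worst["host"] if worst else None,
        "max_exposure_days": exposure_days(worst, as_of) if worst else 0,
    }


if __name__ == "__main__":
    # The post's own timeline: suspicious traffic noticed on 29 July 2017.
    report = patch_latency_report(INVENTORY, date(2017, 7, 29))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The split matters: the KPI (mean days to patch) only counts what was fixed, so it looks healthy here at 14 days, while the KRI (findings open past SLA, worst exposure) is what would have shown two internet-facing hosts 144 days out of policy. A program that reports only the KPI is exactly the one that looks good on paper and to the auditors.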
If you have questions, find inaccuracies, or want to engage for a discussion, contact me via Twitter: https://twitter.com/secprivrisk
Originally published at www.securityprivacyrisk.com on September 16, 2017.