Consumer credit reporting company Equifax is the latest in a long line of organizations to be breached. They report that the personal data of an estimated 143 million American consumers has been compromised. The breach reportedly occurred as a consequence of an unmitigated vulnerability in a web application, in this case an Apache STRUTS code flaw.
Common vulnerabilities include un-patched systems, poorly written code, and unnecessary services running on servers. According to Dr. Eric Cole in his book, Advanced Persistent Threat, this type of attack is mainly focused on disclosure and extraction of critical information or intellectual property (p. 53). The information extracted in the Equifax breach includes names, birth dates, credit card numbers, and social security numbers – all of which are critical information.
There are three requirements for any breach to be successful:
- an IP address (system visible from the internet)
- an open port to connect to the system
- and a vulnerability, such as the Apache STRUTS code flaw
If any one of these three is removed, then virtually no external breach can occur.
A key tenet of cybersecurity is that prevention is ideal but detection is a must. It would be nearly impossible for a company as large as Equifax to prevent every single attack against it. There are just far too many adversaries, and the data it manages is far too valuable. However, Dr. Cole’s book highlights the rule of “Inbound Prevention and Outbound Detection” (p. 73). While it may have been nearly impossible for Equifax to identify a single breach, it should have been elementary for them to identify nearly 150 million records being exfiltrated.
This breach will undoubtedly have a far-reaching impact on both Equifax and the millions of individuals affected, an estimated 44% of U.S. consumers. Following an incident or breach, it is industry standard to conduct a “lessons learned” exercise. In defending your network and your overall organization, you must know your weaknesses, especially critical weaknesses. The biggest lesson to be learned from the Equifax breach is to make sure the offense doesn’t know more than the defense.