
How to protect your company from an Equifax type security breach


Last week, the former CEO of Equifax testified before the House Energy and Commerce Committee regarding the massive data breach his company fell victim to earlier this year. The breach exposed the personal and financial information of approximately 143 million U.S. consumers.

In his testimony, Richard Smith explained that the breach was caused by the failure of a single individual to properly communicate and act on a patch to a critical vulnerability.

“Both the human deployment of the patch and the scanning deployment did not work,” Smith told Congress. “The protocol was followed.”

While I would agree with Mr. Smith that human error was certainly involved in the cause of this breach, I believe it had very little to do with a single individual's decision not to deploy a patch.

Instead, I would contend that if your organization, of any size, is relying on patching as its first and last line of defense against attack, the real human error is that you have not learned from history, and your security policy and controls are severely lacking.

The Patching Problem

As an industry, we have struggled with patching and patch management for many years. There are many technical and business reasons why this is, and most likely always will be, the case.

  • We are dependent on the timely release of patches by vendors
  • Patches must be tested and approved before deployment
  • There is always business impact to patching

Very few organizations that I have worked with over the years would allow their critical business applications to undergo patching for any reason, without thorough testing and understanding of the impact of the patch. This takes time.

In my experience it takes at least a week, and in some cases several weeks, for even a critical security patch to be deployed across an organization.

Let that sink in for a moment. 1 week = 168 hours = 10080 minutes = 604800 seconds in which a critical asset is vulnerable.

In an industry where we measure availability and uptime in seconds, and where anything under 99% is unacceptable, how is it that we are OK with a single vulnerability leaving us exposed for just shy of 2% of the year (1.92%, to be exact) if we patch within a week? Now multiply that by the number of vulnerabilities that require critical security patches in a year. Scary.

The Real Problem

I would never advocate that you throw your patching program and patch management systems out the window. There are many excellent tools that help with the automation of deploying and tracking the status of patches across your organization. Know them and use them. But only do so as part of a larger information security program and infrastructure.

Both SANS and NIST cover patching in their respective security frameworks. But they are a single component of a much larger framework that is necessary to properly protect an organization.

If we know that patching takes time, then we must utilize other compensating controls to protect ourselves during a period of vulnerability. This is the essence of risk mitigation.

In the case of Equifax very little has been divulged about their compensating controls and how they helped (or failed). But, in broad terms they don’t appear to have been very well implemented.

For example: 

  • Was there a properly configured web application firewall in place protecting critical assets?
  • What type of privileged access control was in place to prevent a forward-facing server from having the ability to expose 143 million records (directly or indirectly)?
  • What type of breach detection systems were in use across the organization to look for anomalies or bad actors?
  • What proactive monitoring controls were put in place once vulnerable assets were identified?
  • Who was reviewing the data from the various systems to identify and respond to a potential breach?

These questions are universal in nature and aren’t industry or application specific and they are questions that every organization should be asking as they review their security posture. They’re also just the tip of the iceberg.
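As an added illustration of the third and fourth questions above (this is example code, not anything from the original post or from Equifax), here is a small anomaly check over web-server access logs: the kind of compensating control that can watch a forward-facing server while its patch is still in testing. It baselines response volume per client and flags a client that pulls far more data than its peers, or one whose requests are mostly errors (probing). The combined-log format, the hosts, the paths and the thresholds are assumptions chosen for the example, and the log lines themselves are constructed.

```python
"""Added example: per-client anomaly flags over constructed web access logs.
Format, hosts, paths and thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log lines in Apache/nginx combined-log style (assumed format).
# 203.0.113.9 pulls a multi-megabyte export; 198.51.100.7 mostly hits
# non-existent or forbidden paths; the 10.0.0.x clients are normal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2017:10:01:02 +0000] "GET /account/view?id=1001 HTTP/1.1" 200 2140
10.0.0.6 - - [15/Oct/2017:10:01:05 +0000] "GET /account/view?id=1002 HTTP/1.1" 200 2210
10.0.0.7 - - [15/Oct/2017:10:01:09 +0000] "GET /account/view?id=1003 HTTP/1.1" 200 1980
10.0.0.5 - - [15/Oct/2017:10:01:12 +0000] "GET /account/view?id=1004 HTTP/1.1" 200 2080
10.0.0.8 - - [15/Oct/2017:10:01:15 +0000] "GET /account/view?id=1005 HTTP/1.1" 200 2300
203.0.113.9 - - [15/Oct/2017:10:02:01 +0000] "GET /account/view?id=1 HTTP/1.1" 200 2100
203.0.113.9 - - [15/Oct/2017:10:02:03 +0000] "GET /account/export?id=1 HTTP/1.1" 200 5100000
198.51.100.7 - - [15/Oct/2017:10:03:01 +0000] "GET /admin HTTP/1.1" 403 512
198.51.100.7 - - [15/Oct/2017:10:03:02 +0000] "GET /.env HTTP/1.1" 404 300
198.51.100.7 - - [15/Oct/2017:10:03:03 +0000] "GET /wp-login.php HTTP/1.1" 404 300
198.51.100.7 - - [15/Oct/2017:10:03:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 300
198.51.100.7 - - [15/Oct/2017:10:03:05 +0000] "GET /console HTTP/1.1" 404 300
198.51.100.7 - - [15/Oct/2017:10:03:06 +0000] "GET /account/view?id=1006 HTTP/1.1" 200 2100
10.0.0.8 - - [15/Oct/2017:10:03:20 +0000] "GET /account/view?id=1007 HTTP/1.1" 200 2050
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize(lines):
    """Aggregate request count, bytes served and error count per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "errors": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # blank or malformed line: skip rather than crash the monitor
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["status"] >= 400:
            s["errors"] += 1
        s["paths"].add(rec["path"].split("?", 1)[0])
    return dict(stats)


def find_anomalies(stats, volume_factor=10, error_ratio=0.5, min_requests=5):
    """Flag clients whose bytes served exceed volume_factor x the median client
    (bulk extraction) or whose error ratio is high over enough requests (probing).
    Returns {ip: [reason, ...]} for flagged clients only."""
    if not stats:
        return {}
    med_bytes = median(s["bytes"] for s in stats.values())
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if med_bytes > 0 and s["bytes"] > volume_factor * med_bytes:
            reasons.append(f"bulk transfer: {s['bytes']} bytes vs median {med_bytes:.0f}")
        if s["requests"] >= min_requests and s["errors"] / s["requests"] >= error_ratio:
            reasons.append(f"probing: {s['errors']}/{s['requests']} error responses")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_anomalies(summarize(SAMPLE_LOG.splitlines())).items():
        print(ip, "->", "; ".join(reasons))
```

The median-based baseline is deliberately crude: it exists to show that a volume or error-rate check needs no knowledge of the specific vulnerability to catch the behaviour that follows its exploitation. In production you would baseline per endpoint and per time window, feed the findings to whoever answers the last question above, and test the rule with synthetic traffic to confirm it actually fires.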

The Solution

I mentioned earlier that I agreed with Mr. Smith's statement that human error was involved in the cause of this breach. Simply put, that is because we often don't ask the questions that need to be asked. That is our error.

Sometimes it’s because we already know the answer (we don’t have those controls in place) and once we open Pandora’s box, we know that it will mean more time and more money spent on fixing the controls that aren’t in place or properly deployed.

Other times, it is because we would rather focus on the things we think our organization does effectively, i.e. the success story.

Then of course there is the "if it is not broken, don't fix it" mentality that often drives how we prioritize our initiatives and budgets across IT and IT security. This one gets turned on its head the moment a breach happens and becomes public.

At the end of the day though, I would suggest that asking these questions now, within your organization, of your peers and leadership, is far easier than having those questions asked of you by investors, consumers or a House oversight committee.

Start taking a more holistic look at your security posture and compensating controls. Spend the time (and if necessary the budget) to get them in order and then validate and test that they are working properly on a regular basis. Never assume that because it is supposed to work that it is indeed working.

Will this guarantee you 100% protection from every vulnerability and attack? No. But it will improve your organization's overall security posture and give you a better chance at success than relying too heavily on a single control to protect your data.

A Public Service Announcement

There is a very high likelihood that you or someone you know was impacted by the Equifax breach. I highly recommend you not ignore this. Otherwise you will most likely end up as one of the millions of Americans who fall victim to identity theft every year.

I highly recommend putting freezes on your credit with the 3 major credit bureaus, especially if you are static at the moment (i.e. not buying a house or a car). There are some costs associated with freezing and unfreezing, but they are minimal compared to the potential financial loss if you end up a victim of identity theft.

If you're not willing to go through this process, there are a number of organizations that provide credit fraud alerting; find one you are comfortable with and use their services. AAA, for example (yes, the roadside assistance folks), offers free basic credit monitoring to members and an enhanced service for a reasonable price.
