Learn From How Others Get Breached: Equifax Edition
The goal here is not blame, but rather to highlight specific missteps by an organization so that others can avoid making the same mistakes, hopefully making them less likely to fall victim to attacks. On to Equifax, which suffered a breach in 2017 that U.S. prosecutors say resulted in the theft of personally identifiable information for 145 million Americans. On Monday, the Justice Department unsealed an indictment charging four officers of the Chinese People's Liberation
The short version of what went wrong is that beginning in March 2017, hackers found and then exploited an unpatched, critical Apache Struts flaw, using it to gain a beachhead inside Equifax's network. Along the way, they found plaintext credentials being stored in text files, giving them administrator-level access to numerous databases. Over the course of 76 days, attackers ran 9,000 queries against 51 databases, using encrypted communications to exfiltrate data, as well as their own remote desktop protocol and web shell software, together with leased Swiss servers as a staging area so that IP addresses didn't trace back to China.
Before the breach began, Equifax had allowed eight SSL certificates to expire, meaning that a tool it had for analyzing encrypted communications was not working. Once the security team renewed the certificates in August 2017, alarms began sounding, highlighting the malicious activity. If there's one thing that every organization should learn from the Equifax breach, it's about patching.
Continuous vulnerability assessment and remediation is one of the cornerstones of the top 20 critical security control areas identified by the SANS Institute. "And for good reason, as unpatched critical flaws often offer a malicious actor a trivial route to gain a foothold," Stubley tells me. "Without assurance activity focused on ensuring that patches have been applied in a timely manner, organizations are leaving themselves open and increasing the likelihood of a successful breach."