Application Security , Breach Notification , Business Continuity Management / Disaster Recovery
Equifax: What's Changed Since the 2017 Mega-Breach?CISO Jamil Farshchi and Other Security Professionals Review Lessons Learned
Three years ago, consumer credit reporting firm Equifax suffered a massive data breach. But since then, company officials say they have worked tirelessly to address the shortcomings that allowed the breach to occur.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Equifax's current CISO, Jamil Farshchi, took on the job in February 2018, which was five months after the company issued its first public breach notification. Since then, multiple investigations have produced recommendations that security experts say don't just apply to Equifax, but should serve as a lesson for every organization that wants to maintain a more effective information security program (see: Learn From How Others Get Breached: Equifax Edition).
But Equifax was far from a bystander in its own recovery. Above all, three initiatives have been key to addressing both the cultural and infrastructure issues that had opened the door to the security incident, Farshchi told Information Security Media Group in a wide-ranging interview recapping lessons the company has learned since 2017 (see: Equifax CISO Jamil Farshchi Reflects on Breach, Recovery).
Specifically, he says, Equifax's most important post-breach initiatives included:
- Improving systems monitoring;
- Enhancing the security team’s communication with the C-suite;
- Changing the corporate culture by getting employees to recognize the importance of cybersecurity.
Improving Systems Monitoring
Addressing systems monitoring, Farshchi says: "We've instituted this concept of assurance so we can consistently and continuously in real-time monitor not only the coverage but the effectiveness of every single one of our controls and cloud space. And so if someone does configure a firewall or whatever, we really see it - we can even proactively prevent them from being able to do that.”
Systems monitoring is a priority because the data breach stemmed from Equifax's security team failing to patch a vulnerability in Apache Struts even after it had been warned and conducted a search. This allowed threat actors to have access to the company’s network for several months.
Facilitating Better Communication
The second initiative that Farshchi is pursuing focuses on being able to effectively communicate with the executive team, board of directors and other non-technical staffers on cybersecurity issues facing the company.
"We've established a framework to be able to more effectively communicate technical security risks in a businesslike fashion, tying into things like attack vectors," Farshchi says.
The CISO believes the framework Equifax has developed to accomplish this task works so well that he’s making it open source and freely available to others.
Changing the Culture
In the wake of the breach, cultural issues have been the most difficult challenge for Equifax to overcome, Farshchi says.
For example, to determine whether training is working, the company issues a scorecard to every employee - from the CEO on down - each month that shows how well they performed, from a cybersecurity perspective.
"We've applied educational best practices so that they get immediate feedback in terms of what they did right and what they did wrong," Farshchi says. "We put a positive spin on it; we try not to be negative and the downer all the time." The scorecard supplies immediate feedback on what a staff member should do and how they can do better.
Recap: Data Breach
Here's a recap on how the Equifax data breach occurred, and the subsequent fallout.
The breach first came to light publicly on Sept. 7, 2017, when Equifax issued its first breach notification, saying that the incident had begun earlier that year. Investigators ultimately found that hackers accessed 145 million Americans' consumer records, as well as 400,000 records for residents of the U.K., and 19,000 Canadians' records.
Exposed information included names, Social Security numbers, birth dates, addresses, and in some cases also driver's license numbers. In addition, 209,000 U.S. residents' credit card numbers were compromised.
Equifax first spotted the breach of its systems on July 29, 2017. After conducting an investigation, the company later announced that its systems had been compromised from mid-May to July of that year.
In the wake of the breach, Equifax CEO Richard Smith, CIO David Webb and CSO Susan Maudlin all announced their "retirement," and departed before the end of September (see: More Questions Raised After Equifax CIO, CSO 'Retire').
The breach triggered multiple lawsuits, damaged the firm's reputation and ultimately saw it get slammed with a $575 million fine from the Federal Trade Commission as well as the maximum possible penalty at that time - £500,000 ($659,000) - by Britain's Information Commissioner's Office for its security shortcomings (see: Equifax's Colossal Error: Not Patching Apache Struts Flaw).
Equifax also agreed to pay $38 million in total to settle separate lawsuits filed by Massachusetts and Indiana over the breach, and to settle a U.S. class-action lawsuit for $1.38 billion.
Earlier this year, the Department of Justice indicted four Chinese military officers serving with the 54th Research Institute - part of the People's Liberation Army's - in connection with the Equifax hack, but no arrests have been made (see: No Surprise: China Blamed for 'Big Data' Hack of Equifax).
Smith, the former CEO, was summoned to testify before multiple Congressional committees to explain what had happened.
At one hearing before a U.S. House subcommittee in October 2017, he revealed that the U.S. Computer Emergency Readiness Team had notified Equifax of the Apache Struts vulnerability earlier that year - on March 8 - and that the following day, the company's security team was informed. Under company policy, these workers had 48 hours to search for and then patch any problems. But the company's internal scans failed to find all vulnerable versions of Apache Struts. Compounding the problem, in May 2016, Equifax had let a digital certificate for a network scanning tool expire, leaving it unable to inspect encrypted traffic for signs of malicious activity.
When Equifax's security team finally renewed that digital signature, the network scanning tool detected suspicious network traffic, which the team traced to its U.S. online-dispute portal, running on Struts. That prompted the team to block the suspicious traffic and further investigate, as Smith testified. The security team found "additional suspicious activity" the next day, he said, at which point it took the web application offline.
On Aug. 2, 2017, Equifax hired the law firm of King & Spalding as well as FireEye's Mandiant response group to investigate. Nine days later, digital forensic investigators reported that hackers may have accessed a data table containing personal information for customers. Four days after that, the team confirmed that the information had not only been accessed but also stolen. All of this happened despite Equifax having crafted policies and implemented tools that, in theory, should have spotted and blocked the attack.
Security Experts Offer More Takeaways
Security experts say there are multiple lessons that all organizations should learn from the Equifax incident, not least so that they don't fall victim to preventable attacks (see: What Went Wrong at Equifax? We Have Good Answers ).
Tom Pendergast, chief learning officer at the cybersecurity and privacy education firm MediaPro, says the incident points to the importance of certain must-have security capabilities.
"Segment your networks and train on appropriate incident reporting to flag issues as soon as possible," he says. "Infosec leaders need the support of the business to put protections in place - and incidents like Equifax help make the case for budget, staff, and training to secure the organization."
Companies need to avoid simply "checking off" the right boxes in a security checklist rather than making cybersecurity part of the corporate culture, says Charles Ragland, a security engineer at digital risk protection firm Digital Shadows.
"Creating realistic risk-management frameworks for vulnerability assessment results is one of the top ways to maintain your security posture and reduce your attack surface,” Ragland says. “Evaluating the difference between vulnerable and exploitable systems and making decisions based on business needs and risk tolerance is crucial for organizations to prevent an Equifax-style attack.”
Mark Kedgley, CTO at compliance software provider New Net Technologies, says businesses must also ensure they automate as many aspects of their security and compliance programs as possible. "Automation is the only way to deal with the scale of today’s enterprise IT infrastructure,” he says. “But too many organizations are still short of where they need to be in terms of the foundational controls, such as vulnerability management, configuration hardening and change control."
Executive Editor Mathew Schwartz contributed to this report.