Scotsman Guide > News > October 2017 > News Story

 Enter your e-mail address and password below.

  •  
  •  

Forgot your password? New User? Register Now.

News Archives

 
Subscribe icon Subscribe to our weekly e-newsletter, Top News.

Experts: Equifax hack reveals systemic failures


Equifax last week revealed that the massive computer hack of its systems announced on Sept. 7 was more damaging than first revealed. Based on the new information surfacing over the past three weeks, cybersecurity experts told Scotsman Guide News that the company failed consumers on several levels.

Most notably, Equifax could have prevented the problem with a security patch two months before the May breach occurred. The company did not patch a well-known vulnerability in a web application in early March. This gave hackers — and not necessarily sophisticated ones — an open door into its system.

hacker Once inside, the hackers had access for two months, enabling them to get hold of sensitive consumer information through a consumer-dispute portal. This exposed data, including social security and credit card numbers, is now estimated to have affected 145.5 million consumers, about 2.5 million more than first thought.

“What caused it is poor patching practices, poor scanning of their network, poor monitoring of their traffic,” said Melissa Derr, director of digital forensics and incident response for the New York City-based Critical Defence.

“It is not like it was a few hours,” Derr said. “This was from, I think, May 13 to the 29th of July. They missed whatever data was going out. That is a long time.”

Over the past month, Equifax executives have apologized repeatedly for the breach. According to a timeline released  by the company, in May, unknown hackers exploited a vulnerability in Apache Struts, an application framework that supports the company’s online consumer-dispute portal.

The Apache bug was already widely known. The U.S. CERT, the federal government’s computer readiness team, posted an industrywide warning about the vulnerability.  The Apache Software Foundation, a nonprofit that supports Apache open-source software projects, released patch instructions on March 7. On Sept. 14, after Equifax revealed that hackers got into their portal through the Apache bug, the Foundation released a statement that the "Equifax data compromise was due to their [Equifax's] failure to install the security updates provided in a timely manner." 

Once inside, the hackers had access from May 13 until July 30. Equifax noticed the suspicious activity on July 29. The company says it closed access to the portal on July 30, and called in a third-party security company to conduct an audit. Equifax first publicly revealed the breach on Sept. 7.

On Oct. 2, Equifax disclosed that its forensic audit discovered an additional 2.5 million consumers had been exposed in the breach. The company also reported that that its third-party vendor, Mandiant, had completed its analysis of the breach.

“I want to apologize again to all impacted consumers,” said its newly appointed interim chief executive officer, Paulino do Rego Barros Jr., in a statement.  “As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisers to implement and accelerate long-term security improvements."

Last week, in testimony before the House Energy and Commerce Committee, Rick Smith, the former CEO who resigned in the wake of the scandal, also said he was “deeply sorry” for the breach and took responsibility for it. He indicated the company was not fully aware that there had been a hack until Aug. 17.

In a statement released Monday to Scotsman Guide News, Equifax said it was developing "a new approach to protecting consumer data — a high priority for the company." 

"We take seriously our responsibility to protect the security of the information in our possession," the statement said. "We have taken short-term remediation steps, and continue to implement and accelerate long-term security improvements as part of ongoing actions to help prevent this type of incident from happening again." 

A systemic failure?

Cybersecurity experts said the Equifax breach could serve as a model for companies — particularly those that store lots of sensitive consumer data, including mortgage companies and banks — on how not to conduct cybersecurity.

“The first takeaway is you have got to patch, patch often, patch right away — don’t wait,” Derr said. “The other one is that they didn’t detect it. They should been regularly doing vulnerability assessments. They seem to have alluded that they did do scans, but the scans didn’t pick it up. Well, you have to use multiple tools. There is this concept in the industry called trust but verify. You trust one tool, but verify it with another. You can’t just trust one company to do all of your work.”

Derr said the Apache bug gave hackers fairly easy entry into the system.

“It doesn’t require a super-sophisticated attacker to exploit this code, because it was available,” Derr said. “You can Google it, you can Google the CVE number, and you can pull up exploit code, and if you know something about computers, you can figure out how to run it.”

Equifax has prominently featured updates about its investigation into the causes of the breach on its web page. Some experts say the company has not adequately accepted responsibility for what appears to be systemic weaknesses in its cybersecurity.

“They said that one IT guy forgot to apply a patch,” said Tim Crosby, a senior security consultant with the Austin, Texas based, Spohn Consulting.

Crosby said Equifax should have had a regular testing cycle in place that would have exposed the vulnerability, and also confirmed that the patch had not been applied in March. If normal protocols were in place, the company would likely have discovered within a few days that the bug had not been fixed, he said.

Crosby said it is also unclear why, once the breach had occurred, that the suspicious activity went undetected for two months; and also why Equifax did not immediately shut down the portal on July 29, but waited a day, to July 30, before taking the application off line. The company also waited three additional days, to Aug. 2, before Mandiant was called in to investigate.

The experts also say Equifax should have immediately notified the public that the investigation into the breach was ongoing, instead of waiting for more than a month.

“It affects all of us and all of our personal information,” Crosby said. “So, it is about as bad as you can get. It is the worst [breach] that I know of, or that has been publicized.” 


 

Questions? Contact at (425) 984-6017 or victorw@scotsmanguide.com.

Bubble 0 Comments

By submitting this comment, you agree to comply with our Terms of Use.



The text exceeds the maximum number of characters allowed.


Are you sure you want to permanently delete this blog comment? This action cannot be reversed.



You must enable your community profile to use this feature.

Cancel Enable profile

You have flagged this post for inappropriate content.

Please explain below. Thank you.

Cancel Submit

Get the latest news and articles from Scotsman Guide straight to your inbox.


Send me the following e-mails:





Learn more about Scotsman Guide e-mails

Thank you for signing up to receive e-mails from Scotsman Guide.

A confirmation e-mail has been sent to the address you provided.

For questions regarding your e-mail subscriptions please contact Circulation@ScotsmanGuide.com or call (800) 297-6061.


Fins A Lender Post a Loan
Residential Find a Lender Commercial Find a Lender
Follow Us:Visit Scotsman Guide Facebook pageVisit Scotsman Guide LinkedIn pageVisit Scotsman Guide g+ pageVisit Scotsman Guide Twitter page
 
 
 
 

 
 

© 2017 Scotsman Guide Media. All Rights Reserved.  Terms of Use  |  Privacy Policy