Analysis of the Equifax Breach (2017)
My information security management portfolio
Work belongs to Dan Qutaishat. This work can be referenced using any of the established referencing methods, such as Harvard.
1. Identification of the Security Issue
The infamous Equifax breach, which occurred in March 2017, led to the exposure of approximately 143 million people’s data, in which confidential information was leaked – this included addresses, social security numbers and drivers’ license numbers. Approximately 200,000 also had their credit card details exposed. The data breach was caused by a vulnerability, CVE-2017-5638, which was discovered in Equifax’s Apache Struts server. Equifax did notice this malicious code and intended to patch it, but the negligence of the employees in following the set protocol meant that the issue was left unresolved. This vulnerability carried a high risk of a breach because it exposed the system to command injection attacks, i.e., SQL injections, which can be executed under the Web server’s privileges, as confirmed by Synopsys (2017). The attackers then started to move from the compromised server into the network’s remaining servers; up to July 2017, the attackers gained access to multiple Equifax databases. A predominant reason that contributed to the Equifax breach is the failure of Equifax to renew their public-key certificate for nearly 10 months prior to the attack; thus the encrypted traffic was not being inspected. Additionally, Nohe, P. (2018) endorsed that the attackers were in the network of Equifax for 76 days without being discovered, as it took a while for the information to be leaked onto the dark web. Thus, many believe the breach was caused by Chinese state-sponsored hackers.
2. Analysis of the Issue
Though the data breach may be attributed only to the vulnerability CVE-2017-5638, Equifax had several other zero-day vulnerabilities and compliance failures, recorded by the Senate (2018), which expanded on the malpractice of Equifax. The overall report discussed the idea that the data breach itself could have been “entirely preventable” and was a failure of cybersecurity due to Equifax failing to address visible security issues.
Once the Senate performed an audit, it was evident via their backlog that their current patch and configuration management controls were not designed adequately to ensure Equifax systems were securely configured and patched in a timely manner. This led to there being approximately 1000 vulnerabilities rated as medium-critical on external facing systems, whilst there were 7500 high-critical vulnerabilities on internal systems; these affected a total of 23,150 hosts. Many of these vulnerabilities were 90 – 365 days old, thus were undetected, portraying clear negligence by Equifax. The age of these vulnerabilities is illustrated in figure 1 below (based on statistics from the Senate’s audit) (Portman, R. & Carper, T., 2018).
When it came to patching, Equifax failed to complete accurate network documentation and followed a reactive patching process rather than a proactive one which led to it being much easier for the Apache Struts vulnerability to linger unnoticed for as long as it did. Equifax also showed clear negligence by ignoring the email sent out by the US-CERT on March 8, 2017 which alerted companies about the vulnerability CVE-2017-5638 in certain Apache Struts versions (Portman, R. & Carper, T., 2018).
Unfortunately, the tools necessary to exploit this vulnerability were quite simple and publicly accessible, making companies such as Equifax an easy target. Even after Equifax had known about the notice for months, they still failed to respond appropriately, as they did not manage to implement standard cybersecurity regulations, which led them to fail in complying with their own internal policies. This was further aggravated by them not having network documentation and so lacking a comprehensive IT inventory. As a result, even though the company had a policy to patch critical vulnerabilities within 48 hours, this policy was rendered useless, as it was not followed.
Though the Equifax patch management policy displayed that the IT department had to patch vulnerabilities within 48 hours, the patch was not created until August 2, 2017, which was 5 months after the vulnerability was first announced by the US-CERT.
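A 48-hour policy can only be enforced if it is checked against an inventory. The following added example (not part of the original page and not Equifax's tooling) measures every inventoried host against that deadline and lists hosts the inventory does not cover; host names, version labels and the observed-host list are constructed, and only the alert and patch dates come from the text above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PATCH_SLA = timedelta(hours=48)  # the patching deadline stated in the policy above


@dataclass
class Advisory:
    cve: str
    component: str
    affected_versions: frozenset  # constructed labels; use the vendor advisory's real range
    published: datetime


@dataclass
class Host:
    name: str
    components: dict                             # component -> installed version
    patched: dict = field(default_factory=dict)  # cve -> when the fix was applied


def sla_report(inventory, advisory, now):
    """Return (host, status, days_overdue) for each inventoried host on an affected version."""
    deadline = advisory.published + PATCH_SLA
    rows = []
    for host in inventory:
        if host.components.get(advisory.component) not in advisory.affected_versions:
            continue  # component absent, or installed version not affected
        fixed_at = host.patched.get(advisory.cve)
        closed = fixed_at or now  # still open: measure exposure up to the report date
        if fixed_at is None:
            status = "OPEN-OVERDUE" if now > deadline else "OPEN-IN-SLA"
        else:
            status = "PATCHED-LATE" if fixed_at > deadline else "PATCHED-IN-SLA"
        rows.append((host.name, status, max((closed - deadline).days, 0)))
    return rows


def unknown_hosts(inventory, observed):
    """Hosts seen on the network but absent from the inventory; no policy check reaches them."""
    return sorted(set(observed) - {h.name for h in inventory})


# Constructed sample data. Only the two dates come from the page:
# US-CERT alert on 2017-03-08, patch on 2017-08-02.
ADVISORY = Advisory("CVE-2017-5638", "struts", frozenset({"vuln-a", "vuln-b"}),
                    datetime(2017, 3, 8))
INVENTORY = [
    Host("web-01", {"struts": "vuln-a"}, {"CVE-2017-5638": datetime(2017, 8, 2)}),
    Host("web-02", {"struts": "vuln-b"}, {"CVE-2017-5638": datetime(2017, 3, 9, 12)}),
    Host("web-03", {"struts": "vuln-b"}),
    Host("db-01", {"postgres": "fixed"}),
]
OBSERVED = ["web-01", "web-02", "web-03", "db-01", "legacy-07"]  # e.g. from a network scan

if __name__ == "__main__":
    for row in sla_report(INVENTORY, ADVISORY, now=datetime(2017, 8, 2)):
        print(row)
    print("not in inventory:", unknown_hosts(INVENTORY, OBSERVED))
```

Run with the page's own dates, a host patched on August 2, 2017 is 145 days past the 48-hour deadline.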
3. Threat Vectors
Threat vectors refer to the mechanisms or paths taken by the hackers to exploit the system and breach its data. In this case, the Equifax company website is built on the Apache Struts software, which provides a framework that helps companies manage their large databases of information. Professor Sluiter (2019) suggested that the hackers managed to infiltrate the system through several steps. On the exterior of the website, there was a firewall and an SSL certificate, but the hackers managed to get through the firewall by accessing standard open ports, and then they managed to access the web server. The vulnerability was present in the Apache Struts app server. Therefore, once the hackers managed to access the Apache Struts server and found that it was not updated, they were able to run an exploit so that they could browse around the network. Through accessing the network, they managed to retrieve a text file which included the details of other administrators and root passwords of Equifax’s systems – enabling their access to the remaining databases as they gained more privileges/authority.
Equifax stored the details of 143 million people in their database – this included their credit histories and reports; there were a total of 43 servers. Through these servers, the hackers exported the data into text files, in 10MB increments, then sent these files back to China via the firewall. During this time, several Equifax employees were updating their SSL servers and noticed the suspicious traffic in their network, which caused them to report that they had a breach, but by then, the damage was already inflicted.
4. Assets Affected by Breach
Data is a valuable asset that all organisations have to handle. Assets refer to valuables and can be either tangible or intangible and thus does not only refer to things but can refer to people, software etc.
During the Equifax breach, a total of 2.4 million personally identifiable information (PII) was collected, as not only text documents from their servers were leaked but also an image storage folder which included images of government issued documentation known as an online dispute portal. Trend Micro (2018) believed the assets affected can be divided into three distinct categories which are: data elements stolen from customers, government issued IDs of customers and intangible assets of Equifax.
Data Elements Stolen from Customers
A variety of data elements were stolen from customers. Almost all customers (143 million) had their names, dates of birth and SSNs stolen. Though most of this information can be viewed as public, the taking of the SSN can be extremely damaging because it affects your credit: the hackers would have access to your credit card details and would essentially be able to sell legal and financial intelligence on the dark web, which could cause customers to have their identities impersonated. Other data elements and the number of US consumers they affected are illustrated below:
Government Issued IDs of Customers
The breach of the online dispute portal played a major role: images were leaked, affecting 182,000 US consumers in total, which meant that government-issued IDs were leaked. The information leaked by the statistics below and the use of PII can be used to disclose US laws and identity theft protection – which means more illegal actions can be done to impersonate facts of customers.
Intangible Assets of Equifax
Equifax has several intangible assets. One of the most important essential assets was flaws in the software, mainly due to patches not being developed and maintained regularly. As a result, this causes the reputation of the system to be impacted and so the customers’ reputation in system would be damaged again in the media. Furthermore, due to this effect, there became maintenance which occurred after this deal in order to re-implement patches and get customers/media support of the company which slowly allowed the re-building of intangible assets over time; this can be done through adding IT department.
5. Short Term Impact
Initially, the breach in July was seen as “one of the biggest data breaches” in history and it rapidly saw the worsening of the Equifax reputation and increased distrust from customers. Melin, A. (2017) who analysed shares, realised they dropped by 13% the day the breach went public. Simultaneously, as soon as the breach became public: local, state, and federal governments in the United States, United Kingdom and Canadian regulators all intervened.
Local governments alleged that Equifax failed to implement reasonable security practices; they requested $2,500 for each law violation, and a court order was issued to implement security procedures. State governments, such as that of New York, went a step further, with Attorney General Eric Schneiderman introducing the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which demanded that any business holding sensitive New Yorker data would need to (Rotenberg, M. (2018)):
a) Adopt rational administrative, technical, and physical safeguards.
b) Expand data types that prompt reporting needs to include biometric data and username-password combinations.
c) Provide safe harbour protection for companies to gain certification if their data protection is at the highest standards.
These legislative changes and the worsening of the Equifax reputation ultimately led to Equifax executives illegally selling $1.8 million worth of stock by August 2017 (insider trading), to them hiring the Mandiant firm to conduct a forensic investigation of the breach, and initiated the sequence of multiple organisations investigating the extent of the breach. By September, there began to be a slight improvement in their safety measures following Paulino do Rego Barros Jr. becoming Interim CEO on the 26th September: he created a free option to allow students to lock and unlock their credit; by October, the IRS awarded a multimillion-dollar fraud prevention contract to Equifax; and by January of 2018, Equifax customers were offered a “Lock and Alert” product which helped them control their credit report access. Ultimately, though the company saw a downfall in reputation and financially, following their management change there was a clear, shallow improvement in their implementation of security safeguards (Warren, E. (2018)).
6. Scope
The Equifax breach was a greatly impacting infringement of rights worldwide. The plan proposed will aim to reduce the effects or the probability of a breach occurring again in the company. The scope of the plan, however, will be limited to the IT department and the Board of Directors. It will highlight certain aspects of how these departments can be improved; these include but are not limited to the following policies.
The IT Department
The scope of the plan will tackle the importance of ensuring the IT software is kept up to date which includes regular maintenance opportunities and the importance of building an IT inventory. The scope will also discuss changes in training that need to be introduced as a safeguard to ensure all members are more prepared to tackle a security breach and to ensure that exploitations of the system are quicker to recognise and fight against and sometimes expand to the company’s employees.
Board of Directors
The scope of the plan will tackle the importance of implementing legislative safeguards to ensure stakeholders’ money is being divided correctly i.e. the money is invested well into the company to advance protective consumer safeguards e.g., implementing new protective software. The importance of yearly training for the board of directors to ensure they are up to date with their legal and business responsibilities and the possibility of contractual changes to hold them more accountable.
7. Asset Register
The table contains a breakdown of key assets and their attributes, with descriptions of each and note-worthy comments.
7. Potential Vulnerabilities and Threats
Table contains the different potential threat vectors and the potential implications of their actions.
8. Risk Register
The table categorises the assets into sets and discusses the risks, vulnerabilities and impacts of each set. It also tackles the risk level (risk level percentages are based on how likely that type of asset would be vulnerable at Equifax) and, finally, suggested controls.
9. Procedural Controls
a) Cybersecurity framework compliance training: essential to train the IT department specifically about the important guidelines and standards that need to be taught as well as the most important preventative measures against breaches (Reciprocity, 2021).
b) Incident response plans: Important for the IT department to devise plans in case a breach occurs and the fastest solutions and countermeasures that need to be taken per each scenario.
c) Bi-yearly company policy meetings: it is important that not only the IT department and Board of Directors, but the entire company should have meetings twice a year which teaches them the importance of changing their passwords regularly and ensuring no personal data is stored on the computers and that work computers should remain in the company.
10. Technical Controls
a) Firewall and antivirus continuously monitored: due to the state-sponsored hackers managing to initially breach the data via the firewall, it is important to ensure it is up to date and checked up on a day-to-day basis.
b) Establishing network monitoring tools (Resilient Energy, n.a.): this can be easily achieved by using open-source intrusion detection tools such as Snort, Bro or Kismet, which can all essentially monitor the traffic and convert it into events; if there are any anomalies, they would be logged and an automated countermeasure would be taken (Drolet, M. (2018)).
c) Data encryption: other than root administrative passwords, the data should be better encrypted to ensure the data cannot be read if breached; this can be done, e.g., by converting the files with a private secret key that follows the SHA-256 hashing algorithm, which is hard to crack, and held only by administrators.
d) Penetration testing: ethical hackers employed to carry out simulated attacks to discover exploitable vulnerabilities e.g., code injection attacks (Mehta, P. (2021)).
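The 10MB increments described under Threat Vectors are the kind of regularity a network monitoring control can turn into an event. As an added example (not from the original page and not a rule shipped with Snort, Bro or Kismet), the sketch below flags an internal host that sends many near-identical-size uploads to one external address; the internal range, thresholds and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

MB = 1024 * 1024
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the internal range


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def uniform_chunk_alerts(flows, min_transfers=5, tolerance=0.05, min_total=40 * MB):
    """Flag internal hosts sending many near-identical-size uploads to one external address.

    flows: iterable of (timestamp, src_ip, dst_ip, bytes_out). Thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for _ts, src, dst, sent in flows:
        if is_internal(src) and not is_internal(dst):  # outbound traffic only
            by_pair[(src, dst)].append(sent)
    alerts = []
    for (src, dst), sizes in sorted(by_pair.items()):
        typical = median(sizes)
        close = [s for s in sizes if abs(s - typical) <= tolerance * typical]
        if len(close) >= min_transfers and sum(close) >= min_total:
            alerts.append({
                "src": src, "dst": dst, "transfers": len(close),
                "typical_mb": round(typical / MB, 1),
                "total_mb": round(sum(close) / MB, 1),
            })
    return alerts


def sample_flows():
    """Constructed flow records (documentation address ranges), not data from the breach."""
    flows = []
    # Eight uploads of roughly 10 MB each from one server to one external address.
    for i, jitter in enumerate((0, 0, 660, 0, 5760, 0, 0, 240)):
        flows.append((f"t{i}", "10.0.5.12", "203.0.113.50", 10 * MB - jitter))
    # Ordinary web traffic: sizes vary widely, so no cluster forms.
    for i, size in enumerate((1200, 48000, 900, 2300000, 15000, 700)):
        flows.append((f"w{i}", "10.0.7.30", "198.51.100.9", size))
    # Uniform internal backup traffic: ignored because the destination is internal.
    flows += [(f"b{i}", "10.0.5.12", "10.0.9.2", 10 * MB) for i in range(6)]
    # Only three uniform uploads: below min_transfers.
    flows += [(f"s{i}", "10.0.8.4", "203.0.113.77", 10 * MB) for i in range(3)]
    return flows


if __name__ == "__main__":
    for alert in uniform_chunk_alerts(sample_flows()):
        print(alert)
```

A heuristic like this only works where outbound traffic is actually visible to the sensor, which is why the lapsed certificate on the inspection path mattered.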
11. Compliance Controls
a) Continuous maintenance: Equifax was blamed continuously for having out-of-date technologies and a lack of IT amendments, so maintenance needs to be carried out constantly.
b) Update patch management policy: IT patches are not being kept up to date, so an up-to-date IT inventory is needed so that patches are applied regularly as part of maintenance.
c) Create and regularly update IT inventory: the IT department keeps a constantly maintained list of IT assets so they can spot interruptions in the network and so they can update patches and carry out maintenance.
d) Monthly risk assessment updates: if assets change and new risks arise, the assessment needs to be re-done monthly to improve defence, improve the plan based on the IT inventory etc.
e) Yearly Board of Directors Assessment: the Board of Directors need to be taught about modern legislative regulations and how to ensure the shareholders’ and customers’ data is correctly stored and how Equifax’s finances are appropriately divided amongst their different sectors to ensure up to date technology and the most advanced controls.
12. Physical Controls
a) CCTV: cameras are necessary in the company, especially throughout the night, to keep monitoring the computers in case an intruder sabotages the workplace.
b) Biometrics: for advanced technologies and servers and doors, there needs to be bodily checks such as face ID or fingerprints which is needed to secure certain devices and delete data or move it if there is not an authorised response.
c) Motion and Thermal alarm systems: if there is an alarm based on movement or energy in the database room or servers then they would destroy the threat in the room to protect the assets.
13. Evaluation
After careful analysis of the issue, it was very apparent that the Equifax data breach was due to deep-rooted issues in the company, such as failure to follow framework guidelines that they had in place, meaning they failed to perform maintenance and patching on time, but also leading them to be quite negligent when it comes to suspicious activity across their network. These issues, though fundamental, are exacerbated by the lack of an IT inventory, which essentially allowed Equifax to turn a blind eye to any zero-day vulnerabilities and any new vulnerabilities that occur.
Therefore, it is extremely important to tackle these issues, which is what the proposed controls aim to do; the variety of controls being put in place aim to tackle the clear issues that Equifax have chosen to ignore. Due to the issues being quite fundamental, it is important to first tackle the issue by implementing training to ensure members of the IT department in particular are up to date with cybersecurity compliance, to re-evaluate the patching policy, and for the Board of Directors to go through a yearly training where they must complete an assessment to ensure they are up to date with legal compliance laws and able to handle investing the shareholders’ finances into the company properly, to ensure the company has the most modern software and tech hardware. It is of the utmost importance that Equifax begin to perform data encryption via SHA-256, as requiring a key would help further protect customers’ assets, and for the company to invest in network-monitoring tools. Though these steps might be quite costly, they will ultimately be of benefit to both company and customers and will help increase the customers’ trust in the company.
References
Drolet, M. (2018), “5 Open Source Intrusion Detection Tools That Are Too Good to Ignore”. Towerwall. Viewed on February 10th, 2022 < https://towerwall.com/5-open-source-intrusion-detection-tools-that-are-too-good-to-ignore/>
Hopkins, M. (2014), “What is CSR All About?”. ResearchGate. pg. 1-5. Viewed on January 20th, 2022. < https://www.researchgate.net/publication/246912286_What_is_corporate_social_responsibility_all_about>
Mehta, P. (2021), “Pen testing (penetration testing)”. SearchSecurity. Viewed on January 21st, 2022 < https://www.techtarget.com/searchsecurity/definition/penetration-testing>
Melin, A. (2017), “Three Equifax Managers Sold Before Cyber Hack Revealed”. Bloomberg. Viewed on December 1st, 2021 < https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack>
Mort, S. (2017), “CVE-2017-5638: The Apache Struts vulnerability explained”. Synopsys. Viewed on November 28th, 2021. < https://www.synopsys.com/blogs/software-security/cve-2017-5638-apache-struts-vulnerability-explained/#:~:text=What%20is%20CVE%2D2017%2D5638,privileges%20of%20the%20Web%20server.&text=The%20vulnerable%20code%20is%20in%20the%20Jakarta%20Multipart%20parser.>
Nohe, P. (2018), “The Equifax Data Breach went undetected for 76 days because of an expired certificate”. Hashedout. Viewed on November 28th, 2021. < https://www.thesslstore.com/blog/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate/>
Portman, R. & Carper, T. (2018) “How Equifax Neglected Cybersecurity And Suffered A Devastating Data Breach”. United States Senate. Viewed on November 25th, 2021. < https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf>
Reciprocity (2021), “What Are The Types of Information Security Controls”. Reciprocity. Viewed on December 12th 2021 < https://reciprocity.com/resources/what-are-the-types-of-information-security-controls/#:~:text=Procedural%20controls.,place%20to%20enhance%20network%20security>
Resilient Energy (n.a.), “Technical Controls”. Resilient Energy Platform. Viewed on January 15th, 2022 < https://resilient-energy.org/cybersecurity-resilience/building-blocks/technical-controls>
Rotenberg, M. (2018), “Examining The Current Data Security and Breach Notification Regulatory Regime”. House Committee on Financial Services. pg. 1-10. Viewed on December 3rd 2021 < https://epic.org/wp-content/uploads/testimony/congress/EPIC-Testimony-HFS-2-14-18.pdf>
Sluiter, P. (2019), “How Equifax was Hacked”. Youtube. Viewed on November 29th, 2021. < https://www.youtube.com/watch?v=MKaNxE7pGWA&t=2s&ab_channel=ProgrammingwithProfessorSluiter>
Trend Micro (2018), “Equifax Reveals The Extent of 2017 Data Breach, Details Number of Stolen Records”. Trend Micro. Viewed on 30th November, 2021 < https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/equifax-reveals-extent-of-2017-data-breach-number-of-stolen-records>
Warren, E. (2018), “Bad Credit: Uncovering Equifax’s Failure to Protect Americans’ Personal Information”. United States Senate. pg. 5-50. Viewed on December 5th, 2021 < https://www.warren.senate.gov/files/documents/2018_2_7_%20Equifax_Report.pdf>