The new Equifax chief has defended the company’s approach to cyber security in a Senate Homeland Security and Governmental Affairs Subcommittee hearing.
The hearing coincided with the publication of a scathing report by the sub-committee that found that Equifax failed to prioritise cyber security before and after the 2017 breach of personal data belonging to nearly 149 million people in the US, Canada and the UK.
“The fact that Equifax did not have an impenetrable information security program and suffered a breach does not mean the company failed to take cyber security seriously,” Equifax CEO Mark Begor said in a prepared statement.
“Before the cyber attack, I understand [Equifax’s] security program was well-funded and staffed, based on a robust set of policies, standards, and procedures, and supported by general and specialised training,” he said.
Begor noted that more than 1,200 data breaches against US corporations in 2018 showed that companies of all types are falling victim to cyber attacks carried out by “increasingly sophisticated criminal rings” and “well-funded nation-state actors or military arms of nation-states,” reports CNBC.
Since 2017, he said Equifax has added four new directors and created an “audit framework” meant to give the board of directors security benchmarks they understand, and that can make it easier to record progress. The company has drawn up plans to spend $1.25b more between 2018 and 2020 on security and information technology as a result of the incident.
The breach was blamed on a failure to patch all Equifax IT systems to prevent hackers from taking advantage of a vulnerability in the Apache Struts web application framework.
The report found that Equifax did not follow its own policies in patching the vulnerability, failed to locate and patch Apache Struts, left itself open to attack through poor cyber security practices, could have minimised the damage done by the hackers, waited six weeks before notifying the public of the breach, and did not save records of internal conversations about the breach.
According to the report, the CIO at Equifax from 2010 to 2017 oversaw the company employees responsible for installing patches, but said he was never made aware of the Apache Struts vulnerability and does not understand why the vulnerability “was not caught”.
Although the CIO said he does not think Equifax could have done anything differently, the report notes that TransUnion and Experian received the same information as the public and Equifax regarding the Apache Struts vulnerability, but both companies had deployed software to verify the installation of security patches, ran scans more frequently, and maintained an IT asset inventory.
In response to the Apache Struts vulnerability, TransUnion began patching vulnerable versions of the software within days. Experian retained a software security firm in March 2017 to conduct targeted vulnerability scans of Apache Struts vulnerabilities. After finding an Experian server was running a vulnerable version, Experian took the server offline and began patching it.
The Equifax breach showcases a disconnect between commercial software security practices and their open source equivalents, according to Tim Mackey, senior technical evangelist at Synopsys.
“With a commercial software solution, the supplier is in a position to push security information to consumers. With open source products, unless an effective inventory of open source components in use is maintained, it is difficult to manage an effective patch management strategy.
“For example, open source is often available from multiple distribution channels and a patch designed for one distribution channel may not be effective when applied to the same component obtained from a different channel.”
While the Senate report highlights the value of periodic scanning for vulnerable open source components, Mackey said that practice can easily let vulnerable components be deployed when an organisation uses agile development practices commonly referred to under the DevOps umbrella.
“Instead of periodic scans, comprehensive inventories of open source dependencies should be created during development and when applications are deployed. Those dependencies should be fed into a continuous monitoring solution designed to identify when new security disclosures are published.
“When combined, such a solution allows for an accurate picture of the security exposure within a given application to be accurately measured in near real time. Armed with the knowledge of a vulnerable open source component and the origin of the component, an effective patch strategy can be created,” he said.
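The approach Mackey describes, a build-time inventory of open source dependencies matched continuously against newly published disclosures and grouped by the origin each component came from, can be sketched as follows. This is an added example written for this article; it is not Equifax's, Synopsys's or any vendor's code. Every component, version, distribution channel and advisory identifier in it is constructed for illustration (the `ADV-EXAMPLE-*` identifiers are placeholders, not real advisories, and the version ranges are invented), and the inventory records are assumed to be emitted by the build rather than gathered by periodic scanning.

```python
"""Match a dependency inventory against vulnerability disclosures as they arrive.

Added example, not the article's or any vendor's code. All component names,
versions, origins and advisory identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Component:
    """One entry in the inventory the build pipeline emits for an application."""
    group: str      # e.g. a Maven groupId
    name: str       # e.g. a Maven artifactId
    version: str
    origin: str     # distribution channel the artifact was obtained from
    app: str        # application the component was built into


@dataclass(frozen=True)
class Advisory:
    """A published disclosure: affected range is [lower, fixed) on one component."""
    advisory_id: str
    group: str
    name: str
    affected: Tuple[str, str]   # inclusive lower bound, exclusive fixed version


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.30' into a comparable tuple, zero-padded so '2.5' == '2.5.0'."""
    nums = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums)


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component is the advisory's artifact and sits in the affected range."""
    if (component.group, component.name) != (adv.group, adv.name):
        return False
    lower, fixed = adv.affected
    v = parse_version(component.version)
    return parse_version(lower) <= v < parse_version(fixed)


def match_disclosures(inventory: List[Component],
                      advisories: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Every (component, advisory) pair where an inventoried component is affected.

    Called again whenever a new advisory is published, this is the
    'continuous monitoring' step: no rescan of hosts is needed because the
    inventory already records what each application contains.
    """
    return [(c, a) for c in inventory for a in advisories if is_affected(c, a)]


def remediation_plan(matches: List[Tuple[Component, Advisory]]) -> Dict[str, Set[Tuple[str, str, str]]]:
    """Group findings by origin so each distribution channel gets its own fix action.

    A patch built for one channel may not apply cleanly to the same component
    obtained from another, so the plan records (app, advisory, fixed version)
    per origin rather than one flat list.
    """
    plan: Dict[str, Set[Tuple[str, str, str]]] = {}
    for comp, adv in matches:
        plan.setdefault(comp.origin, set()).add((comp.app, adv.advisory_id, adv.affected[1]))
    return plan


# Constructed inventory: what the build recorded for three hypothetical applications.
INVENTORY = [
    Component("org.apache.struts", "struts2-core", "2.3.30", "maven-central", "payments-portal"),
    Component("org.apache.struts", "struts2-core", "2.5.8", "vendor-bundle", "dispute-portal"),
    Component("org.apache.struts", "struts2-core", "2.5.25", "maven-central", "reporting"),
    Component("commons-fileupload", "commons-fileupload", "1.3.1", "maven-central", "payments-portal"),
]

# Constructed advisories with invented ranges; ADV-EXAMPLE-* are placeholders.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "org.apache.struts", "struts2-core", ("2.3.0", "2.3.40")),
    Advisory("ADV-EXAMPLE-002", "org.apache.struts", "struts2-core", ("2.5.0", "2.5.20")),
    Advisory("ADV-EXAMPLE-003", "commons-fileupload", "commons-fileupload", ("1.0.0", "1.3.5")),
]


if __name__ == "__main__":
    for origin, actions in remediation_plan(match_disclosures(INVENTORY, ADVISORIES)).items():
        print(f"origin={origin}")
        for app, adv_id, fixed in sorted(actions):
            print(f"  {app}: {adv_id} -> upgrade to {fixed}")
```

Run as a script it prints one remediation group per origin. The point of the structure is that the inventory is produced once, at build and deploy time, and `match_disclosures` is simply re-run each time an advisory feed delivers a new entry; the `reporting` application, already on a version past the constructed fixed release, drops out without any host being rescanned.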
The US Senate sub-committee report makes five recommendations:
- Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII [personally identifiable information] to take reasonable and appropriate steps to prevent cyber attacks and data breaches.
- Congress should pass legislation requiring private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay.
- Congress should explore the need for additional federal efforts to share information with private companies about cyber security threats and disseminate cyber security best practices that IT asset owners can adopt.
- Federal agencies with a role in ensuring private entities take steps to prevent cyber attacks and data breaches and protect PII should examine their authorities and report to Congress with any recommendations to improve the effectiveness of their efforts.
- Private entities should re-examine their data retention policies to ensure these policies properly preserve relevant documents in the event of a cyber attack.