What Equifax Is Still Teaching Us About Security

The U.S. Justice Department recently charged four members of China’s People’s Liberation Army with hacking Equifax in 2017, which caused one of the largest data breaches in history. This indictment is a reminder to IT and security teams that cybercriminals of all backgrounds—from individuals all the way up to government-funded entities—are looking for weaknesses and vulnerabilities to exploit. Is your business ready?

The historic data breach at Equifax, where the personally identifiable information of more than 145 million American citizens was exposed, was a colossal failure of both the company’s IT and security teams, leading to Congressional hearings, firings and resignations of top executives, and even charges of insider trading.

Now, it’s also become a key example of international cyber-espionage.

On February 10, the U.S. Justice Department announced that a federal grand jury had indicted four members of China’s People’s Liberation Army on a slew of charges, all related to the hacking of Equifax in 2017. All of the suspects are believed to be in China, and it’s not clear if any will ever face trial in America.

While several investigations by Congress and the Government Accountability Office hinted that the Equifax breach was more than cybercriminals looking for data they could sell on darknet marketplaces, the indictments are the first time government officials have tied the Equifax incident to cyber-espionage orchestrated by a nation-state. 

When announcing the indictments, Attorney General William Barr not only highlighted some previously unknown details of the Equifax breach, but also hinted that China could be behind other significant breaches and intrusions at large organizations, including incidents at Anthem, Marriott and the U.S. Office of Personnel Management.

The reasons why any country wants this data can vary. Some security analysts believe it’s a way to build an alternative Big Data database of a geopolitical rival. What this does show, in any case, is that businesses of all sizes must recognize that their data is being targeted by groups more powerful than lone cybercriminals looking to turn a quick buck on Joker’s Stash.

“With the recent news that the Equifax breach of 2017 appears to be of a much different nature than previously thought—an advanced persistent threat unleashed by Chinese nationals, rather than a criminal organization seeking profits on the dark web—it calls into question just how much the cybersecurity industry truly knows about the motives behind hacks, breaches, malware, etc.,” said Rui Lopes, Engineering and Technical Support Director at Panda Security.

Equifax and the Failure to Secure

While not every organization has faced the technological superiority that a country’s military or intelligence apparatus can bring to bear, the 2017 Equifax breach didn’t necessarily have to happen, and the company made it easy for cyber-spies looking for information to overcome security protections.

In short, Equifax’s internal security and IT teams fell down on the job. 

First and foremost, Equifax’s IT and security team did not patch a vulnerability in the Apache Struts open-source web application framework in March 2017, despite the fact that both the U.S. Computer Emergency Readiness Team and the Department of Homeland Security urged organizations to fix the flaw within 48 hours. (Equifax’s two main competitors in the consumer credit reporting business, TransUnion and Experian, each managed to fix the same vulnerability as recommended, an investigation found.)

A Congressional report later found that some 400 Equifax employees received the CERT alert about Apache Struts, but no one, from the CIO down, prioritized it.

The unpatched vulnerability in the version of Apache Struts that Equifax used eventually allowed the hackers a way to enter the internal Equifax infrastructure through a customer-facing web portal, steal additional credentials, map the network, and run some 9,000 SQL queries over the course of nearly 80 days—all while looking for the most sensitive data to take, according to the federal indictments.

In addition, Equifax’s security team allowed eight Secure Sockets Layer (SSL) certificates to expire in November 2016, and none of those were renewed until July 2017. Once that happened, and scanners began checking the network, the security team immediately received alerts about suspicious traffic coming from different IP addresses, including ones in China, and targeting the vulnerable web portal, according to a Congressional report.

By then, the Apache Struts vulnerability was fixed and access to the web portal cut off, but the hackers had what they needed.

“The Equifax breach was chiefly due to a set of process failures on Equifax’s behalf,” Dr. Richard Gold, the head of security engineering at Digital Shadows, told Dice. “Although they were attacked by a well-resourced threat actor, their security issues were by far the bigger problem. They lacked some of the basic security controls and processes, for example, although they attempted to scan for the Apache Struts vulnerability, their security scanner did not actually detect the vulnerability in question.”

Learning Security Lessons For the New World

What several security analysts agree on is that the Equifax breach changed the game, and the February 11 indictments highlight that fact. Nation-state threat actors, well-funded and trained, are another security threat to businesses, and they are pursuing much of the same data as cybercriminals.

“Not only is it clear that nation states are perceived to be as active as cybercriminals, but the prior MO of fraud and stolen IDs itself has evolved to include destructive attacks like ransomware,” said Tim Wade, the technical director of the CTO Team at security firm Vectra.

The security experts who spoke to Dice offered some ways that businesses large and small, whether they have dedicated security or not, can reduce or at least mitigate the chances of this happening, whether the attacks are directed by cybercriminals or nation-state actors.

Implement Zero-Trust

Zero-trust is more a philosophy than a set of technologies that can prevent an attack. At its most basic, zero-trust states that security teams should not trust any entity either inside or outside their networks. In other words, a threat can be anywhere and everywhere, and the perimeter is gone. A zero-trust approach, combined with endpoint protection and detection, can help mitigate some risk.

In-Depth Defense

As Gold sees it, both vulnerability management and security monitoring failed Equifax, as IT and security did not keep up with current threats. As a result, companies should consider a defense-in-depth approach that provides multiple, partially overlapping security controls that are underpinned by a robust process.
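One overlapping control for the scanner gap Gold describes is a file-level inventory that does not depend on a network scanner recognizing the flaw. The sketch below is an added example, not code from Equifax, Dice or any vendor named here: it lists Struts core jars on disk, including those packed inside WAR/EAR archives. It assumes the `struts2-core-<version>.jar` naming convention, and `min_fixed` is a placeholder the operator takes from the vendor advisory, since the article does not state a fixed version.

```python
import io
import re
import zipfile
from pathlib import Path

# Assumption: the Struts core library ships as struts2-core-<version>.jar.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = (".war", ".ear", ".jar", ".zip")


def parse_version(text):
    """'2.10.1' -> (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def _scan_archive(data, label, depth=0):
    """Yield (location, version) for Struts jars in an archive, nested up to 3 levels."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                m = JAR_RE.search(name)
                if m:
                    yield f"{label}!{name}", m.group(1)
                elif name.lower().endswith(ARCHIVES) and depth < 3:
                    yield from _scan_archive(zf.read(name), f"{label}!{name}", depth + 1)
    except zipfile.BadZipFile:
        return  # not a real archive; nothing to inventory


def find_struts(root):
    """Walk root and report every Struts core jar, loose or packed inside an archive."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        m = JAR_RE.search(path.as_posix())
        if m:
            found.append((str(path), m.group(1)))
        elif path.suffix.lower() in ARCHIVES:
            found.extend(_scan_archive(path.read_bytes(), str(path)))
    return found


def outdated(found, min_fixed):
    """min_fixed comes from the vendor advisory; the article does not state it."""
    floor = parse_version(min_fixed)
    return [(loc, ver) for loc, ver in found if parse_version(ver) < floor]
```

Run against application server deployment directories and compare the result with what the network scanner reports; a jar that appears here but not in the scan results is the kind of gap the quote describes.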

Back to Basics

The first issue at Equifax was a lack of patching, which shows that good security fundamentals and hygiene remain the top ways to prevent attacks, whether by cybercrooks or spies. A back-to-basics approach entails routinely patching systems, disabling default accounts and credentials, and using strong passwords with multi-factor authentication—all of which can go a long way to reducing an organization’s risk.

“As IT and security professionals, we must stay vigilant and adhere to the fundamentals of security such as patching, asset discovery, enforcing least privilege and training,” said Terence Jackson, CISO at security firm Thycotic. “The way we develop code has to also be secure throughout the lifecycle; oftentimes security is bolted on at the end, which inevitably will leave gaps. No code is perfect, but we should strive for it.”