Are organizations better off today than they were three years ago when a devastating breach at Equifax exposed sensitive customer data and poor security practices in equal measure?
The consensus among experts is that companies still have a ways to go.
“Unfortunately, not much has changed,” said Greg Foss, senior threat researcher from VMware Carbon Black.
The breach led to significant fines and the retirement of Equifax’s chief executive and chief information officer, congressional probes and proposed legislative and regulatory changes. It also saw the credit monitoring company take a huge hit to its reputation.
But even with lessons from the Equifax breach looming large, organizations still are caught flat-footed by similar threats, in part because those threats continue to evolve and proliferate – and attackers are persistent.
“Any organization can be breached and security never ends,” Equifax Chief Information Security Officer Jamil Farshchi told SC Media in June before taking the stage at InfoSec World 2020 to deliver the keynote.
Farshchi joined the credit reporting agency after attackers exploited vulnerabilities in Apache Struts – twice missed by Equifax security – and compromised the personal data of 182 million U.S. consumers and the credit card information of about 209,000. He has spent the better part of his two-year tenure guiding Equifax through a security transformation plan, and taking to the podium to urge other organizations to learn from his company’s mistakes.
As it turns out, it’s a message/guidance that corporate America is hungry to hear: 40 percent of security leaders in a recent study from Ostermann Research and Immersive Labs said they aren’t confident in their team of responders precisely because they feel security has failed to adapt to today’s threats.
“Cyber crisis response, sadly, currently lags the threat landscape,” said Max Vetter, chief cyber officer at Immersive Labs. “This is because it is still far too static, stored in a folder..only updated and tested at infrequent intervals.”
That’s a particularly dangerous place to be during a pandemic, where attackers take aim at newly remote and vulnerable workforces.
“COVID-19 has undoubtedly amplified the susceptibility of organizations to cyberattacks of all kinds,” said Foss. “Through the extension of the traditional perimeter to the increase in destructive attacks with impunity against opportunistic targets, we are seeing a surge of new threat actors, ransomware, and even nation-state adversaries getting involved in the theft of information for resale.”
Those attacks won’t let up any time soon. Attackers, who have grown more sophisticated and bold, Foss said, “will continue to take advantage of opportunities, leveraging the most efficient means to profit from an intrusion, often including redundancy planning in more recent intrusions.”
All the more important, then, for organizations to take the lessons learned from the Equifax breach to heart.
Blocking and tackling are still important.“Equifax was a good example, highlighting the importance of taking care of the basics and understanding the organization’s full exposure,” said Foss. “Some proper testing and validation early on using repeatable and vetted processes would have highlighted these vulnerabilities and could have helped to prevent one of the most impactful breaches of personal information of our time.”
Keep on patching. At its core, the attack on Equifax was “opportunistic and the result of a combination of vulnerabilities that often go unnoticed in many organizations that lack proper tooling and processes to prevent common but avoidable exposures such as default credentials and patch management,” said Foss.
Implementing regular updates is both a no-brainer and a potential disrupter – patching one application can impact other apps and operations throughout an organization. But patch you must, said Tom Pendergast, chief learning officer at MediaPro. “The core actions that could have prevented the Equifax breach — effective patching and network segmentation — were well known to all before the breach,” he pointed out.
Don’t shortchange security. From Pendergast: segment your networks, and train on appropriate incident reporting to flag issues as soon as possible. Such practices will mean that business leaders have a better recognition of what’s required to secure the organization against cybercrime.
While the breach highlighted “issues of all kinds in relation to the simplicity of the attack that resulted in such a catastrophic breach, companies continue to cut corners with security,” said Pendergast. Security will always be seen as an overhead cost for a lot of organizations, he added.
But to put protections in place, information security leaders need the support of the business, so “incidents like Equifax help make the case for budget, staff and training to secure the organization.”
Bolster security policy. “Moving forward, policies and even laws should be much more stringent around the security requirements of handling sensitive PII,” said Foss. Low fines are less impactful for organizations that are trusted stewards of our personal data.
“With more and more personal information being stored across a myriad of companies of all kinds, we have to begin to hold companies more accountable if they aim to collect, store, and transmit our sensitive information,” he said.
Build a security culture around risk. An autopsy of the Equifax breach provides a laundry list of fatal failures.
“Corners were cut on key security controls which were then compounded by human error and gaps in critical processes to address vulnerabilities,” said Mark Kedgley, CTO at New Net Technologies. The “key lesson is that it isn’t enough to just have some security controls and products in place. Effective cybersecurity requires a pervasive adoption of security best practices at all levels throughout an organization.”
Organizations should create realistic risk management frameworks for vulnerability assessment results — one of the top ways to maintain your security posture and reduce your attack surface, said Charles Ragland, security engineer at Digital Shadows. “Evaluating the difference between vulnerable and exploitable systems and making decisions based on business needs and risk tolerance is crucial for organizations to prevent an Equifax-style attack.”
Mature security program results, he said, “don't always manifest themselves in prominent ways, which unfortunately leads many organizations to place security on the back burner.” In fact, “when treating security as a box-checking exercise, and not a workplace culture, organizations are often surprised when an incident happens."
That’s a lesson that Equifax has learned, albeit the hard way.
“You have to focus on risk rather than standards compliance,” said Farshchi. “You’ve got to build in a culture of risk. You have to get risk to a threshold acceptable to the business. I want multiple data sets across the organization, not fully relying on one source.”
In the years following the attack, Equifax has sought to sharpen its security and regain the trust of customers and the industry. The credit monitoring firm isn’t looking for a single product or innovation to hang security on – nor is it relying on checkbox compliance when it comes to raising employee awareness. Instead, “we’ve built it in and provide immediate feedback so employees can see how their behavior negatively impacts something,” said Farshi.
“But we’re not using it as a stick," he added. "We also don’t need to go for a moonshot or just throw education at them. If it’s contextualized they can truly learn by the experience itself. Positive exposure is what [causes] behavior to improve. Cultural behavior is the most difficult to change, but change will come as long as you show incremental improvement."
As Equifax comes to the end of its security transformation plan, Farshchi believes the company has “made tremendous progress.” But “it doesn’t end here.”