Learning from the Equifax Fiasco

143,000,000 Victims.

Any Lessons?

When faced with the almost incomprehensible scope of last month’s Equifax episode, words like “breach” and “hack” seem inadequate to convey the scope of the incident. “Catastrophe” may be closer.

Consider: The number of victims is equivalent to the entire populations of Australia, Canada, Ireland, Italy, Israel, and Sweden – combined.

Now think through the wide variety of personal information that resides in each file. Social Security, credit card, and bank account numbers. Date of birth. Current and previous addresses. Employment information. Legal information from public records.

Think the bad guys could wreak havoc on your life if they had that information about you? Well, they do.

What really happened?

A flaw in the Apache Struts tool, which was used to build the company’s online dispute portal, was identified by the US Department of Homeland Security back in March. Equifax officials claim that they became aware of the vulnerability at that time, and their security department “took efforts to identify and to patch any vulnerable systems.”

The company discovered the breach on July 29. It waited an extra day to see if it could identify “additional suspicious activity” before taking the affected web application offline. Three days later, they hired an outside cybersecurity firm to conduct an investigation. That firm’s forensic analysis indicated that a series of breaches had occurred between May 13 (two months after the DHS notification) and July 30.

Equifax waited more than a month before notifying its customers and shareholders about the attacks, which gave three executives enough time to dump $1.8 million worth of Equifax stock. On September 15, the company announced the forced resignation of its Chief Information Officer and Chief Information Security Officer. Other employees subsequently reported that the IT security process quickly descended into chaos. CEO Rick Smith resigned earlier this week.


Immediate lessons for all corporations, regardless of size . . .


Incident response planning is vital.

What happens in the immediate aftermath of a cybersecurity incident can often limit exposure. Or it can make things a whole lot worse.

Suddenly you have to . . .

1. Identify the attack
2. Isolate and quarantine the threat
3. Spin up an investigation team
4. Collect and sift through logs
5. Identify compromised systems
6. Restore your critical data
7. Work with key technology and financial vendors
8. Keep upper management apprised
9. Keep the feds updated
10. Execute your breach notification plan. (What do you mean, you don't have one?)

The headache could get worse in a hurry. As with the Equifax hack, more than half of successful cyberattacks exploit vulnerabilities for which there are known and well-tested patches. Most trigger log notifications that could have provided the first signs of a compromise, if they hadn't gone unnoticed for more than a month. (Feel like explaining that one?)

And if you operate under regulatory guidelines, federal officials will also come knocking to conduct a breach investigation of their own. They'll likely request an incident log and your latest risk analysis. Hope your record keeping has been thorough.
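The two points above (alerts that sit unnoticed for weeks, and the incident log regulators will ask for) come down to the same discipline: knowing how old your unacknowledged alerts are. The script below is an added example written for this article, not tooling from SLPowers or Equifax. It assumes a simple one-alert-per-line log format (ISO-8601 UTC timestamp, severity, source, message, and an ack flag), and the sample lines, host names and addresses in it are constructed.

```python
"""Alert-aging triage over constructed security-alert log lines.

Added example, not code from SLPowers or Equifax. The log format is an
assumption: one alert per line as
"<ISO-8601 UTC timestamp> <SEVERITY> <source>: <message> ack=<yes|no>".
"""
import re
from datetime import datetime, timezone

# Constructed sample alerts. Host names are placeholders and the addresses
# are from the RFC 5737 documentation ranges.
SAMPLE_ALERTS = """\
2017-05-13T02:14:07Z HIGH ids-portal01: signature match on dispute-portal request from 203.0.113.5 ack=no
2017-05-13T02:15:40Z HIGH ids-portal01: repeated signature match on dispute-portal request from 203.0.113.5 ack=no
2017-05-20T22:01:13Z MEDIUM netflow-edge: unusual outbound transfer volume from portal tier to 198.51.100.7 ack=no
2017-06-02T09:30:00Z LOW patch-mgr: scheduled patch job completed on batch-04 ack=yes
2017-07-29T16:45:12Z HIGH soc-analyst: confirmed unauthorized access to dispute portal ack=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sev>HIGH|MEDIUM|LOW)\s+(?P<src>[^:]+):\s+"
    r"(?P<msg>.*?)\s+ack=(?P<ack>yes|no)$"
)
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def parse_ts(text):
    """Parse the assumed ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_alert(line):
    """Parse one alert line into a dict; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": parse_ts(m["ts"]),
        "severity": m["sev"],
        "source": m["src"],
        "message": m["msg"],
        "acked": m["ack"] == "yes",
    }


def parse_alerts(text):
    """Parse every well-formed line; malformed lines are silently dropped."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def stale_alerts(alerts, now, max_age_days=1, min_severity="HIGH"):
    """Unacknowledged alerts at or above min_severity that are older than
    max_age_days as of `now`. These are the ones nobody has looked at."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        a for a in alerts
        if not a["acked"]
        and SEVERITY_RANK[a["severity"]] >= threshold
        and (now - a["ts"]).days > max_age_days
    ]


def dwell_days(alerts, detected_at, min_severity="HIGH"):
    """Whole days between the earliest unacknowledged alert of at least
    min_severity and the moment the incident was actually recognised.
    Returns None if there was no such alert."""
    threshold = SEVERITY_RANK[min_severity]
    first_signs = [
        a["ts"] for a in alerts
        if not a["acked"] and SEVERITY_RANK[a["severity"]] >= threshold
    ]
    if not first_signs:
        return None
    return (detected_at - min(first_signs)).days


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    detected = parse_ts("2017-07-29T16:45:12Z")
    for a in stale_alerts(alerts, detected):
        age = (detected - a["ts"]).days
        print(f"{a['ts']:%Y-%m-%d} {a['severity']:<6} {a['source']:<14} "
              f"unacknowledged for {age} days: {a['message']}")
    print("dwell time (days):", dwell_days(alerts, detected))
```

Run against the constructed sample, the report lists the two HIGH alerts from May that were never acknowledged and a dwell time of 77 days; lowering `min_severity` to `"MEDIUM"` also surfaces the unusual outbound transfer. A daily job that emits this report (and keeps its output as part of the incident log) is the difference between noticing the first signs in a day and explaining a two-month gap to a regulator.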

Talk to us about building an incident response plan to keep you from looking like your own version of Equifax.

Delays can be fatal.

This one has two dimensions, and both of them suddenly seem obvious.

First, delays in investigating and deploying critical security patches leave key systems vulnerable far longer than advisable. We know from experience that patches often negatively impact the performance of multiple systems. Here at SLPowers, we test all non-critical security patches before pushing them out to target devices. That said, 1.) security patches need to be released rapidly, with a tested and proven roll-back process ready to go, and 2.) deployment of those patches, even in a company the size of Equifax, needs to be accomplished and verified a lot sooner than was the case here.
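"Accomplished and verified" is the part that tends to slip: a patch job that ran is not the same as every host in the fleet reporting the fixed version. The following is an added example written for this article, not SLPowers' or Equifax's tooling. It assumes an inventory export with one host per line (hostname, component, installed version, previous version) plus a separate list of hosts expected to run the component; the host names, the component name and the fixed version are placeholders, not the real Struts fix level.

```python
"""Patch-deployment verification over a constructed host inventory.

Added example, not code from SLPowers or Equifax. Assumptions: an inventory
export as CSV ("hostname,component,installed_version,previous_version") and
a fleet list of hosts that are expected to run the component. FIXED_VERSION
is a placeholder; substitute the vendor's actual fixed version.
"""
import csv
import io
import re

COMPONENT = "web-framework"          # placeholder component name
FIXED_VERSION = "2.0.7"              # placeholder, not the real fix level

# Hosts expected to run the component (constructed). portal-web-04 is in the
# fleet list but never reported into the inventory.
FLEET = ["portal-web-01", "portal-web-02", "portal-web-03", "portal-web-04"]

# Constructed inventory export.
INVENTORY_CSV = """\
hostname,component,installed_version,previous_version
portal-web-01,web-framework,2.0.7,2.0.5
portal-web-02,web-framework,2.0.5,2.0.5
portal-web-03,web-framework,2.0.7,2.0.5
portal-web-03,database,9.6.5,9.6.4
"""


def parse_version(text):
    """Turn '2.0.7' (or '2.0.7-rc1') into a tuple of ints so that
    comparisons are numeric: '2.0.10' must rank above '2.0.7'."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def load_inventory(csv_text):
    """Return {(hostname, component): row} from the assumed CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["hostname"], r["component"]): r for r in rows}


def verify_patch(inventory, fleet, component, fixed_version):
    """Classify every host in `fleet`: patched, unpatched, or unverified
    (no inventory record at all). Deployment is complete only when the
    other two buckets are empty; a silent host is never counted as patched."""
    required = parse_version(fixed_version)
    patched, unpatched, unverified = [], [], []
    for host in fleet:
        row = inventory.get((host, component))
        if row is None:
            unverified.append(host)
        elif parse_version(row["installed_version"]) >= required:
            patched.append(host)
        else:
            unpatched.append(host)
    return {
        "patched": patched,
        "unpatched": unpatched,
        "unverified": unverified,
        "complete": not unpatched and not unverified,
    }


def rollback_plan(inventory, component, hosts):
    """For the hosts that took the patch, record the version to return to
    if the roll-back process has to be exercised."""
    return {h: inventory[(h, component)]["previous_version"] for h in hosts}


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    result = verify_patch(inv, FLEET, COMPONENT, FIXED_VERSION)
    for bucket in ("patched", "unpatched", "unverified"):
        print(f"{bucket:<10} {result[bucket]}")
    print("deployment complete:", result["complete"])
    print("roll-back targets:", rollback_plan(inv, COMPONENT, result["patched"]))
```

On the constructed inventory the check reports two hosts patched, one still on the old version, and one that never reported in, so `complete` is false. Treating "unverified" as its own bucket rather than folding it into "patched" is the point: the hosts you cannot see are exactly the ones an attacker finds for you.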

The other obvious lesson about delay has to do with notification. At best, delays in disclosing a cyberattack make companies appear incompetent. Worse, they can seem shady. Worst of all, there are legal implications at work as well. (The ex-CEO of Equifax will be hauled before Congress next week.)

Who’s your CISO?

In many organizations, the person carrying the CISO initials isn't really considered part of the senior executive team. It's often a position created out of regulatory necessity, but somewhat isolated from the true decision makers. This is a mistake.

Information Technology is essential to every business. And the risks associated with a network breach impact the entire organization, not just IT. So bringing your CISO deeper into the company’s larger strategic planning structure only makes sense.

But firing them in the midst of the most chaotic days after an incident makes no sense at all. You need some measure of continuity, of authority, of accountability to make sense of everything and execute your response plan. Fire them afterwards, if you must.