A Word About Equifax and Security Best Practices

5 votes, average: 3.40 out of 55 votes, average: 3.40 out of 55 votes, average: 3.40 out of 55 votes, average: 3.40 out of 55 votes, average: 3.40 out of 5 (5 votes, average: 3.40 out of 5, rated)

Your credit information may be available on the dark web, but at least we’re learning about cyber security!

Before we get started talking about Equifax, I’d like to apologize for the brief interruption in our regularly scheduled programming, err… blog… posting? As you may know, our company resides in beautiful St. Petersburg, FL, which recently found itself in the path of Hurricane Irma.

We’re glad to say that we made it out safe and relatively unscathed. Most of us have power back by now. I actually had mine back shortly after the storm but continued to eat room temperature beans out of aluminum cans by candlelight while living without electricity for fear of looters.

Anyway, while we’ve been bailing water, a lot has happened in the world of cyber security. Namely, the Equifax Breach. So I figured this would be an excellent opportunity to go over what happened and what we can learn from this whole situation.idUSKCN1BN1WN

What is the Equifax Breach?

Equifax, an equestrian telecommunications company… [Editor’s Note: This was the point that we sent Carl back to do some more research] Scratch that. Equifax is one of the world’s largest credit reporting agencies. It keeps information on over 800 million consumers and over 88 million businesses worldwide.

On July 29th, Equifax discovered that it had been breached. Over the coming days and weeks, it was discovered that over 143-million consumer records – including full names, addresses, social security numbers and other personal identifying information – had been compromised. As more and more scrutiny has been applied to Equifax, additional troubling information has emerged that raises serious questions about the company’s security practices.

As far as data breaches go, this could be the motherload. Per a report by Reuters, verified credit card information – meaning a card that has been tested and is still active – can fetch 10-20 dollars per card on the dark web. Full ID dossiers – which include all the information to carry out identity theft – can fetch up to $10. It may seem like a trivial amount, but when you’re pulling down 143-million records it can turn into a nice haul. Some experts are already calling this the worst breach in history.

What Happened with Equifax?

From the sounds of it, Equifax really needs to overhaul its security policies and practices. A lot of what occured comes down to gross negligence. The vulnerability that was used against Equifax is called Apache Struts CVE-2017-5638. Apache Struts is an open-source framework for developing Java web applications. Researchers identified the vulnerability that was used against Equifax on March 6, 2017. It was patched a week later.

Now, if you do the math, Equifax had roughly four and a half months to patch its own systems and remove this vulnerability. It clearly didn’t. Now, 143-million consumer records have been exposed.

And that just appears to be the tip of the iceberg. Hold Security, a Milwaukee-based security firm was able to crack one of Equifax’s Argentinian database and harvest employee information with little more than guesswork. In this case, Equifax was using “admin” as both a username and the accompanying password for the database. Let’s pause for a second and appreciate a major international credit monitoring agency that has secured its database with the same level of sophistication as the average internet user sets up a router with—using just the default settings.

Let’s just put it this way. I’ve been tricked, duped and ripped off on the internet so much that my coworkers have sarcastically taken to calling me “Cautious Carl.” I got ransomware my first day working here. To this day, I’m considered such a danger I have to ask permission just to use the internet at work. The point I’m making is that when I can look at your company’s security implementation and tell you it’s awful—it must really be bad.

What Can We Learn From Equifax?

There used to be a great baseball player named Gary Sheffield that had an amazing swing, which, ironically enough, was also a pretty textbook example of how not to swing a baseball bat. Commentators used to remark that you could look at him in action and teach a young player exactly what not to do. Equifax’s security is a lot like Gary Sheffield’s swing, except for rather than using it to mash 509 career homers like Gary did, Equifax just took a fastball in its daddy bits.

Actually, that’s probably a terrible analogy for a number of reasons, the least of which is that I’m trying to talk to the cyber security community using an example that includes the word “baseball.” (It’s the game with the bases and the outs and the wooden bats—no, not Cricket. Nevermind. Just nevermind.)

Anyway, the point I’m making is that we could probably write a book on how not to secure a company or organization just using Equifax examples. In fact, someone probably will. The infosec community is petty like that. For our purposes though, there is one big lesson we can take away from Equifax.

Always stay up to date on Security Updates

Apache Struts had been patched for months before Equifax was breached. This wasn’t some zero day exploit where nobody had any warning, this was a well-documented vulnerability that should have been dealt with immediately. Or, at least within four and a half months of its disclosure. Granted, this kind of feels like your newly eclipse-blind friend telling you that this was a great lesson about not staring at the sun – it’s that obvious – but it’s still good advice. Advice that goes unfollowed far too often, even in this day and age. You just can’t ignore patches and updates. I mean, I guess you can, but this is what happens.

Of course, there are other smaller, more specific lessons that you can glean from this fiasco as well. Like, for instance, don’t ever use admin as a password for anything. Ever. Especially if your username is also “admin.” Or how about maybe don’t offload $2-million worth of stock before your company has a chance to disclose a security breach. Again, that’s very specific but it’s sound advice.

A Final Word

Let this serve as a lesson to you. The next time you get a notification about updating new security settings, spend the minute or so it takes to implement them. Granted, chances are the personal data of 143-million consumers doesn’t hang in the balance, but don’t let that stop you from updating.

And hey, at at least if you learn this one lesson you’ll be able to say you gained something from this entire debacle when your identity inevitably gets stolen sometime around Christmas.

Thanks, Equifax.