{"id":1930,"date":"2017-09-15T14:43:48","date_gmt":"2017-09-15T20:13:48","guid":{"rendered":"https:\/\/www.rapidsslonline.com\/blog\/?p=1930"},"modified":"2022-04-22T01:09:08","modified_gmt":"2022-04-22T06:39:08","slug":"word-equifax-security-best-practices","status":"publish","type":"post","link":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/","title":{"rendered":"A Word About Equifax and Security Best Practices"},"content":{"rendered":"<h2>Your credit information may be available on the dark web, but at least we\u2019re learning about cyber security!<\/h2>\n<p>Before we get started talking about Equifax, I\u2019d like to apologize for the brief interruption in our regularly scheduled programming, err\u2026 blog\u2026 posting? As you may know, our company resides in beautiful St. Petersburg, FL, which recently found itself in the path of Hurricane Irma.<\/p>\n<p>We\u2019re glad to say that we made it out safe and relatively unscathed. Most of us have power back by now. I actually had mine back shortly after the storm but continued to eat room temperature beans out of aluminum cans by candlelight while living without electricity for fear of looters.<\/p>\n<p>Anyway, while we\u2019ve been bailing water, a lot has happened in the world of cyber security. Namely, the Equifax Breach. So I figured this would be an excellent opportunity to go over what happened and what we can learn from this whole situation.idUSKCN1BN1WN<\/p>\n<h2>What is the Equifax Breach?<\/h2>\n<p>Equifax, an equestrian telecommunications company\u2026 [Editor\u2019s Note: <em>This was the point that we sent Carl back to do some more research<\/em>] Scratch that. Equifax is one of the world\u2019s largest credit reporting agencies. It keeps information on over 800 million consumers and over 88 million businesses worldwide.<\/p>\n<p>On July 29<sup>th<\/sup>, Equifax discovered that it had been breached. Over the coming days and weeks, it was discovered that over 143-million consumer records \u2013 including full names, addresses, social security numbers and other personal identifying information \u2013 had been compromised. As more and more scrutiny has been applied to Equifax, additional troubling information has emerged that raises serious questions about the company\u2019s security practices.<\/p>\n<p>As far as data breaches go, this could be the motherload. Per a report by Reuters, verified credit card information \u2013 meaning a card that has been tested and is still active \u2013 can fetch 10-20 dollars per card on the dark web. Full ID dossiers \u2013 which include all the information to carry out identity theft \u2013 can fetch up to $10. It may seem like a trivial amount, but when you\u2019re pulling down 143-million records it can turn into a nice haul. Some experts are already calling this the worst breach in history.<\/p>\n<h2>What Happened with Equifax?<\/h2>\n<p>From the sounds of it, Equifax really needs to overhaul its security policies and practices. A lot of what occured comes down to gross negligence. The vulnerability that was used against Equifax is called Apache Struts CVE-2017-5638. Apache Struts is an open-source framework for developing Java web applications. Researchers identified the vulnerability that was used against Equifax on March 6, 2017. It was patched a week later.<\/p>\n<p>Now, if you do the math, Equifax had roughly four and a half months to patch its own systems and remove this vulnerability. It clearly didn\u2019t. Now, 143-million consumer records have been exposed.<\/p>\n<p>And that just appears to be the tip of the iceberg. Hold Security, a Milwaukee-based security firm was able to crack one of Equifax\u2019s Argentinian database and harvest employee information with little more than guesswork. In this case, Equifax was using \u201cadmin\u201d as both a username and the accompanying password for the database. Let\u2019s pause for a second and appreciate a major international credit monitoring agency that has secured its database with the same level of sophistication as the average internet user sets up a router with\u2014using just the default settings.<\/p>\n<p>Let\u2019s just put it this way. I\u2019ve been tricked, duped and ripped off on the internet so much that my coworkers have sarcastically taken to calling me \u201cCautious Carl.\u201d I got ransomware my first day working here. To this day, I&#8217;m considered such a danger I have to ask permission just to use the internet at work. The point I\u2019m making is that when I can look at your company\u2019s security implementation and tell you it\u2019s awful\u2014it must really be bad.<\/p>\n<h2>What Can We Learn From Equifax?<\/h2>\n<p>There used to be a great baseball player named Gary Sheffield that had an amazing swing, which, ironically enough, was also a pretty textbook example of how not to swing a baseball bat. Commentators used to remark that you could look at him in action and teach a young player exactly what not to do. Equifax\u2019s security is a lot like Gary Sheffield\u2019s swing, except for rather than using it to mash 509 career homers like Gary did, Equifax just took a fastball in its daddy bits.<\/p>\n<p>Actually, that\u2019s probably a terrible analogy for a number of reasons, the least of which is that I\u2019m trying to talk to the cyber security community using an example that includes the word \u201cbaseball.\u201d (It\u2019s the game with the bases and the outs and the wooden bats\u2014no, not Cricket. Nevermind. Just nevermind.)<\/p>\n<p>Anyway, the point I\u2019m making is that we could probably write a book on how not to secure a company or organization just using Equifax examples. In fact, someone probably will. The infosec community is petty like that. For our purposes though, there is one big lesson we can take away from Equifax.<\/p>\n<p><strong>Always stay up to date on Security Updates<\/strong><\/p>\n<p>Apache Struts had been patched for months before Equifax was breached. This wasn\u2019t some zero day exploit where nobody had any warning, this was a well-documented vulnerability that should have been dealt with immediately. Or, at least within four and a half months of its disclosure. Granted, this kind of feels like your newly eclipse-blind friend telling you that this was a great lesson about not staring at the sun \u2013 it\u2019s that obvious \u2013 but it\u2019s still good advice. Advice that goes unfollowed far too often, even in this day and age. You just can\u2019t ignore patches and updates. I mean, I guess you can, but this is what happens.<\/p>\n<p>Of course, there are other smaller, more specific lessons that you can glean from this fiasco as well. Like, for instance, don\u2019t ever use admin as a password for anything. Ever. Especially if your username is also \u201cadmin.\u201d Or how about maybe <a href=\"https:\/\/www.reuters.com\/article\/legal-us-equifax-cyber-heitkamp\/u-s-senator-on-equifax-hack-somebody-needs-to-go-to-jail-idUSKCN1BN261\">don\u2019t offload $2-million worth of stock before your company has a chance to disclose a security breach<\/a>. Again, that\u2019s very specific but it\u2019s sound advice.<\/p>\n<h2>A Final Word<\/h2>\n<p>Let this serve as a lesson to you. The next time you get a notification about updating new security settings, spend the minute or so it takes to implement them. Granted, chances are the personal data of 143-million consumers doesn\u2019t hang in the balance, but don&#8217;t let that stop you from updating.<\/p>\n<p>And hey, at at least if you learn this one lesson you\u2019ll be able to say you gained something from this entire debacle when your identity inevitably gets stolen sometime around Christmas.<\/p>\n<p>Thanks, Equifax.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Your credit information may be available on the dark web, but at least we\u2019re learning about cyber security! Before we get started talking about Equifax, I\u2019d like to apologize for &hellip; <span class=\"d-flex justify-content-end\"><a href=\"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/\" class=\"btn btn-blue\">Read More <span class=\"screen-reader-text\">A Word About Equifax and Security Best Practices<\/span><\/a><\/span><\/p>\n","protected":false},"author":10,"featured_media":1933,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[24],"tags":[],"class_list":["post-1930","post","type-post","status-publish","format-standard","has-post-thumbnail","category-web-security-updates"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>A Quick Word About Equifax and Security Best Practices<\/title>\n<meta name=\"description\" content=\"Cautious Carl is back to break down the recent Equifax Breach, including what went wrong and what we can learn from it moving forward.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A Word About Equifax and Security Best Practices\" \/>\n<meta property=\"og:description\" content=\"Cautious Carl is back to break down the recent Equifax Breach, including what went wrong and what we can learn from it moving forward.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/\" \/>\n<meta property=\"og:site_name\" content=\"RapidSSLOnline Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/rsosslcertificates\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-09-15T20:13:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-22T06:39:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2017\/09\/equifax-breach-data-identify-theft-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"200\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Adam Thompson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"A Word About Equifax and Security Best Practices\" \/>\n<meta name=\"twitter:description\" content=\"Cautious Carl is back to break down the recent Equifax Breach, including what went wrong and what we can learn from it moving forward.\" \/>\n<meta name=\"twitter:creator\" content=\"@rsossl\" \/>\n<meta name=\"twitter:site\" content=\"@rsossl\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Adam Thompson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A Quick Word About Equifax and Security Best Practices","description":"Cautious Carl is back to break down the recent Equifax Breach, including what went wrong and what we can learn from it moving forward.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/","og_locale":"en_US","og_type":"article","og_title":"A Word About Equifax and Security Best Practices","og_description":"Cautious Carl is back to break down the recent Equifax Breach, including what went wrong and what we can learn from it moving forward.","og_url":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/","og_site_name":"RapidSSLOnline Blog","article_publisher":"https:\/\/www.facebook.com\/rsosslcertificates\/","article_published_time":"2017-09-15T20:13:48+00:00","article_modified_time":"2022-04-22T06:39:08+00:00","og_image":[{"width":200,"height":200,"url":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2017\/09\/equifax-breach-data-identify-theft-1.jpg","type":"image\/jpeg"}],"author":"Adam Thompson","twitter_card":"summary_large_image","twitter_title":"A Word About Equifax and Security Best Practices","twitter_description":"Cautious Carl is back to break down the recent Equifax Breach, including what went wrong and what we can learn from it moving forward.","twitter_creator":"@rsossl","twitter_site":"@rsossl","twitter_misc":{"Written by":"Adam Thompson","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/#article","isPartOf":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/"},"author":{"name":"Adam Thompson","@id":"https:\/\/www.rapidsslonline.com\/blog\/#\/schema\/person\/ab1f810704e5f52f23e62cf0a309fd56"},"headline":"A Word About Equifax and Security Best Practices","datePublished":"2017-09-15T20:13:48+00:00","dateModified":"2022-04-22T06:39:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/"},"wordCount":1153,"commentCount":0,"image":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/#primaryimage"},"thumbnailUrl":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2017\/09\/equifax-breach-data-identify-theft-1.jpg","articleSection":["Web Security Updates"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/","url":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/","name":"A Quick Word About Equifax and Security Best Practices","isPartOf":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/#primaryimage"},"image":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/#primaryimage"},"thumbnailUrl":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2017\/09\/equifax-breach-data-identify-theft-1.jpg","datePublished":"2017-09-15T20:13:48+00:00","dateModified":"2022-04-22T06:39:08+00:00","author":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/#\/schema\/person\/ab1f810704e5f52f23e62cf0a309fd56"},"description":"Cautious Carl is back to break down the recent Equifax Breach, including what went wrong and what we can learn from it moving forward.","breadcrumb":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/#primaryimage","url":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2017\/09\/equifax-breach-data-identify-theft-1.jpg","contentUrl":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2017\/09\/equifax-breach-data-identify-theft-1.jpg","width":200,"height":200,"caption":"equifax-breach-data-identify-theft"},{"@type":"BreadcrumbList","@id":"https:\/\/www.rapidsslonline.com\/blog\/word-equifax-security-best-practices\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.rapidsslonline.com\/blog\/"},{"@type":"ListItem","position":2,"name":"A Word About Equifax and Security Best Practices"}]},{"@type":"WebSite","@id":"https:\/\/www.rapidsslonline.com\/blog\/#website","url":"https:\/\/www.rapidsslonline.com\/blog\/","name":"RapidSSLOnline Blog","description":"SSL Best Practices for Secure Website","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.rapidsslonline.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.rapidsslonline.com\/blog\/#\/schema\/person\/ab1f810704e5f52f23e62cf0a309fd56","name":"Adam Thompson","sameAs":["http:\/\/rapidsslonline.com"],"url":"https:\/\/www.rapidsslonline.com\/blog\/author\/adam-thompson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts\/1930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/comments?post=1930"}],"version-history":[{"count":0,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts\/1930\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/media\/1933"}],"wp:attachment":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/media?parent=1930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/categories?post=1930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/tags?post=1930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}