Equifax Breach: A Monumental Failure To Patch Known Vulnerabilities

Hardly anyone in the cybersecurity field didn’t see this coming.

When credit reporting giant Equifax announced on September 7, 2017 that hackers had penetrated their systems and stolen records containing social security numbers, names, addresses, and other private financial data from more than 143 million Americans, it was a big enough story to make the news – and stay there even in the weeks since.

As one of the big three credit screening firms, Equifax holds records on just about every American citizen alive or dead in the past few decades, and millions more overseas… and you can be sure identity thieves, scammers, and other criminals are licking their chops.

Civilians might have assumed that a company charged with safeguarding that much valuable data would have top notch security professionals on staff, using the latest and most up-to-date tools and processes to secure their systems. After all, Equifax has poured almost a quarter billion dollars into cybersecurity and has a 225-person cybersecurity team on staff.

But cybersecurity professionals know that the reality is that even the biggest and most likely targets for hacking attacks are often poorly managed and sometimes laughably insecure—money and expertise are wasted when unwitting executives undermine the work through poor process control.

In Equifax’s case, a two-month old vulnerability in Apache’s Struts MVC web application framework, used on the company’s public facing disputes website, hadn’t been patched—despite a patch being made available by the Apache Foundation. Not only was the company aware of the flaw, according to testimony from the now-deposed CEO Richard Smith, but it was also aware of the patch… and still didn’t manage to apply it.

Unpatched Software Vulnerabilities Are Like Handing Thieves the Keys

Unfortunately, this scenario is all too common.

Unpatched software vulnerabilities account for nearly half of all security breaches according to a 2015 report from Hewlett-Packard. This is hardly a recent development; PC World was sounding the alarm all the way back in 2009.

According to security firm Symantec in a 2016 report, 75% of all publicly accessible websites suffer from known, unmatched software vulnerabilities, so Equifax had a lot of company.

But they also had an enormously valuable target: the most vital personal and financial information for nearly every American consumer over the age of 18.

Nor was it Equifax’s first time at this rodeo. A September 2017 article in Forbes conveniently lists five other security breaches at the company in recent years, including some they were still fighting over in court with affected consumers and businesses. Worse, a problem with a third-party vendor used by the company caused a malware-infested popup to appear on the credit dispute website that users were flooding onto in the wake of the breach.

Big Breaches Make The News, But Death Comes From a Thousand Cuts

Of course, it’s not just Equifax, and just because the event made headlines, it may not be the real story. According to IRS Commissioner John Koskinen, quoted in an October 2017 article in The Hill, a big chunk of the affected individuals from the Equifax attack had probably already been compromised and just hadn’t been aware of it. The IRS estimates that more than 100 million Americans have already had their personal information lifted by hackers.

For cybersecurity pros, the fact that major corporations with important data to safeguard routinely fail on such elementary security precautions is teeth-gnashingly infuriating. Not only is it a security best practice, but also a basic system administration process. That fact that anybody that has let the fox in the henhouse through this kind of negligence continues to draw a paycheck at any legitimate business in the country is something that is baffling and discouraging.

Penetrating the company’s web servers was only the first element of the exploit, and it’s unclear what happened internally after the gates fell. Presumably, the company had additional internal safeguards on the protected data; just as clearly, those were penetrated as quickly as the web servers.

But much can be learned about a company’s internal security posture by the way it manages public-facing servers. Although they may be run by different teams with different levels of expertise, the management at the top sets the tone for the whole business. If they aren’t demanding basic competence at the point of heaviest attack, it’s likely they aren’t any better at ensuring the corporate crown jewels are secure.

Equifax’s response to the crisis simply provided further evidence that the organization was bereft of competent management and lacked strong internal processes. A site set up to inform consumers whether or not they had been affected in the initial breach was quickly revealed to be completely inaccurate. Worse, although the company waived fees for placing a credit freeze on consumer data, it was revealed to be using PINs (Personal Identification Numbers) for the service that were easily calculated and could be used by anyone to unfreeze the account again.

Basic Precautions Are Unlikely To Gain Traction As Long as Consequences Are Light

One thing you learn fast in cybersecurity is that you have to learn to look at scenarios from different perspectives in order to understand your vulnerabilities. In some senses, being baffled by the failure of corporate IT units to exercise basic security precautions when charged with safeguarding some of the most valuable data in the country represents a failure of imagination.

It may not be that the leadership of those companies or IT departments are as oblivious as a cybersecurity expert might assume. Instead, it’s more likely that they are behaving rationally according to the incentives on the table.

It’s true that CEO Richard Smith and the CIO and CSO of Equifax were all let go (allowed to “retire” technically) in the wake of the scandal. But being fired as a mighty chief executive doesn’t have quite the same sting to it as it does for technicians and analysts further down the food chain. Smith, for example, walks away from his desk with more than $90 million in vested options and other benefits. It’s difficult to see a lot of incentive to improve security processes from the top down when the worst that can happen is that you’ll walk away with eight figures and a swank house.

In testimony before the House Energy and Commerce Committee, Smith laid the blame on a single IT staffer for failing to communicate the necessary information about the patch. In addition to revealing unconscionable security and patching processes, though, Smith’s testimony uncovered the poor vulnerability scanning practices used by the company under his tenure. Despite the Struts vulnerability being included in many popular databases and security scanners, no sign of it was uncovered in two months of routine checks of the company website.

It’s unclear if the staffer that was blamed for the failure was fired. It’s pretty clear that not much has changed at Equifax and that not much is likely to change when the low-hanging fruit like essential software patches can’t be taken care of.