News

9/10/2018
12:47 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Equifax Breach One Year Later: 6 Action Items for Security Pros

The Equifax breach last September was the largest consumer breach in history. We talked to experts about lessons learned and steps companies can take to prevent and minimize future breaches.
Previous
1 of 7
Next

Image Source: Shutterstock via Piotr Swat

Image Source: Shutterstock via Piotr Swat

Large breaches have become such a fact of everyday life for the past few years that it’s easy to pass off the Equifax breach last September as just another in a long string of bad security news. But make no mistake about it: this was a huge breach that will take several years to sort out.

When the dust settled earlier this year, Equifax finally disclosed that 147.9 million people were affected in some way. Sensitive personal information was stolen, including the names, Social Security numbers, and dates of birth of the victims, as well as phone numbers, email addresses, and genders.

George Avetisov, CEO of HYPR, says while the breach itself caused great harm, rank-and-file consumers and companies not directly affected by the Equifax breach are still at risk because all that personal data still resides on the Dark Web and can be used for future account fraud, synthetic identity attacks and credential re-use.

"We know how many consumers had their data stolen," Avetisov says. "But it's difficult to quantify the impact, as we may never know the full extent of the account fraud and credential re-use that will stem from the Equifax breach for years to come."

Avetisov and other experts say companies must do all the security hygiene basics: such as more patching more effectively, deploying encryption and tokenization, and above all, taking better care of their data.

"Companies have to start treating data as something of value," says Brian Vecci, technical evangelist at Varonis. "Start by turning on the lights and finding what data you have."

In putting together this slideshow, we talked to Avetisov and Vecci; Julie Conroy, research director for Aite Group’s Retail Banking practice; and Peter Firstbrook, a research vice president at Gartner who focuses on security. 

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Previous
1 of 7
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/18/2018 | 3:25:26 PM
Re: Passwords, people. Passwords.
GAO report - breach caused by a misconfigured device that monitored network traffic - and this device let encrypted data through and out.  This misconfig was caused by one ----- ONE FOLKS ----- expired certificate.  There, just one thing.   Incredible.  SANS INSTITUTE NEWSLETTER: 

QUOTE

A report from the US government Accountability Office (GAO) on the Equifax breach found that the company had to look at the attackers' database queries to determine exactly what information had been compromised. (The breach affected more than 165 million people worldwide.) The report found that "while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected." The misconfiguration was due to an expired certificate.
DorisHuntley
50%
50%
DorisHuntley,
User Rank: Apprentice
9/17/2018 | 10:23:18 AM
Re: Passwords, people. Passwords.
Rignt
lunny
100%
0%
lunny,
User Rank: Strategist
9/13/2018 | 12:58:06 PM
Passwords, people. Passwords.
The core problem was that it was easy for the attackers to obtain the credentials to access the databases.  The Struts vulnerability was simply the unlocked bedroom window the theives used to enter the house.  It could have been one of any number of access points.  If the IDs and credentials for the database systems were properly protected, this would have never become news.  There was initial focus on some poor scapegoat IT director who didn't patch in time.  But I'll bet you a dollar on a doughnut that if he had tried, his application owners would have screamed, "We can't patch now!  We have a major product release that day/week/month that can't be delayed!"  These are the same application owners who think it's just fine to still be running their applications on obsolete operating systems, etc.  Until this industry gets credential security management under control, everyone's just whistling past the graveyard worrying about patching a million vulnerabilities.  Almost every breach boils down to easily obtained passwords to key data assets.  It's still too easy for the bad guys.  Heaven help the enterprise where the attacker is an insider.
BradleyRoss
100%
0%
BradleyRoss,
User Rank: Strategist
9/11/2018 | 4:42:22 PM
Admit you have a problem and that it must be fixed
I think the main need is for a change in attitudes.  You have to decentralize the operation, but also have to understand what decentralization means.  You have to assume that one of the major components of the system will be completely compromised.  You have to decide how you can prevent a compromised component from damaging the integrity of the whole system.  Being able to convince upper management that the system is secure is not enough, it actually must be secure.  Upper management can't rely on people telling them the truth, especially if it is felt that telling the truth will get you fired.  If the people under you say that making the system secure will cost money, you have to be willing to spend money.  I had a manager that he didn't like working with experienced people because they kept telling him about things that needed to be fixed.
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.