Lessons to learn from the Equifax breach


Last week, we discussed the famous Equifax data breach, which exposed the personal data of almost 150 million Americans. This week, we’re going to take a look at what we can learn from it.

Patching problems

One of the major causes of the Equifax breach was an unpatched vulnerability in Apache Struts. A patch had been made available, and Equifax was even notified, but the patch was never applied. A key part of the problem was that Equifax sent the notification to many of its security employees using an outdated mailing list. The individuals responsible for patching the software were never informed.

This failure gives us a pretty clear takeaway—we must have appropriate communication systems in place. If we direct an admin to install a patch for us, then we need to ensure that they are actually receiving the command. Considering the importance of patching critical systems in a timely manner, there also need to be checks and balances in place to ensure that these patches have actually been applied.

This brings us to the second failure: Equifax scanned its systems but didn’t identify the unpatched servers. We aren’t exactly sure what went wrong in this instance, but the scan was clearly ineffective, since unpatched servers remained. If we want to avoid Equifax’s fate, we need to ensure that we are scanning all of our systems and that our scanning tools are up to date with the latest vulnerabilities. If they are outdated, attackers have a window of opportunity between the discovery of a vulnerability and the moment we finally get around to patching it.

Expired certificates

During the breach, the attackers were able to avoid detection while communicating with compromised servers and stealing data. This is because the company’s network traffic inspection tool had a certificate that expired 10 months earlier. Because of this, it wasn’t able to inspect the encrypted traffic, which allowed the attackers to move sensitive data around undetected.

The lesson here is to always renew your certificates. A big company like Equifax will have a lot of certificates that are hard to keep track of. Companies should maintain a centralized certificate inventory to help them keep up to date with their certificates.

Network segmentation

In total, the attackers were able to access 51 Equifax databases. The United States Government Accountability Office found that Equifax’s systems were insufficiently segmented from one another, which meant the attackers could move between databases with relative ease. These days, it’s recommended to adopt a zero-trust approach in which networks are divided into many microsegments, each with its own authentication controls at its boundary. This can prevent, or dramatically slow down, attackers as they attempt to move laterally through the network.

Plaintext usernames and passwords

While the attackers were searching through Equifax’s network, they stumbled across a database containing unencrypted usernames and passwords. Obviously, passwords should never be stored in plaintext. Instead, we should store only password hashes that have been appropriately salted, computed with a dedicated password-hashing algorithm such as Argon2, bcrypt, or PBKDF2.


Cybersecurity and privacy writer.
