In light of the recent data breaches at Equifax, I'm composing some thoughts in two posts. This first post details how organizations often miss the mark on securing data because they rely on partial security solutions.
As soon as news of the Equifax breaches hit the wire, people were asking: How did this happen? All public accounts point to a vulnerability in the software package Apache Struts that went unpatched in Equifax's systems for months. (Note that Apache Struts is different from the widely used Apache web server, although that distinction is meaningless for the purposes of this post.)
That sounds pretty damning, but I'm not going to speculate why a software package went unpatched. It should have been patched - and swiftly - but what if the flaw was a so-called 0-day exploit without a patch? Would Equifax still be held liable for such a massive breach? The answer should be a resounding yes!
It is often said that security is a process. This should mean two things: that your evaluation and protection of your networks and systems is constantly evolving, and that multiple layers of protection sit between the wilds of the internet and your sensitive data and system access. To be blunt: assume that every device connected to your network is already compromised, that all software on your systems is vulnerable, and that every packet streaming through your wires has been intercepted and manipulated. At every step, protections need to be added to minimize exposure.
To illustrate this point, one only needs to look to the other interesting security story of the week: the malware embedded within a signed update of the popular anti-malware tool CCleaner, which was distributed to over 2 million machines and was likely positioned to siphon data for the purpose of corporate espionage. Trust in a signed update from a security vendor is not enough.
Patching flaws is not enough. To properly defend systems and the data within, a holistic approach to cyber security must be taken.
I am not privy to the internal details of the Equifax hack, but a vulnerability in Apache Struts is not to blame. What is to blame is:
Your software is compromised. Your systems are compromised. Your network is compromised. How are you going to secure your data?
Posted: Sep 21, 2017
Keyword tags: security, hacking, infosec