3 Years Later: The Equifax Breach

On September 7, 2017, Equifax issued a breach notification. What was breached? Personal records for a staggering 145 million Americans, including Social Security Numbers, birth dates, addresses, and more. Before the end of the month, Equifax’s CEO, CIO and CSO had all left the company. Eventually, the company would pay a $575 million fine to the Federal Trade Commission, $38 million to settle lawsuits filed by Massachusetts and Indiana, and $1.38 billion to settle a class-action lawsuit. That nearly $2 billion in fines and settlements doesn’t even count damage to their brand reputation, lost business, and other internal costs related to the breach.

Just a few months after the breach, Jamil Farshchi took the unfilled CISO position at Equifax, and has spent the last 3 years shoring up the company’s cybersecurity posture. So, what has changed in the last 3 years? In a recent interview, Farshchi pointed to 3 key areas:

  • Improving systems monitoring
  • Enhancing the security team’s communication with the C-suite
  • Changing corporate culture by getting employees to recognize the importance of cybersecurity

In order to understand the drivers behind these 3 initiatives, it’s important to understand how the breach occurred. Earlier in 2017, Equifax was notified of the Apache Struts vulnerability, which allowed attackers to remotely execute code on a target system. Unfortunately, despite a tight 48 hour internal SLA for patching such critical vulnerabilities, the Equifax team was unable to find all of the vulnerable systems. Confounding the issue was the fact that Equifax had let a digital certificate for a vulnerability scanning tool expire nearly a year earlier. The result? The team had no ability to decrypt traffic to look for malicious behavior.

In short, the $2 billion mega breach was caused by breakdowns in basic information security processes that could have been avoided.

Improving Systems Monitoring

According to Farshchi, Equifax has “instituted this concept of assurance so we can consistently and continuously in real-time monitor not only the coverage but the effectiveness of every single one of our controls and cloud space. And so if someone does configure a firewall or whatever, we really see it – we can even proactively prevent them from being able to do that.

Systems monitoring is a priority because the data breach stemmed from Equifax’s security team failing to patch a vulnerability in Apache Struts even after it had been warned and conducted a search. This allowed threat actors to have access to the company’s network for several months.

Farshchi is talking about continuous, risk-based vulnerability management. The Equifax team had been warned about the Struts vulnerability, but failed to patch all instances. Today’s enterprise must leverage comprehensive, continuous IT asset inventory in order to identify and categorize all assets. Paired with features like natural language search, it should take seconds to identify all vulnerable assets whenever a new critical CVE pops up. And a modern approach to vulnerability management must extend beyond misconfigurations and unpatched software. There are hundreds of attack vectors that adversaries can use to improperly access your network, and you need to be aware of all of them.

Facilitating Better Communication

On facilitating better communication, Farshchi says that, “we’ve established a framework to be able to more effectively communicate technical security risks in a businesslike fashion, tying into things like attack vectors.”

Many CISOs have struggled to effectively communicate cybersecurity progress and priorities to non-technical stakeholders like the rest of the executive team and the board of directors. The issue lies primarily in communicating in technical terms rather than business terms. Skillful CISOs must learn to translate their technical communications to “language of business,” so that others understand and are better positioned to support cybersecurity initiatives and programs.

Changing the Culture

According to Farshchi, “we’ve applied educational best practices so that they get immediate feedback in terms of what they did right and what they did wrong. We put a positive spin on it; we try not to be negative and the downer all the time. The scorecard supplies immediate feedback on what a staff member should do and how they can do better.

It’s hard to get everyone on board with cybersecurity initiatives, and education needs to be an ongoing process. Being able to understand and report on the cyber hygiene habits of all employees also helps identify the most risky users that can be targeted for additional communications and training. Through such a process, the infosec team can prioritize user training just like they would prioritize unpatched software vulnerabilities or other security issues.

Balbix Can Help

Every organization can learn from the breach that unfortunately occurred at Equifax. If any of the three issues above sound like they might apply to your organization, Balbix can help. Each of these items can be automated on a continuous basis with the Balbix platform, saving valuable time and money, and reducing breach risk by 95% or more.