Keeping Cyber Attacks At Bay: Lessons Learnt From Equifax

Global information solutions company Equifax is making headlines around the world with news of one of the biggest data breaches in history, affecting as many as 143 million people in the U.S., and as yet undisclosed numbers in Canada, UK and Mexico. The incident makes Equifax the latest addition to a growing list of companies that have fallen victim to massive cyber-attacks.

The breach happened between mid-May and July of this year and Equifax has reported that the stolen records included people’s names, Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers.

How did it happen?

Equifax has confirmed that the cyber criminals behind the attack, “exploited a U.S. website application vulnerability to gain access to certain files.”[1] The vulnerability was in Apache Struts – a popular Open Source framework for building enterprise-grade web applications in Java. The bug allowed hackers to remotely execute arbitrary commands to gain access into Equifax’s network and scan their database.

It has also been confirmed that Apache issued a patch for this vulnerability on March 7, 2017, the same day it was announced. And the National Institute of Standards and Technology (NIST), which regularly releases various alerts and patches for vulnerabilities, announced the patch on March 10, 2017.

Today, effective security for any organisation is a factor of both the security infrastructure and the associated operations processes. Attacks such as the ones we have seen recently can be attributed more to the fear of application downtime or the fear of business impact that prevents organisations from getting to the latest patch level in a timely manner. Other probable reasons for delaying updates may be:

• The lack of ability to filter through the noise of security announcements, updates and alerts
• Gaps in contextualising the security alerts in terms of prioritisation linked to critical assets and business processes
• Ineffective SLAs around vulnerability management and remediation
• Weaknesses in breach detection mechanisms

Protecting your enterprise

The clear call to action for enterprises is to equip themselves to detect and defeat external and internal attackers in real-time with these best practices:

1. Establish a robust vulnerability management process driven by organisational strategy. Quickly roll out a security fix release for your software product once supporting frameworks or libraries need to be updated for security reasons. Think in terms of a number of hours or a few days, not weeks or months.
2. Patch operating systems, software, and firmware on devices. Use a centralised patch-management system for medium to high severity security patches. Keep track of security announcements affecting products and versions.
3. Secure your offline backups. Ensure backups are not connected permanently to the computers and networks they are backing up.
4. Audit firewalls and IPS configurations. Block access to known malicious IP addresses & SMB/WMI ports. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
5. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer, such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant, or even all, back-end information resources.
6. Test for and identify emerging network vulnerabilities. Prevent external agents from accessing them.

So, looking ahead from the Equifax incident, the focus in the immediate term should be to effectively manage all security systems for potential vulnerabilities and maintain swift remediation practices. Working with a specialised services partner who can prioritise and deliver security patches and build additional safeguards for protection and detection measures in a risk-sensitive manner is the best way to do this.

However, on an ongoing basis, any enterprise needs to evaluate its security posture regularly, and bolster it through effective managed security or specialised services.

Tata Communications offers Managed Security Services that deliver measurable and effective protection against breaches. Speak with an information security expert about strengthening your defences today.

[1] Equifax Announces Cybersecurity Incident Involving Consumer Information