Admin/Admin and Other Signs You’re Headed for an “Equifiasco”

Webinar Registration

The Equifax breach occurred just over a month ago, yet the fallout in terms of what new regulations and fines will result from the largest PII breach to date will likely be months, if not a year, down the road. But that doesn’t mean your organization has to wait; here are some dependable indicators your organization could be headed for an Equifiasco. Cue up the Keystone Cops music.

  1. When hacked, you wait 6 weeks before going public.
  2. After going public, you set up a completely new domain to communicate with your customers that sounds exactly like a phishing domain or at least one that celebrates your epic fail as though it’s the first in a yearly series.
  3. Your communications team intern apparently can’t remember the domain of said site exactly, so he goes where any millennial turns to answer questions, and Google graciously provides a similarly worded phishing domain, which he then proceeds to link to from the company’s main website and Twitter feed, sending more than 200,000 hits to the phishing site.
  4. The website you set up on this questionable domain returns seemingly random answers of “yes you were/no you weren’t” breached to real and imaginary identity information.
  5. Systems are secured with the imaginative user name/password combination of admin/admin because “No sophisticated attacker would ever try that.”
  6. Someone implements a brilliant scheme for helping users remember their password: make it the same as their user name.
  7. Someone implements a brilliant scheme for helping users remember their user name: make it their last name.
  8. Your HR department goes to University of Georgia’s Music program to recruit senior executive information security talent.
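The three credential patterns in items 5 through 7 (a default admin/admin login, a password equal to the user name, a user name equal to the last name) are easy to audit for in your own account store before an attacker does it for you. The Python below is an added example, not code from this page or from any vendor's product: the account records, the salted SHA-256 scheme used to store them, and every name and password in them are constructed for illustration.

```python
import hashlib
import hmac

def hash_pw(salt: str, password: str) -> str:
    """Constructed hashing scheme for the sample store: sha256(salt || password).
    Illustrative only; a real store should use a slow, memory-hard hash."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

# Constructed sample account store. Field names and values are made up.
SAMPLE_ACCOUNTS = [
    {"username": "admin",  "last_name": "Root",  "salt": "s1", "hash": hash_pw("s1", "admin")},
    {"username": "jsmith", "last_name": "Smith", "salt": "s2", "hash": hash_pw("s2", "jsmith")},
    {"username": "smith",  "last_name": "Smith", "salt": "s3", "hash": hash_pw("s3", "k9#Vw2!qL7pZ")},
    {"username": "mlee",   "last_name": "Lee",   "salt": "s4", "hash": hash_pw("s4", "correct horse battery staple")},
]

def weak_candidates(acct: dict) -> dict:
    """Map each candidate password derived from the account's own attributes
    to the finding it would represent (items 5, 6 and 7 on the list)."""
    user, last = acct["username"], acct["last_name"]
    cands = {}
    for v in (user, user.lower(), user.capitalize()):
        cands[v] = "password equals user name"
    for v in (last, last.lower(), last.capitalize()):
        cands[v] = "password equals last name"
    if user.lower() == "admin":
        cands["admin"] = "default admin/admin"   # set last so it wins over the generic label
    return cands

def audit_accounts(accounts: list) -> list:
    """Return (username, reason) findings for every account matching a weak pattern."""
    findings = []
    for acct in accounts:
        if acct["username"].lower() == acct["last_name"].lower():
            findings.append((acct["username"], "user name is the last name"))
        for candidate, reason in weak_candidates(acct).items():
            # Constant-time compare so the audit itself is not a timing oracle.
            if hmac.compare_digest(acct["hash"], hash_pw(acct["salt"], candidate)):
                findings.append((acct["username"], reason))
                break
    return findings

if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}: {reason}")
```

The candidate set is built only from attributes the account itself exposes, so the audit scales to a whole directory without a wordlist; the third sample account shows that a user name equal to the last name is reported even when the password is fine, because the user name alone is the leak.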

And while we’re at it, you know that here at UWS we really like indicators of compromise. IOCs are normally very arcane and technical, but here’s a great compound indicator that a breach may already be in progress: executives start selling their stock, and your CSO’s LinkedIn profile and every other reference to them on the Internet, including YouTube videos, interviews, etc., suddenly disappear.

Well, that, along with some artistic license, was fun (and mostly deserved) but it’s the other mistakes Equifax made that allowed this to happen in the first place and those mistakes are sadly all too common.

First of all, patching. Although some researchers are challenging this, it’s being reported that the hack is being blamed on an unpatched vulnerability. If that’s true, the sequence would be something like this: a vulnerability was discovered; a patch was released; Equifax made an effort to install the patch; they missed at least one system. If we’re honest, that’s pretty believable: there are lots of systems and lots of patches. But hopefully closed-loop patch management and vulnerability scanning would find patch failures. And those compensating controls aren’t instantaneous either.
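Closed-loop patch management means reconciling what the patch tool claims against what an independent vulnerability scan still sees, so that a system the rollout never targeted, a deployment that failed, or an agent that reports success while the scanner disagrees all surface as gaps instead of staying invisible until someone walks through them. The Python below is an added example, not code from this page or from any patching or scanning product: the host names, the deployment report and the scan results are constructed, and the advisory identifier is a placeholder because the page names no specific CVE.

```python
from dataclasses import dataclass

# Placeholder advisory identifier; not a real CVE or vendor bulletin.
ADVISORY = "ADVISORY-PLACEHOLDER"

# Constructed inputs for one advisory.
IN_SCOPE = {"web01", "web02", "web03", "legacy-web"}   # asset inventory: hosts running the affected component
DEPLOY_REPORT = {"web01": "installed", "web02": "installed", "web03": "failed"}  # patch tool output
SCAN_VULNERABLE = {"web02", "web03", "legacy-web", "shadow01"}  # hosts the scanner still flags for ADVISORY

@dataclass(frozen=True)
class Gap:
    host: str
    reason: str

def close_the_loop(in_scope: set, deploy_report: dict, scan_vulnerable: set) -> list:
    """Reconcile inventory, deployment report and scan; return every host where the loop is open."""
    gaps = []
    for host in sorted(in_scope):
        status = deploy_report.get(host)
        if status is None:
            gaps.append(Gap(host, "in inventory but never targeted by the deployment"))
        elif status != "installed":
            gaps.append(Gap(host, f"deployment reported '{status}'"))
        elif host in scan_vulnerable:
            # Tool says installed, scanner disagrees: pending reboot, wrong package, or a lying agent.
            gaps.append(Gap(host, "reported installed but scanner still flags it vulnerable"))
    # The scanner is the only source that can reveal hosts the inventory never knew about.
    for host in sorted(scan_vulnerable - in_scope):
        gaps.append(Gap(host, "vulnerable but absent from the asset inventory"))
    return gaps

def loop_closed(in_scope: set, deploy_report: dict, scan_vulnerable: set) -> bool:
    """True only when no host falls into any of the gap categories."""
    return not close_the_loop(in_scope, deploy_report, scan_vulnerable)

if __name__ == "__main__":
    for gap in close_the_loop(IN_SCOPE, DEPLOY_REPORT, SCAN_VULNERABLE):
        print(f"{ADVISORY} {gap.host}: {gap.reason}")
```

The point of the three-way comparison is that no single source is trusted: the deployment tool can only report on hosts it was pointed at, and the inventory can only list hosts someone registered, so the scan result is what closes the loop on both.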

All it takes is one. Well, all it takes is one unpatched system to give an attacker an opening, but it should take more than that for them to steal your crown jewels.

In a Wired article, Alex McGeorge points out that “Security best practices dictate that” the web server account “have as little privilege as possible on the server itself, since security vulnerabilities in web applications and web servers are so commonly exploited.” But the article also says “hackers could have found credentials or other information in plaintext right away if Equifax didn't have proper protections in place.”

It’s reasonable to suppose that Equifax wasn’t following this and other best practices, given the admin/admin combo discovered on one system and so many other indicators coming out.

Even if you are a company where you and management understand today’s risks and are committed to securely managing privileged accounts, it’s still not easy.

In this webinar, we’ll look at what we know about the Equifax incident – more information is coming out all the time – and discuss how you can slow down attackers, harassing them every step of the way, so that one missing patch on one Internet-facing system doesn’t expose your most internal secrets.

It takes more than patching. It takes network segmentation. It takes monitoring. And it takes privileged account management. If you are trying to manually locate every privileged account and keep it secure, the odds are stacked against you.

Please join me for this Real Training for Free event.
