As part of our 5-part series about Incident Response Planning (IRP), this article dives deeper…
Hackers Exploited a Known Vulnerability to Steal Social Security Numbers
Consumer credit reporting agency Equifax Inc. disclosed a large breach of consumer personally identifiable information (PII) on September 7, alerting the public that attackers had stolen the names, Social Security numbers, birth dates, addresses and driver’s license numbers of 143 million consumers. In addition, the attackers compromised 209,000 credit card numbers that Equifax stored for subscribers of its credit monitoring service. The details reported since have created a new case study in information security and incident response failures.
Equifax is Likely the Largest and Most Preventable Breach on Record https://t.co/xHsYsD1tq8
— Hitachi Sys Security (@HitachiSysSec) October 4, 2017
The Target: Credit Information
As a consumer credit reporting agency, Equifax provides credit information to businesses and sells products and services to consumers. Retailers, insurance firms, banks and many other businesses rely on Equifax credit reports when underwriting loans and issuing credit cards. As a credit bureau, Equifax aggregates data from banks, credit card issuers, auto finance companies and many other sources to build profiles on millions of people worldwide. That repository is a rich target: Social Security numbers and other PII are a hot commodity for criminals committing identity theft and fraud.
Equifax also sells credit monitoring and identity theft protection services directly to consumers, which is why credit card numbers were stored on Equifax systems at all.
A History of Security Risk – Equifax was Hacked Earlier in 2017
The breach disclosed in September 2017 was not the first time Equifax had been compromised that year. In May 2017, Equifax disclosed that attackers had targeted its TALX payroll division, which provides online tax, HR and payroll services. The attackers reset account PINs by successfully answering the knowledge-based security questions (in effect, guessing them) and then used the accounts to pull employee tax and payroll data belonging to TALX customers, including Northrop Grumman and the University of Louisville. That incident should have served as a warning of what was at stake for a company holding sensitive data on millions of consumers. Instead, the far larger intrusion began in mid-May of the same year.
Unpatched Apache Vulnerability Targeted in Equifax Hack
Equifax has confirmed that the attackers exploited CVE-2017-5638, a vulnerability in Apache Struts, the open-source framework used to build many Java web applications (Apache advisory S2-045). The flaw lies in the Jakarta Multipart parser: when a request’s Content-Type header claims to be multipart/form-data but cannot be parsed, Struts builds an error message that embeds the raw header value and passes it through its localized-text lookup, which evaluates embedded OGNL expressions. An attacker who places an OGNL expression in the header therefore gets arbitrary Java, and with it arbitrary operating-system commands, executed on the server; no authentication is required. The vulnerability carries a CVSS v3 base score of 10.0, Critical, the highest possible rating. Apache disclosed it on March 6, 2017, with fixed releases (Struts 2.3.32 and 2.5.10.1) available within a day; US-CERT issued an alert on March 8, and public exploit code and in-the-wild scanning appeared within days. Equifax reported that the unauthorized access ran from mid-May through July, meaning the critical vulnerability sat unpatched on its public-facing website for more than two months after the fix was available. Patching known vulnerabilities, above all those allowing unauthenticated remote code execution on a public website, is a basic IT and security practice and is essential for any organization holding sensitive data.
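To make the mechanism concrete, here is an added example (not Equifax’s or the Apache Struts project’s code) that applies the S2-045 trigger condition, together with the markers found in public probes, to constructed web access log lines. The log format, the sample requests, and the function names are assumptions made for this example.

```python
"""Detect CVE-2017-5638 (Struts S2-045) attempts in web server access logs.

Added example; not code from Equifax or the Apache Struts project.

Struts only routes a request to its Jakarta Multipart parser when the
Content-Type header *contains* "multipart/form-data". If that header is not a
well-formed multipart media type, the parser's error message embeds the raw
header and is passed through localized-text lookup, which evaluates OGNL
expressions. So a header like "%{(#_='multipart/form-data')...}" runs on the
server. The checks below encode that trigger condition plus payload markers.

Assumption (constructed): the server logs the Content-Type request header as
the final quoted field, e.g. Apache LogFormat '%h %t "%r" %>s "%{Content-Type}i"'.
"""
import re
from dataclasses import dataclass, field

# ;name=value parameters that may follow a media type (boundary=..., charset=...)
_PARAMS = r'(?:\s*;\s*[A-Za-z0-9_.-]+=(?:"[^"]*"|[^;\s"]+))*\s*'
VALID_MULTIPART = re.compile(r"^multipart/form-data" + _PARAMS + r"$", re.IGNORECASE)
VALID_MEDIA_TYPE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+" + _PARAMS + r"$")

# Substrings found in public S2-045 probes and never in a legitimate header.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.OgnlContext",
                "java.lang.ProcessBuilder", "java.lang.Runtime", "#context[")

LOG_LINE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) "(.*)"$')


@dataclass
class Finding:
    client: str
    request: str
    content_type: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_content_type(value: str) -> list:
    """Return the reasons a Content-Type header looks like an S2-045 attempt."""
    v = value.strip()
    if not v:
        return []
    reasons = []
    markers = [m for m in OGNL_MARKERS if m in v]
    if markers:
        reasons.append("ognl markers: " + ", ".join(markers))
    if "multipart/form-data" in v.lower() and not VALID_MULTIPART.match(v):
        # Exactly the condition that reaches the vulnerable error path.
        reasons.append("contains multipart/form-data but is not a valid multipart header")
    elif not VALID_MEDIA_TYPE.match(v):
        reasons.append("not a well-formed media type")
    return reasons


def scan_log(lines) -> list:
    """Parse access-log lines and return one Finding per parsed request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # in production, count unparseable lines and alert on them too
        client, _ts, request, _status, ctype = m.groups()
        findings.append(Finding(client, request, ctype, inspect_content_type(ctype)))
    return findings


# Constructed sample log; the third line is an abbreviated, non-functional
# fragment in the shape of public S2-045 probes, not a working payload.
SAMPLE_LOG = [
    '203.0.113.7 [15/May/2017:10:00:01 +0000] "POST /upload.action HTTP/1.1" 200 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '198.51.100.23 [15/May/2017:10:00:02 +0000] "POST /login.action HTTP/1.1" 302 '
    '"application/x-www-form-urlencoded"',
    '192.0.2.44 [15/May/2017:10:00:03 +0000] "GET /index.action HTTP/1.1" 200 '
    '"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)'
    '.(#cmd=\'id\').(#p=new java.lang.ProcessBuilder({\'/bin/sh\',\'-c\',#cmd}))}"',
    '192.0.2.45 [15/May/2017:10:00:04 +0000] "POST /upload.action HTTP/1.1" 500 '
    '"multipart/form-data boundary"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ALERT" if f.suspicious else "ok   "
        print(f"{flag} {f.client:15} {f.request:30} {'; '.join(f.reasons)}")
```

The fourth sample line carries no OGNL at all, yet it is still flagged: a header that mentions multipart/form-data but does not parse is precisely what reaches the vulnerable code path, so it is worth alerting on even when it is only a malformed client. Run the same check at the edge (reverse proxy or WAF) to block such requests before they reach an unpatched Struts instance.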
Patching Best Practices
Organizations have consistently struggled to implement patching best practices. The window between public disclosure of a vulnerability and a working exploit has shrunk to days, and sometimes hours, making rapid patching of critical systems more important than ever. Yet businesses still expect 100% availability of critical systems, which makes fast testing and deployment of patches a challenge. Many organizations have no automated patching solution and rely on a manual process that is slow and prone to human error. A recent NopSec study, reported in SC Magazine, found that financial sector businesses took up to 176 days to patch security flaws.
The impact of slow patching can be severe. Microsoft released the MS17-010 patch for the SMBv1 vulnerability exploited by EternalBlue (CVE-2017-0144) on March 14, 2017; the flaw carries a CVSS v3 score of 8.1, High, and affected a large share of Windows servers and workstations. The EternalBlue exploit itself was leaked publicly in April. When the WannaCry ransomware struck on May 12, almost two months after the patch, many organizations had still not applied it, and hundreds of thousands of systems were encrypted. This pattern will continue: attackers target recently disclosed vulnerabilities and compromise the organizations that have not applied the patch in time.
Depending on risk, leading IT security professionals recommend a window of between one week and one month to patch high and critical vulnerabilities such as the Apache Struts flaw at Equifax. Patching best practices recommend regularly comparing newly reported vulnerabilities against an inventory of the organization’s environment to determine exposure, and then patching in order of risk. A payment processing system on an e-commerce website, for example, would be patched immediately, while an internal employee messaging application not reachable from the internet might tolerate a longer window. Organizations that fail to patch effectively, especially for severe, internet-exposed flaws like the Struts vulnerability at Equifax, accept a risk of compromise that an efficient patching program would have avoided.
Slow Response Causes Public Outcry
Many in the media have criticized Equifax’s poor response to the incident. After first discovering the breach on July 29, the company waited until September 7 to alert the public. Data breach laws such as the Georgia Personal Identity Protection Act (Georgia is the state where Equifax is headquartered) require businesses that suffer a breach to notify affected individuals without unreasonable delay, by mail, telephone or electronic means.
Post Breach – Equifax Stock Sales Under Investigation
Not only did Equifax wait over five weeks to notify the public; on August 1 and 2, just days after the breach was discovered, three senior Equifax executives sold almost $2 million of Equifax stock. Chief Financial Officer John Gamble, President of U.S. Information Solutions Joseph Loughran and President of Workforce Solutions Rodolfo Ploder sold about $1.8 million worth of shares and maintain that they were unaware of the incident at the time. The U.S. Attorney’s Office in Atlanta, the FBI and the SEC are now conducting a criminal investigation into the three executives for possible insider trading, and Richard Smith, who has since stepped down as CEO, is preparing to testify before Congress. Poor security practices that failed to protect sensitive data, combined with the slow notification of the public and authorities, have placed Equifax in the crosshairs of widespread public and media criticism.
Equifax Phishing Website
Equifax’s poor handling of the incident continued after September 7. The company set up a separate website, equifaxsecurity2017.com, where consumers could check whether they were affected and enroll in a free year of credit monitoring. Security researchers quickly found that the checker returned seemingly random results, even for the same input; some found that gibberish names and numbers produced identical answers. The site was criticized not only for poor performance but for being built insecurely: a stand-alone domain with no visible tie to equifax.com is trivially easy to impersonate. Software engineer Nick Sweeting demonstrated this by standing up a copy at securityequifax2017[dot]com, a transposition of the real name. Equifax’s official Twitter account then tweeted a link to his site instead of its own, and it received over 200,000 visits. The mistake, again, was poor security practice: the safer approach would have been to host the checker on a subdomain of equifax.com, a name under the company’s own control that phishers and other criminals cannot register, giving consumers one simple rule to follow: trust only links under equifax.com.
As a result of these failures, Chief Security Officer Susan Mauldin and Chief Information Officer David Webb both retired on September 15. Mauldin became a target of media scrutiny for a perceived lack of information security expertise, given an academic background in music composition; many others defended her, pointing out that cybersecurity degrees did not exist until recently and that many experts in the field come from non-technical backgrounds and succeed on problem solving and analytical skills. The attack remains a top news story weeks later, with government agencies, members of Congress, the media and the public questioning Equifax’s handling of both the breach itself and the response to the loss of PII.
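Why a subdomain is the safer choice, as an added example (not Equifax’s or Nick Sweeting’s code): the check below decides whether a link sits under a registrable domain the organization owns and, if not, names the look-alike tricks it recognizes. The owned-domain set, the brand string and the sample URLs are assumptions for this example; the handful of two-label public suffixes is hard-coded where a real deployment would use the Public Suffix List.

```python
"""Is a link on a domain the organization actually controls, or a look-alike?

Added example; not code from Equifax or from Nick Sweeting. Everything below
a registrable domain you own (security.equifax.com) is yours; a sibling
registration (securityequifax2017.com) is not, however similar it looks. The
owned set, brand and sample URLs are constructed; the two-label public
suffixes are a stand-in for the Public Suffix List.
"""
from urllib.parse import urlsplit

MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.za"}


def host_of(url: str) -> str:
    if "://" not in url:
        url = "https://" + url  # bare hosts as they appear in tweets and emails
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The part a registrant controls: 'security.equifax.com' -> 'equifax.com'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character swaps such as equ1fax or eqiufax."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_owned(url: str, owned: set) -> bool:
    """True only if the registrable domain is one the organization controls."""
    return registrable_domain(host_of(url)) in {o.lower() for o in owned}


def classify(url: str, brand: str, owned: set) -> list:
    """[] if the link is under an owned registrable domain; otherwise the tricks seen."""
    host = host_of(url)
    reg = registrable_domain(host)
    owned = {o.lower() for o in owned}
    if reg in owned:
        return []
    label = reg.split(".", 1)[0]  # 'securityequifax2017.com' -> 'securityequifax2017'
    reasons = []
    if any(host.startswith(o + ".") for o in owned):
        reasons.append("owned domain used as a subdomain of " + reg)
    if brand in label:
        reasons.append("brand embedded in unowned domain " + reg)
    elif levenshtein(label, brand) <= 2:
        reasons.append("typosquat within edit distance 2 of " + brand)
    if any(ch.isdigit() for ch in label):
        reasons.append("digits in domain label (year or campaign lure)")
    return reasons or ["unrelated domain " + reg]


if __name__ == "__main__":
    owned = {"equifax.com", "equifax.co.uk"}  # constructed
    for link in ("https://security.equifax.com/start", "securityequifax2017.com",
                 "https://equ1fax.com/login", "https://equifax.com.example.net/verify"):
        print(f"{link:45} owned={is_owned(link, owned)!s:5} {classify(link, 'equifax', owned)}")
```

The first sample URL passes because its registrable domain is owned, whatever prefix sits in front of it; the last one fails even though it begins with "equifax.com", because that string is only a subdomain of example.net. That asymmetry is the whole argument for hosting a breach-response site under the main domain rather than on a fresh registration.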
Impact of Equifax Attack
Unidentified attackers compromised the personal information, including Social Security numbers, of 143 million U.S. consumers, along with a smaller number of Canadian and other international individuals. The stolen PII lets the attackers commit identity theft at scale, ironically the very thing credit monitoring services such as Equifax’s are meant to prevent. Although the long-term impact is yet to be determined, the attack ranks among the worst breaches to date. Earlier breaches exposed more payment cards (Target lost 40 million card numbers in 2013), but a victim can easily cancel a card and get a new one. Social Security numbers and the other personal data lost by Equifax cannot be replaced, and can be used for years to wreck a victim’s credit through identity theft and fraud: opening lines of credit, obtaining medical care, filing fraudulent tax refunds, and stealing unemployment or Social Security benefits.
Consumers have several options to limit identity theft. A credit freeze at each bureau (Equifax, Experian and TransUnion) is widely recommended, because it blocks new credit activity tied to the victim’s Social Security number. After freezing their credit by phone or online, individuals receive a PIN that must be supplied to lift the freeze before another credit check can be performed. The process has already drawn criticism, both for the fees the bureaus charge and for the weak security around the PINs.
Senator Elizabeth Warren introduced a bill last week that would require the credit bureaus to freeze and unfreeze credit for free; the process currently costs between $2 and $10 per bureau. As for security, a New York Times article found that the PINs are easy to obtain: Equifax will generate a replacement PIN for anyone who supplies a name, address, date of birth and Social Security number (all compromised in the breach) together with an email address at which to receive it. The process relies on four knowledge-based authentication questions that researchers answered easily using publicly available information from web searches.
Key Practices and Points to Avoid Catastrophic Loss
- An application assessment should have been completed to identify how Equifax’s web applications could have been exploited to gain access to customer data.
- Routine annual or semi-annual comprehensive penetration tests of Equifax’s external systems would have identified the exploitability of unpatched external systems and highlighted the importance of patching external facing systems.
- Information security should have had Board-level visibility and been assigned to a Board committee, so that the information security strategy (covering vulnerability assessment, threat monitoring, patch management and the information security policy as a whole) was aligned with business strategy and based on risk.
- All Security leaders and stakeholders should have been visible with a clear role and associated responsibilities. There should have been no delays or confusion during crisis management.
- Security incident response activities should include defining and staffing clear roles and responsibilities for communications, both within and outside the organization.
- Sites for customers to check information (using subdomains of the organization’s main website) should be set up in advance as part of the organization’s incident response preparations, so as to be quickly available if and when a breach occurs.
- The effectiveness of the information security policy should have been assured through review and approval. Security incident response and handling should feed into crisis management and business continuity, and vulnerability assessment and threat monitoring for information classified as critical or sensitive should be covered by a topic-specific security policy.
- Patching systems may mean taking them offline, potentially impacting customers or the organization’s business operations. The impact of not applying a patch versus system availability and other considerations should be regularly assessed.
- Risk management and risk assessments should have been conducted according to the perceived risk to the data, with the relevant scenarios (for example, an unpatched internet-facing system being compromised) identified and understood.
- Regular risk assessments would have shown the magnitude of the risk the organization was exposed to, particularly from unpatched systems handling sensitive consumer information.
- Control assessments should have been performed to assess the effectiveness of operational security controls and specifically those related to patching and updating Internet facing systems.
- Best security practices dictate that the set of security controls for protecting an IT environment is most complete when it is based on industry recognized frameworks such as ISO 27001, NIST 800-53, PCI DSS, CIS Critical Security Controls, and other recognized and accepted frameworks and assessments.
Equifax is the latest in a line of large breaches of sensitive consumer information. The millions of Social Security numbers compromised elevate the attack to a new level of cost and damage; millions of Americans will need to monitor for identity theft for years to come. Equifax’s response, with its slow notification and bungled website, has made it the target of criticism from consumers, the media, security researchers and Congress. The cause of the breach, a known vulnerability left unpatched, illustrates the importance of basic security practices in preventing breaches, and of regular vulnerability management and threat monitoring to find critical vulnerabilities on sensitive systems before attackers do.