By Joe Alecci, IT Senior Manager
At this point, we have all heard about the Equifax breach that affected approximately 143 million U.S. consumers along with certain citizens in the UK and Canada. Equifax did not initially provide much detail regarding the cause of the breach in its official announcement released on September 7. What is known is that the breach occurred from mid-May through the end of July, and Equifax has now confirmed that the breach was linked to a U.S. website application vulnerability (Apache Struts CVE-2017-5638) that was used to gain access to consumer information such as Social Security Numbers, credit card numbers, birth dates, and addresses.
Although there is and will be plenty of blame to go around, right now, from an organizational standpoint, two important questions should be raised: "Could this happen to us?" and "How do we prevent this?" Chief Information Security Officers (CISOs) should treat situations like this as a learning opportunity and a chance to review their current controls and cybersecurity posture. There are a couple of things that an organization can glean from this situation.
First, a company like Equifax with a $17 billion market cap (as of September 11, 2017) probably has a significant cybersecurity budget and resources, given that its business is all about Personally Identifiable Information (PII). The question becomes: were those resources allocated properly? For smaller organizations with a limited budget, proper allocation is even more important and should be based upon the organization's Data Classification and Risk Assessment. The goal of these documents is to ensure you are directing whatever limited resources you have towards the most critical areas of risk facing your organization.
Second, it is important for organizations to adopt the mindset that they are "always" under attack, and to think in terms of prevention first and recovery second. This mindset enables your organization to take a proactive approach, which includes having a full understanding of your own networks and what "normal" activity looks like. Attackers are constantly performing information gathering on their targets and often end up knowing more about a target's network than the target itself. Adopting this mindset helps with spotting potential abnormalities, and could help prevent or stem the damage from an attack.
As noted above, cyberattack prevention is key to a quality cybersecurity program. However, in the event of a breach, detection and response can be equally important in protecting both your non-public information and your brand. Judging from the outside by the time that elapsed between detection and notification of customers, Equifax's Incident Response Plan may need to be updated as well.
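As an illustration of the "know what normal looks like" and detection points above, the following added example (not code from the original article or from P&G Associates) scans constructed reverse-proxy log lines for the kind of abnormal request that the Apache Struts CVE-2017-5638 vulnerability involves: a Content-Type header that carries an OGNL expression instead of a media type. The log format, field names, IP addresses and header values are all constructed assumptions for this example; the OGNL markers (`%{`, `${`, `(#`) are the publicly documented shape of such expressions, and a second, structural check flags any Content-Type that does not even look like a media type, which catches variants a simple marker match might miss.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not from any real system) in a simple key=value
# format such as a reverse proxy or WAF might emit, one line per request.
SAMPLE_LOG = """\
ts=2017-05-13T04:12:01Z src=203.0.113.7 method=POST path=/login.action content_type="application/x-www-form-urlencoded" status=200
ts=2017-05-13T04:12:09Z src=203.0.113.7 method=POST path=/upload.action content_type="multipart/form-data; boundary=----WebKitFormBoundaryabc123" status=200
ts=2017-05-13T04:13:40Z src=198.51.100.23 method=POST path=/upload.action content_type="%{(#constructed_ognl_expression).(#placeholder)}" status=500
ts=2017-05-13T04:13:41Z src=198.51.100.23 method=GET path=/index.action content_type="${(#another_constructed_expression)}" status=500
ts=2017-05-13T04:14:02Z src=192.0.2.50 method=GET path=/static/app.css content_type="-" status=200
"""

# key=value pairs; quoted values may contain spaces and semicolons.
KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Substrings that begin an OGNL expression; a legitimate media type never
# contains them, so a single hit is a strong signal.
OGNL_MARKERS = re.compile(r"%\{|\$\{|\(#")

# Structural shape of a media type per RFC 7231: token "/" token, optional
# ";" parameters.  Anything else in Content-Type is abnormal regardless of
# which markers it happens to use.
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_PAIR.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify_content_type(value: str) -> Optional[str]:
    """Return a reason string if the Content-Type value is abnormal, else None."""
    if value in ("", "-"):          # header absent: nothing to judge
        return None
    if OGNL_MARKERS.search(value):
        return "ognl-marker"
    if not MEDIA_TYPE.match(value):
        return "malformed-media-type"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run the Content-Type checks over every line and collect alerts."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        reason = classify_content_type(fields.get("content_type", "-"))
        if reason:
            alerts.append({
                "ts": fields.get("ts", "?"),
                "src": fields.get("src", "?"),
                "path": fields.get("path", "?"),
                "reason": reason,
            })
    return alerts


def repeat_offenders(alerts: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Sources with at least `threshold` alerts: the abnormality worth escalating."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f'{alert["ts"]} {alert["src"]} {alert["path"]} -> {alert["reason"]}')
    print("repeat offenders:", repeat_offenders(found))
```

In the sample, the two ordinary requests and the static asset pass, while the two requests from the same constructed source are flagged and that source is surfaced as a repeat offender. The structural check matters more than the marker list: a baseline of "Content-Type is always a media type" does not need updating each time an exploit variant changes its prefix, which is exactly the advantage of knowing what normal looks like before an incident rather than during one.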
Joseph Alecci, CISA, CISM, CISSP, CRISC
Senior Manager – IT Audit & Information Security
Joseph Alecci leads the IT/Cybersecurity Audit & Risk Management Group at P&G Associates. He has over 20 years of experience in information systems and auditing management and is a member of the ISACA N.J. Chapter Board of Directors.