The latest report from the U.S. Government Accountability Office (GAO) claims it took Equifax 76 days to detect the massive 2017 data breach, despite hackers having made over 9,000 unauthorized queries on its databases.
In May 2017, malicious actors exploited a known vulnerability in the Apache Struts web application framework (CVE-2017-5638), a fix for which had been published in March 2017, to gain unauthorized access to Equifax systems. The attackers made off with personally identifiable information (PII) belonging to more than 145 million consumers, most of them in the U.S. and a smaller number in the UK and Canada. Those affected had their Social Security numbers, birth dates, email addresses, home addresses, driver's license numbers, payment card details, and other data compromised in the attack.
Now, just over a year after the breach was disclosed, the GAO has published a detailed report on its investigation. According to the report, attackers began scanning the company's systems within days of the vulnerability being made public. One system affected was an online dispute portal, where the attackers were able to execute system-level commands and query dozens of databases in search of PII. The GAO says the attackers ran over 9,000 database queries, some of which returned personal information.
Not only did Equifax's security team fail to detect the Struts vulnerability in the online portal, they also failed to detect the attackers once they had gained access. The breach was ultimately discovered by a network administrator conducting routine checks of the operating system and configuration of IT systems. During that check he found a misconfigured device that had allowed the attackers to communicate with the compromised servers, and to take data belonging to 145 million customers, without detection. Specifically, Equifax had deployed a device to inspect network traffic for evidence of malicious activity, but a misconfiguration allowed encrypted traffic to pass through the network without being inspected.
The misconfiguration was an expired digital certificate: the certificate on the inspection device had lapsed about 10 months before the breach, so the device could no longer decrypt and inspect the traffic it was meant to watch. That let the attackers run commands and exfiltrate data over an encrypted connection without detection; once the certificate was renewed, the suspicious traffic became visible.
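The check a practitioner would want on that inspection device is a certificate-expiry monitor. As an added illustration (not from the GAO report and not NNT's code), the following stdlib-only Python routine walks the X.509 DER structure to pull out the Validity window and reports how many days remain. The certificates it is run against are built in the block itself with a tiny DER encoder; they are unsigned skeletons, not real certificates, and the dates (a 300-day-old expiry seen from the date the report gives for discovery) are assumptions for the example.

```python
"""Expiry check for a certificate such as the one on a TLS inspection device.

Added example: a stdlib-only walk of the X.509 DER structure to pull out the
Validity window (RFC 5280), then a days-to-expiry verdict.  The certificates
exercised at the bottom are constructed here with a tiny DER encoder; they are
unsigned skeletons, not real certificates, and the dates are assumed.
"""
import base64
from datetime import datetime, timedelta, timezone


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """List the (tag, value) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out


def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                          # YYMMDDHHMMSSZ; RFC 5280 pivot: 50..99 -> 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                        # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der_bytes):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der_bytes)         # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)               # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    (t1, v1), (t2, v2) = children(fields[3][1])[:2]
    return parse_time(t1, v1), parse_time(t2, v2)


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der_bytes):
    b64 = base64.encodebytes(der_bytes).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


def check_expiry(der_bytes, now, warn_days=30):
    """Return ('expired'|'expiring'|'ok', days until notAfter; negative once past)."""
    _, not_after = certificate_validity(der_bytes)
    days = (not_after - now).days
    if days < 0:
        return "expired", days
    return ("expiring" if days <= warn_days else "ok"), days


# --- constructed test data: a minimal DER encoder; NOT a real certificate ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_certificate(not_before, not_after):
    """Unsigned certificate skeleton carrying the given validity window."""
    def utc(d):
        return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                 # version v3
        der(0x02, b"\x01"),                                             # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA OID
        der(0x30, b""),                                                 # issuer (empty Name)
        der(0x30, utc(not_before) + utc(not_after)),                    # validity
        der(0x30, b""),                                                 # subject (empty Name)
        der(0x30, b""),                                                 # subjectPublicKeyInfo
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


# Assumed reference date: the day the report gives for discovery of the breach.
NOW = datetime(2017, 7, 29, tzinfo=timezone.utc)
LAPSED = constructed_certificate(NOW - timedelta(days=665), NOW - timedelta(days=300))
RENEWED = constructed_certificate(NOW - timedelta(days=355), NOW + timedelta(days=10))

if __name__ == "__main__":
    for name, cert in (("inspection device, lapsed", LAPSED), ("inspection device, renewed", RENEWED)):
        print(name, *check_expiry(cert, NOW))
```

Point `check_expiry(pem_to_der(open(path).read()), datetime.now(timezone.utc))` at the device's real certificate from a scheduled job and alert on anything other than "ok"; an "expired" result on an inspection appliance means every TLS flow through it is a blind spot until the certificate is replaced.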
The investigation also found that Equifax had not implemented proper network segmentation, which allowed the attackers to reach numerous databases beyond those belonging to the online dispute portal they had originally compromised. A second problem highlighted in the report is that credentials for multiple databases were stored, unencrypted, in a single database, handing the attackers the means to move further. The GAO also noted that the 9,000 queries showed there were no restrictions on the frequency of database queries; limits on query rate, or at least alerting on abnormal query volume, should have been in place.
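What alerting on that pattern looks like, as an added example that is not part of the GAO report: a sliding-window counter over a database query log that flags an account exceeding a per-minute query budget, and an account sweeping far more distinct databases than its job needs (the segmentation failure seen from the log side). The log lines, the "<timestamp> <account> <database> <statement>" format, the account names and the thresholds are all constructed for the example.

```python
"""Alert on abnormal database query volume and database spread per account.

Added example: a sliding-window counter over a query log, flagging an account
that exceeds a per-minute query budget and an account that touches more
distinct databases than it normally should.  The log lines and the
"<timestamp> <account> <database> <statement>" format are constructed for
this example; the thresholds are illustrative, not a recommendation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    ts, account, db, statement = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, db, statement


def detect(lines, max_per_window=50, window=timedelta(minutes=1), max_databases=5):
    """Return alerts as (kind, account, count), at most once per account and kind.

    'rate'   - more than max_per_window queries inside `window`
    'spread' - more than max_databases distinct databases touched overall
    """
    recent = defaultdict(deque)      # account -> timestamps still inside the window
    touched = defaultdict(set)       # account -> distinct databases seen so far
    raised, alerts = set(), []

    def fire(kind, account, count):
        if (kind, account) not in raised:
            raised.add((kind, account))
            alerts.append((kind, account, count))

    for line in lines:
        ts, account, db, _ = parse_line(line)
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:            # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_per_window:
            fire("rate", account, len(q))
        touched[account].add(db)
        if len(touched[account]) > max_databases:
            fire("spread", account, len(touched[account]))
    return alerts


# --- constructed sample log, returned in timestamp order ---
def sample_log():
    base = datetime(2017, 5, 13, 10, 0, 0)
    lines = []
    # a service account doing its normal job: one query a minute against one database
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} portal_svc disputes "
                     f"SELECT status FROM cases WHERE id={1000 + i}")
    # the pattern the report describes: a burst of queries sweeping many databases
    for i in range(120):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} www_dispute db{i % 12:02d} "
                     "SELECT * FROM customers LIMIT 500")
    return sorted(lines)


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Detection is the fallback; the first control is a hard cap enforced at the database or its proxy, so that a web-tier account physically cannot issue thousands of queries against databases it has no reason to know exist. The "spread" rule is the cheaper substitute for segmentation that was missing here: an account for one portal should be talking to one schema.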
Beyond the security best practices recommended in the GAO report, NNT recommends hardening all systems from the outset in order to maintain system integrity. Hardening allows your organization to eliminate or mitigate known security vulnerabilities, making systems far harder to compromise. Maintaining a hardened environment and managing vulnerabilities are closely tied to tight change control: any change to a configuration can introduce a vulnerability into the IT environment, so visibility and control of changes is an essential security practice.
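The mechanism behind that visibility, as an added example that is not NNT's product code: take a cryptographic baseline of the files that matter, re-snapshot on a schedule, and report every addition, removal or modification so that an unplanned change (a new file in a web root, an altered configuration) has to be explained rather than going unnoticed. The directory tree, file names and contents in the demo are constructed for the example.

```python
"""Baseline-and-compare file integrity check (the core of change control).

Added example, not NNT's product code: snapshot a directory tree to SHA-256
digests, then report what was added, removed or modified against that
baseline so unplanned changes surface instead of going unnoticed.  The demo
below builds its own throwaway tree; paths and contents are constructed.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256 hex digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; every entry in the result is a change that needs an owner."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Constructed scenario: take a baseline, make three kinds of change, report them."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "conf/server.xml", "<Server port='8005'/>\n")
        _write(root, "lib/app-core.jar", "jar-bytes-v1\n")
        _write(root, "bin/start.sh", "#!/bin/sh\nexec java -jar lib/app-core.jar\n")
        baseline = snapshot(root)

        _write(root, "conf/server.xml", "<Server port='8005'><Listener/></Server>\n")  # modified
        os.remove(os.path.join(root, "bin", "start.sh"))                               # removed
        _write(root, "lib/extra.jar", "jar-bytes-unknown\n")                           # added
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is stored off the monitored host (an attacker who can edit the files can edit a local baseline too), the scan covers the web application root, framework libraries and configuration rather than the whole disk, and each reported change is matched against an approved change record; anything unmatched is the "change noise" that needs a human, or an external reputation source, to approve or investigate.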
The NNT recommended Change Control process starts by introducing NNT Change Tracker Gen7 into the IT environment, but for the best results we strongly suggest adding NNT FAST Cloud (File Approved Safe Technology). FAST Cloud leverages external threat intelligence and whitelisting to automatically approve the validity of file changes as they occur, significantly reducing the 'change noise' often associated with change control.
If you’re interested in learning more about the NNT recommended change control program, click here: https://www.newnettechnologies.com/nnt-recommended-change-control-program.html