Article posted: Oct 10, 2017
By Joakim Thorén, Versasec CEO
If you live in the US, it's likely the Equifax breach has affected you personally. While Equifax is still evaluating the cause of the breach, we're already hearing a number of excuses from the company, and the excuses aren't sitting well with Equifax's board: Chief Security Officer Susan Mauldin and Chief Information Officer Dave Webb are "retiring". According to an article in ZDNet, Equifax is blaming open-source software for the debilitating breach that compromised 143 million records. Some industry experts may argue that Equifax shouldn't have relied on open-source software to protect Americans' names, Social Security numbers, birthdates and home addresses. Others point out that had the available security patches been applied promptly, the breach wouldn't have occurred.
So, who's really to blame, Apache Struts or Equifax's security team? It falls squarely on Equifax's shoulders; its breach-detection systems should have alerted it to the intrusion. The defence goes like this: a new and serious Struts vulnerability was disclosed on September 5, Apache shipped a patch immediately, and genuine zero-day exploits aren't that common. The problem with this logic is that the intrusion at Equifax ran from mid-May through July, months before the September disclosure, and the hole that was actually used was a different Struts vulnerability, CVE-2017-5638, for which Apache had published a patch in March. That March patch was never installed. This is truly unacceptable. As security expert SwiftOnSecurity put it, "Pretty much 99.99 percent of computer security incidents are oversights of solved problems."
Essentially, when the maintainer of an open-source component publishes a security update, it's up to the company running that component to install the update, verify that it actually took effect on every deployment, and confirm that nothing was compromised in the meantime. It's that simple, and it's not news. Last March, eWeek reported that analyst firm Voke Media surveyed 318 firms as part of its security-automation survey and found that "approximately 80 percent of companies that had either a breach or a failed audit could have prevented the issue with a software patch or a configuration change." Even more troubling, 46 percent of companies waited 10 days to remediate vulnerabilities and apply patches. Working through those patch and configuration-change backlogs is crucial to preventing data breaches, yet companies like Equifax often do not act quickly to fix routine software security bugs.
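Verifying that a patch "took effect on every deployment" means checking what is actually on disk, not what the ticketing system says. The script below is an added example, not code from the original article or from Versasec; it walks a Java deployment directory and flags any struts2-core jar whose version still falls inside the ranges Apache listed as affected by CVE-2017-5638 in advisory S2-045 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). Its one assumption is the Maven naming convention struts2-core-<version>.jar; the sample file listing is constructed for illustration.

```python
"""Flag deployed Apache Struts 2 core jars still exposed to CVE-2017-5638.

Added example, not code from the original article. Assumes struts2-core ships
as a jar named struts2-core-<version>.jar (the Maven artifact naming); shaded
or renamed jars will not be matched and need a manifest check instead.
"""
import re
from pathlib import Path

# Affected per Apache advisory S2-045 (March 2017):
#   Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
# Fixed releases: 2.3.32 and 2.5.10.1.
# Bounds are padded to four components so 2.5.10 < 2.5.10.1 compares correctly.
VULNERABLE_RANGES = (
    ((2, 3, 5, 0), (2, 3, 31, 0)),
    ((2, 5, 0, 0), (2, 5, 10, 0)),
)

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into a 4-tuple of ints; shorter versions are zero-padded."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version):
    """True if this struts2-core version lies inside an S2-045 affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def scan_filenames(names):
    """Return the paths of struts2-core jars that still need the March 2017 patch."""
    flagged = []
    for name in names:
        m = JAR_RE.match(Path(name).name)
        if m and is_vulnerable(m.group(1)):
            flagged.append(name)
    return flagged


def scan_tree(root):
    """Walk a deployment root (e.g. Tomcat's webapps) and flag vulnerable jars."""
    return scan_filenames(str(p) for p in Path(root).rglob("struts2-core-*.jar"))


# Constructed sample of WEB-INF/lib contents; not taken from any real system.
SAMPLE_JARS = [
    "app/WEB-INF/lib/struts2-core-2.3.31.jar",      # affected
    "app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",   # fixed release
    "app/WEB-INF/lib/commons-fileupload-1.3.2.jar", # not Struts
    "legacy/WEB-INF/lib/struts2-core-2.5.jar",      # affected (2.5.0)
]

if __name__ == "__main__":
    for jar in scan_filenames(SAMPLE_JARS):
        print("UNPATCHED:", jar)
```

Run `scan_tree("/opt/tomcat/webapps")` (or whatever the deployment root is) on each server rather than trusting a single build manifest: the breach lesson is precisely that one forgotten instance is enough. A fixed jar on disk also only helps once the application has been redeployed or the container restarted, so pair this file check with a runtime check where you can.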
Equifax's preventable security mistakes don't stop at unapplied patches: the company also protected sensitive data with a username and password that were identical. According to a BBC article, an Equifax system in Argentina was exposed because its IT administrators allowed a user to log in as admin with the password admin. We've written before about the dangers of relying on passwords alone to secure data, and Equifax made an attacker's job easy when the login and password were the same and trivially guessed.
The Equifax breach will likely go down as one of the worst in US history, because lenders and credit companies willingly share data with Equifax so it can compile and analyze credit scores. While there were security holes in Apache Struts, the blame lies solely with the Equifax team responsible for deploying and patching it. Let this be a lesson to all companies: do not ignore security patches and updates; apply them promptly. Your customers, employees and investors demand it, and if these warnings are not heeded, your brand's reputation will suffer.
Continue to follow this topic on https://twitter.com/hashtag/equifaxbreach.