Equifax Redux Part 1: Assume You Are Already Compromised

In light of the recent data breaches at Equifax I'm composing some thoughts in two posts. This first post details how organizations often miss the mark securing data due to partial security solutions.

As soon as news of the Equifax breaches hit the wire people were asking: How did this happen?  All public accounts point to a vulnerability in the software package Apache Struts, that went unpatched in Equifax's systems for months.  (Note that Apache Structs is different from the widely used Apache web server, although that distinction is meaningless for the purposes of this post).

That sounds pretty damning, but I'm not going to speculate why a software package went unpatched.  It should have been patched - and swiftly - but what if the flaw was a so-called 0-day exploit without a patch?  Would Equifax still be held liable for such a massive breach?  The answer should be a resounding yes!

It is often echoed that security is a process.  This should mean both that your evaluation and protection of your networks/systems is constantly evolving and that multiple layers of protection are in place between the wilds of the internet and sensitive data and system access.  To be blunt: it should be assumed that every device connected to your network is already compromised; all software on your systems is vulnerable; every packet streaming through your wires has been intercepted and manipulated.  At every step protections need to be added to minimize exposure.

To illustrate this point, one only needs to look to the other interesting security story of the week: the malware embedded within a signed update of the popular anti-malware tool CCleaner, which was distributed to over 2 million machines and was likely positioned to siphon data for the purpose of corporate espionage.  Trust in a signed update from a security vendor is not enough.

Patching flaws is not enough.  To properly defend systems and the data within, a holistic approach to cyber security must be taken.

I am not privy to the internal details of the Equifax hack, but a vulnerability in Apache Struts is not to blame.  What is to blame is:

• After Struts was compromised, why didn't the Web Application Firewall (WAF) filter out the attack?  Was it due to a misconfiguration?  Was the attack sufficiently advanced that the attack could not be easily detected?  Or, was there no WAF present?
  
  
• Once the attack advanced into the web core, was sandboxing employed to contain the attack?  If yes, how was the sandbox breached?  If no, why wasn't sandboxing employed?
  
  
• Once the attack went beyond the webroot of the compromised server, how did it scale to the point of accessing system data?  What additional systems were compromised to get from an internet facing server to sensitive data records?  How and why were they compromised?  Was this due to a network misconfiguration?
  
  
• And the ultimate issue: Why was the sensitive data of hundreds of millions of people left unprotected?  Was the data encrypted at rest?  Was it encrypted in transit?  Why weren't individual records hashed in some way to prevent the full decryption of the complete data in one fell swoop?  Or, was it not encrypted to begin with?

Your software is compromised.  Your systems are compromised.  Your network is compromised.  How are you going to secure your data?

Continue to read second post

Posted: Sep 21, 2017