Content Developer & Marketer
Grayson Kemper is a Content Developer at Clutch. He primarily conducts research for Clutch’s SEO and Enterprise IT segments.
Recently, the cause of Equifax’s catastrophic cyber attack was revealed as a hack that exploited a known bug in Equifax’s web application software, Apache Struts.
Since then, the discourse surrounding the event has shifted to two main subjects:
- The blame game: people want to hold someone responsible. The fallout has claimed the jobs of Equifax’s CSO, CIO, and now, CEO.
- The preventability of the attack: the attack originated from a known vulnerability. Doesn’t get more preventable than that.
The second focus is what I will explore in this article.
In response to the hack, the Apache Software Foundation released a statement acknowledging that the hack occurred through a bug in its software. In the statement, however, Apache also outlines a list of recommendations that it always provides for users of its software, all of which Equifax failed to uphold.
These snippets capture the message of each point:
- Keep track of security announcements affecting these products and versions.
- Establish a process to quickly roll out a security fix release of your software product
- Don’t build your security policy on the assumption that supporting software products are flawless
- Establish security layers
- Establish monitoring for unusual access patterns to your public Web resources
Based on this statement, the lesson for businesses to take away from Equifax’s breach is this: do not take cybersecurity for granted. As Apache states, “any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless”. And, when those flaws are exposed, fix them.
Simply Having a Cybersecurity Policy Doesn’t Cut It
In a recent cybersecurity survey from Clutch, 94% of large companies claim to have a cybersecurity policy in place. Such ubiquity implies that companies recognize cyber attacks as a real threat, one that requires formal policy and regulation to combat. This is a correct assumption, with a logical gap. Simply recognizing cyber attacks as a threat does not equate to adequate cyber defense, just as simply using security software does not mean your company is secure.
Clutch’s cybersecurity report elaborates on this disconnect. Despite having a policy in place, over half of businesses experienced phishing attacks and just under half experienced a trojan or malware attack in the past year.
Digital Defense, Inc. CIO Tom DeSot recognizes the shortcomings of cybersecurity policies in the routine penetration tests he conducts on clients.
“We’re typically about 95% successful in getting [unauthorized] information either over the phone, via email, or in person,” said DeSot. “To me, that shows a weakness in policy.”
To be clear, Equifax is a huge company with complex IT services and resources at its disposal, and it had a cybersecurity policy in place before the attack. Its failure was not due to ignorance of cyber attacks as a threat. Its failure was due to a lack of depth in, and effective upkeep of, crucial elements of its policy.
Don’t be Equifax: Easy Security Measures to Minimize Risk
No policy will ever be bulletproof. Every company has security liabilities, particularly unwitting employees with inadequate security training.
However, there are easy yet critical steps, often taken for granted, that companies need to address to avoid preventable cyberattacks. Two, in particular, are regular software updates and layered security.
1. Update Critical Software
Architectural and security software are living code designed by humans. Thus, they are prone to manual error and mishap. On the other side, the cybersecurity threat landscape is constantly evolving. Given these factors, software programmers and developers consistently update and reconfigure their products to best protect against the most contemporary threats.
Each company has a responsibility to stay informed of and implement the most recent software updates to ensure maximum protection. If you installed security software internally, make sure you subscribe to system alerts or other communication with that provider to stay aware of recent updates and vulnerabilities. If you have cybersecurity companies on retainer, communicate with them regularly. It’s their job to stay on top of the most common, modern cybersecurity threats. Use that knowledge to strengthen your company’s cyber defenses.
2. Install Backup Security
In baseball, a pitching staff has a starter and relievers. A starter has the potential to go all 9 innings. However, if he is unable to finish a game, due to exhaustion or poor performance, a coach has an entire bullpen of relievers he can depend on to complete the game.
Cybersecurity defense follows the same logic as a pitching staff. Your site and application framework are your major operating platforms (starting pitcher). However, you need additional levels of security (relievers) as an available backup if your operating frameworks are exhausted or bypassed by external threats.
A good cybersecurity policy has a deep “bullpen”, or additional firewalls and obstacles beyond your most external frameworks to thwart attacks. Hackers will find ways to exploit vulnerabilities, particularly in open-source software. However, it is a business’s job to make it as challenging as possible for hackers to access company data. The more security layers, the more challenging an external attack becomes.
Basic Practices Strengthen Cybersecurity Policy
A truly strong cybersecurity policy both addresses basic security measures and protects against contemporary threats. Equifax failed to uphold fundamental cybersecurity protocol and has paid dearly for it. To avoid a similarly avoidable attack, ensure that your company follows basic security practices, as outlined by Apache. In particular, stay informed of and address the most recent security software updates and vulnerabilities, and establish firewalls as additional lines of defense in case external frameworks are compromised.