Equifax, one of the three largest consumer credit reporting agencies in the U.S., announced last week that a web application flaw exposed 143 million customer records to malicious hackers. Although not the largest breach in size, the Equifax breach may be the largest to date in severity considering the type of PII that was exposed. While mixed reports are speculating over the cause of the breach, criticisms are rising over Equifax’s lack of security practices and safeguards. Here is what you need to know about the Equifax breach and how you can prevent a similar attack at your organization.
What Happened During the Equifax Breach?
Equifax executives stated that the breach was discovered on July 29th and that exposure lasted from mid-May to July 2017. Of the compromised data were names, social security numbers, birthdates, addresses, and driver’s license numbers of millions of U.S. consumers, labeling this the most sensitive breach in history. Reports also noted that 209,000 U.S. consumers suffered exposed credit card numbers as well.
Cyber criminals gained access to this information by exploiting a vulnerability found in a web application. Web application vulnerabilities are the most common target for hackers to exploit, making it critical for organizations to incorporate secure coding and development practices for all web-facing applications. Equifax did not realize the breach right away, reporting that their databases didn’t show any evidence of unauthorized or suspicious activity.
Learning from Equifax’s Mistakes
There are many lessons to be learned from the Equifax breach that can help you to prevent your organization from suffering a similar fate. Here are five key takeaways from the Equifax breach:
Performing an annual risk assessment is an important first step for all organizations to maintain a mature security posture. A risk assessment provides an ongoing, systematic approach for identifying and prioritizing risks, allowing organizations to mitigate potential threats before they happen. A formally documented risk assessment should occur on a yearly basis and after any significant change.
Secure Web Application Coding and Development
Web applications can present a serious threat to organizational security. While there haven’t been many details released by Equifax at this time, we do know that the breach occurred due to a flaw or vulnerability in a web application. Incorporating secure coding and web application development into your security practices can help to prevent this type of attack from happening to your organization. Developers should be trained on an annual basis on secure coding best practices to avoid attacks such as SQL injection. Consider the OWASP Top 10 for a list of the most critical web application security risks to ensure secure coding and development.
Web Application Penetration Testing
Web application penetration testing is a form of permission-based ethical hacking in which a certified pen tester attempts to gain access to an organization’s applications. The purpose is to find weaknesses that could potentially be exploited by a malicious hacker as part of a routine security check. Finding the holes in your security infrastructure before someone else does allows organizations to protect themselves from a devastating attack like the one Equifax has suffered. Penetration testing should be performed, at minimum, on an annual basis, however, with the rapidly changing cyber-threat landscape, many IT security professionals recommend a biannual assessment.
Layered Security Controls
Implementing a defense-in-depth strategy is a good way to present more obstacles to a determined attacker, delaying and detecting them before they become successful. The Equifax breach uncovered the fact that, despite having security issues in the past, there were not many layered safeguards in place to help mitigate an attack. A multi-layered security posture is the best defense. Some examples of layered security controls include antivirus, firewalls, multi-factor authentication, intrusion detection/prevention software (IDS/IPS), and monitoring.
Update Patches and Software
Updating security patches, specifically critical patches, is important for preventing a malicious cyber attack. The number one target of cyber criminals is known flaws left unpatched. Although not directly related to this security breach, security experts reported that Equifax had failed to patch an XSS vulnerability that the company was warned about in 2016. It was also noted that Equifax was using a mix of old technology such as IBM WebSphere, Apache Struts, and Java, leaving their infrastructure vulnerable. Keep patches, software, and all technologies current and up to date to prevent flaws in your security.
Don’t let your organization be the next major data breach headline. Implement these five lessons learned today. For help securing your IT infrastructure and testing your security posture, contact us today.