In the second part of this two-part blog, information security veteran Max Pritchard looks at where we are a year after the data breach at the credit reference agency Equifax and discovers what we can learn from it. If you missed part one, you can read it here.
In August 2018 the US GAO published a report into the breach and the actions of Equifax and Federal agencies. The detailed and scathing report concludes that the US administration, 12 months on from the breach, had failed to act on the failures at Equifax and that, although Federal regulators had opened investigations, no enforcement action had been taken.
How soon we forget
One year on from the breach notification, the stock price of Equifax Inc had recovered from the 35% drop observed in the immediate aftermath of the notification.
Request for information
In December 2018 plaintiffs in the US filed a motion asking that the evidence (documents and witness statements) provided to Congress, which enabled Congress to write and publish a report concluding that the breach was preventable, be made available to them. Discovery is expected to last well into this year.
The US regulatory process has thus far failed to levy any meaningful monetary penalty against Equifax Inc for letting sensitive personal information on over 44% of the US population get into the hands of unknown threat actors. The change of president and the turmoil in Federal Government during the first year of the new administration contributed to the lack of regulatory action.
The consolidated lawsuits are ongoing, with the discovery phase expected to continue into 2019. At least the judge has rejected Equifax’s calls to dismiss the claims from individuals.
The UK regulator fined Equifax Ltd the maximum amount it could under the Data Protection Act 1998, but this was tiny compared with the company’s revenues, profits, executive pay and US legal fees, and although it prompted ‘disappointment’ from Equifax, there is little indication that anything has improved for UK data subjects.
GDPR too late
The EU GDPR deadline was 25th May, and the ICO ruled that the failures leading to the breach occurred before that date, so the new penalty regime (which could have provided for fines of up to 4% of global turnover) was not applicable.
So what did we learn?
Fix that bug
Patching software quickly and comprehensively is important for stopping criminals from identifying and exploiting your business. This means an IT security focus on inventory management (What software do I have? Who patches it? How quickly can I patch it?), access to high-quality information about security vulnerabilities, and a robust process for testing and applying patches.
Servers that cannot be updated or patched should be isolated from others as far as possible or removed from the network entirely until a fix or workaround can be found.
Because none of these processes can ever be guaranteed, servers need to be tested regularly using vulnerability assessment (VA) tools. If this can be done in an automated manner, so much the better.
Servers should be routinely hardened by removing services that are not required, ensuring that all stored passwords are encrypted and that the encryption keys are not left accessible.
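As an added illustration of the inventory questions above (what do we run, who patches it, how quickly), not code from the original post: a small Python checker that matches a constructed software inventory against constructed advisories, flags hosts past a patch SLA, and marks hosts that cannot be patched for isolation, as the text recommends. Host names, software names, the advisory ID and the 14-day SLA are all assumptions.

```python
from datetime import date

# Constructed sample inventory: what software runs where, who patches it,
# and whether the host can be patched at all.
INVENTORY = [
    {"host": "web-01", "software": "exampleweb", "version": "2.3.1", "owner": "web-team", "patchable": True},
    {"host": "web-02", "software": "exampleweb", "version": "2.3.5", "owner": "web-team", "patchable": True},
    {"host": "legacy-07", "software": "exampleweb", "version": "1.9.0", "owner": "unassigned", "patchable": False},
    {"host": "db-01", "software": "exampledb", "version": "11.2", "owner": "dba-team", "patchable": True},
]

# Constructed advisory feed. The ID is a placeholder, not a real CVE.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "software": "exampleweb", "fixed_in": "2.3.5", "published": date(2018, 3, 7)},
]

PATCH_SLA_DAYS = 14  # assumed internal target for applying a fix once published


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def assess(inventory, advisories, today, sla_days=PATCH_SLA_DAYS):
    """Return one finding per (host, advisory) where the installed version predates the fix."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["software"] != item["software"]:
                continue
            if parse_version(item["version"]) >= parse_version(adv["fixed_in"]):
                continue  # already at or beyond the fixed version
            days_open = (today - adv["published"]).days
            if not item["patchable"]:
                action = "isolate or remove from network"  # cannot be fixed: segregate it
            elif days_open > sla_days:
                action = "patch overdue"
            else:
                action = "patch within SLA"
            findings.append({
                "host": item["host"], "advisory": adv["id"], "owner": item["owner"],
                "days_open": days_open, "action": action,
            })
    return findings


if __name__ == "__main__":
    for finding in assess(INVENTORY, ADVISORIES, date(2018, 3, 30)):
        print(finding)
```

An owner of "unassigned" in the output is itself a finding: nobody answers "who patches it?" for that host.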
Don’t forget the logs
Server logs and network logs should be analysed, in real-time if possible, for indicators of compromise (IoC) or anomalies. Breach detectors, or honeypots, can be deployed in sensitive network segments to help identify hackers or malicious employees operating inside the network perimeter.
It is not just about the technology
Security is not all about technology or compliance. Operational process and comprehensive design that assumes failure, alongside broader use of detection, testing and monitoring, are required in modern networks.
But will things change?
Data protection regulation still has to catch up, particularly in the US. Director-level retirements and resignations, mid-management criminality and jail time, and staff being fired when the system fails are accompanied by short-term drops in share price and long-winded legal cases going nowhere fast. It’s all unwelcome, but how much will it change big business behaviour where consumers and their information are products, not paying customers? What do you think Equifax has learned from its experience?
What’s the damage?
Corporate reputational and business damage can be reduced by having a well-thought-out, transparent response plan, including communication with regulators, government bodies, customers and particularly data subjects, in advance of the inevitable failure in information security. I don’t know what Equifax paid for Mandiant’s service, or what their legal fees look like, but it may be better to spend that money on their security in advance, rather than leave it to chance.
To find out what you can do right now to avoid ending up in a similar situation contact us or give us a call on 0845 625 9025.