> The attackers transferred this data out of
the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration
because the device used to monitor ACIS network traffic had been inactive for 19 months due to
an expired security certificate.<p>> Equifax had allowed over 300 security
certificates to expire, including 79 certificates for monitoring business critical domains.<p>(on page 2 of the Executive Summary)<p>I've been following the Equifax breach story but this is the first I'm hearing about the expired certificates. That is shockingly bad.<p>I'm a little disappointed in the final "conclusion" of the report, though. The end of the executive summary basically chalks the breach up to two things: "Equifax's IT management structure was complicated" and "Equifax uses legacy software that is hard to secure". These <i>are</i> valid points, but these are also issues that nearly every single major corporation in the world faces, and yet many of them still manage to prevent (or at least mitigate) major breaches. These aren't good enough reasons to explain why Equifax failed so spectacularly compared to every other bureaucratic company with legacy software.<p>Also, I know this report isn't meant to be a remediation strategy roadmap, but it's also pretty disappointing that the recommendations section is basically just 3 pages of fluffy, vague, "X and Y should work together to increase cybersecurity" bullshit. Such a high profile incident would have been a great time for the federal government to really show some leadership (or at least strong guidance) in this realm, but they really didn't. I mean hell, at least link your recommendations to the NIST Cybersecurity Framework...
> Recommendation 6: Reduce Use of Social Security Numbers as Personal Identifiers
The executive branch should work with the private sector to reduce reliance on Social Security numbers.<p>I'm disappointed this is recommendation 6, but at least it is in there. I'm also disappointed that they suggest the executive fix this problem instead of legislating a solution. Hopefully they take some action on their own recommendation!
> In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an
aggressive growth strategy, leading to the acquisition of multiple companies, information
technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s
bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems,
and expanded data security risks.<p>> Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a
complex IT environment. Equifax ran a number of its most critical IT applications on custombuilt legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made
IT security especially challenging. Equifax recognized the inherent security risks of operating
legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This
effort, however, came too late to prevent the breach.<p>As someone who works in Tech M&A, I often tell clients "hackers go after the weakest link and you just acquired a new link". They nearly unilaterally ignore this advice and ignored hardening even the smallest of acquisitions, because well, "growth". Someday people will learn.
Just want to talk about Recommendation 6 (Recommendation 6: Reduce Use of Social Security Numbers as Personal Identifiers). Page 96.<p>The recommendation is essentially "Try to convince the public and private sector to use them less." But I'd argue it is well passed time that SSNs be replaced by something fit for purpose. SSNs were never designed to be a unique form of ID, and using things like the cardboard card as further verification is almost comical.<p>I'd like to see an aggressive alternative that uses the best of our security knowledge and then have it vetted by everyone in the security industry with a pulse. We've seen other countries try this. But most of those countries outsource it to the lowest government bidder, who hide the inner workings behind proprietary claims, and never vet the resulting proposal.<p>Instead we need something more akin to the United States Digital Service, a publically created proposal (fully released specs) that is vetted by every academic and security expert they can find.<p>The hardest part will be saying "no" to requirements creep. Allow certain government agencies to continue to use SSNs for now, and have the new ID "flip" into an SSN behind the scenes. Better than needing five hundred different departments to adopt the new standard before it can go live.
Why is Equifax in business still? I don't get it.<p>A company like Bear Sterns got "killed", Enron and others got litigated out. But it looks like Equifax did not face any consequences. Its high time we treat data as an asset class and regulate accordingly. Particularly personal information is acquired by every company and is treated as a valuable commodity. Companies get acquired purely for the amoutn of data they have. The market has already declared it as an asset why is it not regulated?
There is so much to comment on and digest in this report, but the lifecycle of an attack diagram[1] on page 31 (figure 164) is something every software developer should burn in to memory.<p>It is easy to fall in the trap of seeing the most miniscule of vulnerabilities and dismissing it as "no one could ever possibly utilize that as a vector, it's not critical."<p>But that miniscule vulnerability becomes a single link in a ladder to everything in the system. Every seemingly-small vulnerability matters, like this painfully shows.<p>[1] referenced here: <a href="https://blog.hellobloom.io/how-hard-was-the-equifax-hack-a3bae36f9e6f" rel="nofollow">https://blog.hellobloom.io/how-hard-was-the-equifax-hack-a3b...</a>
The report linked here is the House Oversight Committee (Majority) Staff Report.<p>Another report from the committee's minority is also available.<p><a href="https://democrats-oversight.house.gov/sites/democrats.oversight.house.gov/files/Equifax" rel="nofollow">https://democrats-oversight.house.gov/sites/democrats.oversi...</a> Minority Report - FINAL 12-10-2018.pdf
The report doesn't appear to mention that you could just login to their web portal with an obvious password [1]. It also doesn't appear to be under the purview to look at the leadership team selling stock[2]. Both of which it should consider when reviewing the competency and ethics of an organization managing and profiling nearly everyone in the U.S.<p>Speaking of which... why is it only ~50% of the adult population in the U.S.?<p>If the intruders were going around the Equifax network at will (which from the report it
appears they were). We should assume 100% of the data was breached.<p>[1] <a href="https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-login-and-password-of-a-non-us-database.html" rel="nofollow">https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-l...</a><p>[2] <a href="https://www.bloomberg.com/news/articles/2018-03-14/sec-says-former-equifax-executive-engaged-in-insider-trading" rel="nofollow">https://www.bloomberg.com/news/articles/2018-03-14/sec-says-...</a>
The most alarming part of this is that it appears that the intrusion was only discovered when the new SSL monitoring certificates were being checked to ensure that the appliance was again "on". I wonder how long it'd have taken if someone hadn't spotted something suspicious by accident at that point - I'm sure we've all spotted bugs or flaws by accident when testing a completely different feature.
>The Equifax data breach and federal customers’ use of Equifax identity validation services highlight the need for the federal government to be vigilant in mitigating cybersecurity risk in federal acquisition. The Office of Management and Budget (OMB) should continue efforts to develop a clear set of requirements for federal contractors to address increasing cybersecurity risks, particularly as it relates to handling of PII. There should be a government wide framework of cybersecurity and data security risk based requirements.<p>From my understanding of FEDRAMP, all of the things that Equifax failed to do should be already covered. Software patching, isolation of data, audit trails etc. etc. Seems more like a massive auditing fail.
Check out how Equifax started rolling heads starting on page 50. They pinned the fact of not patching Struts on a SVP who was one of hundreds of people notified of the need to patch Struts. But he didn't <i>forward</i> that email, so he's toast!<p>Now pardon me while I go route my patch management procedures through the nearest baffling and inane dependency.<p><i>A senior Equifax official was terminated for failing to forward an email – an action he
was not directed to do – the day before former CEO Richard Smith testified in front of Congress.
This type of public relations-motivated maneuver seems gratuitous against the back drop of all
the facts</i>
> Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed.<p>1970s? Am I reading that right? HTML wasn't even developed yet.
> Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic.<p>Ouch.
What does the baseline of "good enough security" look like? For physical banks it looks like money stored in vaults with no staff access, cash in transit stored with market dye, etc etc<p>For the non physical world I have some ideas<p>- The entire infrastructure of IT can be rebuilt in an automated fashion and is done so in a prod-parallel equivalent at least weekly<p>- Any chnage to "vital" files on any server is audited<p>- err?
>><i>"Equifax's IT management structure was complicated" and "Equifax uses legacy software that is hard to secure"</i><p>I feel for them (not!). BUT they shouldn't store any valuable data then. They should be not-insurable.