While I was recently sharing my 7 secrets of infosec tips and best practices at an amazing conference, CloudSEC 2017 in the UK, hackers were hard at work attacking Equifax in the USA. Of course, when do they ever sleep?
On September 7, 2017, we learned of a massive data breach at Equifax. While a very limited number of UK citizens and Canadians were affected, a huge number of Americans, nearly half the population, had their personally identifiable information (PII) exposed: over 143,000,000 people. The exposed data included consumer dispute documents, credit card data and much more.
Having served on MITRE’s OVAL advisory board, part of the CVE (Common Vulnerabilities and Exposures) program, for many years, and hearing that it was an attack against their public-facing website, my guess was it had something to do with CVEs discovered in IBM WebSphere, the server they appear to be running at Equifax. Visit the National Vulnerability Database at http://nvd.nist.gov and look for CVEs in IBM WebSphere to see what I’m talking about.
So, we’re back to the drawing board again on ‘what could Equifax have done right’? Well, they could have patched their CVEs. If no patches were available, they could have created additional IDS, IPS and firewall rules to watch for exploits against their vulnerabilities, such as the Apache Struts flaws CVE-2017-5638 and CVE-2017-9805 (a fixed Struts release for CVE-2017-5638 had in fact been available since March 2017, months before the breach was discovered).
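To make the IDS/WAF point concrete, here is an added example (not code from the original post or from any vendor rule set) that inspects HTTP requests for the two Struts CVEs named above. CVE-2017-5638 is triggered by an OGNL expression smuggled into the Content-Type header, and CVE-2017-9805 by an XML body that makes the REST plugin's XStream deserializer instantiate gadget classes. The signatures, rule names and the sample requests are all constructed for this illustration; the exploit fixtures are abbreviated and modelled on the shape of the public proofs of concept.

```python
import re

# Illustrative signatures for the two Apache Struts flaws named above.
# They are written for this example only; real IDS rule sets (Snort,
# Suricata, a WAF) are more thorough and should be used in production.
OGNL_EXPR = re.compile(r"[%$]\{")           # OGNL expression opener, e.g. %{ or ${
OGNL_MARKERS = ("#_memberAccess", "@ognl.OgnlContext@", "#cmd=",
                "java.lang.ProcessBuilder", "getRuntime()")
# Class names that appear in public CVE-2017-9805 XStream gadget chains.
XSTREAM_GADGETS = ("java.beans.EventHandler", "java.lang.ProcessBuilder",
                   "jdk.nashorn.internal", "com.sun.xml.internal.bind")
XML_TYPES = ("application/xml", "text/xml")


def inspect_request(headers, body):
    """Return a list of (rule_name, evidence) findings for one HTTP request.

    headers: dict of header name -> value (matched case-insensitively)
    body:    the request body as text
    """
    h = {k.lower(): v for k, v in headers.items()}
    ct = h.get("content-type", "")
    findings = []

    # CVE-2017-5638: an OGNL expression in Content-Type is never legitimate.
    # The Jakarta multipart parser copied the header into an error message
    # that Struts then evaluated as OGNL, so the header alone is the tell.
    if OGNL_EXPR.search(ct):
        findings.append(("struts-ognl-in-content-type", ct[:60]))
        hits = [m for m in OGNL_MARKERS if m in ct]
        if hits:   # sandbox-bypass / command-execution primitives present
            findings.append(("struts-ognl-sandbox-bypass", ",".join(hits)))

    # CVE-2017-9805: the REST plugin handed XML bodies to XStream without
    # restricting the types it would instantiate. Gadget class names inside
    # an XML body are a strong indicator of an attempt.
    if ct.lower().startswith(XML_TYPES):
        hits = [g for g in XSTREAM_GADGETS if g in body]
        if hits:
            findings.append(("struts-rest-xstream-gadget", ",".join(hits)))
    return findings


# Constructed sample traffic: two ordinary requests and two exploit attempts
# shaped like the public proofs of concept (payloads abbreviated).
SAMPLE_REQUESTS = {
    "benign_upload": (
        {"Content-Type": "multipart/form-data; boundary=----x1"},
        "------x1\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nhello\r\n------x1--",
    ),
    "ognl_exploit": (
        {"Content-Type": "%{(#_='multipart/form-data')."
                         "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                         "(#_memberAccess=#dm).(#cmd='id')."
                         "(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}"},
        "",
    ),
    "benign_rest": (
        {"Content-Type": "application/xml"},
        "<order><id>42</id><item>widget</item></order>",
    ),
    "xstream_exploit": (
        {"Content-Type": "application/xml"},
        "<map><entry><jdk.nashorn.internal.objects.NativeString>"
        "<value class=\"java.beans.EventHandler\"><target class=\"java.lang.ProcessBuilder\">"
        "<command><string>id</string></command></target></value>"
        "</jdk.nashorn.internal.objects.NativeString></entry></map>",
    ),
}


def scan_all(requests=SAMPLE_REQUESTS):
    """Run inspect_request over every sample and map name -> findings."""
    return {name: inspect_request(hdrs, body) for name, (hdrs, body) in requests.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name:16} {'ALERT' if findings else 'ok':5} {findings}")
```

The useful property here is that the Content-Type check needs no knowledge of the payload: a legitimate client never sends `%{` in that header, so the rule has essentially no false positives and would have caught the attempts whether or not the server had been patched yet.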
They could have set up rules so that outbound traffic anomalies (i.e., loads of PII leaking out of the web server) could be stopped rapidly, using my favorite method of information security, discussed by Winn Schwartau in his book of the same title, “Time Based Security”. It’s not about if you will get breached, it’s about when. The key is to be faster than the exploiter: make the time it takes to steal the data longer than the time it takes to detect the theft and react to it (in Schwartau’s terms, protection time must exceed detection time plus reaction time). This is so simple and obvious, yet it is rarely implemented at the web server or firewall.
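As an added example of the egress side of that argument (not code from the original post or from Schwartau's book), the block below buckets outbound flow records from a web tier into one-minute windows, alerts when a host's outbound volume jumps well above its own recent baseline, and then applies the Time Based Security arithmetic: the attacker keeps moving data for the whole detection window plus however long the block takes to land. The flow records, host names, addresses and thresholds are all constructed for the illustration.

```python
from collections import defaultdict

WINDOW = 60  # seconds per measurement bucket


def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src_host, dst_ip, bytes_out).

    Fifteen minutes of ordinary web responses from two servers; at t=600
    web01 begins pushing large volumes to a single external address.
    """
    flows = []
    for t in range(0, 900, 5):
        for host in ("web01", "web02"):
            # ~40 KB every 5 s per host, spread across ordinary client addresses
            flows.append((t, host, f"198.51.100.{(t // 5) % 20 + 1}", 40_000))
    for t in range(600, 900, 5):
        # exfiltration: 4 MB every 5 s from web01 to one destination
        flows.append((t, "web01", "203.0.113.7", 4_000_000))
    return flows


def egress_alerts(flows, window=WINDOW, history=5, factor=5.0):
    """Flag any (host, window) whose outbound bytes exceed `factor` times the
    peak of the last `history` clean windows for that host.

    Windows that alert are not fed back into the baseline; otherwise a
    sustained exfiltration would become the new normal after one window.
    Returns alerts in (host, window_start) order.
    """
    totals = defaultdict(int)                         # (host, w) -> bytes
    per_dst = defaultdict(lambda: defaultdict(int))   # (host, w) -> dst -> bytes
    for t, host, dst, nbytes in flows:
        key = (host, (t // window) * window)
        totals[key] += nbytes
        per_dst[key][dst] += nbytes

    alerts = []
    for host in sorted({h for h, _ in totals}):
        clean = []                                    # totals of unflagged windows
        for w in sorted(s for h, s in totals if h == host):
            seen = totals[(host, w)]
            baseline = max(clean[-history:]) if clean else None
            if baseline is not None and seen > factor * baseline:
                dst, dst_bytes = max(per_dst[(host, w)].items(), key=lambda kv: kv[1])
                alerts.append({"window_start": w, "host": host, "bytes": seen,
                               "baseline": baseline, "top_dst": dst,
                               "top_dst_bytes": dst_bytes})
            else:
                clean.append(seen)
    return alerts


def exposure_estimate(alert, reaction_seconds, window=WINDOW):
    """Time Based Security arithmetic for one alert.

    Detection cannot fire before the window closes, and the block takes
    `reaction_seconds` more to land, so the attacker keeps the observed
    rate for (window + reaction) seconds. Returns (seconds, bytes exposed).
    """
    rate = alert["top_dst_bytes"] / window
    exposed = window + reaction_seconds
    return exposed, int(rate * exposed)


if __name__ == "__main__":
    for a in egress_alerts(build_sample_flows()):
        secs, nbytes = exposure_estimate(a, reaction_seconds=30)
        print(f"t={a['window_start']:>4} {a['host']} sent {a['bytes']:,} B "
              f"(baseline {a['baseline']:,}); top dst {a['top_dst']}; "
              f"~{nbytes:,} B out before a {secs}s block lands")
```

Two design choices matter in practice: the baseline is frozen once a window alerts, so a slow, sustained leak cannot train the detector into silence, and the exposure figure makes the trade-off visible, since shrinking the window or automating the block (shorter reaction) is what actually reduces the bytes that get out.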
They could have encrypted the stored PII with strong encryption and sound key management, so that a compromised web server did not hand over readable records. It seems they did not. In addition, while the loss of PII is enormous, their reaction to the problem is very telling and educational on what not to do when you’ve been breached.
Equifax is offering one free year of its credit monitoring service and has set up a new website, http://www.equifaxsecurity2017.com/, which helps you determine if you’ve been affected. Sounds good, right? Well, not really. Here’s why: until pressured, they actually had legalese claiming you were waiving your rights by being in their database or being a customer, including limiting your ability to sue them in the event they caused you harm, like a PII theft! However, pressure from US government officials, http://www.Consumer.gov, cyber security experts, lawyers and the mainstream media has given them a heavy dose of reality, and they are now claiming they will not use this argument specifically in this data breach incident, i.e., you can sue them if you are victimized.
Here are some of the best tips from the Federal Trade Commission’s (FTC’s) consumer web site to deal with the situation if you think you’ve been victimized:
Recovering from Identity Theft
Is someone using your personal information to open accounts, file taxes, or make purchases?
Visit IdentityTheft.gov, the federal government’s one-stop resource to help you report and recover from identity theft.
Data Breach? Lost Info?
Did you get a notice that says a company lost your personal information in a data breach? Did you lose your wallet? Or learn that an online account was hacked? Here are steps you can take to help protect yourself from identity theft.
Protecting Your Identity
What can you do to keep your personal info secure? Are identity protection services worth the cost? What about credit freezes? Check out the FTC’s identity theft articles to find out.
Free Resources for Your Community
You can help people learn about identity theft — whether you’re chatting with friends and family, sharing info on a social networking site, or taking resources to a religious group or PTA meeting. It’s easy to use and share these free resources from the FTC.
- Free Identity Theft Resources
Free booklets — in English and Spanish — can help people in your community protect their identity and recover if an identity thief strikes.
- IdentityTheft.gov Presentation
Use this PowerPoint to show how IdentityTheft.gov makes it easier to report and recover from identity theft.
- IdentityTheft.gov Video
For Law Enforcement
Local police can help identity theft victims by:
- encouraging them to create an Identity Theft Report and get a personal recovery plan at IdentityTheft.gov
- sharing free identity theft resources from the FTC
- taking a police report if asked. Some businesses require a police report to remove fraudulent debts from a victim’s account.
For Attorneys and Advocates
The FTC’s IdentityTheft.gov can assist attorneys who counsel identity theft victims. The site provides victims with a personal recovery plan, walking through each step to take. It also provides pre-filled letters and forms to send to credit bureaus, businesses, and debt collectors.
Many companies keep sensitive information about customers or employees in their files or on their network. The FTC has free data security resources — including free publications, videos, and tutorials — to help businesses of any size protect their customers and meet their legal obligations.
In closing, as you may already know, I’m a strong advocate for STRONG PRIVACY. If businesses and government agencies promoted STRONG PRIVACY and implemented it properly, we would be hearing less and less about breaches and the incredible financial losses that affect all of us. This year alone, I expect the World Bank to tell us at year end that we’ve seen nearly $1 TRILLION in damages and data theft, nearly double last year. This cannot continue at this rate without all of us, globally, feeling the effects. STRONG PRIVACY means STRONG ENCRYPTION, no backdoors, no vulnerabilities that are known or easily exploitable, and believing that PII is the most valuable data on Earth. When organizations start to feel this way, you’ll see better INFOSEC practices that keep out the bad guys more often. Until then, your records are probably for sale on the black market right now, so take precautions.