The Whole Story? Understanding the Causes of the Equifax Hack, Part 1

You likely know most of the details about the Equifax cyberattack. On Thursday, September 7, Equifax announced that an attack on its Apache Struts implementations had resulted in a compromise of the personally identifiable information of possibly 143 million people.

As bad as that is, Equifax also revealed that it discovered the compromise on July 29, but only reported it to the world on September 7. Plus, the security world knew about a patch for this back in March. The hysteria has begun.

In my mind, this is about as bad as a hack can get. We’re talking about U.S. Social Security numbers, driver’s license numbers and so forth. With this hack, we’re not just talking about millions of usernames, as with the Yahoo attack or even millions of credit card numbers, as with the Staples hack. It’s even worse than the Office of Personnel Management (OPM) hack, where 21 million Social Security numbers were compromised.

We’re talking about core services, here. Your identity. Your financial identity, including your credit history and your ability to apply for mortgages and any other financial services. Potential attackers now have enough information to steal the identities of millions. This is a hack on the foundational building blocks of our society: individual identity and the ability to get credit.

But let’s step back a bit from the hysteria. After all, I think a lot of the information we get concerning hacks – factual or not – tends to omit the more important underlying stories, or narratives, concerning cybersecurity.

The Cybersecurity Narrative

I’ve become convinced that each major hack arrives with its own narrative that helps push the security industry along in one way or another. When Target got hacked, the narrative had at least three parts:

1. Security pros can’t simply install security information and event management (SIEM) and intrusion detection tools and use the default settings.
   
   
2. Increasingly, hacks create long-lasting damage. Target ended up revealing more than company-specific usernames and passwords. People’s credit cards became available on the dark web.
   
   
3. If you’re a major industry player, you’d better have a very, very good plan for when you get hacked.

So far, the narrative in the Equifax attack seems to have, at least, the following elements.

1. Respond Correctly: As bad as the Target hack was, at least they responded to the issue pretty well. Very well, actually. But the Equifax response thus far has been abysmal, at best. It’s so bad that the U.S. Justice Department is getting into the act, investigating that not only did Equifax executives keep the compromise from victims for more than a month, but they may have dumped much of their Equifax stock only days after the company learned about the breach. I’m sure carefully selected lawyers will explain that this is all a misunderstanding. Whatever.
   
   
2. Create a Response Team: At the risk of being redundant, prepare a good Computer Security Incident Response Team (CSIRT). A properly trained, properly funded CSIRT could have handled this incident far more professionally. The real story involves how a company could wait more than a month to report an incident. I addressed CSRIT metrics in a recent presentation.
   
   
3. Properly Train Your Individuals: It’s not enough to prepare a response. Everyone from management to IT pros needs to be trained and qualified to do their work.
   
   
4. Get Control Over the Software Development Lifecycle: It seems that companies worldwide still have major problems governing the code they use and create.
   
   
5. Create a Framework: Dozens of security frameworks and approaches exist. NIST, COBIT, CMMI, TOGAF, ISO/IEC. The list goes on. A friend of mine who works for a major retailer told me, though, that it’s vital to create your own framework that fits your own company. I think that this lesson will be learned and re-learned over time.
   
   
6. Create Cybersecurity Metrics to Prove Return on Investment (ROI): I’m sure we’ll learn that the Equifax security team had all sorts of resources. Then folks will discuss how the Equifax cybersecurity team didn’t use the resources correctly. But it’s not useful to blame anyone. The issue is that the IT security profession still hasn’t figured out how to create and apply meaningful metrics that help them pivot resources to address the most pressing issues. If you can’t determine the right framework, then you don’t have the right metrics. And if you don’t have the right metrics, you simply can’t argue where to best apply limited funds. It’s that simple. It’s vital for industry leaders to determine these metrics. Right now, software vendors and policy wonks are creating standards. But standards and metrics need to be custom created by industry bodies, not by software vendors.

What About the Patch?

I’m not going to list “Patch your servers” as element number 7. Why? Because it’s a cheap shot. I understand, in some ways, why the Apache Struts problem wasn’t patched quickly. But more on that next time….

If I had to choose one major story element, here, I’d choose the fact that cybersecurity professionals still aren’t able to create proper metrics and ROI. That’s a major root cause for our continuing cybersecurity problems. Until we get that right, our security problems will continue to get worse. If you’re interested in helping solve the problem, contact me on Twitter: @jamesstanger. I’ll be happy to talk about how we’re working with the industry to help.

Get the skills you need to identify and analyze vulnerabilities with CompTIA Cybersecurity Analyst (CSA+).