When we see a car wreck it’s easy to slow down and gawk. The first thing we think is ‘Wow, that’s awful,’ quickly followed by ‘Whew… glad that wasn’t me,’ and then we drive on. Most of us don’t spend time thinking about how the wreck happened — we were just glad it wasn’t us.
A similar sentiment works in cyber security. But instead of focusing on the wreck, the rest of us responsible and accountable for information security must learn and adapt from every attack. So what can we learn from Equifax?
1.Assume you are already hacked. At all times. If we build your operations and defence with this premise in mind, our chances of detecting these types of attack and preventing the breach are much greater than most organisations today.
2. The root cause of the breach was a website vulnerability but the data lived on the endpoint. I don’t have any details on the initial attack other than ‘Equifax discovered that criminals exploited a U.S. website application vulnerability to gain access to certain files,’ but too many times when it comes to data protection we focus too often on the network and not enough on the data.
When we do focus on the data, we focus on malware and not enough on attacks. Attackers will use any and all methods they can (typically the cheapest and fastest) to gain access. We need solutions that provide the full end-to-end picture of an attack.
3. Detection still takes too long. Whether it’s 10 days, 30 days, 60 days or 210 days, the fact remains that is entirely too long for an attacker to be in our systems. We need to better enable defenders to detect and respond. In this particular case, their detection of the breach was shorter than most; however, the length of time the attackers had access to systems and data left 44 per cent of the population vulnerable to identity theft.
4. Visibility remains the key to detection and prevention. We cannot detect what we can’t see. It’s that simple. We need the right data to detect and prevent these types of attacks. Without it, what shot do we have? If you don’t have it, go get it. Remember, we are operating as if we are already breached. We wouldn’t walk around the house at night without turning on the lights or a flashlight if we thought there was an intruder.
5. We are all in this together. Data is linked. One breach can be leveraged for the next or the next. Think of how this data or the data from the OPM breach can be leveraged for intelligence purposes or cyber crime? We rely (unfortunately) on a social security number to prove who we are. Most people now know that and take protecting it semi seriously. What happens when the guardians of this data lapse? Maybe sharing a lesson from another team would have helped…maybe it wouldn’t have, but we have to talk about this as a community. We really have to take the lessons learned seriously and drive change in our own programs.
6. It does not matter how big you are, or the resources your team can access. I am assuming Equifax has a larger information security budget than most organisations. As defenders, we always think, ‘If I only had enough money or people I could solve this problem.’ We need to change our thinking. It’s not how much we spend but rather, is that spend an effective use? Does it allow our team to disrupt attacks or just wait to be alerted (maybe)?
7. Encryption is our friend. These efforts are never easy to start and the projects take time, but stick it out — the benefits far outweigh the risks.
8. Web application security is still a thing. Markets move and focus shifts over time, but WAF’s and dynamic testing are still valuable tools. OWASP groups meet all the time. Check out www.owasp.org for lots of useful information and code.
9. Visibility is more crucial than ever. Did I say visibility twice? Because it’s that important.