The year was 2017. News about the Equifax data breach dominated the headlines. In the aftermath, the postmortem analysis zeroed in on a few critical issues that ultimately contributed to the breach, namely out-of-date, vulnerable code. When a cybersecurity incident like this occurs, it's easy to blame it on negligence, but the root cause is often more complex and revealing.
As the custodian of data belonging to millions of individuals, Equifax poured significant investment into its cybersecurity strategy. So, what happened, and why were these vulnerabilities not addressed?
Answering this question requires delving deeper into the ownership and management of the diverse systems and applications that comprise modern IT ecosystems. Digging deeper, the underlying reasons why an organization like Equifax might end up leaving operating assets running vulnerable code becomes clearer. Let's take a look at the 2017 Equifax security incident and analyze how a lack of IT asset ownership ultimately contributed to one of the worst data breaches of all time.
The Equifax breach: a recap #
The 2017 Equifax breach exposed personal information belonging to 147 million Americans, or almost half the country's population. Equifax collects consumer data, analyzes the data to create credit scores and reports, and ultimately, sells those reports to third parties. The typical third parties interested in buying this data include auto loan companies, mortgage lenders, and credit card companies.
Six months before the breach was disclosed, IT and security departments were alerted about a critical security vulnerability in Apache Struts, which is an open-source framework that organizations use to create Java web applications. Industry analysis at the time estimated up to 65 percent of enterprises were potentially exposed to this vulnerability. The vulnerability (CVE-2017-5638) allowed for remote code execution (RCE), which would allow a malicious threat actor to trivially insert commands into web applications running the vulnerable framework to exploit it. As a result, the attacker could control the underlying operating system. At the time, Equifax used Struts to run web applications on multiple legacy systems.
A few days after it was disclosed, the Apache Software Foundation released a critical security patch for CVE-2017-5638. Equifax's vulnerability management team sent emails to over 400 people, instructing anyone who had Apache Struts running on their system to apply the patch within 48 hours. Despite taking action, there were gaps in the response to this vulnerability at the agency. Equifax did not apply the patch to an internet-facing consumer dispute portal, and opportunistic threat actors easily found their opening. The web portal had been around since the 1970s, and yet, it somehow slipped under the radar.
After discovering the vulnerable systems, hackers conducted an attack on Equifax in May 2017 that lasted 76 days. Further security flaws in the form of unencrypted (plaintext) credentials facilitated lateral movement to over 48 databases. Sensitive data access and exfiltration of personally identifiable information (PII) ensued. In fact, the intruders were only stopped in their tracks after an inactive network traffic monitoring device had its security certificate updated and became active again. This device identified suspicious traffic and flagged data exfiltration. The optics for Equifax worsened when the agency waited 40 days from the time it found out about the breach to the time of public disclosure.
Getting to the root cause: a lack of IT asset inventory and ownership #
No matter how you look at it, there were a series of missteps that pervaded the Equifax data breach. Two years prior to the data breach, major issues with patch management were flagged during an internal audit. A key finding from the audit highlighted that Equifax lacked adequate cyber asset management practices, including a comprehensive IT asset inventory. As a result, when CVE-2017-5638 was announced, Equifax lacked the ability to quickly determine if, and where, Apache Struts was being used on their network.
To stay on top of security advisories, organizations need to be able to review their asset inventory to immediately identify systems that may be affected by a vulnerability. By taking this approach, organizations can take action while waiting for vulnerability checks and patches to become available. This step will help organizations assess the potential impact and start tracking down the right people to update affected systems. However, this is easier said than done: asset inventory is usually stored across several data sources, such as vulnerability scanners, CMDBs, device logs, and even spreadsheets, and asset ownership data isn't always tracked in those systems.
Based on post-analysis of the data breach, it was clear that Equifax struggled with cyber asset management: asset inventories weren’t maintained and lacked proper asset ownership tracking.
Clear IT asset ownership is key #
IT asset ownership is challenging – especially for enterprise organizations. Systems are frequently spun up for testing and development, but quickly abandoned as priorities change and people leave. Without clear owners maintaining them, these systems quickly become outdated and ripe targets for attackers. One of the most obvious examples is ACIS (Automated Consumer Interview System), the critical internet-facing system that Equifax struggled to scan and patch.
Additionally, the lack of IT asset ownership hampered Equifax's ability to detect and respond to the breach efficiently. The company used a special device known as an SSL Visibility (SSLV) appliance to monitor encrypted traffic, but this device was left non-operational for over 19 months after its security certificate expired. Equifax did not have a formal certificate management process with defined owners and associated responsibilities. If the agency had defined who was in charge of SSL certificate maintenance, the SSLV's security certificate wouldn't have been offline during the incident. The agency could've then flagged suspicious encrypted traffic flowing out of the network, containing sensitive data.
Key lessons from the Equifax data breach #
So, aside from making sure you have an effective patch management process in place, what are some key takeaways from the Equifax breach?
- An accurate IT asset inventory is a critical requirement for effective protection against and response to cyber attacks.
- All internet-facing assets that can be reached externally need to be identified and managed.
- All IT assets must have a defined person or team who takes responsibility for maintaining different aspects of its lifecycle, from security to patching. These owners can come from IT, security, or relevant business departments.
- Asset ownership tracking is only possible when you have an updated asset inventory that reflects changing roles and responsibilities.
When looking for a cyber asset management solution, keep your eyes out for the ability to assign owners to assets in a scalable and repeatable way. With runZero’s advanced active scanning technology, you can discover all your network-connected assets, as well as build a complete and accurate IT asset inventory. Combined with integrations for CMDB, VM, EDR, and cloud solutions, security teams can zero in on managed and unmanaged assets and find gaps in coverage. Do you know who all your asset owners are?
