Equifax accused of 34 control and process failures in official report into 2017 data breach
Equifax accusing of failing to implement "adequate security" by US Congressional committee
Equifax, the credit rating agency at the centre of one of the world's biggest data breaches, has been accused of failing to implement "adequate security" to protect its data in the official US government report into the breach.
The report by the US House of Representatives Committee on Oversight and Government Reform claimed that the data breach "was entirely preventable" and accused the company of failing to fully patch its systems.
Equifax failed to fully appreciate and mitigate its cybersecurity risks
Furthermore, the report confirms, Equifax security staff failed to notice the exfiltration of data because the device used to monitor network traffic had been inactive for 19 months due to an expired security certificate.
It was only when the security certificate was finally updated that suspicious traffic from the company's Automated Consumer Interview System (ACIS) to an IP address originating in China was noticed.
"Equifax noticed additional suspicious traffic from a second IP address owned by a German ISP, but leased to a Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for emergency maintenance. The cyberattack concluded when ACIS was taken offline," the report states (PDF).
Lack of leadership and accountability allowed processes to fail, tools to fall into disrepair and policies disregarded
CIO David Webb notified CEO Richard Smith on 31 July of the attack, two days after the certificate had been updated, but the public weren't informed until September. Webb and Smith were elbowed out eight days later.
"Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented," the 96-page report concluded.
The initial attack vector had been an unpatched Apache Struts web server, which acted as the front-end to ACIS, a system with a heritage going back to the 1970s.
Commenting on the findings, Adrian Sanabria, vice president of strategy at penetration testing company NopSec, listed all Equifax's various different IT security failures.
"Equifax's Global Threat and Vulnerability Management Team (GTVM) forwarded an alert about Struts to over 400 internal employees (likely a pre-existing distribution list for vulnerability announcements). As many organisations do, Equifax had an internal meeting about this specific vulnerability.
"The email was sent 2 days after this vulnerability went public. The email instructed Struts to be patched within 48 hours [and] the meeting was held a week after the email was sent.
"Already, there is a red flag here. Why hold a meeting about fixing a vulnerability *five days after* everyone was required to fix it? Because you know that no one actually did."
Even so, it took the company more than two months to eventually apply the patch, by which time its systems had already been thoroughly compromised - especially after the attackers had found a 13-year-old file containing user names and passwords, in plain text, for a total of 48 different databases across the company's network.
"Why didn't Equifax notice the exfiltration? Well, honestly, most organisations aren't set up to detect data exfiltration on the wire," continues Sanabria.
"But wait, Equifax WAS set up to detect that sort of activity! Why didn't they? I don't have the words, so I'll just quote directly: ‘Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic.'
"WOW, 19 months. And that's because no one was formally responsible for certificate management internally. In an organization that owned over 17,000 routable IPs. Maybe it was just internal certificate responsibility that got the hot potato treatment?
It wasn't the only expired certificate. At the time of the breach, Equifax had allowed at least 324 of its SSL certificates to expire, the report notes.
"I'm guessing they were doing some SSL inspection, which is why the certificates were so important. I'm going to go out on a limb and say they probably shouldn't have been solely depending on packet inspection," continues Sanabria.
"Even without decrypting traffic, they should have noticed massive amounts of data going to servers in China and Germany from unusual sources that don't normally send large amounts of data to those destinations. Netflow should have been enough, in my opinion.
"Anyway, after fixing the certificates, they IMMEDIATELY noticed the attack, proving they owned the tools to get the job done…
"The underlying conclusion throughout the Equifax breach report is that:
- Staff were AWARE of deficiencies;
- Proper processes, tools and policies existed;
- Lack of leadership and accountability allowed processes to fail, tools to fall into disrepair and policies disregarded."
While Equifax security staff used a scanner to probe its versions of Apache Struts for vulnerabilities, the tool wasn't set-up properly to uncover them, scanning only root directories, anomaly detection was inadequate and security staff failed to test their measures and countermeasures.
"TEST YOUR CONTROLS," advised Sanabria.
"It blows my mind that so many security controls are deployed but never tested…
"In total, I counted 34 control and process failures that contributed to the Equifax breach. Perhaps five or so could have prevented the breach entirely. Many of the remaining 29 could have detected the breach in enough time to stop it."