Equifax breach: known holes in the network were left unpatched and open. Are you aware of the holes in your network?
Recently we saw a flurry of “anniversary” stories regarding the Equifax breach.
The breach compromised crucial personal data of more than 147 million people: the Social Security numbers of nearly all of them, plus the names, addresses, birthdates, genders, driver's license numbers and phone numbers of a smaller group that still ran into the dozens of millions.
The breach itself occurred 16 months ago, and Equifax, one of the "big three" credit reporting agencies, discovered it in late July 2017. It just didn't acknowledge it publicly until Sept. 7, 2017.
At the time there were congressional promises to create a national breach notification law governing how and how quickly companies must notify anybody whose personal information is stolen in a breach. That would have overridden the current jumble of state laws on the issue.
But it was mostly theater, which is mostly what committee hearings are. Since then, any legislative initiatives have stalled and there have been no government sanctions on the company or its leaders.
Indeed, Richard Smith, Equifax's CEO at the time of the breach, told committee members that Equifax considers its customers to be banks and other businesses, not the consumers who are required to hand over their PII (personally identifiable information) if they want to get a loan.
And, as has been clear for decades, banks and other businesses tend to have much more sway with government than consumers.
Yes, there have been lawsuits, charges of insider trading against two top executives, and some in top management besides Smith are no longer there. The new chief information security officer, Jamil Farshchi, told Wired magazine in July that the company has invested $200 million on data security infrastructure.
That is a lot of money at one level, but only about 1.4% of the value of a $13.8 billion company.
So what about the world of data security? There are always ongoing tweaks, but Equifax was not a game changer.
Indeed, that breach happened because the company had failed to install a patch that had been available for two months, for a vulnerability in Apache Struts, a popular open source web application framework. A year later, numerous companies have still failed to patch that same bug.
“I’d love to say that Equifax was a turning point in application security,” said Tim Mackey, technical evangelist at Black Duck by Synopsys, “but the 2018 OSSRA (Open Source Security and Risk Analysis) report showed that of the analyzed code bases containing Apache Struts, a third of them still contained a version vulnerable to the same bug that impacted Equifax.
“It’s fair to conclude that a lack of awareness of precisely what’s in a given software application and its ‘stack’ is part of the problem,” he added. “Put another way – you can’t patch what you don’t know you’re running.”
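Mackey's point is an inventory problem before it is a patching problem: you have to find every copy of Struts, resolve what version it actually is, and compare that against the affected range. The script below is an added example, not code from the article, from Shield or from Synopsys. It parses a constructed Maven pom.xml (the sample project, its artifact names and its property value are invented for this illustration), resolves `${...}` property references the way Maven would for a simple case, and flags any org.apache.struts dependency whose version falls in the affected range. The article does not name the bug; the range used here (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1) is that of CVE-2017-5638, the Struts remote code execution flaw patched in March 2017 and exploited at Equifax.

```python
"""Dependency inventory check: find Apache Struts in a Maven pom.xml and
flag versions in a known-affected range. Added example; the sample project
below is constructed and does not correspond to any real code base."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml. Note that struts2-core's version is only
# knowable after resolving the ${struts.version} property.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>loan-portal</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.25</version>
    </dependency>
  </dependencies>
</project>
"""

# Affected ranges for CVE-2017-5638 (the Struts bug exploited at Equifax):
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10, inclusive. Fixed releases
# are 2.3.32 and 2.5.10.1. Swap in another range to audit a different bug.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); non-numeric parts are ignored.
    Tuple comparison then gives the usual numeric ordering, and a shorter
    prefix such as (2, 5) sorts before (2, 5, 0, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(version):
    """Inclusive range check of a version string against AFFECTED_RANGES."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def struts_dependencies(pom_xml):
    """Return [(artifactId, resolved version)] for every org.apache.struts
    dependency declared directly in the pom. Unversioned (parent-managed)
    dependencies are reported as 'UNRESOLVED' so they are not silently skipped."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}

    def resolve(value):
        # Replace ${name} with the matching <properties> entry, if any.
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    found = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "org.apache.struts":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = resolve(dep.findtext("m:version", default="", namespaces=NS).strip())
        found.append((artifact, version or "UNRESOLVED"))
    return found


def audit(pom_xml):
    """Return {artifactId: (version, affected?)} for the Struts components found."""
    return {aid: (ver, is_affected(ver)) for aid, ver in struts_dependencies(pom_xml)}


if __name__ == "__main__":
    for artifact, (version, bad) in audit(SAMPLE_POM).items():
        print(f"{artifact} {version}: {'AFFECTED - patch now' if bad else 'ok'}")
```

On the sample, struts2-core resolves to 2.3.31 and is flagged, while struts2-rest-plugin at 2.5.10.1 is clear. A real inventory has to go further than one pom: transitive dependencies, parent poms, jars copied into WEB-INF/lib by hand and vendor appliances that bundle Struts are exactly the copies that "you don't know you're running".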
Shield has the answer:
24/7 Continuous Network Exploit Detection
Shield-CyBot is the virtual droid you are looking for when it comes to detecting real ways hackers could disrupt your business. Sure, it's also a next-generation vulnerability management tool. Sure, it's the world's first Automated Pen Testing solution. Yes, it continuously maps Attack Path Scenarios so you can focus your time and resources on the critical vulnerabilities that threaten your business.
Please contact us today to arrange a demo of Shield-CyBot and get a free network security assessment.
Plug holes before hackers find them! +1.855.787.7253 | sales@shield4uc.com
This entry is based on the Sep 11, 2018 Forbes article "Equifax Breach: Catastrophic, But No Game Changer Yet" by Taylor Armerding.