The recent Equifax cyber breach should serve as a reminder to all of us that we live in a very delicate and complex digital ecosystem. Equifax is among the largest credit bureaus in the world. It boasts that it manages data on over 820M consumers for over 91M businesses worldwide. The recent breach impacted over 143M American consumers. That is roughly 45% of the US population.
What is more disturbing is the information that was stolen. It included names, addresses, Social Security Numbers, birth dates, and, for some people, driver's license numbers. That is more than enough to clone an identity and open loans and credit cards in your name.
How did this happen? Reportedly the attackers exploited a known vulnerability, CVE-2017-5638 in Apache Struts, in an Equifax web application to gain access. That flaw lets an unauthenticated remote attacker run commands on the server by sending a crafted Content-Type header that Struts evaluates as an OGNL expression. The Apache Struts project published the fix in early March, nearly two months before the attackers gained access to Equifax. In the aftermath, Equifax's CIO and CISO both left the company.
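Two checks a practitioner would want for the vulnerability named above: does the deployed Struts version fall in the range the Apache advisory (S2-045) lists as affected, and is anyone already sending OGNL-shaped Content-Type headers at the application? The following is an added example written for this page, not code from the original post or from Equifax; the log lines are constructed, and the log format and function names are assumptions. The version ranges are those published in the advisory (affected: 2.3.5 to 2.3.31 and 2.5 to 2.5.10; fixed in 2.3.32 and 2.5.10.1).

```python
import re
from typing import List, Tuple

# Constructed sample request log (NOT real traffic). Assumed format per line:
# "<client_ip> <method> <path> content-type=<header value>".
# The 3rd and 5th lines carry the shape of a CVE-2017-5638 attempt: a Content-Type
# value that is an OGNL expression ("%{...}" / "${...}") rather than a media type.
SAMPLE_LOG = """\
10.0.0.5 POST /upload.action content-type=multipart/form-data; boundary=----abc
10.0.0.6 GET /index.action content-type=
10.0.0.7 POST /index.action content-type=%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}
10.0.0.8 POST /login.action content-type=application/x-www-form-urlencoded
10.0.0.9 POST /index.action content-type=${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']}
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) content-type=(?P<ctype>.*)$"
)

# A legitimate Content-Type is a media type such as "multipart/form-data; ...".
# An OGNL expression opens with "%{" or "${"; no valid media type contains that.
OGNL_MARKER_RE = re.compile(r"[%$]\{")


def is_struts_ognl_attempt(content_type: str) -> bool:
    """True when a Content-Type header value looks like an OGNL expression."""
    return bool(OGNL_MARKER_RE.search(content_type))


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, path, content_type) for every request that looks like
    a CVE-2017-5638 exploitation attempt. Lines that do not match the assumed
    format are skipped rather than raising."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_struts_ognl_attempt(m["ctype"]):
            hits.append((m["ip"], m["path"], m["ctype"]))
    return hits


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison then orders releases."""
    return tuple(int(part) for part in version.split("."))


def struts_vulnerable_to_s2_045(version: str) -> bool:
    """Version check against the affected ranges in Apache advisory S2-045.
    2.3.x is fixed from 2.3.32; 2.5.x is fixed from 2.5.10.1.
    Note (2, 5, 10) < (2, 5, 10, 1), so 2.5.10 is correctly flagged."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < (2, 3, 32)
    if v[:2] == (2, 5):
        return (2, 5) <= v < (2, 5, 10, 1)
    return False


if __name__ == "__main__":
    for ip, path, ctype in scan_log(SAMPLE_LOG):
        print(f"ATTEMPT from {ip} to {path}: {ctype[:60]}...")
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if struts_vulnerable_to_s2_045(ver) else "fixed")
```

The header check is deliberately coarse: flagging any Content-Type that opens an expression catches variants of the published payload without maintaining a list of gadget names, and the false-positive rate is negligible because no RFC media type begins with a brace. The version check is the inventory half of the same question; running it against every deployed Struts jar is how you find out in March, not in September, that a fix is outstanding.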
Sure, a critical patch should be applied faster than two months. But consider what we are asking. Most IT shops of any size run multiple operating systems, multiple database management systems, multiple middleware components, and various applications, all from different vendors, all on different release cycles. Microsoft, for example, has released 872 security patches so far this year. So IT is dealing with hundreds of patches across the board every month. Some of those patches break or degrade other products, so applying a patch is not always a straightforward exercise. It takes coordination and extreme diligence, and it takes triage: an internet-facing remote code execution flaw with a public exploit cannot sit in the same queue as the other hundreds.
But even if your IT group is PERFECT, there are still major risks. Security is everyone's problem. Some of the best-publicized breaches started with phishing. A business user clicks on a suspicious link and "boom", the attackers have access. But what about business users who sign up for technology services without involving their IT organization? In my career I can recall a number of times when sensitive (sometimes very sensitive) information was being pushed to a third-party website by our business with no assurances of the data's safety. I recall one instance of employee data (name, address, SSN) being provided to a very small (fewer than 10 people) group that had almost no security capabilities. IT shut this down and brought the data back in house. The business group that had put the data on that website was HR. Ramifications? None.
I was impacted by the Equifax breach. It upsets me, but I understand what IT shops all over the world are facing. Cyber criminals are often extremely bright people. They are often well funded and have access to amazing amounts of technology. It is an arms race. And to be honest, I am not sure it is one that is winnable without help from other places.