Why are we still talking about patching? Because Equifax

On 7th September 2017, Equifax, a credit rating company based in Atlanta in the US, announced in a press release that it had suffered a massive data breach impacting 143 million Americans. Former CEO Richard Smith said the hack was his number one worry, and as the story unfolded, the breach came to be marked as the worst data breach in US history.

The data breach included the personal information of half the US population. The information stolen included Social Security numbers, birth dates, addresses and in some cases driver’s license numbers. The wake of the data breach saw the immediate departure of the chief information officer and the chief security officer, followed by the departure of the company's CEO, Richard Smith.

Equifax’s actions prior to disclosure, and its response once the attack was disclosed, left many Americans confused, angry and vulnerable. The irony? The information lost belonged to Americans who had purchased the identification protection service, Watchdog.

In what is a common thread these days, the CEO departs, the CIO departs, the CISO departs, and the share price drops. And even as Richard Smith uttered the words - “We pride ourselves on being a leader in managing and protecting data…” - Equifax had already been massively breached, and executives knew of the hack weeks prior to the disclosure.

Equifax had no immediate comment. Four days after the disclosure, Wall Street traders punished the company, and its shares lost more than a third of their value.

The cost of the Equifax data breach will not be fully known for some time. The cost of the 2013 Target data breach, which affected 40 million US shoppers, neared $300 million US ($389 million AUD). Could Equifax be the first company to near $1 billion in costs due to a data breach?

So, with all this, how did the data breach happen in the first place? According to the company’s press release on the 15th of September 2017, following an extensive internal review by Cyber Security firm Mandiant, the flaw was in a tool designed to build web applications, Apache Struts.

Apache Struts is used by many large businesses and government organisations.

The Apache Struts vulnerability was identified and disclosed by the US-CERT in March 2017. Equifax’s security department "was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems."

In the end, Equifax was slow. Too slow to move, too slow to patch and too slow to respond. 

Many large corporations and government agencies with hundreds and thousands of machines must identify the vulnerability, then implement and test the patch to make sure it doesn't break anything before making it public.

And this takes time. Time the hackers use to their advantage.

How do you protect against the Apache Struts vulnerability? If you haven’t already, you should immediately upgrade (patch) Apache Struts to version 2.5.13: https://struts.apache.org/announce.html#a20170905
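Before you can upgrade, you have to know where Struts is deployed. The following inventory script is an added example, not part of the original article: it walks a directory tree, looks inside WAR and EAR files, and flags every Struts core library older than the 2.5.13 target named above. It assumes the library keeps its default file name (`struts2-core-<version>.jar`); the sample tree in `demo()` is constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_VERSION = (2, 5, 13)  # upgrade target named in the article
# Assumption: the core library keeps its default name, struts2-core-<version>.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVES = {".war", ".ear"}  # scanned one level deep; nested archives are not opened


def struts_version(name):
    """Return the version tuple if name is a struts2-core jar, else None."""
    m = JAR_RE.search(name.replace("\\", "/"))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan(root):
    """Return sorted (location, version, needs_upgrade) for each struts2-core jar."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        names = [(str(path), path.name)]
        if path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                names = [(f"{path}!{n}", n) for n in zf.namelist()]
        for location, name in names:
            version = struts_version(name)
            if version is not None:
                findings.append((location, version, version < MIN_VERSION))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree: one patched jar on disk, one old jar in a WAR."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app1" / "lib").mkdir(parents=True)
        (root / "app1" / "lib" / "struts2-core-2.5.13.jar").touch()
        with zipfile.ZipFile(root / "legacy.war", "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
        return [(Path(loc.split("!")[0]).name, ver, old) for loc, ver, old in scan(root)]


if __name__ == "__main__":
    for where, version, old in demo():
        print(where, ".".join(map(str, version)), "UPGRADE" if old else "ok")
```

A renamed or repackaged jar will not match the file name pattern, so treat a clean result as a starting point for the inventory rather than proof that Struts is absent.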

And while patching is difficult, slow and tedious, patching is ranked number 2 on the Australian Signals Directorate (ASD) Top 4 Mitigation Strategies. The Top 4 strategies (application whitelisting, patching systems, restricting administrative privileges and creating a defence-in-depth system) will go a long way towards helping you protect your ICT systems. https://www.asd.gov.au/publications/protect/top_4_mitigations.htm

As a Dragonfly Insight Subscriber, you would have received our Bulletin on Apache Struts. Be sure to flag our Insight newsletter as “not junk” to receive these alerts.

If we have learned anything from this latest breach, it is this: patch your applications and systems in a timely manner.