By Patrick Vernon, freelance writer.
Equifax boasted of holding thousands of times more data than the Library of Congress. The “entirely preventable” Equifax data breach showed that the company did not know how to protect that data.
The breach is usually blamed on Equifax failing to apply a patch to a vulnerable Apache Struts web application, which let an attacker into the company’s internal systems. That may not be the whole story. The patch clearly was not in place on the exploited server, but the reason may not have been simple negligence. The unpatched Struts vulnerability was a major contributor to the breach, yet the focus on it draws attention away from Equifax’s other failures to secure the sensitive data of the consumers whose records it held.
The Equifax Breach
One of the most infamous and wide-reaching data breaches in history, the Equifax breach began with a single unpatched vulnerability. The breach occurred in 2017 and exploited a flaw in Apache Struts, an open source framework for building Java web applications that is used by a large number of organizations (Struts is not itself a web server; it runs inside one).
In March 2017 a remotely exploitable vulnerability (CVE-2017-5638) was disclosed in the framework, and the Struts developers issued a fixed release and publicized both the flaw and the need to upgrade. Since the vulnerability was being actively exploited, the Department of Homeland Security’s US-CERT issued an alert urging organizations to apply the fix immediately. About two months after the patch and the alert, an attacker used the Struts vulnerability to get into an Equifax web application. The flaw gave the attacker remote command execution on the server; from that foothold they found a file containing unencrypted database credentials, which they used to query other Equifax databases and pull the data out.
Because of a series of security failures, Equifax did not detect the roughly 9,000 database queries the attacker ran, 265 of which returned personal data. As a result, the personal data of about 148 million consumers was exposed. The breach was called “entirely preventable” because it was enabled by Equifax’s failure to implement a number of basic protections. The attacker took advantage of a long chain of shortcomings to gain and keep access to Equifax systems for more than two months and to steal consumer data. But the attack began with that unpatched Apache Struts vulnerability.
The Other Side of the Story
The scope of the Equifax breach brought intense scrutiny of the company’s security. That the Struts vulnerability remained unpatched despite the DHS warning that it was being actively exploited led to Equifax being widely censured.
But did Equifax really just ignore the DHS guidance on the Struts vulnerability? An interview with Graeme Payne, the former Equifax CIO blamed for the breach, raises the possibility that the company genuinely believed the vulnerability had been patched. According to Payne, Equifax’s security team applied the fix for the Struts vulnerability to the company’s servers. Afterwards the team scanned the servers for vulnerabilities, and the scan came back clean, which they took as confirmation that the patch had been applied successfully.
The breach itself shows that the scan was wrong: a patched Struts instance would not have let an attacker in. Further discussion suggests the problem lay in how the scan was performed. Vulnerability scans can be unauthenticated (the scanner probes the target from outside without credentials, so it sees only what an anonymous user sees) or authenticated (the scanner logs in, so it can reach protected functionality or, for a host scan, inventory the software actually installed). Depending on the mode and the scanner used, the result can be a very different picture of the organization’s exposure. An unauthenticated scan that never reaches the vulnerable endpoint reports nothing, and that silence is easy to mistake for a clean bill of health.
Identifying all of the vulnerabilities in an organization’s web presence may require scans with different settings and possibly different scanners, and a patch should be verified positively, by checking the version actually deployed, rather than inferred from a scanner reporting no findings. Since many organizations lack the resources to do this, unpatched vulnerabilities, or ones where the patch was applied to the wrong place or did not take, like the Struts vulnerability at Equifax, can persist undetected and leave the organization open to attack.
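The host-side check described above, as an added example (not Equifax’s or Apache’s code): with credentials on the server, a scan can walk the application server’s deployment directories, find every copy of struts2-core, including copies still bundled inside .war archives, and compare each version against the fixed releases for CVE-2017-5638 (2.3.32 and 2.5.10.1). An unauthenticated scan probing over HTTP cannot see any of this. The directory layout, file names and the demo tree are constructed for the example.

```python
"""Authenticated patch verification for Apache Struts 2 (CVE-2017-5638).

Added example, not code from the article or from Equifax/Apache. Walks a
deployment root, reports every struts2-core jar found (loose or inside a
.war) and flags versions in the affected ranges. The demo tree below is
constructed; on a real host point audit() at the servlet container's
webapps directory.
"""
import os
import re
import tempfile
import zipfile

STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.3.31' -> (2, 3, 31); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """Affected by CVE-2017-5638: 2.3.5 - 2.3.31 and 2.5 - 2.5.10."""
    v = parse_version(version)
    if (2, 3, 5) <= v < (2, 3, 32):
        return True
    if (2, 5) <= v < (2, 5, 10, 1):
        return True
    return False


def find_struts_jars(root):
    """Return [(location, version)] for every struts2-core jar under root.

    Looks at loose jars in exploded webapps and inside .war archives, so a
    stale copy sitting in an archive that was never redeployed is found too.
    """
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            match = STRUTS_JAR.search(name)
            if match:
                found.append((path, match.group(1)))
            elif name.endswith(".war") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as war:
                    for member in war.namelist():
                        match = STRUTS_JAR.search(member)
                        if match:
                            found.append((path + "!" + member, match.group(1)))
    return found


def audit(root):
    """Return the vulnerable (location, version) pairs; an empty list means clean."""
    return [(loc, ver) for loc, ver in find_struts_jars(root) if is_vulnerable(ver)]


def build_demo_tree():
    """Constructed layout: one patched webapp and one WAR that was missed."""
    root = tempfile.mkdtemp(prefix="struts-audit-")
    patched_lib = os.path.join(root, "webapps", "portal", "WEB-INF", "lib")
    os.makedirs(patched_lib)
    # The instance the team patched: fixed release, not vulnerable.
    open(os.path.join(patched_lib, "struts2-core-2.3.32.jar"), "wb").close()
    # A second deployment still carrying the vulnerable version inside its archive.
    with zipfile.ZipFile(os.path.join(root, "webapps", "dispute.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for location, version in audit(demo_root):
        print(f"VULNERABLE struts2-core {version} at {location}")
```

The point of the example is the positive check: it reports what is deployed and where, so a second copy of the framework does not get hidden behind a clean report for the first. A web scanner that only sends requests to the site cannot tell the two deployments apart unless it happens to exercise the vulnerable one.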
The Importance of Strong Data Security
In the case of Equifax, the mistake that turned an intrusion into a massive data breach was the failure to monitor and protect sensitive data. The device that inspected encrypted traffic to and from the vulnerable web server had a certificate that had expired more than a year earlier, so that traffic went uninspected for the duration of the attack. Combined with a lack of visibility into the roughly 9,000 database queries and the 265 that returned personal data, this is what allowed the data to leave.
Scanning for and patching vulnerabilities matters, but the damage in a breach like this one comes from what the attacker does after getting in: finding credentials, reaching databases and pulling data out. That Equifax’s scanner failed to detect the unpatched Struts vulnerability is concerning; the absence of strong data security controls is worse. The ability to identify and alert on suspicious access to sensitive data, such as an application account querying databases it never normally touches or returning far more rows than usual, could have stopped the Equifax attacker, and many other breaches, in their tracks.
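The kind of alerting described above, as an added example that is not part of the original article and not any vendor’s product: two simple detections run over database audit-log lines, one for an application account reaching a database outside its known baseline, one for a burst of queries or an unusually large number of rows returned within a sliding window. The log format, account names, databases and thresholds are constructed for the demo and deliberately small.

```python
"""Alerting on anomalous access to sensitive databases.

Added example, not code from the article or from Equifax. Runs three
detections over constructed audit-log lines:
  new-database-access : an account touches a database not in its baseline
  bulk-rows           : rows returned to one account in the window exceed a limit
  query-burst         : queries from one account in the window exceed a limit
Format of each line (constructed): ISO timestamp, account, database, rows returned.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline of which account normally reads which database.
BASELINE = {
    ("dispute_app", "consumer_dispute"),
    ("billing_app", "billing"),
}
WINDOW = timedelta(minutes=10)
BURST_LIMIT = 5      # queries per window before alerting (tiny for the demo)
ROWS_LIMIT = 1000    # rows returned per window before alerting

# Constructed audit log: normal traffic, then an account that starts reading
# an unrelated database and pulling far more rows than the application ever does.
SAMPLE_LOG = """\
2017-05-13T01:00:00Z dispute_app consumer_dispute 1
2017-05-13T01:00:05Z billing_app billing 3
2017-05-13T01:02:10Z dispute_app consumer_dispute 1
2017-05-13T02:10:00Z dispute_app hr_records 250
2017-05-13T02:10:01Z dispute_app hr_records 250
2017-05-13T02:10:02Z dispute_app consumer_dispute 400
2017-05-13T02:10:03Z dispute_app consumer_dispute 400
2017-05-13T02:10:04Z dispute_app consumer_dispute 400
2017-05-13T02:10:05Z dispute_app consumer_dispute 400
2017-05-13T02:10:06Z dispute_app consumer_dispute 400
"""


def parse_line(line):
    ts, account, db, rows = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, db, int(rows)


def detect(log_text, baseline=BASELINE, window=WINDOW,
           burst_limit=BURST_LIMIT, rows_limit=ROWS_LIMIT):
    """Return alerts as (timestamp, rule, account, detail), in log order.

    Each rule fires once per account (or account/database pair) so a noisy
    attacker does not flood the analyst with thousands of identical alerts.
    """
    alerts = []
    recent = defaultdict(deque)   # account -> deque of (timestamp, rows) in window
    seen_pairs = set()
    reported_burst = set()
    reported_rows = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, db, rows = parse_line(line)

        # Rule 1: access outside the baseline (new account/database pair).
        if (account, db) not in baseline and (account, db) not in seen_pairs:
            seen_pairs.add((account, db))
            alerts.append((ts, "new-database-access", account, db))

        # Maintain the sliding window for this account.
        q = recent[account]
        q.append((ts, rows))
        while q and ts - q[0][0] > window:
            q.popleft()

        # Rule 2: query burst.
        if len(q) > burst_limit and account not in reported_burst:
            reported_burst.add(account)
            alerts.append((ts, "query-burst", account, f"{len(q)} queries in {window}"))

        # Rule 3: bulk rows returned.
        total_rows = sum(r for _, r in q)
        if total_rows > rows_limit and account not in reported_rows:
            reported_rows.add(account)
            alerts.append((ts, "bulk-rows", account, f"{total_rows} rows in {window}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, account, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<20} {account:<12} {detail}")
```

The baseline rule is the one that would have mattered most in the Equifax case: credentials taken from one application were used against databases that application had no reason to read. The window rules catch the volume, which is what 9,000 queries look like from the database’s side. In production the baseline would be learned from historical logs rather than typed in, and the thresholds set from observed application behaviour, but the structure of the check is the same.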
Patrick Vernon is an experienced freelance writer, specialising in business and finance related content. Patrick has gained experience writing for a variety of magazines and websites, researching the latest money saving tips and offering his advice to the public.