When reading the statements coming from Equifax, there seems to be a lot of information in what they fail to say. It is clear the organization simply does not understand certain cyber security basics. It is also evident that leadership has not fostered, nor do they appear to currently be fostering, a corporate culture of cyber security. The recent breach poses a huge threat to consumers, corporations and retailers alike, especially with the holiday season approaching: the personal data of the 143 million affected Americans could be used to access profiles that shoppers have created on retail sites. Action must be taken now.
FACT: Every patch management system fails from time to time. This can occur when systems are not added to, or are incorrectly removed from, the patch management inventory, when connectivity is lost partway through the patching process, and so on.
Blaming any one person, function or process shows a fundamental lack of understanding about cyber security. When it comes to patch management, there needs to be a positive and negative validation process in the form of emails and logs reviewed by someone not responsible for applying patches.
Once it is determined that the patches have been applied, a validation of the effectiveness of the patches needs to occur. Independent security scans need to be performed at the end of the patch cycle to verify the effectiveness. The security scan will answer some of the following questions:
- Did the patches actually get applied?
- Did the patches undo a previous workaround or code fix?
- Did all systems get patched?
- Are there any new critical or high-risk vulnerabilities that need to be addressed?
It is typical for patches to overwrite workarounds or ‘hot fixes,’ making systems susceptible to older vulnerabilities. It is also common for a system to be missing from the inventory. The assessment needs to include network ranges, not just the host IP address listed in the patch management inventory.
The assessment will also catch human-introduced issues, such as leaving the default credentials ‘admin’/‘admin’ on an external-facing production web application, as demonstrated by the Equifax site in Argentina.
Finally, a properly configured scan engine/security assessment tool (updated daily) will catch and alert the team of new critical or high-risk vulnerabilities discovered since the start of the patch management cycle. The ‘bad guys’ will be scanning for all systems vulnerable to any newly discovered attack vector.
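The post-patch reconciliation described above, as an added example that is not part of the original article: it takes the patch system's inventory and log, the list of manual workarounds that must survive patching, and an independent scan of the whole network range, and groups what it finds under the four validation questions (patches not applied, workarounds overwritten, hosts missing from inventory, new critical or high findings). All hosts, patch IDs and finding IDs are constructed placeholders.

```python
"""Post-patch reconciliation (added example, not from the article). Checks the
four validation questions above against an independent scan. All hosts, patch
IDs and finding IDs are constructed placeholders."""
import ipaddress

# Constructed sample data: what the patch system believes, what it logged,
# manual workarounds that must survive patching, and an independent scan.
INVENTORY = {"10.0.1.10": {"P-101", "P-102"}, "10.0.1.11": {"P-101", "P-102"},
             "10.0.1.12": {"P-101"}}
PATCH_LOG = {"10.0.1.10": {"P-101", "P-102"}, "10.0.1.11": {"P-101"},  # .11: lost connectivity
             "10.0.1.12": {"P-101"}}                                    # .12: log claims success
WORKAROUNDS = {"10.0.1.10": {"hotfix-cfg-7"}}
SCAN = {  # the scan walks the whole range, so 10.0.1.13 shows up although not in inventory
    "10.0.1.10": {"missing": set(), "mitigations": set(), "findings": {}},
    "10.0.1.11": {"missing": {"P-102"}, "mitigations": set(), "findings": {"V-A": "high"}},
    "10.0.1.12": {"missing": {"P-101"}, "mitigations": set(), "findings": {"V-NEW": "critical"}},
    "10.0.1.13": {"missing": {"P-101"}, "mitigations": set(), "findings": {"DEFAULT-CREDS": "critical"}},
}
KNOWN_AT_START = {"V-A"}          # findings already known when the cycle began
RANGES = ["10.0.1.0/24"]          # assessed network ranges, not just inventory hosts

def reconcile(inventory, patch_log, workarounds, scan, known, ranges):
    """Group findings by the four questions a post-patch scan must answer."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    rep = {"not_applied": [], "regressed": [], "unmanaged": [], "new_critical": []}
    for host, expected in inventory.items():
        seen = scan.get(host, {})
        # Q1: negative validation from the log, cross-checked against scan evidence
        log_missing = expected - patch_log.get(host, set())
        scan_missing = seen.get("missing", set()) & expected
        for p in sorted(log_missing | scan_missing):
            why = "log reports failure" if p in log_missing else "scan contradicts log"
            rep["not_applied"].append((host, p, why))
        # Q2: did a patch overwrite a workaround or hot fix?
        for w in sorted(workarounds.get(host, set()) - seen.get("mitigations", set())):
            rep["regressed"].append((host, w))
    for host, data in scan.items():
        # Q3: hosts inside the assessed ranges that the inventory does not know about
        if host not in inventory and any(ipaddress.ip_address(host) in n for n in nets):
            rep["unmanaged"].append(host)
        # Q4: critical/high findings that appeared since the cycle started
        for fid, sev in data["findings"].items():
            if sev in ("critical", "high") and fid not in known:
                rep["new_critical"].append((host, fid, sev))
    return rep

if __name__ == "__main__":
    for k, v in reconcile(INVENTORY, PATCH_LOG, WORKAROUNDS, SCAN, KNOWN_AT_START, RANGES).items():
        print(k, v)
```

Note that host 10.0.1.12 is flagged even though the patch log claims success, which is why the scan must be run and reviewed independently of the team that applied the patches.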
The shorter your patch management cycle is, the smaller your vulnerability window. If it is longer than 30 days, or based on a software development lifecycle (SDL) that can take months or a year for a production patch to be approved, you might want to reconsider. It is better to break an application occasionally rather than compromise security. Pick a press release: “Equifax Application Unavailable for 2 Hours” due to an applied patch or “Equifax Security Breach Affects 143 Million.”
The leadership at Equifax did not foster a corporate culture of cyber security. Everyone should be accountable for their actions. If someone failed to apply a patch, they should be held accountable, as should those responsible for checking the work, those running post-patch security scans and those responsible for the patch management policies and procedures.
If the corporate culture is based on a shared responsibility for success and failure, then cyber security programs will be effective. Conversely, if the corporate culture looks for scapegoats for failures and leadership feels they are above or exempt from data security best practices, then there are gaping holes in network security.
There was probably a failure in risk assessment, change management or business continuity/disaster recovery (BC/DR) programs as well, but a poor patch management cycle, coupled with a corporate culture of blame shifting, was likely the most direct path to one of the worst published cyber security breaches in history.