The Equifax Security Breach Affected 143 Million. Why?

Cyber Crime Data Security

When reading the statements coming from Equifax, there seems to be a lot of information in what they fail to say. It is clear the organization simply does not understand certain cyber security basics. It is also evident that leadership has not fostered, nor do they appear to currently be fostering, a corporate culture of cyber security. The recent breach poses a huge threat to consumers, corporations and retailers alike, especially with the holiday season approaching: the personal data of the 143 million Americans could be used to access profiles that shoppers have created on retail sites. Action must be taken now.

FACT: Every patch management system fails from time to time. This can occur when systems are not added or incorrectly removed from the patch management inventory, or when connectivity was lost partway through the patching process, etc.

Don’t become another data breach statistic. Get our FREE Special Report, Data Security:  Data Loss Prevention Best Practices and Proven Policies to Combat Data Breaches right now!

Blaming any one person, function or process shows a fundamental lack of understanding about cyber security. When it comes to patch management, there needs to be a positive and negative validation process in the form of emails and logs reviewed by someone not responsible for applying patches.

Once it is determined that the patches have been applied, a validation of the effectiveness of the patches needs to occur. Independent security scans need to be performed at the end of the patch cycle to verify the effectiveness. The security scan will answer some of the following questions:

  • Did the patches actually get applied?
  • Did the patches undo a previous workaround or code fix?
  • Did all systems get patched?
  • Are there any new critical or high-risk vulnerabilities that need to be addressed?

It is typical for patches to overwrite workarounds or ‘hot fixes,’ making systems susceptible to older vulnerabilities. It is also common for a system to be missing from the inventory. The assessment needs to include network ranges, not just the host IP address listed in the patch management inventory.

Lastly, the assessment will catch the human-introduced issues, such as keeping the default credentials ‘admin’ ‘admin’ on an external facing/production web application, as demonstrated by the Equifax site in Argentina.

Finally, a properly configured scan engine/security assessment tool (updated daily) will catch and alert the team of new critical or high-risk vulnerabilities discovered since the start of the patch management cycle. The ‘bad guys’ will be scanning for all systems vulnerable to any newly discovered attack vector.

The shorter your patch management cycle is, the smaller your vulnerability window. If it is longer than 30 days, or based on a software development lifecycle (SDL) that can take months or a year for a production patch to be approved, you might want to reconsider. It is better to break an application occasionally rather than compromise security. Pick a press release: “Equifax Application Unavailable for 2 Hours” due to an applied patch or “Equifax Security Breach Affects 143 Million.”

The leadership at Equifax did not foster a corporate culture of cyber security. Everyone should be accountable for their actions. If someone failed to apply a patch, they should be held accountable, as should those responsible for checking the work, those running post-patch security scans and those responsible for the patch management policies and procedures.

If the corporate culture is based on a shared responsibility for success and failure then cyber security programs will be effective. Conversely, if the corporate culture looks for scapegoats for failures and leadership feels they are above or exempt from the data security best practices—then there are gaping holes in network security.

There was probably a failure in risk assessment, change management or business continuity/disaster recovery (BC/DR) programs, etc. but, a poor patch management cycle, coupled with a corporate culture of blame shifting, was likely the most direct path to one of the worst published cyber security breaches in history.

  • Julia Martellie

    Great insights – Interesting and something everyone responsible for update/patch/change management should consider. Thank you!

  • I’m not sure if we should hi-5 or begin the banter on what i agree and disagree with. First let me state this, Im not sure why everyone is up in arms about this breach versus the many many others that have taken place in the last 18 months. Data Brokers have been systematically been breached and slapped on the wrist or babied for years, and there is another data-broker that has lost WAY more important information than what has been defined in the Equifax breach. I digress 🙂

    Either way this was refreshing to read, your perspective is spot on in my opinion. However I am a firm believer that Ultimate Responsibility has a face and name, that carries on to other functions and roles based on the leadership and as you stated Cyber Risk tolerance of the organization. *Full Disclosure* I am a former Business Information Security Office (CISO Delegate) at Experian – I have an intimate understanding of what ACTUALLy happens more times than not. Do not listen to any of the rhetoric mansplained at the Senate investigation–well, not the part that the tools that they leverage could not identify the Apache issue.

    The failure happened at multiple layers of the organization, as with Deloitte, and Experian, and the many others. The real problem is hiding in the penalty or incentive to comply. Rest assured the CISO or one of the InfoSec team follows a relatively mature Change Management process, and have Risk Advisory meetings with Senior Leadership, when this risk was articulated it more than likely came wrapped eloquently in a Hallmark bowtie as not to offend anyone in the meeting. Many failures but what we need is regulatory compliance to jump in a knock the socks off of these organizations. A few million dollar fine to a billion dollar a year company is not going to hurt anything. –If Data Brokerage required a license, and the license were to be revoked due to non-compliance I assure you things would change… Ok Im done:)


Leave a Reply

Enter Your Log In Credentials
This setting should only be used on your home or work computer.


Send this to a friend