
2017 Equifax data breach

  •  Date = The crisis began on March 10, 2017
  •  Location = USA
  •  Parties involved = Chinese state-sponsored hackers (four Chinese military officers were also charged)
  •  Effect =

A data breach that revealed the personal information of 147 million people.

Their names, addresses, dates of birth, Social Security numbers, and driver's license numbers were exposed. A small subset of records, about 200,000 in all, also included credit card numbers; this group likely consists of people who had paid Equifax directly to view their own credit report.

(The company entered into a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. It includes up to $425 million to help people affected by the breach.)


  • How it happened = 

The company was initially breached through a consumer complaint portal. The attacker exploited a well-known vulnerability that should have been patched but was not, because of a failure in Equifax's internal processes.

From the web portal the attackers were able to move on to other servers because the systems were not sufficiently segmented from one another, and they found usernames and passwords stored in plain text, which let them reach still more systems.

Because Equifax had failed to renew the encryption certificate on one of its internal security tools, the attackers were able to extract data from the network in encrypted form for several months without being detected.

Equifax did not announce the breach until more than a month after it was discovered. During that period, stock sales by executives triggered allegations of insider trading.

To understand how all these crises intersect, let's take a look at how these events unfold.


  • How did Equifax handle the incident =

End users are generally considered the main vector for cyberattacks. Cybersecurity experts often recommend active user training and awareness, and adult-oriented training programs, as methods to prevent phishing attacks and identity theft (Jensen, Dinger, Wright, and Thatcher, 2017; Thomas J. E., 2018; Thomas and Hornsey, 2014). In this case, however, the most important contributing factor seems to have been the system management program. Specifically, the Equifax IT team did not apply the patch when it was released. Even when prompted by multiple sources, including the Department of Homeland Security and the software vendor, the IT department failed to apply the patch that eliminated the vulnerability (Marinos & Clements, 2018). The Equifax security team did run a scan to check whether the vulnerability was present in its systems (Marinos & Clements, 2018), but reports indicate that the scan did not detect the Apache Struts vulnerability CVE-2017-5638. This points to another potential IT system management issue. One possibility is that the scanning software was not properly updated and patched, so that its vulnerability list did not contain the information needed to detect this flaw. Given that the vulnerability did exist, another possibility is that the scanning software itself was faulty or corrupted. The author believes, however, that it is more likely that the scanner had simply not been updated and so could not detect the vulnerability.

Equifax's IT and security teams also appear to have been negligent. A scan was performed to see whether the vulnerability existed, and specific instructions to apply the patch had been issued many times, yet apparently no patch was applied. Why didn't the team simply check the server and verify that the patch was installed? Generally speaking, this is a simple process that immediately shows whether a patch has been applied. From an ethical, legal, and management point of view, Equifax has a fiduciary duty to notify affected consumers that their information has been leaked and to try to remedy the situation. Equifax's handling of the incident, both before and after it occurred, can only be described as inadequate. As noted above, Equifax's lack of due diligence in patch management and its slow response to instructions to patch a known vulnerability are the specific reasons this attack succeeded. Since then, the company's conduct has not been consistent with promptly providing information about the attack or resolving the problem effectively.
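One way to do the check the text asks for, as an added example (not code from the original post or from Equifax): walk the deployment directories for struts2-core jars and compare each version against the first fixed release of its branch, 2.3.32 and 2.5.10.1 per the Apache S2-045 advisory for CVE-2017-5638. The directory tree is constructed for the demo; the jar naming convention is the standard Struts 2 one.

```python
import os
import re
import tempfile

# Struts 2 ships its core in a jar named struts2-core-<version>.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")
# First fixed release per branch for CVE-2017-5638 (Apache S2-045 advisory).
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True if this struts2-core version predates the S2-045 fix."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branches older than 2.3 are unsupported and still need attention;
        # anything newer than 2.5 postdates the fix.
        return version < (2, 3)
    return version < fixed


def audit_webapps(roots):
    """Walk the given deployment roots and return {jar_path: vulnerable?}.
    An empty result means no Struts 2 jar was found at all, which should be
    reported rather than silently read as 'patched'."""
    findings = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                m = JAR_RE.match(name)
                if m:
                    path = os.path.join(dirpath, name)
                    findings[path] = is_vulnerable(parse_version(m.group(1)))
    return findings


def demo():
    """Constructed tree: one app still on a vulnerable release, one patched."""
    base = tempfile.mkdtemp()
    for app, ver in (("portal", "2.3.31"), ("intranet", "2.5.10.1")):
        lib = os.path.join(base, app, "WEB-INF", "lib")
        os.makedirs(lib)
        open(os.path.join(lib, f"struts2-core-{ver}.jar"), "w").close()
    return audit_webapps([base])


if __name__ == "__main__":
    for path, vuln in demo().items():
        print("VULNERABLE" if vuln else "ok        ", path)
```

The same walk run from a scheduled job, with a non-empty result treated as a failed control, is the "check the patch on the server" step the text says was missing.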

The company tried to limit consumers' ability to seek legal remedies and damages (Marinos & Clements, 2018). Before the breach was publicly disclosed, three executives sold approximately $1.8 million in company stock (Melin, 2017), presumably to avoid losing value on those large holdings. These actions suggest that the response of Equifax and its executive team may have been driven by profit motives. Executive incentives are generally regarded as motivating executives to make decisions that protect personal bonuses and the company's share price rather than the interests of customers or other stakeholders (Thomas J. E., 2017).


  • What are the lessons learned from the Equifax breach =

Get the basics right. No network is invulnerable, but Equifax was breached because it failed to patch a basic vulnerability, despite having procedures in place that were meant to ensure such patches were applied promptly. Huge amounts of data were then exfiltrated unnoticed because someone neglected to renew a security certificate. Equifax had spent millions on security gear, but it was poorly implemented and managed.

Silos are defensible. Once an attacker gets inside the perimeter, they can move from one machine to another and from one database to another. Had they been confined to a single machine, the loss would have been far smaller.

Data governance is key—especially when data is your business. Equifax's databases could have been far stingier about giving up their contents. For example, users should only be able to access database content on a "need to know" basis; granting broad access to any "trusted" user means that an attacker who compromises one of those accounts can run wild. The system also needs to watch for unusual behavior: the attackers ran as many as 9,000 database queries in quick succession, which should have been a red flag.
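The query-rate red flag above, as an added example (not from the original post): a per-account sliding-window counter over constructed database audit log lines that flags any account whose query count within the window exceeds a threshold. The log layout, the 60-second window and the threshold of 5 are assumptions chosen for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log layout (lines constructed for this demo):
#   "<ISO-8601 timestamp> <db_user> <statement>"
SAMPLE_LOG = """\
2017-05-13T10:00:00 app_svc SELECT name FROM consumers WHERE id = 1
2017-05-13T10:00:30 app_svc SELECT name FROM consumers WHERE id = 2
2017-05-13T10:01:00 app_svc SELECT name FROM consumers WHERE id = 3
2017-05-13T10:01:30 app_svc SELECT name FROM consumers WHERE id = 4
2017-05-13T10:02:00 rpt_user SELECT * FROM consumers WHERE state = 'AL'
2017-05-13T10:02:01 rpt_user SELECT * FROM consumers WHERE state = 'AK'
2017-05-13T10:02:02 rpt_user SELECT * FROM consumers WHERE state = 'AZ'
2017-05-13T10:02:03 rpt_user SELECT * FROM consumers WHERE state = 'AR'
2017-05-13T10:02:04 rpt_user SELECT * FROM consumers WHERE state = 'CA'
2017-05-13T10:02:05 rpt_user SELECT * FROM consumers WHERE state = 'CO'
2017-05-13T10:02:06 rpt_user SELECT * FROM consumers WHERE state = 'CT'
2017-05-13T10:02:07 rpt_user SELECT * FROM consumers WHERE state = 'DE'
2017-05-13T10:02:30 app_svc SELECT name FROM consumers WHERE id = 5
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed max queries per window per account


def parse_line(line):
    ts, user, stmt = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, stmt


def burst_alerts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (peak_count, first_alert_ts)} for every account whose
    query count inside any sliding window exceeded the threshold.
    Timestamps older than the window are dropped per account, so a steady
    low-rate service account never trips the alert while a burst does."""
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _ = parse_line(line)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peak, first = alerts.get(user, (0, ts))
            alerts[user] = (max(peak, len(q)), first)
    return alerts
```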



