November 3, 2017
Hundreds of millions of financial and personal data records have been stolen in recent corporate and government data loss incidents. Equifax, in the greatest security breach in U.S. history, lost social security numbers, addresses, driver’s license information and such, for more than 143 million Americans.
As with most data loss incidents, there were several things that Equifax might have done to prevent the loss, or at least detect it while it was in progress. But the most fundamental and preventable slip-up was allowing a security flaw (vulnerability) in their network to remain unrepaired, even after their security team had become aware of it. Eventually, it was discovered by an attacker and used to gain access to the valuable data stores.
Specifically, a well-publicized Web application vulnerability on the Equifax network allowed access to certain files. This security issue was known by the company’s security staff and solutions for it existed but were not implemented.
Equifax had two months to prevent its massive data breach but failed to install the fix. A patch for the vulnerability was available in March, but hackers didn’t steal the sensitive information until May. A patch is a piece of software designed to update one part of a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs.
How could this happen? The firm knew the problem existed because it had a tool in place for finding vulnerabilities on its network (vulnerability assessment) and it had been flagged. It also has automated software tools that install new patches across its network (patch management). It is painful that the problem still evaded solution — particularly to the customers and staff who lost their jobs.
If we assume that the security team was competent, that it had these tools and that the tools were in use, then the logical conclusion is that either something is wrong with the tools or there wasn’t enough staffing. Apparently, the enterprise grade firewalls, antivirus programs and IPS/IDS programs they have in place didn’t stop the theft either.
Keeping network components patched is vital. However, it is far tougher than you may think. It is an expensive and a growing problem as the frequency of patch publication by developers increases. We have reached a point where even the resources of the largest corporations, much less our governments, are not keeping up.
A large network runs thousands of applications developed by hundreds of companies, with each developer releasing new patches quarterly or monthly. Microsoft alone releases more than 300 patches a year. A large network will also have tens of thousands of computers, servers, printers, routers, even video cameras, vending machines, etc. – all of them needing updates.
And that is before the coming wave of new components that will soon be added to networks, often referred to as the Internet of Things (IoT): lights, temperature controls and innumerable gadgets, each with its own software and its own vulnerabilities.
Staffing is also an issue. There has never been enough, and each company justifies its staffing level right up to the point that data is stolen — then heads roll. In Equifax’s case, all the way up to the CEO.
Here are the pain points for corporate networks today:
- Tools that can discover security weaknesses are often used on only a limited part of the network. Also, these tools tend to be inaccurate and cry wolf so often that they tend to be ignored. Scanning everything in the network produces so many false reports that staff is overwhelmed.
- Security staffing is always behind the curve. It has been for the past 10 years and will be for the next 20. Thinking of a new field for yourself? Network security! There are few networks in the world that have enough staff to follow up on every problem that inaccurate security testing tools report.
All right, I wouldn’t have spent several hundred words describing how bad it all is, unless I had a solution to offer.
- Use the most accurate testing tools available
  - There will never be enough security staff in place to fix every real finding or debunk every false one reported by inaccurate network testing tools.
  - When Microsoft issues 300 patches, a typical organization needs less than half. Accurate testing should point out just those that are really needed, not simply list all 300 because they are available. Installing everything increases downtime and takes the risk that a new patch might break existing functionality — all of that is quite unnecessary.
- Test everything in the network
  - With accurate testing in place, the range of the testing can be expanded beyond just the crown jewels. The bad guys often get in first through some unimportant server that is running long outdated software.
  - Most networks have accumulated applications and code that are no longer in constant use but are kept around, just in case. If they are not actively tested and patched (or turned off), they can offer an easy avenue of entry to any system.
- Test it frequently
  - Computer networks change constantly. A very complete test done once every two years is worthless two months after it is done, no matter how competent or expensive the consultant.
  - Network scanning frequency can be as often as weekly, and it certainly should be at least monthly.
  - Scanning everything frequently and accurately, and then tackling the most serious vulnerabilities in the most recent report, produces a steady, measurable improvement in security.
- Patch wisely
  - Accurate testing identifies vulnerabilities that actually exist, and only recommends the patches needed to fix them, not a grab bag of everything possible.
  - Patch only what is needed, the things that handle existing security or functionality issues. Don’t throw every patch at everything in the network.
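The "patch wisely" and "only recommend the patches needed" points above can be made concrete with a small script. The following is an added example, not code from the original post or from Beyond Security: it matches a constructed host inventory against a constructed advisory list and returns only the (host, advisory) pairs where the installed version is actually older than the fixed version, ranked by severity. The package names, version numbers, hosts and `ADV-xxxx` identifiers are all made-up placeholders (not real CVEs or products), and versions are assumed to be plain dotted integers.

```python
"""Select only the patches a fleet actually needs, ranked by severity.

Added example, not code from the original post or from Beyond Security.
Hosts, packages, versions and advisory ids below are constructed sample
data; the ADV-xxxx identifiers are placeholders, not real CVEs.
Assumption: versions are dotted integers such as "2.3.31".
"""
from collections import defaultdict
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """'2.3.31' -> (2, 3, 31) so that tuple comparison orders versions numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed_version: str) -> bool:
    """True when the installed version is strictly older than the version that fixes the issue."""
    return parse_version(installed) < parse_version(fixed_version)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE
    package: str
    fixed_version: str
    cvss: float         # 0.0 - 10.0 base score


# Constructed inventory: host -> {package: installed_version}
INVENTORY = {
    "web-01":    {"appframework": "2.3.31", "tlslib": "1.1.7", "appserver": "8.5.23"},
    "web-02":    {"appframework": "2.3.33", "tlslib": "1.1.7", "appserver": "8.5.23"},
    "legacy-db": {"dbserver": "5.5.20", "tlslib": "1.0.1"},
    "printer-7": {"firmware": "3.2.1"},
}

# Constructed advisories: what a vendor feed would list, regardless of what you run
ADVISORIES = [
    Advisory("ADV-0001", "appframework", "2.3.32", 10.0),
    Advisory("ADV-0002", "tlslib",       "1.1.8",  7.5),
    Advisory("ADV-0003", "appserver",    "8.5.24", 5.3),
    Advisory("ADV-0004", "dbserver",     "5.5.30", 8.8),
    Advisory("ADV-0005", "firmware",     "3.2.0",  6.1),   # printer-7 already runs a fixed build
    Advisory("ADV-0006", "proxy",        "1.13.7", 9.8),   # nothing in the fleet runs this package
]


def needed_patches(inventory, advisories):
    """Return (host, advisory) pairs for genuinely vulnerable installs, highest CVSS first."""
    needed = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is not None and is_vulnerable(installed, adv.fixed_version):
                needed.append((host, adv))
    # Most severe first; ties broken by host name so the order is stable
    needed.sort(key=lambda pair: (-pair[1].cvss, pair[0]))
    return needed


def patch_plan(inventory, advisories):
    """Group the needed patches by advisory: which hosts each patch actually fixes."""
    plan = defaultdict(list)
    for host, adv in needed_patches(inventory, advisories):
        plan[adv.advisory_id].append(host)
    return dict(plan)


if __name__ == "__main__":
    for host, adv in needed_patches(INVENTORY, ADVISORIES):
        print(f"{adv.cvss:4.1f}  {host:10s} {adv.package} -> {adv.fixed_version} ({adv.advisory_id})")
    plan = patch_plan(INVENTORY, ADVISORIES)
    print(f"applicable advisories: {len(plan)} of {len(ADVISORIES)}")
```

Of the six advisories in the feed, only four apply anywhere in this fleet, and the highest-severity item is on a single host. That is the list a patch window should be built from; the two advisories that match nothing (already fixed, or for software not installed) never reach the queue, which is the difference between a tool that reports what exists and one that lists everything available.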
Since nearly all data breaches are accomplished by taking advantage of known but unrepaired vulnerabilities, the best security strategy is to find the actual, serious vulnerabilities and utilize all security resources to eliminate them. Once the network is free of all current, serious vulnerabilities, a business then can have the peace of mind to focus on production without the nagging worries of security breach or financial loss.
Brian Pearce has eight years of experience in security and more than 25 years of experience in operations and marketing in technology, Internet retail and franchising. In addition to positions with Memorex and Intel, he was a co-owner of an international franchise network, a principal hire in a string of successful new business ventures and a founding partner of one of the first Internet advertising agencies, which served Microsoft and dozens of dot-com startups in the San Francisco area. He is currently the COO and CMO of Beyond Security, a leading developer of Vulnerability Management solutions for networks, and Black Box (DAST) and White Box (SAST) testing solutions for certification centers and application developers.