Don’t be the next Equifax
2017 has been dominated by high-profile data breaches, writes Mike Pittenger, the vice president for security strategy at Black Duck Software. You could well be the next victim, joining Verizon, Bell, HipChat, the Association of British Travel Agents (ABTA), and an ever-growing cast of businesses whose customers’ personal data has been stolen in cyber attacks. Let’s take a look at one specific, high-profile breach – Equifax – and what lessons can be learned from Equifax’s mistakes.
What happened at Equifax?
There is plenty of blame to go around when a vulnerability is known and an exploit published, yet a relatively simple update is ignored. (Now former) Equifax CEO Richard Smith testified to Congress, “There was a protocol in place to fix the software flaw that led to Equifax being breached. It wasn’t followed. The individual who was responsible for communicating the patch in the organisation, did not. A few days later, there was a scan of the system, which also didn’t reveal the vulnerability.” The breach resulted in Smith, the CIO and the CSO losing their jobs. The FTC is now investigating, and penalties resulting from regulations such as GDPR would earn the attention of any Board of Directors.
Smith has not yet explained why Equifax lacked controls that would stop an oversight by a single employee in a $3 billion organisation from causing this much damage. Nor has he elaborated on what was used to “scan” the Equifax systems, but given its failure to identify a known open source vulnerability, one can assume it wasn’t a dedicated open source vulnerability management solution. More likely, it was a Vulnerability Assessment (VA) scanner that “didn’t reveal the vulnerability.”
This isn’t surprising. VA scanners work by probing hosts and services and matching what they find against a library of checks, and that library concentrates on unpatched or misconfigured operating systems and commercial software. An open source library bundled inside an application (a Struts jar packaged in a deployed web archive, for instance) is invisible to such a scanner unless someone has written a specific check for it. Outside of Linux patches and “big” vulnerabilities like Heartbleed and Poodle, only a handful of the over 3,000 vulnerabilities disclosed in open source each year are covered by these tools. If you don’t have a rule for a vulnerability, you won’t find it.
Equifax won’t be the last victim
It makes sense that the longer a vulnerability goes unpatched, the greater the likelihood of an attack. While Equifax was successfully attacked within a couple of months of the Struts vulnerability disclosure, we often give attackers far more time because we lack visibility into which vulnerable components are in use. On average, the open source vulnerabilities identified in the commercial software Black Duck has audited had been publicly known for more than four years, and we still see instances of Heartbleed, Poodle, and Shellshock. Expect to see this vulnerability exploited for years to come.
Know your code
The Equifax breach is not an indictment of open source. Open source, like commercial or proprietary code, is software, and software has vulnerabilities. Like most vulnerabilities in open source, the Struts vulnerability was disclosed responsibly, and a fix was published at the same time as the disclosure. Equifax had plenty of time to remediate the issue before the attack. The fact that it didn’t, or couldn’t because it wasn’t aware of the vulnerability, should be a lesson for us all: know your code.
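What “know your code” looks like in practice is a software composition check: read the build manifest that lists the open source components an application ships with, match each one against a vulnerability feed that carries affected version ranges, and report how long the fix has been public. The script below is an added example written for this article; it is not Black Duck code or any product’s output. The Maven pom.xml fragment, the feed entries (hypothetical EX-* identifiers, components and version ranges, not copied from any advisory), and the audit date are all constructed so it runs offline. It shows the two points above together: a rule-based host scanner has no visibility into a bundled library like this, and the exposure window for an unpatched component is measured in years, not days.

```python
"""Minimal software-composition check: inventory the open source components
a build declares, match them against a vulnerability feed that carries
affected version ranges, and report how long each fix has been public."""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed Maven manifest fragment for this example.  It is the build
# input a VA scanner never reads, since such scanners audit running hosts.
POM_XML = """<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>widget-lib</artifactId>
      <version>3.2.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>parser-kit</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed feed: hypothetical identifiers, components and ranges, not
# copied from any advisory.  Each range is half-open: introduced <= v < fixed.
VULN_FEED = [
    {"id": "EX-2017-0001", "group": "org.apache.struts", "artifact": "struts2-core",
     "ranges": [("2.3.5", "2.3.32"), ("2.5", "2.5.10.1")], "disclosed": date(2017, 3, 6)},
    {"id": "EX-2013-0002", "group": "org.example", "artifact": "widget-lib",
     "ranges": [("0", "4.0.0")], "disclosed": date(2013, 6, 1)},
    {"id": "EX-2016-0003", "group": "org.example", "artifact": "parser-kit",
     "ranges": [("1.0", "1.4.2")], "disclosed": date(2016, 9, 1)},
]

# Constructed audit date, so the exposure figures are reproducible.
SCAN_DATE = date(2017, 5, 15)


def parse_version(text):
    """Turn '2.5.10.1' into a tuple of ints so that 2.3.5 < 2.3.31 compares
    numerically (plain string comparison gets this wrong).  Non-numeric
    segments such as 'rc1' sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in text.split("."))


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed.  Shorter tuples are padded
    with zeros so '2.5' and '2.5.0' are treated as the same version."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))
    v, lo, hi = (t + (0,) * (width - len(t)) for t in (v, lo, hi))
    return lo <= v < hi


def inventory(pom_xml):
    """Return (group, artifact, version) for every declared dependency."""
    root = ET.fromstring(pom_xml)
    return [(d.findtext("groupId"), d.findtext("artifactId"), d.findtext("version"))
            for d in root.iter("dependency")]


def audit(pom_xml, feed, today=SCAN_DATE):
    """Match every component against the feed.  Each finding is
    (vuln id, 'group:artifact', version, days the fix has been public)."""
    findings = []
    for group, artifact, version in inventory(pom_xml):
        for vuln in feed:
            if (group, artifact) != (vuln["group"], vuln["artifact"]):
                continue
            if any(version_in_range(version, lo, hi) for lo, hi in vuln["ranges"]):
                exposure_days = (today - vuln["disclosed"]).days
                findings.append((vuln["id"], f"{group}:{artifact}", version, exposure_days))
    return findings


if __name__ == "__main__":
    for vid, component, version, days in audit(POM_XML, VULN_FEED):
        print(f"{vid}: {component} {version} affected; fix public for {days} days")
```

Two details matter more than they look. Versions must be compared numerically, segment by segment, or 2.3.5 sorts after 2.3.31 and the Struts entry is missed; and the range must be half-open so that a component at exactly the fixed version (parser-kit 1.4.2 above) is correctly reported as clean. The transitive dependencies a build pulls in are not listed in a hand-written pom.xml, so a real check walks the resolved dependency tree or the built artifact, not just the manifest.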