The Equifax data breach that exposed the sensitive personal information of more than 145 million consumers was one of the worst data breaches of recent years, both for the amount of information exposed and the ease with which hackers moved about the company's systems.
The breach was publicly disclosed on Sept. 7, 2017, and details on the breach slowly trickled out for months afterwards. Now a year later, the U.S. Government Accountability Office (GAO) has released a 40-page report outlining what happened. The retrospective look at the breach provides insights into how the breach occurred and what types of controls and technologies might have helped prevent it.
How the Equifax breach occurred
While public disclosure of the Equifax data breach did not occur until September 2017, Equifax system administrators had in fact discovered the unauthorized access in July 2017 -- months after the attackers first gained entry to the company's servers in March 2017.
The length of time it took before Equifax discovered the breach enabled the attackers to move around within the company's systems for months, relatively unimpeded.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
The attack began as many do, with the attackers first conducting reconnaissance by scanning Equifax's publicly accessible systems to look for any known vulnerabilities. The attackers were able to identify that Equifax was at risk from an Apache Struts vulnerability that was only publicly disclosed two days before the attackers began scanning.
The simple initial vulnerability was not the point at which the attackers began to siphon off the data of 145 million consumers, which didn't actually start to happen until May 13, 2017, roughly two months after the initial breach. When the hackers began to exfiltrate data, they used encrypted data channels to avoid detection.
"The use of encryption allowed the attackers to blend in their malicious actions with regular activity on the Equifax network and, thus, secretly maintain a presence on that network as they launched further attacks without being detected by Equifax’s scanning software," the GAO report stated.
Even with the vulnerable system and the encrypted data channel, it still took a lot of effort from the hackers to find and get the Personally Identifiable Information (PII) data they were after. The GAO report noted that the attackers attackers ran approximately 9,000 queries to find PII data sources on the Equifax network.
"After successfully extracting PII from Equifax databases, the attackers removed the data in small increments, using standard encrypted web protocols to disguise the exchanges as normal network traffic. The attack lasted for about 76 days before it was discovered."
Key lessons from the Equifax breach
Much has been made of the fact that Equifax had left one of its servers unpatched to a known vulnerability, but what is clear is that while the lack of patching was a problem, it was only one of many.
Collaboration and reporting
Equifax was, in fact, notified of the Apache Struts vulnerability in March 2017. However, when Equifax sent out a notice to its system administrators to patch the issue, the individual responsible for the online dispute portal, which was the attackers' initial point of entry, didn't get the notice.
"Equifax officials stated that they circulated the notice among their systems administrators," the GAO report stated. "However, the recipient list for the notice was out-of-date and, as a result, the notice was not received by the individuals who would have been responsible for installing the necessary patch."
Lesson: Patch management systems need to be integrated with security notices and threat feeds. Patching via email notices isn't good enough.
IT Asset Management
Equifax did have scanning technologies in place to identify unpatched systems. However, the scans did not detect the vulnerability on the online dispute portal.
Lesson: Organizations should consider the use of an IT Asset Management solution that accurately tracks version numbers of deployed technologies.
Scanning encryption properly
Once the attackers were in the Equifax network, they remained hidden for nearly three months, even though Equifax had scanning technology in place for suspicious activity.
"While Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected," the GAO stated. "According to Equifax officials, the misconfiguration was due to an expired digital certificate."
Once the digital certificate was updated, Equifax did in fact detect the malicious activity.
Lesson: Make sure that the systems in place to scan encrypted data are actually doing their job.
The attackers were also able to move around the Equifax network, aided in part by the fact that the network was relatively flat, with different databases all accessible on the same network.
A common best practice for organizations today is to implement a network segmentation approach, where different areas of a company are isolated from each other.
Lesson: Segment and protect PII and other sensitive data to reduce risk.
Another key area that Equifax was deficient in was having proper data governance policies.
"Data governance includes setting limits on access to sensitive information, including credentials such as usernames and passwords," the GAO report states.
With proper data governance processes in place, the attackers would not have been able to run the 9,000 queries looking for PII.
Lesson: Implement a data governance policy to tightly control access to PII and sensitive information.
In addition to improving patching, monitoring, IT asset management, network segmentation and data governance, having proper endpoint security can also potentially help reduce the risk for a breach.
"Equifax stated that they implemented a new endpoint security tool to detect misconfigurations, evaluate potential indications of compromise, and automatically notify system administrators of identified vulnerabilities," the GAO stated.
Lesson: Even if you have network-wide security policies and technologies, don't forget about your endpoints.
While the initial blame in the Equifax data breach revolved around a lack of patching, in the final analysis, it's clear that patching wasn't the only problem that made the massive data breach possible. For organizations of all sizes, the Equifax breach serves as a cautionary tale that in order to properly defend an organization, multiple tools and processes are needed.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.