Setting the Stage
Data breaches are the monsters hiding under the server rack for any modern business. Intrusions can remain undetected for months, or as in the case of the recently announced Marriott breach, which compromised data on up to 500 million people, years. It can take even longer for the compromised company to release this information to the public as they scramble to determine the scope and specifics of what data attackers made off with.
It can be hard to learn from large data breaches as the victims of large attacks try to spin themselves in the best light possible. Luckily, some data breaches are so catastrophic the government steps in and provides a more objective look at the mistakes leading up to the attack, such as with the 2017 Equifax breach.
In September 2017, Equifax announced that an attack compromised sensitive data, including social security numbers and other personally identifiable information, of more than 145 million people. The full report from the United States Government Accountability Office (GAO) can be found here.
According to the GAO’s report, in May of 2017, attackers utilized a vulnerability in Apache Struts (CVE-2017-5638, disclosed in March 2017) running on an internet-facing server. From this intrusion, attackers pivoted into other systems and began extracting customer data. Equifax discovered the intrusion on July 29th and announced the breach publicly in September. Not ideal.
Equifax had a little over two months from the time researchers disclosed the Apache Struts vulnerability to when attackers exploited their systems. Lesson one: patch. Easier said than done of course, and this is why Windows 10 now jumps you with updates at inopportune moments, because users don’t update their software. It may be inconvenient, but it’s one of the best ways to protect your systems.
A third-party security audit from experts who specialize in information security can greatly help in this area as well. I’ve heard good things about the fine folks at VantagePoint. A thorough audit will identify if you have a patching policy, if the schedule is frequent enough, and if it is followed effectively. How about an inventory of servers? If news breaks tomorrow about a critical vulnerability, can you quickly find out if any of your servers are vulnerable? If not, or if you’re unsure, now is the second-best time to figure this out.
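The inventory question above is the one that matters on the day an advisory lands: given a list of servers and the software on them, which ones fall inside the affected version range, and which of those face the internet? The following Python script is an added example (not code from the article or from Equifax) that answers it for a constructed inventory. The host names, the advisory structure and the affected version ranges are assumptions made for illustration; in practice the ranges are copied from the vendor advisory and the inventory comes from your CMDB or asset scanner.

```python
"""Map a vulnerability advisory onto a server inventory.

Added example. Every host, version and range below is constructed
for illustration (assumption); take real ranges from the vendor advisory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31); padded to three parts so '2.5' == '2.5.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class Host:
    name: str
    exposure: str               # "internet" or "internal"
    software: Dict[str, str]    # product -> installed version


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    affected: List[Tuple[str, str]]   # inclusive (lowest, highest) version ranges


def is_affected(installed: str, advisory: Advisory) -> bool:
    """True when the installed version lies inside any affected range."""
    v = parse_version(installed)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in advisory.affected)


def find_affected_hosts(inventory: List[Host], advisory: Advisory) -> List[Host]:
    """Return hosts running an affected build, internet-facing ones first."""
    hits = [h for h in inventory
            if advisory.product in h.software
            and is_affected(h.software[advisory.product], advisory)]
    hits.sort(key=lambda h: (h.exposure != "internet", h.name))
    return hits


# Constructed sample inventory (assumption): four hosts, three running Struts.
INVENTORY = [
    Host("web-01", "internet", {"apache-struts": "2.3.31", "tomcat": "8.5.11"}),
    Host("web-02", "internet", {"apache-struts": "2.5.13", "tomcat": "8.5.11"}),
    Host("app-03", "internal", {"apache-struts": "2.5.10"}),
    Host("db-04",  "internal", {"postgresql": "9.6"}),
]

# Illustrative advisory for the CVE named in the article. The ranges are an
# assumption for this example; verify them against the vendor's published advisory.
STRUTS_ADVISORY = Advisory(
    cve="CVE-2017-5638",
    product="apache-struts",
    affected=[("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
)


def affected_host_names(inventory: List[Host], advisory: Advisory) -> List[str]:
    """Convenience wrapper returning just the names, in priority order."""
    return [h.name for h in find_affected_hosts(inventory, advisory)]


if __name__ == "__main__":
    for host in find_affected_hosts(INVENTORY, STRUTS_ADVISORY):
        print(f"{STRUTS_ADVISORY.cve}: {host.name} ({host.exposure}) "
              f"runs {host.software[STRUTS_ADVISORY.product]} - patch")
```

The sort key puts internet-facing hosts at the top of the list because they are the ones an attacker can reach first; the internal hits still need patching, just with less urgency. If you cannot populate `INVENTORY` for your own estate from a source you trust, that gap is the finding.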
Let Your Systems Get Hacked
No really, get a pentest. When news of the Apache Struts vulnerability broke, we white-hat hackers had to test for this issue manually before automated tools were updated, but we started testing for it as soon as the information became public. If Equifax had thrown a dart at a calendar to schedule a test for the vulnerable system, they would have had a one in six chance of detecting the issue before attackers did.
If you already pentest your systems, and aren’t constrained by deadlines, consider how to get the most out of a test you’re already paying for. One way is to get your system tested right after major codebase changes or new features are added, when new vulnerabilities are most likely to get introduced.
Is a new attack in the news with an over-the-top acronym? Unsure if you’re vulnerable? Schedule a pentest! A good pentester will already know about all the trendy new cyber-threats, but don’t hesitate to bring up your concerns during the kickoff call.
A New Arms Race
If 2018 has shown us anything, it’s that major data breaches aren’t on the decline. Attackers grow more sophisticated and numerous every year but so do the security professionals trying to stop them. While it is unfortunate that companies like Equifax fall victim to attackers in such spectacular fashion, it is important that everyone with a foot in the digital landscape learn from their mistakes.
There is no one perfect solution: zero-day attacks will continue to pop up from time to time, and business interests will continue to oppose robust security practices. But remembering the Equifaxes and Marriotts and the countless others reminds us all that good security is worth it. At the very least, make sure you aren’t the easy target. When it comes to cyber thieves, you want them to look more fondly at your competition than at you.