On September 7, 2017, Equifax announced a massive security breach. While the breach was originally discovered on July 29, the announcement was delayed by several months. An estimated 145 million US consumers were affected. The breach resulted in the loss of the following details:
• Names
• Social Security numbers
• Birth dates
• Addresses
• Driver license numbers (at least in some cases)
Equifax attributes the breach to a website application vulnerability that was exploited by criminals. The Apache Software Foundation believes that the vulnerability was possibly caused by the March Struts bug. Experts allege that once a vulnerability is exploited, it allows attackers to gain a foothold. Generally, following the exploit, the attacker becomes a system user and hence owns the web server process.
There are mounting concerns that Equifax could have prevented the breach if simple procedures and best practices had been followed. Equifax has been accused of incompetence in regard to the protection of individual data and irresponsible behavior in responding to the breach. A patch for the website application vulnerability that was exploited was available several months before the attack, in March 2017. Even though Equifax had more than two months to take remedial actions and apply the patch, no action was taken.
There are several questions that emerge. Is Equifax competent enough to be the data steward for the public? Why did Equifax take so long to notify the public? Interestingly, the website set up by Equifax to address questions about the breach and offer free credit monitoring was itself vulnerable. Why was Equifax so negligent in handling and responding to the breach?
1. Develop an ideal response strategy for Equifax.
2. Suggest how:
a. A technical security strategy could have helped Equifax
b. A formally defined process could have helped Equifax
c. A normatively developed approach could have helped Equifax
3. Following the breach, what could Equifax have done to protect their reputation?
Dear Student, I have spent a lot of time making these terms clear and short, so if you got something from it, then give it an upvote. Thank you.
Explanation:
Cybersecurity crises are a high-risk scenario that threatens every single organization today. It’s a scary scenario.
1. Develop an ideal response strategy for Equifax.
When it comes to incident response, it isn't all about forensics and technology.
Solution providers said the Equifax mega-breach this week highlighted that fact, saying public criticisms of the company's failure to have adequate public relations and breach notification procedures in place show the need for the "nontechnical" in an incident response plan.
Jeremy Samide, CEO of North Olmsted, Ohio-based Stealthcare, which offers incident response services as part of its security solution provider practice, said thorough incident response needs to include steps beyond forensics, including legal, regulatory and compliance, executive notifications, breach notification to customers, and more.
a. Technical security strategy
A technical security strategy could have helped Equifax: a penetration test or code review could have found the security risk early on. Introducing powerful automation into the company's security testing would have also helped. They would have been able to identify the risk long before it became a serious problem.
Some key lessons to incorporate before you’re exploited:
b. Formally defined process could have helped Equifax?
c. Normatively developed approach could have helped Equifax?
For instance, it's likely that the company has some shoring up of its application testing to do, and that it would have benefited from a more comprehensive approach to integrating secure practices into its application development and deployment, a practice known as SecDevOps. Doing so would have ensured that sufficient penetration testing or a code review might have identified the Apache vulnerability before it was exploited.
Likewise, more automated monitoring of Equifax's web application environment with artificial intelligence-infused tools might have helped the company to identify the suspicious behavior when it started occurring, thereby significantly curtailing the extended access the hackers had.
3. Following the breach, what could Equifax have done to protect their reputation?
- Equifax was already challenged pre-crisis, and it did not have much of an emotional buffer or reputational equity to trade off. Equifax only had an average reputation with a pulse score of 66.5.
- Assessing the risks first allows a business to address its most critical vulnerabilities -- and keep existing systems as efficient as possible -- rather than attempting to prioritize all cybersecurity efforts at once.
- After the data breach, Equifax took two steps intended to remedy the issue: free credit monitoring for one year and a waiver of the requirement that all disputes be settled through arbitration. These offers were meant to both protect consumers from the impact of the hacking and soften the public relations blow on Equifax.
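The case turns on two measurable gaps: a patch that sat unapplied for more than two months, and a breach announced 40 days after it was discovered. The following is an added example (not from the question, the answer, or Equifax) of how a formally defined process can be expressed as a check that runs over an asset inventory: it flags every asset still running a version below an advisory's fix once a per-asset patch SLA has lapsed, and computes the notification lag from the case's own dates. The advisory id, component name, version numbers, SLA values and the exact March day are constructed placeholders, not Struts or Equifax data.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical policy (not Equifax's): days allowed between advisory
# publication and remediation; internet-facing assets get the shorter window.
PATCH_SLA_DAYS = {"internet_facing": 14, "internal": 30}

@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, not a real CVE
    component: str
    fixed_version: tuple    # (major, minor, patch); fixed in this version or later
    published: date

@dataclass(frozen=True)
class Asset:
    name: str
    component: str
    version: tuple
    internet_facing: bool

def is_affected(asset, advisory):
    """Affected when the asset runs the advisory's component below the fixed version."""
    return asset.component == advisory.component and asset.version < advisory.fixed_version

def overdue_assets(assets, advisories, today):
    """(asset, advisory, days past SLA) for every unpatched asset whose deadline has lapsed,
    worst first. Assets patched or within their window are not reported."""
    findings = []
    for asset in assets:
        sla = PATCH_SLA_DAYS["internet_facing" if asset.internet_facing else "internal"]
        for adv in advisories:
            if is_affected(asset, adv):
                overdue = (today - adv.published).days - sla
                if overdue > 0:
                    findings.append((asset.name, adv.advisory_id, overdue))
    return sorted(findings, key=lambda f: -f[2])

def notification_lag_days(discovered, announced):
    """Days between internal discovery and public announcement."""
    return (announced - discovered).days

# Constructed sample data. The advisory date stands in for the March 2017 patch
# from the case; the day, component name and versions are placeholders.
ADVISORIES = [Advisory("ADV-PLACEHOLDER-1", "web-framework", (2, 5, 0), date(2017, 3, 7))]
ASSETS = [
    Asset("dispute-portal", "web-framework", (2, 3, 0), True),
    Asset("intranet-wiki", "web-framework", (2, 3, 0), False),
    Asset("api-gateway", "web-framework", (2, 5, 1), True),
]

if __name__ == "__main__":
    for name, adv, days in overdue_assets(ASSETS, ADVISORIES, date(2017, 5, 15)):
        print(f"{name}: {adv} unpatched, {days} days past SLA")
    print("notification lag:", notification_lag_days(date(2017, 7, 29), date(2017, 9, 7)), "days")
```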