Question

In: Computer Science


On September 7, 2017, Equifax announced a massive security breach. While the breach was originally discovered on July 29, the announcement was delayed by several months. An estimated 145 million US consumers were affected. The breach resulted in the loss of the following details:

• Names
• Social Security numbers
• Birth dates
• Addresses
• Driver license numbers (at least in some cases)

Equifax attributes the breach to a website application vulnerability that was exploited by criminals. The Apache Software Foundation believes that the vulnerability was possibly caused by the March Struts bug. Experts allege that once a vulnerability is exploited, it allows attackers to gain a foothold. Generally, following the exploit, the attacker becomes a system user and hence owns the web server process.

There are mounting concerns that Equifax could have prevented the breach if simple procedures and best practices were followed. Equifax has been accused of incompetence in regard to the protection of individual data and irresponsible behavior in responding to the breach. A patch for the website application vulnerability that was exploited was available several months before the attack, in March 2017. Even though Equifax had more than two months to take remedial actions and apply the patch, no action was taken.

There are several questions that emerge. Is Equifax competent enough to be the data steward for the public? Why did Equifax take so long to notify the public? Interestingly, the website set up by Equifax to address questions about the breach and offer free credit monitoring was itself vulnerable. Why was Equifax so negligent in handling and responding to the breach?

1. Develop an ideal response strategy for Equifax.
2. Suggest how:
   a. A technical security strategy could have helped Equifax
   b. A formally defined process could have helped Equifax
   c. A normatively developed approach could have helped Equifax
3. Following the breach, what could Equifax have done to protect their reputation?

Solutions

Expert Solution

Dear Student, I have spent a lot of time making these terms clear and short, so if you got something from it, then give it an upvote. Thank you.

Explanation:

Cybersecurity crises are high-risk scenarios that threaten every single organization today. It’s a scary scenario.

1. Develop an ideal response strategy for Equifax.

When it comes to incident response, it isn't all about forensics and technology.

Solution providers said the Equifax mega-breach this week highlighted that fact, saying public criticisms of the company's failure to have adequate public relations and breach notification procedures in place show the need for the "nontechnical" in an incident response plan.

Jeremy Samide, CEO of North Olmsted, Ohio-based Stealthcare, which offers incident response services as part of its security solution provider practice, said thorough incident response needs to include steps beyond forensics, including legal, regulatory and compliance, executive notifications, breach notification to customers, and more.

a. Technical security strategy

A technical security strategy could have helped Equifax: a penetration test or code review could have found the security risk early on. Introducing powerful automation into the company’s security testing would also have helped. They would have been able to identify the risk long before it became a serious problem.

Some key lessons to incorporate before you’re exploited:

  • Keep track of Common Vulnerabilities and Exposures (CVE).
  • Keep a detailed list of all the software's dependencies, libraries, and components, by version.
  • Incorporate release dependency as part of the build process.
  • Ensure the business partners factor 20 percent of their quarterly release budget to keeping applications and their dependencies current.

b. Formally defined process could have helped Equifax?

  1. "Equifax's Achilles' heel was failing to update a security certificate for its SSL Visibility (SSLV) appliance, a device used to monitor network traffic leaving ACIS, its Automated Consumer Interview System. The SSL certificate had been expired for 19 months, eliminating the company's ability to visualize the data being exfiltrated from the environment.
  2. Had Equifax implemented a certificate management process with defined roles and responsibilities, the SSL certificate on the device monitoring the ACIS platform would have been active when the intrusion began on May 13, 2017. The company would have been able to see the suspicious traffic to and from the ACIS platform much earlier, potentially mitigating or preventing the data breach," the report reads.

c. Normatively developed approach could have helped Equifax?

For instance, it's likely that the company has some shoring up of its application testing to do, and that it would have benefited from a more comprehensive approach to integrating secure practices into its application development and deployment, a practice known as SecDevOps. Doing so would have ensured that sufficient penetration testing or a code review might have identified the Apache vulnerability before it was exploited.

Likewise, more automated monitoring of Equifax's web application environment with artificial intelligence-infused tools might have helped the company to identify the suspicious behavior when it started occurring, thereby significantly curtailing the extended access the hackers had.

3. Following the breach, what could Equifax have done to protect their reputation?

- Equifax was already challenged pre-crisis, and it did not have much of an emotional buffer or reputational equity to trade off. Equifax only had an average reputation with a pulse score of 66.5.
- Assessing the risks first allows a business to address its most critical vulnerabilities -- and keep existing systems as efficient as possible -- rather than attempting to prioritize all cybersecurity efforts at once.
- After the data breach, Equifax took two steps intended to remedy the issue: free credit monitoring for one year and a waiver of the requirement that all disputes be settled through arbitration. These offers were meant to both protect consumers from the impact of the hacking and soften the public relations blow on Equifax.
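Two of the lessons in the answer above, keeping a version-level inventory of dependencies checked against advisories (section a) and running a certificate management process with named owners for monitoring devices (section b), boil down to the same defensive habit: an inventory that is checked on a schedule. The script below is an added example, not code from the original post or from Equifax, showing what such a check looks like. Every component name, version, advisory id, owner and date in it is constructed for illustration; the advisory ids are placeholders, not real CVE numbers, and the version ranges do not describe any real vulnerability.

```python
"""Constructed inventory check (added example; not from the original post or
from Equifax). Part one compares a component-and-version list against an
advisory feed; part two checks monitoring-device certificates for expiry and
for a named owner. All names, versions, ids and dates below are made up."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically.
    Comparing the raw strings would rank '2.3.10' below '2.3.9'."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE
    component: str
    affected_min: str     # first affected version (inclusive)
    fixed_in: str         # first patched version (exclusive upper bound)
    published: date


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    owner: str            # team accountable for keeping it current


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_after: date
    owner: Optional[str]  # None means nobody is assigned to renew it


def unpatched_components(inventory, advisories, today):
    """Return (component, owner, advisory id, days since the fix was published)
    for each inventory entry whose version lies inside an advisory's range."""
    findings = []
    for comp in inventory:
        version = parse_version(comp.version)
        for adv in advisories:
            if adv.component != comp.name:
                continue
            if parse_version(adv.affected_min) <= version < parse_version(adv.fixed_in):
                findings.append((comp.name, comp.owner, adv.advisory_id,
                                 (today - adv.published).days))
    return findings


def certificate_findings(certs, today, warn_days=30):
    """Return (subject, status, days remaining, owner missing) per certificate.
    status is EXPIRED (past not_after), EXPIRING (within warn_days) or OK."""
    findings = []
    for cert in certs:
        days_left = (cert.not_after - today).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append((cert.subject, status, days_left, cert.owner is None))
    return findings


# Constructed sample data. TODAY is the discovery date given in the question.
TODAY = date(2017, 7, 29)
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "struts2-core", "2.3.5", "2.3.10", date(2017, 3, 1)),
]
INVENTORY = [
    Component("struts2-core", "2.3.9", "consumer-portal"),      # inside the range
    Component("struts2-core", "2.3.10", "dispute-portal"),      # first fixed version
    Component("jackson-databind", "2.8.1", "consumer-portal"),  # no advisory
]
CERTIFICATES = [
    Certificate("sslv-appliance", date(2016, 1, 1), None),      # long expired, unowned
    Certificate("acis-frontend", date(2017, 8, 8), "web-ops"),  # renew soon
    Certificate("api-gateway", date(2018, 1, 1), "web-ops"),
]

if __name__ == "__main__":
    for name, owner, adv_id, days in unpatched_components(INVENTORY, ADVISORIES, TODAY):
        print(f"UNPATCHED {name} ({owner}): {adv_id}, fix available for {days} days")
    for subject, status, days, no_owner in certificate_findings(CERTIFICATES, TODAY):
        flag = " (no owner assigned)" if no_owner else ""
        print(f"{status:8} {subject}: {days} days{flag}")
```

The numeric version comparison is the detail most often got wrong in home-grown inventory scripts: with string comparison the 2.3.10 entry would be reported as vulnerable and the 2.3.9 entry as patched. The owner field on each record is what turns the output into a process with "defined roles and responsibilities": a finding with no owner is itself a finding.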
