The Equifax data breach is one of the largest breaches we have seen in cybersecurity. Jessica and Michael discuss this breach, how to avoid breaches, and what to do now that a breach has occurred.

Surviving a Data Breach
Equihax

In A Few Words

The Internet is still the Wild West, and that hasn’t been more apparent than it is right now, in the wake of the Equifax breach. You never know how safe you really are online, even with some of our most trusted companies. Yet, even with all the Internet outlaws, weaknesses, and chaos, there are things we can do to protect ourselves, and even some unexpected heroes.

Unexpected Heroes

Teen Vogue, typically known as a teen gossip magazine, has recently made a habit of breaking out of its typical topics, and has included several articles about the InfoSec industry. One of the most recent articles was an interview with Amanda Rousseau, a.k.a. Malware Unicorn, on her experience as a female hacker.

Recent InfoSec articles in Teen Vogue:
http://www.teenvogue.com/story/what-being-a-female-hacker-is-really-like - What Being a Female Hacker is Really Like - August 26, 2017

http://www.teenvogue.com/story/ransomware-everything-you-should-know - Ransomware: Everything You Need to Know - May 16, 2017

http://www.teenvogue.com/story/why-two-factor-authentication-is-important - Why Two-Factor Authentication Is So Important - March 27, 2017

Equihax

One of the largest data leaks in the history of the internet was announced earlier this month. The private data of millions of people was compromised when Equifax servers were breached, as originally reported by CNBC.

Proper handling of incident response

There has been a lot of discussion about proper incident response, and whether Equifax is following acceptable procedures. An article on Krebs on Security even went so far as to call their response a “dumpster fire.”

Equifax has put up a dedicated website to determine if you’re impacted; however, some people are reporting random results, or different results for the same information, depending on the browser being used, mobile vs. desktop, etc.

Equifax is offering free credit monitoring and identity theft protection. Initially their terms of service included a clause that waived the right to sue them, but that clause has since been removed.

Several top executives at Equifax sold millions in stock during the time between discovering the breach and disclosing it. While the legality of this may not have been fully determined yet, it has certainly created a lot of backlash in forums and social media.

This breach is allowing monitoring companies to capitalize on fear, by selling credit monitoring and lock services to victims of the breach.

Related articles:
https://www.forbes.com/sites/dianahembree/2017/09/09/consumer-anger-over-equifaxs-ripoff-clause-in-offer-to-security-hack-victims-spurs-policy-change/#7c6e072b6e7e

https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/

Apache Struts

The March Apache Struts vulnerability was speculated to be the cause of the breach, but this was not confirmed until September 13th, 2017. Equifax confirmed, on the website they set up for information regarding the data breach, https://www.equifaxsecurity2017.com/, that it was the March vulnerability that was exploited.

The Apache Struts vulnerability, CVE-2017-5638, was patched on March 6, 2017, which means that Equifax had approximately six weeks to update their servers before the breach occurred. They reported that the data leak occurred over a period of time, from mid-May through June. What has yet to be announced is whether Equifax was in the process of updating their servers to patch the vulnerability, or whether they were simply left unpatched with no update plan in place. Patching the Apache Struts vulnerability is labor intensive and difficult, requiring a migration and rebuild of all apps that used the old version.

Related article:
https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/

Layered security

It is always a good idea to assume breach, and have multiple layers of security in place, so that one web app vulnerability is not what stands between a bad actor and sensitive data. There are some steps that we can all take to help protect against this type of data breach.

Any time you have sensitive data, it is a good idea to have a firewall in place. With a properly configured firewall, you are making it much more difficult for bad actors to get to your data, and will even have the opportunity to track when breaches are attempted, along with data about the attempt.

Network and log monitoring can help you identify breaches. By monitoring your network traffic and server logs, you can see where visitors are coming from, the type of user agent they are using, what they are attempting to do within your network, and a number of other statistics that can help you identify malicious access. You can also set up alerts when certain types of activity occur.
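
An added example (not from the episode or from SiteLock) of the kind of log alert described above, applied to the Struts issue discussed earlier: CVE-2017-5638 is triggered through a crafted Content-Type header carrying an OGNL expression, so a Content-Type containing `%{` or `${` is worth an alert. The log format (combined format plus a trailing Content-Type field) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format (not from the page): combined access log with the
# request Content-Type appended as a final quoted field.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"'
)
# OGNL expression openers have no place in a legitimate Content-Type value.
OGNL_MARKER = re.compile(r'[%$]\{')

# Constructed sample lines; the flagged values are harmless placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2017:13:55:36 +0000] "GET /index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
198.51.100.23 - - [10/May/2017:13:56:02 +0000] "POST /upload.action HTTP/1.1" 200 312 "-" "Mozilla/5.0" "multipart/form-data; boundary=abc123"
192.0.2.44 - - [10/May/2017:13:57:41 +0000] "GET /login.action HTTP/1.1" 200 0 "-" "python-requests/2.13.0" "%{constructed-placeholder}"
192.0.2.44 - - [10/May/2017:13:57:43 +0000] "GET /login.action HTTP/1.1" 500 0 "-" "python-requests/2.13.0" "${constructed-placeholder}"
this line is malformed and must be counted, not silently dropped
"""

def scan(log_text):
    """Return (alerts grouped by source IP, count of unparseable lines)."""
    alerts, unparsed = defaultdict(list), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # a parsing gap is a monitoring blind spot
            continue
        if OGNL_MARKER.search(m["ctype"]):
            alerts[m["ip"]].append({"time": m["ts"], "path": m["path"],
                                    "status": int(m["status"]),
                                    "user_agent": m["ua"]})
    return dict(alerts), unparsed

if __name__ == "__main__":
    found, unparsed = scan(SAMPLE_LOG)
    for ip, hits in found.items():
        print(f"ALERT {ip}: {len(hits)} request(s) with OGNL marker in Content-Type")
        for h in hits:
            print(f"  {h['time']} {h['path']} -> {h['status']} ua={h['user_agent']}")
    print(f"unparsed lines: {unparsed}")
```

Most web servers do not log the request Content-Type by default, so the log format has to be extended before a rule like this can see anything.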

Air gapping sensitive data and networks is a crucial part of protecting sensitive information and systems. It should not be possible to directly access certain information from outside the local network. A level of separation from the Internet should be required for data like social security numbers, credit card numbers, etc.

Consumer Protection: What To Do Now

This breach impacted as many as 143 million consumers in the United States, and another 44 million in the UK, with the numbers for Canada yet to be released. Even if you were not directly affected by the breach, you likely know someone who was. For those of us who were affected, all hope is not lost. There are some steps you can take to protect yourself in the wake of this event.

Go to https://www.equifaxsecurity2017.com to see if you were impacted.
Consider freezing your credit.
Keep in mind that the information needed to unfreeze your credit is the same information that was breached, along with a PIN that is assigned to you. Once you have your credit frozen, you should immediately change your PIN.
Check existing accounts, and your free annual credit reports, for abnormalities.
Consider a third party, non-credit score company, solution for credit monitoring.
Update bank account passwords, and remember to not reuse passwords.
Watch for phishing. Some of the data that was accessed can be used by a bad actor to convince consumers that they are a collection agency, credit card company, or other creditor trying to collect any debts you may have.

Related infographic:
https://sc.cnbcfm.com/applications/cnbc.com/resources/files/2017/06/08/dataBreach_v06.jpg

Decoding Security is hosted by Jessica Ortega and Michael Veenstra, and produced by Topher Tebow for SiteLock.

Music:
"Upbeat Forever" Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

Copyright © SiteLock 2017