It has been two years since Equifax announced a data breach that exposed the financial records of more than 147 million people, and the news continues to dominate the headlines. After two years of investigation and negotiations, the company finally agreed on a global settlement of up to $425 million to those impacted by the breach. Part of the investigation handled by the House Oversight Committee found that the breach was wholly avoidable and Equifax was at fault for not practicing the basics of cyber hygiene.
Let that sink in for a second.
Equifax, one of the largest financial data-gathering organizations in the world and one of three significant credit information sources for millions of people around the world, fell victim to its own poor security execution at the most basic level. The attackers gained access through an unpatched Apache Struts web application, despite a patch being available from Apache for almost three months prior to the breach. Had Equifax simply deployed the fix for this known critical vulnerability, it would have prevented the whole fiasco. The real question here is: how can an organization that is sophisticated and well-funded, with advanced security tools, not have the basics down?
It may be intuitive to think that attackers commonly use unknown methods of attack that are difficult to anticipate, but that’s not what happens in reality. “Most breaches we become aware of are caused by a failure to update software components that are known to be vulnerable for months or even years,” said René Gielen, vice president of Apache Struts, in the company’s official response to the data breach.
Many of these breaches would be avoidable, and others could possibly be slowed down, if proper cyber hygiene and endpoint hardening practices were in place and practiced. We, as an industry, might hope users at all levels are following the fundamental rules, but the truth is that convenience often trumps security practices.
A report released by Ponemon Institute and ServiceNow called attention to how the basics of cyber hygiene, or lack thereof, have impacted the number of breaches. “Fully 57% of respondents who reported a breach said that they were breached due to a vulnerability for which a patch was available but not applied. 34% say they actually knew they were vulnerable before the breach occurred.”
Where do we go from here? Many organizations need to approach the basics and rebuild the foundation of their security strategy for good cyber hygiene. The Center for Internet Security (CIS) maintains a guide, “CIS Controls,” which provides 20 foundational and advanced cybersecurity actions for IT security leaders. And the first six are crucial to building a solid foundation for the latter 14 controls.
Inventory and Control of Hardware Assets
Maintaining a full, auditable list of all hardware assets is the first step to a strong security foundation. It starts with understanding both what hardware assets your environment requires and the needs of your users. An environment’s security is at risk the moment an unknown device connects to a corporate network. Even in approved BYOD environments, every device is an asset that needs its security kept up to date and access logs tracked.
Inventory and Control of Software Assets
Managing the deployment of OEM and third-party software means developing an understanding of what software your endpoints and users require. For all businesses, maintaining this inventory and managing the deployment of third-party software requires diligence. Admins need to verify the integrity of deployed software immediately and often, auditing the devices under their control to identify out-of-date software early. Knowing the software and versions gives a team a clear picture of their target size as well as potential vulnerabilities, and naturally transitions into a continuous vulnerability management strategy.
Continuous Vulnerability Management
The Equifax data breach occurred due to its failure to manage and mitigate vulnerabilities in its system. This failure left the company’s infrastructure and data vulnerable and provided a larger, more easily exploitable target to attackers. Further research shows that 80% of threats are avoidable if you keep your corporate endpoints patched and updated. By presenting a smaller, more difficult target for attackers, you can address most of the underlying vulnerabilities that attackers leverage. Implementing automated patching and system hardening services can also keep this typically heavy workflow manageable for an IT security team.
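As an added example (not part of the original article), the sketch below joins a software inventory with a list of fixed versions and reports how long each available patch has gone unapplied, which is the gap the two sections above describe. Host names, package names, versions and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data: hosts, packages, versions and dates are illustrative only.
INVENTORY = [
    {"host": "web-01", "package": "example-framework", "version": "2.3.5"},
    {"host": "web-02", "package": "example-framework", "version": "2.3.32"},
    {"host": "app-01", "package": "example-lib", "version": "1.10.0"},
    {"host": "app-02", "package": "example-lib", "version": "1.9.4"},
]
ADVISORIES = [
    {"package": "example-framework", "fixed_in": "2.3.32",
     "patch_released": date(2024, 3, 1)},
    {"package": "example-lib", "fixed_in": "1.10.0",
     "patch_released": date(2024, 5, 20)},
]


def parse_version(text):
    """Turn '2.3.32' into (2, 3, 32). Comparing the raw strings would
    wrongly rank '2.3.5' above '2.3.32' and hide an unpatched host."""
    return tuple(int(part) for part in text.split("."))


def audit(inventory, advisories, today):
    """Return one finding per install older than the fixed version,
    sorted so the longest-available unapplied patch comes first."""
    fixes = {adv["package"]: adv for adv in advisories}
    findings = []
    for item in inventory:
        adv = fixes.get(item["package"])
        if adv is None:
            continue  # no advisory known for this package
        if parse_version(item["version"]) < parse_version(adv["fixed_in"]):
            findings.append({
                "host": item["host"],
                "package": item["package"],
                "installed": item["version"],
                "fixed_in": adv["fixed_in"],
                "days_patch_available": (today - adv["patch_released"]).days,
            })
    return sorted(findings, key=lambda f: f["days_patch_available"], reverse=True)


if __name__ == "__main__":
    for f in audit(INVENTORY, ADVISORIES, date(2024, 6, 1)):
        print(f"{f['host']}: {f['package']} {f['installed']} < {f['fixed_in']}, "
              f"patch available for {f['days_patch_available']} days")
```
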
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
To improve the reliability and security of endpoint configuration management, it is critical to identify the impact of all configuration changes before releasing them to endpoints. Applying a continuous delivery method to configuration management ensures that incoming patches and configuration changes are validated against a test server to verify that the expected behavior of the software installed on each endpoint does not change. Once done, the configuration changes can be automatically applied to production endpoints safely and securely.
Controlled Use of Administrative Privileges
Administrative privileges are the keys to your kingdom and should be assigned sparingly. Common vectors of attack include malicious emails, compromised web pages and password guessing, all aimed at taking advantage of uncontrolled or forgotten administrative privileges that allow attackers to roam easily within a target. From local machines to network-level control, everyday users should have just enough access and control to complete their tasks without putting any component of the infrastructure at risk.
Maintenance, Monitoring and Analysis of Audit Logs
Maintaining system logs is more than an audit-friendly service. While often overlooked in terms of management and monitoring, logs can be one of the most valuable sources of data on an attempted or successful breach. Whether using a security information and event management (SIEM) solution to collect the various data into one console or managing the individual services on their own, reviewing logs on a regular basis can mean the difference in the time to mitigation. Tracked behavior, access locations, file movement and network traffic are all solid evidence to use in the hunt for a breach.
The unfortunate aspect of the connected world is that the vectors of attack continue to change, and keeping up with those exploitable attack surfaces can be difficult. But a solid security foundation built around automation, monitoring and system hardening can help make your corporate IT infrastructure a smaller target for potential attacks.