The recent Equifax data breach exposed extremely sensitive data of 143 million consumers, putting more than half of Americans at risk. While an IBM i server was likely not involved here, Equifax’s actions – and more importantly, its inactions – can teach IBM i shops something about data security.
Just when you thought the string of major data breaches couldn’t get any worse, Equifax happened. The number of people impacted by the hack is relatively small, as these things go. When you consider that Yahoo’s 2014 breach exposed the data of 1.5 billion people, and that Adult Friend Finder’s 2016 breach exposed 412 million accounts, the Equifax hack looks small by comparison. (Heck, even the GOP lost data on 200 million voters last fall.)
But of course, not all data breaches are equal. As one of the three major credit reporting agencies, along with Transunion and Experian, Equifax maintains extremely sensitive and detailed financial data on just about every American who has ever applied for credit. In this case, hackers made away with Social Security Numbers, birth dates, addresses, and in some cases drivers’ license numbers for 143 million people, mostly in the U.S. but also some in Canada and the United Kingdom This data is the “Holy Grail of what bad guys want,” said CNBC’s Jim Cramer.
Here are three lessons that all companies, including IBM i shops, can learn from the Equifax hack:
Hackers entered Equifax servers by exploiting an unpatched vulnerability in Apache Struts, a popular open source development framework for Web applications.
Okay, fair enough. Hackers try to exploit security holes in popular software products all the time. Zero-day vulnerabilities can be extremely hard to stay on top of, especially with so many shared software components being used in today’s complex enterprise systems. Playing whack-a-mole every week with flaws and patches takes a toll on weary administrators.
But here’s the thing: the Apache Software Foundation issued patches for the vulnerability in March. By the time Equifax discovered it was hacked in late July, it was too late, and the hackers had made off with sensitive data of millions of consumers.
There’s really no excuse for leaving a critical system, such as the core database that houses credit data on 143 million consumers, unpatched for so long. Unfortunately, this sort of negligence in handling sensitive data is much more common than you might think. And it’s not restricted to companies running commodity systems. For a sobering reminder of just how poorly IBM i shops are configuring their systems, read about HelpSystems‘ latest State of Security report.
Richard Marko, the director of technical services for security products at Vision Solutions (which recently bought IBM i security software provider Enforcive), says IBM i shops should keep an eye out for security-related program temporary fixes (PTFs). “IBM i shops could face the same dangers [as Equifax], especially if using the web services available on the system,” he tells IT Jungle. “At Vision Solutions, we are more concerned about simpler vulnerabilities that seem to get overlooked on a regular basis” such as default passwords, old user profiles, and leaving exit points vulnerable.
Once the hackers wormed their way into Equifax’s systems via the Struts vulnerability, it’s unlikely the records were just sitting there for the taking. One of the core principles of security is to put rings of protection in place. So the Equifax hackers likely had additional work to do.
The Equifax hackers likely stole the credentials of legitimate users, which would enable them to mask their activities. Alex McGeorge, who heads up threat intelligence for the cybersecurity firm Immunity, says it’s common for hackers in these situations to “become” the system owner of a Web process.
“Security best practices dictate that this user have as little privilege as possible on the server itself, since security vulnerabilities in Web applications and Web servers are so commonly exploited,” Wired quotes McGeorge as saying.
It’s important to monitor use of these powerful user profiles, and to protect them with strong authentication. However, it’s possible that Equifax stored these administrative credentials in plain text. Security journalist Brian Krebs discovered some disturbing signs of carelessness on the part of Equifax.
“It took almost no time for [security researchers] to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: admin/admin,” Krebs writes on his blog.
In the IBM i world, it’s disturbing how often administrators leave their IBM i servers basically wide open. One in 10 user profiles examined by PowerTech has a default password, which is the same as the user name in IBM‘s operating system.
As bad as Equifax’s data breach is – and it really is one of the worst ever – the Atlanta, Georgia, company made it worse as a result of its response to the breach.
The first mistake Equifax made was taking so long to admit to the breach. While hackers had two months in the company’s systems, Equifax reportedly didn’t discover the breach until the end of July. But it took nearly another month and a half before it reported the breach to the public in early September.
And to make matters worse, the website that Equifax set up to ostensibly “help” consumers figure out if their data was impacted required consumers to give up their right to sue the firm. The company eventually rolled that requirement back, but it left people with the impression that Equifax was tone deaf to their concerns.
To be sure, “breach fatigue” is a real thing. With so many massive data breaches over the years, what’s the harm in just one more? A cynic might point out that most of us have already been victimized by a data breach, and that detailed records about the majority of us can already be purchased for a sum on the Dark Web. If you haven’t already raised your own defenses to protect your identity from cybercriminals, then you were exposed before Equifax was hacked.
But this would be letting Equifax off too easy. Obviously, all companies that store sensitive data have a fiduciary obligation to protect it from hackers. Equifax broke that trust and will be held to account. In the coming months, there will be many investigations into the breach and Equifax could be forced to pay big fines as a result of the breach. Senator Elizabeth Warren has already announced an investigation, and the Federal Trade Commission, which has sued about 60 companies for data breaches, is also investigating.
If companies would just apply security patches, follow best-practices in configuring their servers, and then be transparent and helpful in admitting to mistakes when it makes them, the world would be a better place.