A brand new Equifax breach investigation report by the U.S. Senate is downright harsh toward the company, starting with the title of the document itself: "How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach."
Rhetoric aside, since SecureWorld is a community that serves security leaders and teams across North America, we are most interested in some new lessons that can be shared based on what's in the report. Here are four of them.
4 lessons from new Equifax breach report
1. Do you have a written corporate policy governing patching of known cybersecurity vulnerabilities? Equifax did not, until 2015, and look what the company found when the policy went into effect:
"After implementing this policy, Equifax conducted an audit of its patch management efforts, which identified a backlog of over 8,500 known vulnerabilities that had not been patched. This included more than 1,000 vulnerabilities the auditors deemed critical, high, or medium risks that were found on systems that could be accessed by individuals from outside of Equifax’s information technology networks."
2. Are you measuring your progress in this area to verify you are actually making progress? The Senate report found that Equifax did not:
"Equifax never conducted another audit after the 2015 audit and left several of the issues identified in the 2015 audit report unaddressed in the months leading up to the 2017 data breach."
3. Have you included the right people on patching distribution lists, including the application owners? Equifax did not:
"The Equifax developer who was aware of Equifax’s use of Apache Struts software was not included in the 400-person email distribution list used to circulate information on the vulnerability. The developer’s manager, however, was on the distribution list and received the alert, but failed to forward it to the developer or anyone on the developer’s team. As a result, the key developer never received the alert. Equifax added application owners to the list after the breach."
4. Your ability to successfully implement a governance program around vulnerabilities will be limited by what you don't know about your technology assets:
"The lack of an IT asset inventory limited the effectiveness of scanning tools and other processes used to identify and remediate known cybersecurity vulnerabilities. For example, when the U.S. Department of Homeland Security (“DHS”) provided notification that Apache Struts contained a critical vulnerability, Equifax had no inventory to determine where or if it used Apache Struts on its network."
Read the Senate report on the Equifax breach for yourself, which has additional cybersecurity analysis and insights.
The subcommittee that published the report reviewed over 45,000 pages of documents from Equifax, Experian, and TransUnion, and did interviews and received briefings from key personnel at each of the three credit reporting agencies.
[RELATED: Our top 5 Equifax stories of 2018]