11/9/2023

Equifax security ze credit

The Equifax data breach that exposed the sensitive personal information of more than 145 million consumers was one of the worst data breaches of recent years, both for the amount of information exposed and the ease with which hackers moved about the company’s systems.

The breach was publicly disclosed on Sept. 7, 2017, and details on the breach slowly trickled out for months afterwards. The Government Accountability Office (GAO) has released a 40-page report outlining what happened. The retrospective look at the breach provides insights into how the breach occurred and what types of controls and technologies might have helped prevent it.

While public disclosure of the Equifax data breach did not occur until September 2017, Equifax system administrators had in fact discovered the unauthorized access in July 2017 - months after the attackers first gained entry to the company’s servers in March 2017. The length of time it took before Equifax discovered the breach enabled the attackers to move around within the company’s systems for months, relatively unimpeded.

The attack began as many do, with the attackers first conducting reconnaissance by scanning Equifax’s publicly accessible systems to look for any known vulnerabilities. The attackers were able to identify that Equifax was at risk from an Apache Struts vulnerability that was only publicly disclosed two days before the attackers began scanning. The simple initial vulnerability was not the point at which the attackers began to siphon off the data of 145 million consumers, which didn’t actually start to happen until May 13, 2017, roughly two months after the initial breach.

When the hackers began to exfiltrate data, they used encrypted data channels to avoid detection.

“The use of encryption allowed the attackers to blend in their malicious actions with regular activity on the Equifax network and, thus, secretly maintain a presence on that network as they launched further attacks without being detected by Equifax’s scanning software,” the GAO report stated.

Even with the vulnerable system and the encrypted data channel, it still took a lot of effort from the hackers to find and get the Personally Identifiable Information (PII) data they were after. The GAO report noted that the attackers ran approximately 9,000 queries to find PII data sources on the Equifax network.

“After successfully extracting PII from Equifax databases, the attackers removed the data in small increments, using standard encrypted web protocols to disguise the exchanges as normal network traffic. The attack lasted for about 76 days before it was discovered.”

Key lessons from the Equifax breach

Much has been made of the fact that Equifax had left one of its servers unpatched to a known vulnerability, but what is clear is that while the lack of patching was a problem, it was only one of many.

Equifax was, in fact, notified of the Apache Struts vulnerability in March 2017. However, when Equifax sent out a notice to its system administrators to patch the issue, the individual responsible for the online dispute portal, which was the attackers’ initial point of entry, didn’t get the notice.

“Equifax officials stated that they circulated the notice among their systems administrators,” the GAO report stated. “However, the recipient list for the notice was out-of-date and, as a result, the notice was not received by the individuals who would have been responsible for installing the necessary patch.”

Lesson: Patch management systems need to be integrated with security notices and threat feeds. Patching via email notices isn’t good enough.

IT Asset Management

Equifax did have scanning technologies in place to identify unpatched systems. However, the scans did not detect the vulnerability on the online dispute portal.

Lesson: Organizations should consider the use of an IT Asset Management solution that accurately tracks version numbers of deployed technologies.
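The two lessons drawn here, routing a security notice by an accurate asset inventory rather than an e-mail list, and tracking the version numbers of deployed components, come together in the following added example (it is not code from the article or the GAO report). The inventory rows, the host names, the owner addresses and the affected-version ranges are all constructed placeholders; a real deployment would load them from an asset database and a vulnerability feed.

```python
"""Match an IT asset inventory against a vulnerability notice by version.

Added example, not from the article or the GAO report. The inventory, the
owners and the affected-version ranges below are constructed placeholders.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.3.31' -> (2, 3, 31). Tuples compare element-wise, so a shorter
    version such as '2.5.10' sorts before '2.5.10.1' as expected."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: str   # inclusive lower bound of the affected versions
    high: str  # inclusive upper bound of the affected versions

    def matches(self, product: str, version: str) -> bool:
        if product.lower() != self.product.lower():
            return False
        return parse_version(self.low) <= parse_version(version) <= parse_version(self.high)


# Constructed notice: two affected branches of one web framework. The version
# numbers are placeholders, not taken from any real advisory.
NOTICE = [
    AffectedRange("apache-struts", "2.3.5", "2.3.31"),
    AffectedRange("apache-struts", "2.5.0", "2.5.10"),
]

# Constructed inventory: (host, owner, product, version). Knowing the owner of
# each deployed component is what lets the notice reach the right person.
INVENTORY = [
    ("dispute-portal-01", "web-team@example.invalid", "apache-struts", "2.3.29"),
    ("hr-intranet-02", "hr-it@example.invalid", "apache-struts", "2.5.13"),
    ("api-gateway-03", "platform@example.invalid", "apache-struts", "2.5.10"),
    ("reporting-04", "data@example.invalid", "apache-tomcat", "8.5.20"),
]


def affected_assets(inventory, notice):
    """Return the inventory rows whose product and version fall in the notice."""
    return [row for row in inventory if any(r.matches(row[2], row[3]) for r in notice)]


def owners_to_notify(inventory, notice) -> set:
    """Distinct owners who must receive the patch notice for their assets."""
    return {row[1] for row in affected_assets(inventory, notice)}


if __name__ == "__main__":
    for host, owner, product, version in affected_assets(INVENTORY, NOTICE):
        print(f"{host}: {product} {version} is affected, notify {owner}")
```

The upper bound is inclusive, so a host running exactly the last affected version is still flagged, while the later 2.5.13 host and the unrelated Tomcat host are not.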