
Equifax and its 143m customers just the ‘first known victims’

19 Sep 2017

The colossal breach of Equifax has made headlines around the world of late, largely because of the monumental amount of personal data involved: records on up to 143 million US consumers.

It has now been revealed that the most likely route the attackers took into this trove was CVE-2017-5638, a remote code execution vulnerability in the Apache Struts web framework. The flaw sits in the framework's multipart (file upload) request parser: a malformed Content-Type header is echoed into an error message that Struts evaluates as an OGNL expression, so an unauthenticated attacker can run arbitrary commands on the server with a single crafted request.

The stolen data may include Social Security numbers, birth dates, driver's licence numbers and addresses, plus around 209,000 credit card numbers. Unlike a password, most of those identifiers cannot be reissued, so the people affected may face identity theft risk for the rest of their lives.

What is more concerning, though, is Flexera's point that the vulnerability was not only well known but had a patch available long before the attack.

Flexera says Apache Struts is a popular and widely-used open source component used by companies in commercial and in-house systems to take in and serve up data, making it a prime target for cybercriminals.

The suspected vulnerability was disclosed on March 7 (Apache advisory S2-045) and fixed releases, Struts 2.3.32 and 2.5.10.1, were available the same day. That is not unusual: Flexera notes that a patch being available at the moment a vulnerability is disclosed is in fact very common.
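As an added example (not code from the article, Equifax, Flexera or the Struts project), here is a Python triage script for the two questions a practitioner would ask after reading the paragraphs above: whether a given struts2-core version falls inside the CVE-2017-5638 affected range, and whether a captured request carries the OGNL marker that public exploits for the flaw put in the Content-Type header. The request samples and the log format are constructed for the example; the affected range and the fixed releases (2.3.32 and 2.5.10.1) are taken from the Apache S2-045 advisory.

```python
"""Triage helpers for CVE-2017-5638 (Apache Struts advisory S2-045).

This is an added example, not code from the article, Equifax or Flexera.
Facts it relies on: the flaw is in Struts' Jakarta multipart parser, which
evaluated OGNL expressions (``%{...}`` or ``${...}``) smuggled in a malformed
Content-Type header; Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are
affected; the fixed releases are 2.3.32 and 2.5.10.1. The log format and the
request samples are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# --- 1. Inventory check: is a given struts2-core version still exposed? ---

FIRST_AFFECTED = (2, 3, 5)
FIXED_BY_BRANCH = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); a suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable Struts version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_struts(version: str) -> bool:
    """True if this struts2-core version falls inside the S2-045 affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # releases before 2.3.5 are outside the advisory's range
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return False  # there is no 2.4 line; later branches post-date the fix
    return v < fixed  # tuple order: (2, 5, 10) < (2, 5, 10, 1) is True


# --- 2. Detection: flag requests whose Content-Type carries OGNL ---

# Public exploits put an OGNL expression where a media type belongs, e.g.
#   Content-Type: %{(#_='multipart/form-data').(#cmd='id')...}
# Caveat: the S2-046 variant of the same CVE moves the payload into a
# multipart part's Content-Disposition filename, i.e. into the body, so a
# scanner that only sees request headers will not catch it.
OGNL_OPENER = re.compile(r"[%$]\{")
WATCHED_HEADERS = ("content-type",)


def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP request head into its request line and a lower-cased header map."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def s2_045_indicators(raw: str) -> List[str]:
    """Names of watched headers in this request that contain an OGNL opener."""
    _, headers = parse_request_head(raw)
    return [h for h in WATCHED_HEADERS if h in headers and OGNL_OPENER.search(headers[h])]


def triage(requests: List[str]) -> List[Tuple[int, str, List[str]]]:
    """(index, request line, offending headers) for every request that matches."""
    hits = []
    for i, raw in enumerate(requests):
        indicators = s2_045_indicators(raw)
        if indicators:
            hits.append((i, parse_request_head(raw)[0], indicators))
    return hits


# Constructed samples (hostnames are placeholders); the exploit header is cut
# to the recognisable prefix seen in public proof-of-concept code.
SAMPLE_REQUESTS = [
    # 0: an ordinary browser file upload
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----Boundary7MA4YWxkTrZu0gW\r\n"
    "Content-Length: 2048\r\n",
    # 1: S2-045 probe, OGNL where the media type should be
    "POST /index.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\r\n",
    # 2: a JSON API call, no multipart parsing involved
    "POST /api/v1/score HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/json\r\n",
]


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        state = "VULNERABLE" if is_vulnerable_struts(ver) else "fixed"
        print(f"struts2-core {ver}: {state}")
    for i, req_line, hdrs in triage(SAMPLE_REQUESTS):
        print(f"request {i} ({req_line}): OGNL marker in {', '.join(hdrs)}")
```

Run it as-is to see the sample output. In practice the version check would be fed from a dependency inventory (the struts2-core entry in a pom.xml, or the jar names inside each deployed WAR) and the header scan from a proxy or WAF that logs request headers. A hit in the version check is a finding even with no hits in the logs: the patch gap, not the attack, is the point of the article.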

A study from Flexera found that in 2016, patches were available at the time of disclosure for a staggering 81 percent of vulnerabilities.

The real problem comes down to a simple fact: it takes organisations far longer to apply patches than it takes attackers to start exploiting the flaws they fix. WannaCry, which spread in May through a hole Microsoft had patched in March, is the obvious recent example. Organisations continue to leave their windows wide open for hackers to climb in.

In the Equifax case, the company has identified the breach and is dealing with it. However, Jeff Luszcz, vice president of product management at Flexera, says Equifax is probably just the first known victim.

“Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities,” says Luszcz.

“We should expect a long tail of incidents and breaches in the months – and potentially years – to come, as we still see attacks targeting Heartbleed, a vulnerability more than three years old.”

If nothing else, this massive breach should prompt business leaders to radically rethink how they approach cybersecurity: the incidents we see increasingly come down to neglect of basic security practices such as timely patching, which makes the job easy for attackers and hard for security professionals.

Kasper Lindgaard, senior director of Secunia Research at Flexera, says patching this type of vulnerability is not as simple as patching a desktop application, but it is something business leaders need to address sooner rather than later. Part of the difficulty is that Struts is a library bundled into each application that uses it: the fix is a rebuild and redeploy of every affected application, not a single update installed on a host.

“When it comes to vulnerabilities affecting the software supply chain, it’s important to align software design and engineering, operational and security requirements. This isn’t an easy task,” says Lindgaard.

“However, the time frames of initial disclosure of the vulnerability and its patch on March 7 – up to two months before the first reported unauthorized access at Equifax, and the further delay of the actual detection of the breach on July 29 – currently indicates that the vulnerability was not handled with the priority that it should have.”
