Information Security, Web Application Security

What Can We Learn from the Equifax Breach?

Andrew Peterson

Founder & CEO @signalsciences. O’Reilly author of Cracking Security Misconceptions http://goo.gl/XGEbfR. Formerly @etsy, the clinton foundation, & google.

Time to take notes to avoid the next breach. Photo Credit: The Climate Reality Project on Unsplash

Here we go again. Another massive data breach has exposed extremely sensitive personal information, leaving millions of consumers feeling helpless to defend themselves. This time it was Equifax’s turn to be victimized, but it won’t be long before another successful attack takes its place in the headlines—unless we learn from this incident, and use that information to better protect ourselves.

Here’s what Equifax has disclosed about the breach so far:

  • Some time in the middle of May, attackers gained access to Equifax files via a web application vulnerability. Equifax discovered the breach on July 29.
  • The compromise potentially impacts approximately 143 million U.S. consumers—a truly vast breach.
  • The information accessed primarily includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. Credit card numbers and other personally identifying information were also compromised for a smaller number of U.S. consumers.

As one of the most devastating data breaches in history, the Equifax hack will bring new attention to the attack vector through which its data was compromised—and rightly so. Although this was by far the highest-profile attack to exploit a website vulnerability, web application attacks are in fact responsible for more successful breaches than any other type of attack. According to the annual Verizon Data Breach Report, this has been the case for over half a decade—yet most non-security professionals remain unaware of the dangers they pose.

In 2016 alone, successful breaches via flaws in websites and mobile apps accounted for 30% of the nearly 2,000 disclosed data breaches worldwide. It would be reasonable to expect that companies would align their security budgets accordingly—but the average company spends only 3% of its security funds on protecting the websites and mobile apps so frequently targeted by hackers. Instead, the majority of their security budgets remain allocated to tools and services to protect legacy network or hardware systems that pose less risk, and that play a diminishing role in modern IT strategy.

Why the disparity?

Technology practices have been changing quickly over the last 10 years as enterprises embrace new trends such as:

  • Connecting with their customers via web and mobile technologies
  • Shifting some or all of their on-premises hardware and software systems to cloud technology platforms
  • Adopting new software development practices such as DevOps and Agile

These changes enable companies to create new products and services that are easier and more attractive for their customers to access and use. However, they also make it easier and more attractive for attackers to access sensitive data through the vulnerabilities they introduce. This is especially true when—as is usually the case—investments in new business-enabling technologies are not accompanied by timely changes to security budgets. The resulting misalignment leaves the innovative technologies so central to modern digital business dangerously underprotected, offering an irresistible target for hackers to exploit.

There is hope. The same new technology practices and platforms that have left companies more vulnerable in the short term also enable them to adopt new security protections and practices more quickly and easily than before. Still, companies need to be careful about where and how they redirect their security budgets. A common pitfall—in security as in many other areas of IT—is trying to solve modern technology problems with legacy solutions. It’s important to take a fresh look at the situation to understand the nature of the risks the company faces, and how they can best be addressed.

Here are three things your organization can do to learn from this latest devastating breach.

  1. Spend smarter. Review how you’re allocating your security budget and make sure it aligns with your technology strategy. Have you invested in building cloud services and web applications? Have you equaled that investment in the corresponding defensive technologies?
  2. Keep your eyes open. Do you have the tools and monitoring in place to know when someone is trying to breach your website? You can’t stop attacks you don’t know are happening.
  3. Get technologists at the table. As your security team is making decisions about new investments in defensive technology, keep in mind that your application developers are the ones actually adopting the new platforms and methods that alter your risk profile. They’ll know better than anyone else in your organization what’s new that needs protecting, and how to protect it in a way that still enables the business objectives they’re tasked with achieving.

Today, Equifax is living through every company’s worst security nightmare—but it easily could have been any of countless other similarly vulnerable organizations. Don’t let your business appear in tomorrow’s headlines. By learning the lessons of the Equifax breach and making sure your security strategy keeps up with your technology strategy, you can keep hackers at bay in the new era of digital business.