When one of the nation’s largest credit reporting companies reports a breach involving the private financial data of over 145 million Americans, people take notice. That includes the U.S. Senate Permanent Subcommittee on Investigations.
Earlier this month the committee released its report on Equifax’s epic data breach, an event some experts believe wasn’t the work of criminals looking to steal identities but of a foreign government trying to “identify and recruit spies,” according to CNBC. The company failed to patch a known vulnerability, resulting in one of the largest data security breaches in U.S. history.
As part of its investigation, the Senate spoke to employees and former employees at Equifax. It also compared Equifax’s actions unfavorably to those of competitors TransUnion and Experian, which promptly patched the vulnerability. (Think of a disgruntled parent complaining, “Your sister never forgot to do HER homework.”)
What follows are highlights from the report explaining how a huge organization with tremendous resources failed to commit to basic cybersecurity practices and monitoring.
Patch management was, well, patchy. Equifax didn’t have an enterprise-wide policy for patching cyber vulnerabilities until 2015, and even then it was basically ignored. An audit of Equifax’s patch management uncovered a backlog of over 8,500 known unpatched vulnerabilities. More than 1,000 of them were critical, high, or medium risks that could be accessed by outsiders. Its reactive approach to patch management ran on an “honor system,” with no regard for the protocol requiring that patches be made within 48 hours.
Equifax had no idea how many machines it had connected to its network. The same 2015 audit found Equifax had no comprehensive IT asset inventory. Because it didn’t know which machines existed, it had no way of knowing whether vulnerable, unpatched versions of software were hiding on undocumented machines accessing its systems.
No follow-up on findings. Many of the concerns identified in the 2015 audit still weren’t addressed at the time of the 2017 breach. Equifax had known problems and didn’t take action to address them.
No accountability for patching. More than 400 Equifax employees received an alert about the vulnerability, which was given the highest possible criticality score. None of those people did anything to patch it. One of those people was the manager of the application owner responsible for the vulnerable software. Did that manager pass it on to that developer or anyone on the developer’s team? No. Did the developer follow Equifax policy and subscribe to vendor notifications of vulnerabilities? Again, no.
The CIO was above the basics. The CIO overseeing IT told the Senate committee that patching was a “lower level responsibility that was six levels down” from him. He seems to be right about “six levels down.” Senior managers, including those in IT or security, rarely attended monthly meetings to discuss cyber threats and vulnerabilities. None could specifically remember the March 2017 meeting where the vulnerability was discussed. BTW, the CIO also told the committee he doesn’t think Equifax could have done anything differently.
Key data was unencrypted. Hackers exploiting the vulnerability lucked into an unencrypted data repository with user names and passwords that let them into other Equifax databases. “Equifax told the Subcommittee that it decided to structure its networks this way due to its effort to support efficient business operations rather than security protocols.” After all, nothing says responsible business operations like leaving a bunch of usernames and passwords lying around.
No audit trail in files. “Equifax did not have basic tools in place to detect and identify changes to files, a protection which would have generated real-time alerts and detected the unauthorized changes the hackers were making.”
How The Equifax Breach Could Have Been Prevented
Looking at this list of cybersecurity weaknesses (and ignoring the committee’s equally shocking findings on how Equifax bungled the breach after it was discovered), one obvious solution immediately comes to mind: the FFIEC Cybersecurity Assessment Tool (CAT) or the NCUA Automated Cybersecurity Examination Tool (ACET).
These tools are designed to determine a financial institution’s overall cyber risk and preparedness. They ensure preparedness aligns with an FI’s risk appetite and reveal where controls or control enhancements are needed.
Just a quick glance at the five domains and assessment factors shows many areas where the FFIEC would have indicated much-needed improvements. These include areas like governance, risk management, resources, training and culture, information sharing, detective controls, and detection, response and mitigation, among others.
Equifax’s problems also might have been caught if it had committed to best practices for managing exam and audit findings. You’d think that 8,500 ignored patches, including over 1,000 relatively high priority patches, would grab someone’s attention. Clearly no one was tasked with responsibility for ensuring findings were addressed promptly and there was no system for proactively managing the process. Instead, findings fell by the wayside, leaving Equifax exposed to increased cyber risk.
3 Tips for Avoiding an Equifax-Style Breach
Equifax may have over 10,000 employees and revenues of nearly $3.5 billion, but that doesn’t mean it’s got a better handle on cybersecurity than regional or community financial institutions. Here are some tips to ensure your institution is doing all it can to prevent a breach.
- Know where the buck stops. Remember the CIO who was too important to think about patches? He promptly “retired” after the breach became public knowledge, along with the chief security officer. His boss, the CEO, resigned soon after. Whether it’s the CIO, the CTO, the CSO or some other figure, someone at the C-level needs to be responsible for cybersecurity and ensuring that those below are minding the details. (And make sure the person hired has more experience than Japan’s new cybersecurity minister, who recently admitted to lawmakers that he has “never used a computer in my life.”)
- Regularly assess the strength of your cybersecurity program. Embrace the CAT or ACET as a tool for helping understand your FI’s cyber strengths and weaknesses. It’s much better for you to discover vulnerabilities than allow hackers the opportunity.
- Track findings. If an audit, exam, or other exercise uncovers a deficiency, make sure you have a clearly defined process for tracking that finding until it’s remediated. Make sure someone is assigned responsibility for resolving the issue and that the process takes a proactive approach for making sure findings aren’t lost in the shuffle.
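One way to make findings tracking proactive is a recurring triage pass that escalates any open finding that is past the patch window, has no assigned owner, or sits on a machine missing from the asset inventory. This is an added example, not taken from the Senate report; the 48-hour window is the figure quoted above, applied here to every finding as an assumption, and all ids, hosts and owners are constructed.

```python
from datetime import datetime, timedelta

PATCH_WINDOW = timedelta(hours=48)   # window quoted in the article
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def triage(findings, inventory, now):
    """Return (finding id, reasons) for each open finding needing escalation, worst first."""
    flagged = []
    for f in findings:
        if f["patched"] is not None:
            continue                              # remediated, nothing to chase
        reasons = []
        if now - f["reported"] > PATCH_WINDOW:
            reasons.append("overdue")
        if not f["owner"]:
            reasons.append("no owner")
        if f["host"] not in inventory:
            reasons.append("host not in inventory")
        if reasons:
            flagged.append((SEVERITY_RANK[f["severity"]], f["reported"], f["id"], reasons))
    flagged.sort(key=lambda item: item[:3])       # severity, then oldest first
    return [(fid, reasons) for _rank, _reported, fid, reasons in flagged]

# Constructed sample data (hypothetical ids, hosts and owners).
NOW = datetime(2024, 3, 10, 12, 0)
INVENTORY = {"web-01", "db-01"}
FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical",
     "reported": datetime(2024, 3, 7, 9, 0), "owner": None, "patched": None},
    {"id": "F-2", "host": "db-01", "severity": "high",
     "reported": datetime(2024, 3, 9, 18, 0), "owner": "dba-team", "patched": None},
    {"id": "F-3", "host": "test-99", "severity": "medium",
     "reported": datetime(2024, 3, 9, 8, 0), "owner": "qa-team", "patched": None},
    {"id": "F-4", "host": "web-01", "severity": "high",
     "reported": datetime(2024, 3, 1, 8, 0), "owner": "web-team",
     "patched": datetime(2024, 3, 2, 8, 0)},
]

if __name__ == "__main__":
    for finding_id, reasons in triage(FINDINGS, INVENTORY, NOW):
        print(f"ESCALATE {finding_id}: {', '.join(reasons)}")
```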
While cybercriminals are getting smarter and breaches are growing more common, embracing these three actions will help limit cyber risk and the likelihood of ending up with Equifax-style headlines.