Poor security design and how not to handle a cyber attack -- lessons from Equifax
The data breach at credit agency Equifax looks to be one of the biggest in recent times. Industry experts have been quick to criticise both the company's security and its response to the breach.
Once again we've seen a breach exploiting a web app vulnerability that managed to go undetected for several months. There has also been criticism of Equifax executives' actions in selling $1 million worth of stock before going public about the breach.
"This breach is totally inexcusable," says Mike Shultz, CEO of Cybernance, a cyber governance company. "This wasn't a technical assault -- this was a simple access by hackers through a web application that was not properly secured. This critical breakdown of internal defenses is no different than every major breach of significance in the past two years, but the sensitive information accessed points to extreme danger for the personal wealth and financial health of our economy. This is the 9/11 moment that the NIAC has been warning about."
"With the personal details of up to 143 million Americans compromised, this breach acts as another reminder about the dangers of poor security design," says Andrew Avanessian, chief operations officer at rights management company Avecto. "Too often companies focus on features and functions and layer security on as an afterthought. That must change. Hackers and cyber criminals can quickly exploit any flaw in a web application without too much trouble, and this looks to be the case here."
The nature of the data stolen is also a major cause for concern, since it could enable a further wave of targeted attacks. "This is a disastrous data breach, probably one of the most detrimental breaches of this year, capable of undermining trust in an already quite fragile online financial space," says Ilia Kolochenko, CEO and founder of High-Tech Bridge. "Many businesses and financial institutions rely on the compromised information. Now cyber criminals have a great wealth of opportunities to conduct spear phishing, fraud, identity theft, impersonation and social engineering attacks against the victims of the breach. We should be prepared for a skyrocketing number of attacks targeting not only the victims, but their relatives, employers and partners. The breached database will likely be shared among various cyber gangs, exacerbating the damage."
Although Equifax was quick to set up a website to allow people to check whether their data had been exposed, this too has come in for criticism. The site asks customers for additional personal information, yet it was set up without a valid security certificate.
"It's akin to offering contents insurance to a person whose house has already been robbed -- and potentially putting them at risk even further," says Etienne Greeff, CTO and co-founder of cyber security firm SecureData. "What's more, Equifax has been relatively tight-lipped about the type of information that has been compromised, meaning if customers want to take advantage of the company's Credit Freeze feature to prevent further credit theft, they have to use a PIN number that may or may not have been stolen by cyber criminals."
The nature of the breach and its handling is likely to lead to major repercussions, says Richard Henderson, global security strategist at endpoint protection firm Absolute. "We have to expect that the fallout from this will likely be unprecedented. Many people are going to lose their jobs, including Equifax executives, people will be brought before Congress to explain what happened, and consumer trust in all of the credit reporting agencies will be eroded."