Could the Equifax Breach Have Been Avoided?

Posted on by Tony Kontzer

Much has been written about how Equifax could have prevented the recent breach that exposed personal information on 143 million Americans with one simple act that's supposedly on the to-do list of every corporate security practitioner: Stay up to date on patches.

We've read about how the Apache Software Foundation had released a patch to address a vulnerability in its Struts web app-building software in March, two months before hackers broke into Equifax's network and spent two months collecting data undetected. (We've also seen how Equifax exacerbated the blow to its reputation by inadvertently directing its Twitter followers to a fake web site to determine whether they'd been affected, but we digress.)

But before we jump on Equifax for its poor patch management, it's worth being reminded of how hopelessly overwhelmed many organizations are when it comes to keeping up with security patches.

Granted, a company that serves as steward for so many Americans' financial histories should be held to a higher standard, but let’s assume for the moment that Equifax was just slow on the patch front rather than negligent. There are still many security technologies that could have been leveraged here for further protection against such a catastrophic breach.

For instance, it's likely that the company has some shoring up of its application testing to do, and that it would have benefited from a more comprehensive approach to integrating secure practices into its application development and deployment, a practice known as SecDevOps. Doing so would have made it far more likely that penetration testing or a code review identified the Apache Struts vulnerability before it was exploited.

Likewise, more automated monitoring of Equifax's web application environment with artificial intelligence-infused tools might have helped the company to identify the suspicious behavior when it started occurring, thereby significantly curtailing the extended access the hackers had. The fact that the bad guys are behind most of the innovative uses of AI in security settings only makes this option more of a critical consideration.

There is, however, the possibility that none of these steps — and perhaps no security tools or strategies that are even available at this point in time — could have prevented the breach. The bitter pill companies must swallow is that breaches happen, period. Just as no amount of home security is going to keep a determined burglar out of your house, there also is no magic security bullet for organizations.

Which brings us to this thought: If a company with the level of cyber security responsibility that Equifax must adhere to can't keep data safe, then what hope do less security-conscious organizations have?

The best we can hope for is mitigation, and that's at the heart of the "layered" approach to security we hear so much about these days. The thinking here is that even when a breach can't be prevented, its impact can be minimized by throwing so many obstacles in front of it that the attack slows to a crawl, buying the security team the time it needs to stop a threat from reaching any deeper into the network and the precious data therein.

But given that there's no doubt Equifax had a layered security approach in place, one has to wonder whether we can even count on minimizing the damage in this way.

There are a couple of decidedly non-technological approaches that can go a long way toward doing this, but they are definitely not on the wish lists of corporate security teams.

One would be the threat of clearer regulatory repercussions for those organizations that are sloppy with consumer data, and that would begin with tougher laws designed to enforce more responsibility with data.

Of more immediate impact is the threat of lawsuits, and Equifax is becoming quite familiar with this form of punishment, having found itself on the wrong end of more than 30 lawsuits related to the recent breach, including what is thought to be the largest class action suit in U.S. history. Nothing motivates a company to get its security together like the threat of multi-million-dollar legal judgments.

It's highly likely Equifax will learn much from this episode, and that it will be a long time before we see them victimized again. Here's hoping the lessons trickle down to other companies.

Tony Kontzer, RSA Conference
