The aftermath of the Equifax breach continues. First, the Ugly:
Music Major? Really?
The hoi palloi apparently find it offensive that Equifax’s Chief Security Officer, fired in the breach’s wake, had a music degree. The implication is that someone formally trained long ago in music is clearly incompetent to have a career in IT or Infosec, much less to be a CSO. That must be a surprise to Jennifer Widom (data management researcher, computer science professor, and Dean of Stanford University’s School of Engineering), who somehow, despite her undergraduate music degree, managed to help lay the foundations for active database systems architecture, crucial for such uses as security monitoring. Or to countless others who came to Infosec after formal education in other disciplines – check out #unqualifiedfortech on Twitter.
Yesterday’s thoughtful Washington Post piece was well-titled: Equifax’s security chief had some big problems. Being a music major wasn’t one of them. And if your ironic sensibility remains unsated, see the 10/20/2016 article Musicians May Be the Key to the Cybersecurity Talent Shortage.
Next, the Bad:
At this early point it appears that the Equifax hackers’ entry was through an unpatched vulnerability (CVE-2017-5638) in certain versions of Apache Struts, a software platform widely used for web applications. This vulnerability was published in NIST’s National Vulnerability Database by March 10, 2017, but Equifax apparently had not yet executed appropriate patching two months later, when it says the intrusion occurred.
For context, CVE stands for “Common Vulnerabilities and Exposures,” an agreed-upon, global listing that, since its genesis in 1999, has provided common identifiers and descriptions for specific cyber security vulnerabilities. The “2017” portion of CVE-2017-5638 reflects the year that the CVE ID was assigned or that the vulnerability was made public. The “5638” portion is a sequence identifier – in other words, as of early March, there was already a massive boat-load of identified 2017 security vulnerabilities for companies to address.
Patch currency is a huge challenge, and an equally huge problem. Verizon’s 2016 Data Breach Investigations Report has interesting stats on patch/vulnerability management (pages 13-16): of 920 CVEs that were successfully exploited by bad guys in 2015, 92% of the vulnerabilities were publicly known in or before the prior year, and half of the vulnerabilities had been publicly known for five or more years.
But despite the deluge, companies handling sensitive data must have a reasonable approach to managing software vulnerabilities, by both patching vulnerabilities in third-party software and being vigilant for vulnerabilities in software they develop themselves.
Last (for now), the Good:
Will New York step up?
There’s been (charitably speaking) some confusion over who regulates data security for the major credit bureaus, including Equifax. The credit bureaus do not currently fall under the oversight of the functional regulators for banks, which is quite stringent, and the payment card industry’s standards for data security (PCI DSS) would only apply to security controls for cardholder data within the cardholder data environment at such companies. The result is little prospective regulatory oversight. And as upset as folks are about the Equifax breach, the prospect of changes in federal law seem dim, given the state of things in D.C.
But change may nevertheless come, at the state level. On Monday, New York Governor Cuomo announced proposed regulatory changes that would require credit reporting agencies, such as Equifax, to annually register with the state and be subject to New York’s sweeping cybersecurity requirements for financial institutions. Such agencies would face a variety of compliance dates in 2018.