While we already knew details of the 2017 Equifax data breach, the full report from the House of Representatives (House Oversight Committee) was released yesterday, and it offers a technical deep dive into what occurred.

The report can be found at the link below; however, I wanted to highlight ten lessons learned for any organisation looking to prevent the somewhat inevitable.

Let’s get some critical quotes out of the way:

“Failure to patch a known critical vulnerability left its systems at risk for 145 days”

“Vulnerabilities were not adequately tracked, prioritized, and monitored to ensure timely remediation”

What this boils down to is poor and ineffective patch management. We hear about this time and time again, but that doesn’t mean we should stop talking about it. Not to mention that this CVE was rated as critical, and by following best practice (example: the ACSC publication) it should have been patched within 48 hours. It is an absolute necessity to have system owners who follow a clearly defined process when it comes to patches, and to assess each patch against your environment’s assets.

When we start to talk about vulnerability management, Equifax did actually scan their Apache Struts servers prior to the breach, but did not find any vulnerabilities because “the scan was run on the root directory”. Scanning tools don’t have to be vendor specific; there are plenty of open source tools as well. While configuring your tool properly (i.e. running it recursively) is the obvious suggestion here, I would also submit that it may be prudent to run a second tool to validate your findings.

Why would an attacker choose to waste resources creating a custom exploit for a modern application or system that’s well protected, when they can target the low-hanging fruit that hasn’t been properly secured in years? ACIS was a critical “internet-facing business system” built in the 1970s, and was difficult for Equifax to patch, scan, and modify. A system that stores sensitive customer and corporate data should not be built from legacy IT, but rather from tools or solutions that allow for upgrades, automation, security updates, and monitoring of its use. If you cannot invest in modernising critical IT systems, at least do the due diligence of ensuring legacy systems are protected.

The system that was the target of the initial point of infection, ACIS, had its certificates “expire 19 months prior to the discovery of the breach”; in addition to this system, “at least 324 SSL certificates” had also expired across the network. Equifax knew they were expired well before the breach, but a lack of roles and responsibilities here was the key failure. While there are some services such as LetsEncrypt that allow you to auto-renew certificates, the minimum baseline would be to have monitoring in place and a clear process to have them renewed. The biggest takeaway is to concentrate efforts on renewing SSL certificates well before they expire.
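The two controls above, a patch SLA with a named system owner and certificate-expiry monitoring with a named owner, are easy to turn into a work queue. The following Python tracker is an added example written for this post; it is not code from the original article or from the House report. The 48-hour SLA for critical findings is the figure the post cites; the high and medium SLAs, the host names, the `CVE-EXAMPLE-*` placeholders, the dates, and the owner names are all constructed for illustration. Certificate dates use the `notAfter` string form that Python's `ssl.getpeercert()` returns, so the parser can be pointed at a live inventory later.

```python
"""Added example (not from the original post): a minimal remediation tracker that
applies a patch SLA to scanner findings and expiry monitoring to TLS certificates,
and flags anything with no accountable owner. All sample data is constructed."""
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Patch SLA by severity, in hours. The 48-hour critical SLA is the one the post
# cites as best practice; the high and medium values are assumptions for the example.
PATCH_SLA_HOURS = {"critical": 48, "high": 24 * 14, "medium": 24 * 30}


@dataclass
class Finding:
    host: str
    cve: str                     # identifier as reported by the scanner (placeholder here)
    severity: str
    disclosed: datetime          # when the fix became available (SLA clock starts here)
    patched: Optional[datetime]  # None while still unpatched
    owner: Optional[str]         # accountable system owner, None if nobody is assigned


@dataclass
class Certificate:
    host: str
    not_after: str               # e.g. "Aug 15 00:00:00 2017 GMT", as ssl.getpeercert() reports it
    owner: Optional[str]


def patch_sla_status(finding: Finding, now: datetime) -> dict:
    """Exposure window in days (open findings are measured up to `now`) and SLA verdict."""
    end = finding.patched or now
    exposed_hours = (end - finding.disclosed).total_seconds() / 3600
    return {
        "host": finding.host,
        "cve": finding.cve,
        "exposed_days": round(exposed_hours / 24, 1),
        "breached": exposed_hours > PATCH_SLA_HOURS[finding.severity],
        "open": finding.patched is None,
        "owner": finding.owner or "UNASSIGNED",
    }


def cert_status(cert: Certificate, now: datetime, warn_days: int = 30) -> dict:
    """Classify a certificate as ok / expiring / expired relative to `now`."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert.not_after), tz=timezone.utc)
    days_left = (expires - now).days
    state = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
    return {"host": cert.host, "days_left": days_left, "state": state,
            "owner": cert.owner or "UNASSIGNED"}


def report(findings, certs, now: datetime, warn_days: int = 30) -> dict:
    """Return only items needing action, worst first, plus hosts with no owner to chase."""
    patches = [patch_sla_status(f, now) for f in findings]
    cert_states = [cert_status(c, now, warn_days) for c in certs]
    return {
        "patch_breaches": sorted((p for p in patches if p["breached"]),
                                 key=lambda p: -p["exposed_days"]),
        "cert_alerts": sorted((c for c in cert_states if c["state"] != "ok"),
                              key=lambda c: c["days_left"]),
        "unassigned": sorted({x["host"] for x in patches + cert_states
                              if x["owner"] == "UNASSIGNED"}),
    }


# Constructed inventory. NOW and the ACIS dates are chosen so the numbers line up with
# the post's "145 days" and "19 months" figures; everything else is made up.
UTC = timezone.utc
NOW = datetime(2017, 7, 30, tzinfo=UTC)
FINDINGS = [
    Finding("acis-web-01.example", "CVE-EXAMPLE-0001", "critical",
            datetime(2017, 3, 7, tzinfo=UTC), None, None),                      # 145 days, no owner
    Finding("hr-portal.example", "CVE-EXAMPLE-0002", "critical",
            datetime(2017, 7, 28, tzinfo=UTC), datetime(2017, 7, 29, tzinfo=UTC),
            "platform-team"),                                                    # fixed in 24h
    Finding("build-01.example", "CVE-EXAMPLE-0003", "medium",
            datetime(2017, 6, 1, tzinfo=UTC), None, "ci-team"),                  # 59 days open
]
CERTS = [
    Certificate("acis-web-01.example", "Dec 30 00:00:00 2015 GMT", None),        # long expired
    Certificate("api.example", "Aug 15 00:00:00 2017 GMT", "network-team"),      # 16 days left
    Certificate("intranet.example", "Jan 01 00:00:00 2019 GMT", "network-team"), # fine
]

if __name__ == "__main__":
    result = report(FINDINGS, CERTS, NOW)
    for p in result["patch_breaches"]:
        print(f"PATCH SLA BREACH {p['host']} {p['cve']} {p['exposed_days']}d owner={p['owner']}")
    for c in result["cert_alerts"]:
        print(f"CERT {c['state'].upper():8} {c['host']} days_left={c['days_left']} owner={c['owner']}")
    print("no owner assigned:", ", ".join(result["unassigned"]) or "none")
```

Run as a script it prints the breach list, the certificate alerts, and the hosts with nobody accountable; in practice `FINDINGS` would be populated from scanner output and `CERTS` from a certificate inventory or from `ssl.getpeercert()` against each endpoint. The "unassigned" list is the part worth automating first: the post's point about ACIS is that the expired certificates and the unpatched server were known, and the gap was that no role owned fixing them.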