The Equifax hack exposed the personally identifiable information of 143 million people and has created a tremendous ethical, public relations, and legal dilemma for the company. Stakeholders are looking for information to understand what happened. The key question: How was the Equifax data compromised? We still don’t know, and that has led to a great deal of criticism and speculation.
Compounding the problem for Equifax (and everyone else) is that the company made tremendous mistakes in its response. Equifax executives dumped stock after the breach. The company offered free credit-monitoring services to those affected when they attempted to learn whether their data was compromised, but only if they signed away their right to sue for damages.
The cost of the Equifax breach is likely to be greater than that of the Target breach. A class action lawsuit has already been filed that seeks as much as $70 billion in damages. While the Equifax infrastructure is likely smaller than Target’s, the financial exposure is greater.
Marketing, security, and disaster recovery professionals will be analyzing Equifax’s initial response as a case of what not to do. However, security professionals need to focus on how not to become another Equifax.
In my book, Advanced Persistent Security, I discuss a systematic process of learning from failure, and that you can learn from other people’s failures as much as, if not more than, from your own. That process involves breaking down the phases of protection, detection, and reaction.
Any minimally capable security program assumes that protection will fail, so detection is as important as, if not more important than, protection. While failing to keep the attackers out is forgivable, not planning for that inevitable failure is not.
Protect the data
Initial reports claim that a vulnerability in the Apache Struts web framework was the root cause of the compromise. Even if this is true, it may not have been the only weakness that existed or enabled the attack. A single point of failure should not result in the compromise of 143 million highly valuable records.
You should be asking questions like these of the Equifax breach:
- Why was that volume of data so readily available to a web application?
- What protections should have been in place to prevent such a compromise of information?
- What protections should have been in place with the assumption that a web application would have an inevitable vulnerability?
- Was there data leak prevention in place?
The questions you might ask are endless, and they need to be answered as fully as possible. Ask not only what failed, but also what else should have been in place that could have stopped the data compromise. These questions apply to every step in how data is collected, created, stored, accessed, edited, transmitted, and so on. This means examining the entire architecture to ensure that if one component is compromised, such as the web server providing data access, the other components of the architecture limit how much data can be taken.
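The architectural point above, that a compromised web tier should not be able to walk off with the whole dataset, can be made concrete. The following is an added illustration written for this article, not Equifax's code and not a description of its real systems: a hypothetical data-access layer that sits between a web application and the record store, gives the web tier only a single-record lookup (no raw SQL), returns a masked SSN rather than the full value, caps each caller at a small number of distinct records per time window, and writes every call and every cap violation to an audit log that a detection rule can consume. The class and function names, limits, and sample records are all constructed for the example.

```python
import sqlite3
import time
from collections import defaultdict, deque

# Constructed sample data: fictional names and obviously fake SSNs.
SAMPLE_RECORDS = [
    (i, f"Consumer {i:02d}", f"000-00-{i:04d}") for i in range(1, 21)
]


class BulkAccessError(Exception):
    """Raised when a caller exceeds its distinct-record budget."""


class RestrictedCreditStore:
    """Hypothetical data-access layer between the web tier and the record store.

    Design assumptions (not taken from the article): the web tier never gets
    raw SQL; it can only fetch one record by id, sees a masked SSN, is limited
    to `max_records` distinct ids per `window_seconds`, and every call is
    written to an audit log that a detection rule can read. In a real
    deployment the equivalent is a database role granted EXECUTE on a lookup
    procedure only, with no SELECT on the underlying table.
    """

    def __init__(self, max_records=5, window_seconds=60, clock=time.monotonic):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE consumers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)"
        )
        self.conn.executemany("INSERT INTO consumers VALUES (?, ?, ?)", SAMPLE_RECORDS)
        self.max_records = max_records
        self.window = window_seconds
        self.clock = clock                   # injectable for deterministic tests
        self._history = defaultdict(deque)   # caller -> deque[(ts, record_id)]
        self.audit_log = []                  # (ts, caller, record_id, outcome)
        self.alerts = []                     # (ts, caller, distinct_count)

    def _distinct_in_window(self, caller, now):
        """Drop history older than the window and return the distinct ids left."""
        hist = self._history[caller]
        while hist and now - hist[0][0] > self.window:
            hist.popleft()
        return {rid for _, rid in hist}

    def lookup(self, caller, record_id):
        """Single-record lookup: the only read path the web tier is given."""
        now = self.clock()
        seen = self._distinct_in_window(caller, now)
        # Re-reading an already-seen record is fine; a new id past the cap is not.
        if record_id not in seen and len(seen) >= self.max_records:
            self.alerts.append((now, caller, len(seen)))
            self.audit_log.append((now, caller, record_id, "denied"))
            raise BulkAccessError(
                f"{caller} exceeded {self.max_records} distinct records per {self.window}s"
            )
        self._history[caller].append((now, record_id))
        row = self.conn.execute(
            "SELECT id, name, ssn FROM consumers WHERE id = ?", (record_id,)
        ).fetchone()
        self.audit_log.append((now, caller, record_id, "ok" if row else "missing"))
        if row is None:
            return None
        rid, name, ssn = row
        # Data minimization: the web tier only ever sees the last four digits.
        return (rid, name, "***-**-" + ssn[-4:])


def simulate(store, caller, record_ids):
    """Replay a sequence of lookups and return (allowed, denied) counts."""
    allowed = denied = 0
    for rid in record_ids:
        try:
            store.lookup(caller, rid)
            allowed += 1
        except BulkAccessError:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    store = RestrictedCreditStore(max_records=5, window_seconds=60)
    # A sequential sweep over ids is the access pattern the cap is meant to stop.
    print(simulate(store, "web-tier", range(1, 11)))
    print(store.alerts[0])
```

The limits here are deliberately tiny so the behaviour is visible; the real values would come from measured legitimate traffic. The point is the shape: the web tier's credential cannot express a bulk query at all, the per-caller budget turns an attempted sweep into a stream of denials, and the `alerts` list is what you would forward to a SIEM so that detection, not just protection, is in place when the web application's inevitable vulnerability is exploited.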