Equifax reports of 143 million Americans. Equifax is an

 

 

 

 

 

 

Equifax
Data Breach

 

By

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

Samir
Patel

 

 

                            

 

 

 

 

 

 

Professor
Dr.Charles Pak

IS
680

November
28th 2017

 

Table
of Contents
ABSTRACT. 3
INTRODUCTION.. 4
ANALYSIS. 5
APACHE
STRUTS. 5
VULNERABILITY.. 6
VULNERABILITY
PROCESS. 6
SERIES
OF EVENTS. 7
IMPACT. 7
PROTECTION.. 8
DATA
SECURITY PRACTICES. 9
SECURITY
STANDARDS. 9
LESSON
LEARNED.. 10
CONCLUSION.. 10
REFERENCES. 12
 

 

 

 

 

ABSTRACT

                        Data
breaches exposing sensitive personal information are becoming commonplace in
recent years as the growing of cyberattacks outbreaks on the Internet.
Cyberattacks tends to target companies that possess relevance of Identity data
of the users. The personal data that lies in the hands of the companies are
always at a stake as these attacks grows. These companies should take proper
security measures in the prevention of those attacks. A security breach took
place in an Equifax company which exposed personal information and credit
reports of 143 million Americans. Equifax is an organization that handles
consumer information and credit services. The company possesses consumer data
that is irreplaceable. This type of companies should be engaged in the security
measure that they take in defending against this attack and the internal
auditing techniques those are performed on their systems and processes should
be well formed. The devastating thing about this breach is that the hackers
gained all the information that they need in order to commit identity and
financial fraud.

 

 

 

 

 

 

 

 

 

 

 

INTRODUCTION

             Identity
information is currently stored in numerous different places in many different
organizations such as government agencies, education institutes, hospitals and
financial data processing centers. Inconsistency of security measures, audit
techniques, data management, and inadequacy of existing technology has resulted
in data breaches of those organizations. Data breach is defined as a security
incident in which the confidential data has been exposed, disclosed or lost.
Confidential data typically includes Social Security numbers or financial
information. These data are considered to be kept by these companies in highly
secure environment and should be well protected. A cyberattack is one of the
first lines of attack that these types of companies should be aware of as they
are the main causes of the breach. Their initial target and motive is to gain
the access to the systems and steal the data. A similar breach was introduced
in Equifax which jeopardizes consumer’s sensitive information and affected many
Americans.

             On September 7th
2017, Equifax announced that they have been victimized of a cyberattack which
potentially impacted the sensitive information of nearly half of all US adults.
Equifax is a consumer credit reporting agency that offers credit and
demographic related data and services to businesses. It sells credit monitoring
and fraud prevention services to its consumers. It possesses extremely
sensitive information of over 800 million individual as well as 88 million
businesses worldwide. A data breach that affected majority of these consumers
resulted in jeopardizing in names, addresses, social security numbers, birth
dates, driver license numbers, credit card numbers, and dispute documents. The
data breach was due to application vulnerability. The company discovered the
breach in the end of July but it took around six weeks for the company to
release the report to the public that their systems have been breached. The
consequences would be disastrous as the companies hold the kind of information
that can be used in protecting against hackers.

ANALYSIS

            Cyberattacks can cause a lot of damage to the companies.
There are many different type of attacks used to breach the systems. The data
breach in Equifax was due to an unpatched vulnerability found in an Apache
Struts instance running on Equifax’s webservers. The vulnerability in Apache
Struts was known as zero-day which describes security bugs exploited by
attackers. Apache Struts is a widely used technology in many companies which
makes it the perfect source to attack as there was no patch released or the vendor
weren’t aware of the vulnerability.

APACHE
STRUTS

                Apache
Struts is an action based open-source Model View Controller (MVC) framework
used for developing java applications. An Apache strut is handled by an open
sourced community known as Apache Foundation. Apache Struts handle requests
made by the web browser and process through the server (See Figure 1). Equifax was
leveraging the Struts to provide users with an interactive experience of
allowing them to input data and receive responses. Vulnerability in the Apache
Struts known as CVE-2017-5638 was the cause of the breach.

                Figure 1. Apache
Strut Flow

VULNERABILITY

                The
instances running on Equifax’s webservers were vulnerable to the unpatched vulnerability
of CVE-2017-5638 which was announced in March of 2017. It was identified as a
critical severity with a score of 10. Critical vulnerability needs to be
patched immediately as they can cause security implications and possess the
risk to the environment. CVE-2017-5638 vulnerability allows remote code
execution on the backend systems of Equifax’s webservers which runs through
online form fields. Since, the vulnerability existed within Apache Strut MVC
framework; it was difficult for the management to identify the vulnerable
instance. The instance become vulnerable as it wasn’t patched and it open the
door through the system which has been outlined below.

VULNERABILITY
PROCESS

–         
Equifax customers interacted with a web
application that used a potentially vulnerable plugin.

–         
When a customer interacts with the
system, the plugin pulls information from a library program called XStream.

–         
XStream converts customer data into a
serial string of text characters suitable for web requests and replies.

–         
The XStream code includes everything
needed to build Java objects of almost any type.

–         
This enabled hackers to insert their own
code into Java objects and manipulate the server running XStream.

“Intruders were able to
access large amount of sensitive consumer data as the Equifax has fallen behind
in applying security updates to their webservers.”

SERIES OF EVENTS

 

Figure 2. Equifax Data Breach
Timeline

                Equifax’s
failure to patch the Apache Strut exploit lead to a series of events (See
Figure 2) which has been categorized as one of the largest security breaches in
recent years. Despite the patch that was released in March, Equifax IT experts were
unable to patch their systems which resulted in a crisis. This simply
demonstrates the importance of effective patch management.

IMPACT

            An enormous number of people have been impacted from this
Equifax data breach including some customers from United Kingdom and Canada.
The sensitive data that was exposed can cause a lot of damage to every affected
individual as the data was irreplaceable. The victim will need to be aware of
potential identity theft for an indefinite period of time as the most of it
been have been sold to unground marketplaces by now.

            Equifax has published a website which helps individuals
to determine if they have been impacted by this breach. The site (See Figure 3)
created by Equifax will let the users know if they have been impacted by this
breach. The site also lets consumer to enroll in TrustedID credit monitoring
service that includes identity theft insurance, credit reports and service that
crawls the internet and alerts you if your SSN number is posted somewhere
online. Equifax has included a clause where the subscribers of this service
will give up their right to sue Equifax.

Figure 3. Equifax Impacted Website

PROTECTION

            The Equifax data breach has increased the risk as the
sensitive data has been leaked. Victims are concerned in protecting their data
as the hackers can sell the data to other criminals which result in Identity
theft. Activities outline below have been recommended by the experts in
protecting against it.

Credit Freezes

–         
A credit freeze means potentials
creditors cannot access the credit report, making it less likely an identity
theft can open new accounts under your name.

Fraud Alerts

–         
A credit alert requires creditors to
take reasonable steps to verify your identity when anyone tries to apply for
credit in your name.

Credit Monitoring

–         
Credit Monitoring service tracks changes
on your account including applications for new credit card or loan.

It
has been recommended that affected individuals should check their credit
accounts for any suspicious activities and perform the activities listed above.

DATA SECURITY PRACTICES

                Equifax
is a well-funded organization which invest plenty amount money in their
cybersecurity program. Their internal cybersecurity and IT experts are
accountable for the proper cybersecurity measures and vulnerability management
process in identifying failed processes. The breach within the application
vulnerability should have been well prevented if the proper security measures
were taken. As the crisis highlights the importance in protecting the data, the
below standards and practice should be followed in terms of defining security
standards in every organization.

SECURITY
STANDARDS

–         
Comprehensive risk assessment

–         
Written policies and procedures

–         
Regular testing and monitoring of
systems, networks and applications

–         
Data security audits

–         
Incident response plans

–         
IT encryption protocols and access
controls

–         
Vendor management policies

–         
Employee training

LESSON
LEARNED

Every
organization is responsible for protecting consumer data and they should follow
security practices listed above. These are some of the procedures needs to be
followed to mitigate the risk. It’s not possible to prevent all the breaches
but implementing layers of protection around the data can minimize the data
even if there is a point of failure. Companies should be engaged in ongoing
audits and they should be consistently monitoring and testing the processes and
systems. Penetration testing is another technique that the companies should be
engaged in as the vulnerability within the systems can be found and remediated
within their environment. These are some of the techniques and activities all
of the companies should be assessing to their systems to ensure that their
systems are properly up to date and the best security practices are being
followed within the organization. 

CONCLUSION

                As
the data that lies within the different organizations, it is imperative that
these organizations are taking viable actions in protecting them against these
different threats. Equifax data breach was caused due to vulnerability in
instances running in Equifax’s webservers which affected millions of Americans
in exposing their sensitive data which cannot be replaced. The attack was
preventable if the company took proper actions against their security
infrastructure and in the management of their employees. Before the intrusion
occurred, the company had more than 2 months to apply the patch which was
already released. Company’s management vulnerability efforts could have
detected and addressed the vulnerability if the proper standards were followed
within the organization. Threats like this are never to be treated lightly as
the cyberattacks have increased over the past years.

Cyberattacks
are growing in numbers every year, it is essentials that the organization takes
proper actions to define and remediate the vulnerabilities that exist within
their environment. It is never safe that the data is completely safe from these
attacks. Security practices and standards needs to be followed in their daily
operations to mitigate the risks. Organization will never reach to the end of
these attacks as the new attacks will continue to be launched, however, it will
require them to adapt to their programs and defenses accordingly.

             

 

 

 

 

 

 

 

 

REFERENCES

NeuVector. (2017). Equifax Data Breach Analysis: Container Security Implications –
NeuVector. online Available at:
https://neuvector.com/blog/equifax-data-breach-analysis/ Accessed 28 Nov.
2017.

Kamat, P. (2017). The Equifax data breach: a case study on how NOT to handle a breach |
Persistent. online Persistent. Available at:
https://blog.persistent.com/index.php/2017/09/12/equifax-data-breach-case-study-not-handle-breach/
Accessed 28 Nov. 2017.

Krebsonsecurity.com. (2017). Breach at Equifax May Impact 143M Americans — Krebs on Security.
online Available at:
https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/
Accessed 29 Nov. 2017.

Infotransec.com. (2017). Analysis of the 2017 Equifax Data Breach | InfoTransec.com.
online Available at:
http://www.infotransec.com/news/analysis-2017-equifax-data-breach Accessed 29
Nov. 2017.

CNBC. (2017). Three
big lessons we all need to learn from the Equifax data breach. online
Available at:
https://www.cnbc.com/2017/09/20/cybersecurity-lessons-from-equifax-data-breach–commentary.html
Accessed 29 Nov. 2017.

Vox. (2017). The
Equifax hacks are a case study in why we need better data breach laws.
online Available at: https://www.vox.com/policy-and-politics/2017/9/13/16292014/equifax-credit-breach-hack-report-security
Accessed 29 Nov. 2017.

Lbmcinformationsecurity.com. (2017). The Equifax Data Breach: How Did It Happen?.
online Available at: https://www.lbmcinformationsecurity.com/blog/the-equifax-data-breach-how-did-it-happen
Accessed 30 Nov. 2017.

Cimpanu, C. (2017). Equifax Confirms Hackers Used Apache Struts Vulnerability to Breach Its
Servers. online BleepingComputer. Available at:
https://www.bleepingcomputer.com/news/security/equifax-confirms-hackers-used-apache-struts-vulnerability-to-breach-its-servers/
Accessed 30 Nov. 2017.

Roseindia.net. (2017). How Struts Works. online Available at:
https://www.roseindia.net/struts/how-struts-works.shtml Accessed 30 Nov.
2017.

Lexology.com. (2017). Equifax Breach: Good Data Security Practices Matter | Lexology.
online Available at:
https://www.lexology.com/library/detail.aspx?g=e8363dbc-b68e-4121-a8c3-c69e73ec8c7c
Accessed 30 Nov. 2017.

Cybersecurity Incident & Important Consumer
Information. (2017). Cybersecurity
Incident & Important Consumer Information | Equifax. online Available
at: https://www.equifaxsecurity2017.com/ Accessed 28 Nov. 2017.

Csrps.com. (2017). Equifax Data Breach Timeline | csrps.com – CSRPS. online
Available at: https://csrps.com/meticulous-timeline-equifax-data-breach
Accessed 28 Nov. 2017.

USA TODAY. (2017). Equifax data breach: What you need to know about hacking crisis.
online Available at: https://www.usatoday.com/story/money/2017/09/15/equifax-data-breach-what-you-need-know-hacking-crisis/670166001/
Accessed 29 Nov. 2017.

LifeLock. (2017). Equifax Data Breach Affects Millions of Consumers. Here’s What to Do. –
LifeLock. online Available at: https://www.lifelock.com/education/equifax-data-breach-2017/?promocode=LLART10
Accessed 30 Nov. 2017.