
The Equifax breach - CNS Cyber Security guru Chris Leppard speaks on what really went wrong...

by Chris Leppard | 25 Sep 2017

What Equifax highlights is the fallibility of people – for as long as people are involved in IT security (or just generally involved in companies), there will be weaknesses. It is easy to sneer at the failings reported and believe that it could never happen to you, but this is not the case. There have undoubtedly been some very poor practices – even bordering on negligent – but they are far from unique. Despite all the advances in detection techniques, threat analysis, firewalls etc., some of the oldest concepts, such as defence-in-depth, are still relevant.

Equifax perfectly demonstrates that doing the basics of IT security is still important and would almost certainly have prevented the breach in the first place, or at least ensured that the customer databases were not compromised even if the breach occurred. It has been reported that the customer databases were routinely encrypted, but the private keys necessary for decryption were stored in the administration panels of the same databases. This is a monumentally stupid thing to do and fatally weakens the encryption to the point where it is useless: an attacker who reaches the database also reaches the key that protects it.

The earlier breach of an Equifax subsidiary (TALX), which has now been picked up by the mainstream press, also shows a lack of basic security practices. Relying on 4-digit PINs to protect accounts is extremely weak, and hackers can easily exploit knowledge-based authentication questions (‘What was your mother’s maiden name?’, ‘What town were you born in?’ etc.) to reset PINs and gain access to customer records. There are websites that specialise in collecting this kind of data. Ever wondered who was behind those games on Facebook and other social media sites that ask you to use personal details, such as the name of your first pet and your birthplace, to make up ‘fun’ names, and what happens to all the information you give them?

Again, this exploits the weaknesses of people in all areas, not just those involved with IT security or working for Equifax. But practising basic security hygiene – enforcing proper access controls on customer files, ensuring that patching is up to date, restricting the use of privileged access accounts and segmenting internal networks – would have either prevented the breach or greatly reduced its impact. The fact that major companies are failing to do this means either that they are remarkably complacent, ignorant of the threats they face, or have failed to invest in the necessary staff and resources to implement these practices. Yes, good security costs money and takes time and effort, but it is far from impossible, and this is by no means the first large-scale attack of this nature. Ignorance can really be no excuse.

Regardless of the long-term fallout and fines imposed on Equifax by the authorities, the drop in share price (wiping approximately $6 billion off the value of the company) and reputational damage could have dealt a fatal blow. I would expect the departure of more ‘C’-level executives before this incident is concluded.
