> Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.
(on page 2 of the Executive Summary)
I've been following the Equifax breach story but this is the first I'm hearing about the expired certificates. That is shockingly bad.
I'm a little disappointed in the final "conclusion" of the report, though. The end of the executive summary basically chalks the breach up to two things: "Equifax's IT management structure was complicated" and "Equifax uses legacy software that is hard to secure". These are valid points, but these are also issues that nearly every single major corporation in the world faces, and yet many of them still manage to prevent (or at least mitigate) major breaches. These aren't good enough reasons to explain why Equifax failed so spectacularly compared to every other bureaucratic company with legacy software.
Also, I know this report isn't meant to be a remediation strategy roadmap, but it's also pretty disappointing that the recommendations section is basically just 3 pages of fluffy, vague, "X and Y should work together to increase cybersecurity" bullshit. Such a high profile incident would have been a great time for the federal government to really show some leadership (or at least strong guidance) in this realm, but they really didn't. I mean hell, at least link your recommendations to the NIST Cybersecurity Framework...
I'm pretty tired of companies telling me that it's fine for them to hoover up extremely sensitive information like my social security number and then turning around after a breach and saying, "well, there was nothing we could do."
It can't be both. If it's impossible to secure companies, then maybe Marriott shouldn't be asking for anybody's real name when they sign up for a hotel. Maybe we should stop using credit agencies for identity verification and start investing government resources into a separate 2-factor system. Maybe you should have a legally protected right to lie to businesses that ask for your personal information.
Equifax leaked personal information for 50% of the US population. If you were voting, and there was a 50% chance that your ballot and voting history was going to be leaked publicly after the election, you would expect either:
A) Someone is so incompetent that they're going to jail, or
B) The system we're using is so fundamentally broken that we need to rethink the core paradigms of how it's built.
To me, a report like this sounds like the House is saying that where corporate security is concerned, B is the answer.
It's important to distinguish that it wasn't actually Marriott that had the data breach. It was Starwood Resorts, now a Marriott-owned entity, but at the time of the breach it was not a Marriott property. Marriott is being attributed to the guilty party b/c they now own Starwood, but Marriott's systems were never breached, so Marriott should keep doing what they are doing (presumably) and transition all the Starwood systems over to the more secure Marriott systems (which I believe they already said they are doing).
Sending some fall guy to jail is shooting the messenger. The message from the stockholders is: we don't care about security or privacy. The message the feds should send back to them is: well you should.
Conversely, no one's going to "rethink the core paradigms" without some money on the line.
On this point, I can see no other explanation except that government and business are colluding against the people whose data is being leaked in order to normalize a lack of privacy. Token fines are handed out on the order of seconds worth of annual profit, sometimes minutes, but nobody's going to jail, certainly nobody in the boardroom or executive bathroom. Because fuck you that's why.
Not only this, but we certainly aren't going to be able to sue as individuals over it, but why not? Why does personal data only have a value when someone sells it, why not at rest as well? These leaks contribute to financial criteria that are used to determine interest rates paid on loans, e.g., so a number value is calculable. I'm not holding my breath.
Target should have had to close stores to close the shortfall from leak penalties, and Equifax and Marriott should have their corporate charters dissolved.
This is interesting. I almost always fudge my birthday a bit when asked for it. If I'm applying for a loan or opening a bank account or dealing with the government, of course I provide the correct information. But it feels like a really bad idea to provide my actual birthday to strangers whether on the Internet or not.
Gov't issued Yubikeys or a new gov't issued "smart ID" with a 2-factor system as part of it?
I can only imagine that this point becomes lawsuits that span decades.
It's absolutely ridiculous that any kind of a security team -- not to mention one that's supposedly safeguarding such an immense amount of data -- could let monitoring certificates expire at all. It's almost inconceivable that they could let seventy nine certificates that are required for security monitoring expire for months on-end.
I've worked in security for my whole career, and I'm firmly of the optimistic belief that someday, far fewer security-minded people will be needed to keep organizations secure. This is an excellent counterpoint to my argument, though: even the people who supposedly specialize in keeping things secure can apparently be absolutely clueless.
Even worse, the "seventy nine" figure was just the certs that were associated with "critical" systems. The total number of expired certs was at least 324.
> At the time of the breach, however, Equifax had allowed at least 324 of its SSL certificates to expire. Seventy-nine of the expired certificates were for devices monitoring highly business critical domains.
(from pg 70 of the report)
We don't really know what the certs were used for (e.g., whether they were needed to decrypt traffic), or just as part of the reporting... And yes, the team is responsible for keeping them valid, but... this isn't the first time that cert expiration "broke" something and left us worse off than with no SSL at all.
It seems like these systems could only work by either using some heuristic like data volume to decide when something is being "exfiltrated", which isn't nearly as useful, or by whitelisting allowed communications, which seems absurd.
What am I missing?
On that proxy, outbound traffic destination hosts or IPs would be compared to a list of known destinations, and rejected if no match is found.
These methods are not 100%, but they do help add another layer to the security process.
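The destination check described in the two comments above, written out as an added example (it is not code from the thread or from any product mentioned here). The policy entries and connection attempts are constructed; the one design point worth noting is that raw IP literals are matched only against explicitly allowlisted ranges, never against hostname rules, so a client cannot sidestep the hostname allowlist by connecting to an address directly.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EgressPolicy:
    """Default-deny egress allowlist: exact hosts, domain suffixes and IP ranges."""
    hosts: set = field(default_factory=set)            # exact hostnames
    domain_suffixes: set = field(default_factory=set)  # ".example" style suffixes
    networks: list = field(default_factory=list)       # ipaddress network objects

    def allows_host(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if host in self.hosts:
            return True
        return any(host.endswith(suffix) for suffix in self.domain_suffixes)

    def allows_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def is_ip_literal(dest: str) -> bool:
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def check_egress(policy: EgressPolicy, dest: str):
    """Return (allowed, reason) for one outbound destination."""
    if is_ip_literal(dest):
        # IP literals bypass DNS-based rules, so only an explicit range match passes.
        if policy.allows_ip(dest):
            return True, "ip-range-allowlisted"
        return False, "ip-literal-not-allowlisted"
    if policy.allows_host(dest):
        return True, "host-allowlisted"
    return False, "host-not-allowlisted"


def rejected_destinations(policy: EgressPolicy, attempts):
    """Filter a list of (source, destination) connection attempts down to rejections."""
    return [(src, dst, check_egress(policy, dst)[1])
            for src, dst in attempts if not check_egress(policy, dst)[0]]


# Constructed policy (hypothetical names, not from the report).
POLICY = EgressPolicy(
    hosts={"api.partner.example"},
    domain_suffixes={".corp.example"},
    networks=[ipaddress.ip_network("10.20.0.0/16")],
)

# Constructed connection attempts as an egress proxy would see them.
ATTEMPTS = [
    ("app-01", "api.partner.example"),     # allowed: exact host
    ("app-01", "updates.corp.example"),    # allowed: suffix match
    ("app-02", "notcorp.example"),         # rejected: suffix must match on a dot boundary
    ("app-02", "10.20.7.9"),               # allowed: inside allowlisted range
    ("app-03", "203.0.113.5"),             # rejected: IP literal outside any range
    ("app-03", "files.unknown.example"),   # rejected: unknown host
]

if __name__ == "__main__":
    for entry in rejected_destinations(POLICY, ATTEMPTS):
        print("REJECT", *entry)
```

The rejections are what a defender would feed into alerting: a host that repeatedly hits "ip-literal-not-allowlisted" or "host-not-allowlisted" is worth a look even when every individual connection was blocked.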
This doesn't have to mean that they have full, unrestricted access. Access to data may mean that they could get raw records via some internal API. That API may still have logging, access control, DoS protection, etc.
Just like you can detect and prevent an external person from scraping your website in most cases, you can detect some internal service requesting way more than an average hourly number of records. Or with a better audit - specific verifiable entity (signed employee requests, external request id markers, etc.) requesting more than they should.
That assumes you have a well-designed system with multiple tiers that assumes no trust. It's not possible if every service connects to the same database with yolo-root-access.
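The "internal service requesting way more than an average hourly number of records" check from the comment above, as an added example rather than anything from the thread. The log format, caller names and numbers are constructed; the baseline for each caller is the median of that caller's other hourly buckets, which keeps one huge hour from inflating its own baseline and hiding itself.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed internal-API access log: one line per request, with the record count returned.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"caller=(?P<caller>\S+) endpoint=(?P<ep>\S+) records=(?P<n>\d+)$"
)

SAMPLE_LOG = """\
2018-12-10T10:04:11Z caller=billing-svc endpoint=/v1/consumers/records records=70
2018-12-10T10:41:52Z caller=billing-svc endpoint=/v1/consumers/records records=50
2018-12-10T10:12:00Z caller=reporting-svc endpoint=/v1/consumers/records records=400
2018-12-10T11:03:19Z caller=billing-svc endpoint=/v1/consumers/records records=95
2018-12-10T11:30:00Z caller=reporting-svc endpoint=/v1/consumers/records records=380
2018-12-10T12:09:44Z caller=billing-svc endpoint=/v1/consumers/records records=110
2018-12-10T12:15:00Z caller=reporting-svc endpoint=/v1/consumers/records records=410
2018-12-10T13:22:05Z caller=billing-svc endpoint=/v1/consumers/records records=130
2018-12-10T13:40:00Z caller=reporting-svc endpoint=/v1/consumers/records records=395
this line is malformed and must be skipped
2018-12-10T14:01:37Z caller=billing-svc endpoint=/v1/consumers/records records=20000
2018-12-10T14:17:58Z caller=billing-svc endpoint=/v1/consumers/records records=28000
2018-12-10T14:20:00Z caller=reporting-svc endpoint=/v1/consumers/records records=420
"""


def parse_records_per_hour(lines):
    """Sum records returned per (caller, YYYY-MM-DDTHH) bucket; unparseable lines are skipped."""
    buckets = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hour_bucket = m.group("ts")[:13]  # e.g. "2018-12-10T14"
        buckets[(m.group("caller"), hour_bucket)] += int(m.group("n"))
    return dict(buckets)


def find_anomalies(buckets, factor=5.0, min_history=3):
    """Flag hours where a caller pulled more than `factor` x its median of other hours."""
    per_caller = defaultdict(dict)
    for (caller, hour), n in buckets.items():
        per_caller[caller][hour] = n
    anomalies = []
    for caller, hours in per_caller.items():
        for hour, n in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            if len(others) < min_history:
                continue  # not enough history to judge this caller
            baseline = median(others)
            if n > factor * baseline:
                anomalies.append((caller, hour, n, baseline))
    return anomalies


if __name__ == "__main__":
    for caller, hour, n, baseline in find_anomalies(parse_records_per_hour(SAMPLE_LOG.splitlines())):
        print(f"ALERT {caller} pulled {n} records in {hour} (baseline {baseline})")
```

Keying the buckets on whatever verifiable identity the request carries (the signed employee id or external request marker the comment mentions) rather than on the service name is the same logic with a different `caller` field.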
If you cannot store data securely then you should not profit from that data. Business models that insecurely store consumer data should not be viable.
* Network traffic capture for deferred analysis
* Egress analysis (including decrypting SSL/HTTPS)
The first approach is, IMO, more realistic. Although you can't prevent the exfiltration, you can detect it lazily after it's happened, including where it went, what was sent, etc. Although I'm sure several companies support this, [Eastwind Networks](https://www.eastwindnetworks.com/) does a great job for Cloud and on-prem workloads.
The second option, while more thorough, requires big boxes to run, doesn't scale well, is hard to install on clients (the only way I know to "break" HTTPS is to install a custom CA on all clients and MITM all public traffic, which would break for sites using HSTS and HTTP Public Key Pinning). It's only vaguely feasible, and is fraught with issues.
It's of course much more difficult than that in practice, but that's the general idea.
Sure, lots of companies can manage legacy software; arguably, though, Equifax's target on their head is substantially larger than most companies'. They are the holy grail of personal data. Nothing should be legacy with them.
This is like a loss of primary containment at a nuclear facility and the writeup saying "nuclear plants are hard".
Color me flabbergasted.
But what were you expecting? That the people heavily sponsored by large corps like Equifax will write a nasty report against people that are basically paying their salaries?
Have you ever seen the 9/11 report? After all the investigations, time and money spent, the report basically stated that... there was a terrorist attack and buildings fell.
A long time ago I gave up on buying popcorn when high-caliber political committee reports come out. Bottom line is, "this is America and this is business," and Equifax is in the business of making billions of dollars; even if someone forgets to renew an expired certificate, the caravan goes on.
Their monitoring system might have been using TLS to communicate the events to their aggregation tool, and when the cert expired, you don't really want log data with potentially confidential/critical security information traversing insecure channels, so they may have had it configured to not send any data if the cert wasn't valid.
As for warnings about the cert, it's possible they (stupidly) configured it to not send warnings, or maybe it was sending warnings but nobody was paying attention. I've seen situations before where such warnings were set to go to XYZ person's mailbox, but XYZ person leaves the company and nobody remembered to update the destination address for the alerts.
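An added example (not from the thread or the report) of the two controls these comments and the earlier ones about the 79 critical certificates imply: a register of monitoring certificates checked for expired and soon-to-expire entries, plus a check that each entry's alert owner still has an active mailbox, which is the failure mode described in the comment above. The inventory, directory export and "now" timestamp are all constructed.

```python
from datetime import datetime, timezone

# Constructed certificate register for monitoring devices (hypothetical names).
INVENTORY = [
    {"name": "ids-sensor-01.corp.example", "not_after": "2017-01-31T00:00:00Z",
     "critical": True, "owner": "alice@corp.example"},
    {"name": "ids-sensor-02.corp.example", "not_after": "2017-08-10T00:00:00Z",
     "critical": True, "owner": "bob@corp.example"},
    {"name": "intranet-wiki.corp.example", "not_after": "2018-03-01T00:00:00Z",
     "critical": False, "owner": "carol@corp.example"},
    {"name": "egress-proxy.corp.example", "not_after": "2017-06-01T00:00:00Z",
     "critical": False, "owner": "dave@corp.example"},
]

# Constructed directory export: dave has left and his mailbox was removed.
ACTIVE_MAILBOXES = {"alice@corp.example", "bob@corp.example",
                    "carol@corp.example", "secops-alerts@corp.example"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiry_report(inventory, now: datetime, warn_days: int = 30):
    """Bucket entries into expired / expiring-within-warn_days / ok, with day counts."""
    report = {"expired": [], "expiring": [], "ok": []}
    for entry in inventory:
        days_left = (parse_ts(entry["not_after"]) - now).days
        if days_left < 0:
            report["expired"].append((entry["name"], -days_left, entry["critical"]))
        elif days_left <= warn_days:
            report["expiring"].append((entry["name"], days_left, entry["critical"]))
        else:
            report["ok"].append((entry["name"], days_left, entry["critical"]))
    return report


def critical_expired(report):
    """Names of expired certificates that guard business-critical monitoring."""
    return [name for name, _, critical in report["expired"] if critical]


def unroutable_alerts(inventory, active_mailboxes):
    """Entries whose expiry alerts would go to a mailbox nobody reads any more."""
    return [e["name"] for e in inventory if e["owner"] not in active_mailboxes]


if __name__ == "__main__":
    now = parse_ts("2017-07-29T00:00:00Z")  # constructed reference date
    rep = expiry_report(INVENTORY, now)
    print("expired:", rep["expired"])
    print("critical expired:", critical_expired(rep))
    print("expiring soon:", rep["expiring"])
    print("alerts with no live owner:", unroutable_alerts(INVENTORY, ACTIVE_MAILBOXES))
```

Routing alerts to a shared, monitored address (the `secops-alerts` mailbox in the constructed directory) instead of an individual is the usual fix for the second check; the first check is only useful if somebody actually acts on "critical expired" being non-empty.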
> Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging. Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach.
As someone who works in Tech M&A, I often tell clients "hackers go after the weakest link and you just acquired a new link". They nearly unilaterally ignore this advice and ignore hardening even the smallest of acquisitions, because, well, "growth". Someday people will learn.
Not convinced of this at all. There just isn't sufficient financial incentive.
A company like Bear Stearns got "killed", Enron and others got litigated out. But it looks like Equifax did not face any consequences. It's high time we treat data as an asset class and regulate accordingly. Particularly, personal information is acquired by every company and is treated as a valuable commodity. Companies get acquired purely for the amount of data they have. The market has already declared it an asset; why is it not regulated?
Enron was convicted of massive, deliberate accounting fraud. The company wasn't viable without the fraud.
Not even remotely similar to the Equifax breach.
The security patch here is not a technical solution. It's to wipe out the stockholders of any company this negligent, and repossess the spare homes of the entire C-suite. That should cover most attack vectors pretty reliably.
Enron went out of business due to losing an enormous amount of money.
Neither of these things had much to do with government regulation.
I'm disappointed this is recommendation 6, but at least it is in there. I'm also disappointed that they suggest the executive fix this problem instead of legislating a solution. Hopefully they take some action on their own recommendation!
Come up with an alternative plan, give businesses some reasonable number of years to stop relying on them, and after that point they'll no longer be issued to anyone new who's born.
Or if you don't want to get rid of them, treat them like public information. Give businesses X years, and then say, "past this point, we're just going to make these searchable by anyone who makes a request." They're an ID number, not a password.
I hope some of the identity verification blockchain companies succeed for this sort of thing.
What we have now is laughably bad.
If Congress mandates a solution, then it'd be like the VHS stuff all over again. Congress writes a thingy about VHS in the 1980s, and it's completely irrelevant 10 years later. (If a law states that something with VHS is done a certain way, will it apply to DVDs or BluRays when they are invented 10 years later? Or to streaming media 20 years later??)
The Executive Branch is the one that actually runs the government. Legislative Branch / Congress sets policies, but shouldn't set solutions. Law goes out of date incredibly quickly.
Ex: If Congress says that RSA Tokens are to be used instead of SSNs, what happens if a better invention (ex: Google Titan) comes out? Furthermore, even if Congress writes a certain policy down (ex: Two Factor Authentication is necessary to protect bank accounts), the Executive Branch is still the ones who enforce the matter.
So in the case of Two Factor Authentication (legal requirement of banks to protect your bank account), the Executive Branch says that "3-personal questions + Password" counts as two-factor security in the USA. And that's why you have so many banks implementing "3-secret questions".
------------
So regardless, the job will come down to the Executive Branch.
Right now, even if they wanted to, the executive can't force a national ID.
It is easy to fall into the trap of seeing the most minuscule of vulnerabilities and dismissing it as "no one could ever possibly utilize that as a vector, it's not critical."
But that minuscule vulnerability becomes a single link in a ladder to everything in the system. Every seemingly-small vulnerability matters, as this painfully shows.
[1] referenced here: https://blog.hellobloom.io/how-hard-was-the-equifax-hack-a3b...
Speaking of which... why is it only ~50% of the adult population in the U.S.?
If the intruders were going around the Equifax network at will (which from the report it appears they were), we should assume 100% of the data was breached.
[1] https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-l...
[2] https://www.bloomberg.com/news/articles/2018-03-14/sec-says-...
1970s? Am I reading that right? HTML wasn't even developed yet.
It was probably developed very quickly, possibly outsourced, and just stuck in front of the older system with minimal re-engineering.
Many years ago, I worked on a system that put an X Windows front end in front of a mainframe app that used a 3270 emulator to interact with parts of the legacy app. I imagine this is somewhat similar.
The recommendation is essentially "Try to convince the public and private sector to use them less." But I'd argue it is well past time that SSNs be replaced by something fit for purpose. SSNs were never designed to be a unique form of ID, and using things like the cardboard card as further verification is almost comical.
I'd like to see an aggressive alternative that uses the best of our security knowledge and then have it vetted by everyone in the security industry with a pulse. We've seen other countries try this. But most of those countries outsource it to the lowest government bidder, who hide the inner workings behind proprietary claims, and never vet the resulting proposal.
Instead we need something more akin to the United States Digital Service, a publicly created proposal (fully released specs) that is vetted by every academic and security expert they can find.
The hardest part will be saying "no" to requirements creep. Allow certain government agencies to continue to use SSNs for now, and have the new ID "flip" into an SSN behind the scenes. Better than needing five hundred different departments to adopt the new standard before it can go live.
It's gov, so they can do more. It can also be "By 202x using SSN for identification in non-SS purposes becomes illegal."
Another report from the committee's minority is also available.
https://democrats-oversight.house.gov/sites/democrats.oversi... Minority Report - FINAL 12-10-2018.pdf
https://democrats-oversight.house.gov/sites/democrats.oversi...
Key recommendations from the minority report:
"Based on the investigation conducted by the Committees, four key legislative reforms proposed by Democrats would help prevent future cyberattacks:
[A] hold federal financial regulatory agencies accountable for their consumer protection oversight responsibilities;
[B] require federal contractors to comply with established cybersecurity standards and guidance from the National Institute of Standards and Technology (NIST);
[C] establish high standards for how data breach victims should be notified;
[D] and strengthen the ability of the Federal Trade Commission (FTC) to levy civil penalties for private sector violations of consumer data security requirements."
On [B], they note that "Equifax was a federal contractor at the time of its data breach".
On [D], they note that "In the three years before the Equifax data breach, the company spent only about 3% of its operating revenue on cybersecurity—less than the company spent on stock dividends...Civil penalties would incentivize private sector companies to prioritize and invest in continually upgrading and deploying modernized IT solutions and applying cybersecurity best practices."
From my understanding of FedRAMP, all of the things that Equifax failed to do should be already covered. Software patching, isolation of data, audit trails, etc. etc. Seems more like a massive auditing fail.
One difference is that previously Equifax claimed a single employee failed to scan and patch a system. I don't see a reference to that in the report. All I see now is that someone scanned a system improperly:
> The scan did not identify any components utilizing an affected version of Apache Struts. Interim CSO Russ Ayres stated the scan missed identifying the vulnerability because the scan was run on the root directory, not the subdirectory where the Apache Struts was listed.
Now pardon me while I go route my patch management procedures through the nearest baffling and inane dependency.
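The scan failure quoted above (a scan run on the root directory rather than the subdirectory holding the Struts component) comes down to a non-recursive directory walk. The added example below, which is not code from the report or from any scanner, builds a constructed application-server layout in a temporary directory and compares a root-only listing against a recursive walk. The jar name, web-app names and the version string `X.Y.Z` are placeholders; the page gives no version numbers and none are asserted here.

```python
import os
import re
import shutil
import tempfile

# Component pattern for the demo: any Struts 2 core jar, whatever its version string.
STRUTS_JAR = re.compile(r"^struts2-core-(?P<version>.+)\.jar$")


def scan_root_only(root):
    """Mimics a scan that inspects only the top-level directory it was pointed at."""
    found = []
    for name in sorted(os.listdir(root)):
        m = STRUTS_JAR.match(name)
        if m and os.path.isfile(os.path.join(root, name)):
            found.append((os.path.join(root, name), m.group("version")))
    return found


def scan_recursive(root):
    """Walks every subdirectory, which is where deployed web-app libraries actually live."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            m = STRUTS_JAR.match(name)
            if m:
                found.append((os.path.join(dirpath, name), m.group("version")))
    return sorted(found)


def build_sample_tree():
    """Constructed layout: Struts sits under one web app's WEB-INF/lib, not at the root."""
    root = tempfile.mkdtemp(prefix="appserver-")
    portal_lib = os.path.join(root, "webapps", "dispute-portal", "WEB-INF", "lib")
    console_lib = os.path.join(root, "webapps", "admin-console", "WEB-INF", "lib")
    os.makedirs(portal_lib)
    os.makedirs(console_lib)
    for path in (
        os.path.join(root, "app-utils.jar"),                      # unrelated jar at root
        os.path.join(portal_lib, "struts2-core-X.Y.Z.jar"),       # X.Y.Z is a placeholder version
        os.path.join(console_lib, "json-helper.jar"),             # unrelated jar in another app
    ):
        with open(path, "wb") as fh:
            fh.write(b"PK\x03\x04 constructed placeholder, not a real jar\n")
    return root


def compare_scans(root):
    """Return the two result lists so the gap between them is visible."""
    return scan_root_only(root), scan_recursive(root)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        root_only, recursive = compare_scans(root)
        print("root-only scan found:", root_only)
        print("recursive scan found:", recursive)
    finally:
        shutil.rmtree(root)
```

The defender's takeaway is procedural rather than clever: a scan that reports "nothing found" should also report how many directories and files it examined, so that a zero-result run over a single directory is recognisable as an incomplete scan rather than a clean one.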
A senior Equifax official was terminated for failing to forward an email – an action he was not directed to do – the day before former CEO Richard Smith testified in front of Congress. This type of public relations-motivated maneuver seems gratuitous against the backdrop of all the facts.
Ouch.
For the non-physical world I have some ideas:
- The entire infrastructure of IT can be rebuilt in an automated fashion and is done so in a prod-parallel equivalent at least weekly
- Any change to "vital" files on any server is audited
- err?
I feel for them (not!). BUT they shouldn't store any valuable data then. They should be not-insurable.