Network Critical - The Window to your Network

5 Protections Equifax Should Have Employed

What everyone likely already knows is that credit reporting agency Equifax has been hacked. Lost to the hackers was personal and permanent identifying information of over 143 million people, including government Social Security numbers and driver's license numbers along with other credit and financial information. If you do not know, Social Security numbers are forever. These numbers will be floating around the internet longer than their owners will live, making them potential identity theft victims for the rest of their lives. Could Equifax have done a better job protecting this information? YES!

  1. Strong Passwords - A security research firm called Hold Security was able to acquire administrative access (the highest level of access) to the Equifax website in Argentina. The site contained employee records, consumer complaint information and other personal and confidential information. How did they do this? They simply tried the default password that many manufacturers use when they ship product: user name admin, password admin. Manufacturers suggest changing passwords immediately after the products are installed for security purposes. Amazingly, many small businesses and multinational corporations do not bother changing the defaults, making it very easy for hackers to access systems. Note that this may or may not have been a factor in the latest hack. Not enough is known yet about that breach. However, it is reasonable to assume that the lack of a strong password management policy in Argentina will be found at other sites. 
  2. Training - Network security is not exclusively an IT responsibility. Every person in the company who has access to network resources has the responsibility to protect those resources. This includes complying with corporate access management policy on personal devices such as smartphones, laptops and tablets. Non-IT employees should have endpoint security on their home networks if they access work resources from home as many employees do. All employees should be cautious when clicking links in emails regardless of how official or enticing they seem. If you did not ask for that link, do not click on it. Now, many non-IT employees are simply not aware of these and other safeguards. It is the responsibility of the CEO to be sure that someone is in charge of creating safe IT policies and training all employees that have network access about these policies. Further, the training should also include stiff penalties for breaching policy. 
  3. Access Management - Not everyone in the company needs access to all the information on all corporate systems. There should be multiple levels of access to corporate IT resources. Using Equifax as an example, what positions in the company require access to every piece of personal and confidential information in every single customer record in the system at any one time? It makes no sense to allow any employee full access to all records, not even the CEO. For even deeper protection, Data Loss Protection (DLP) appliances connected to network access links by intelligent TAPs can set and enforce policies determining what data formats are not allowed to be downloaded to certain devices. For example, a policy could be set restricting the downloading of any USA Social Security number with the format XXX-XX-XXXX regardless of the user's credentials. 
  4. Executive Training - Stuff happens. This is not the first major security breach in history. It may, however, very well be one of the largest. In order to maintain what customer credibility is left after a major breach of confidence, the company needs to very carefully navigate the post-breach waters, showing empathy to the victims and a willingness to do whatever it takes to remedy the situation. The Equifax response fell a little short. First, they did not notify the public of the breach for about 5 weeks, while executives were selling stock. Not exactly an empathic start. That was the start of a long list of post-hack flubs that has the US Congress opening an investigation into the company, the breach and the response. The remedy offered to the consumer victims has been credit monitoring for one year. This stolen information can be used and sold by the hackers for thieves to open credit accounts, file fraudulent tax returns, obtain loans and buy products for life. Birthdays, Social Security numbers and driver's licenses do not expire. Equifax is saying that their mismanagement, which put perpetual personal information in the hands of thieves, will be covered for a year. After that, we have some wonderful products that you can buy from us so we can profit from our mistakes. A little more sensitivity is in order here. Perhaps a weekend empathy retreat is in order. 
  5. Encryption - Follow me here: ransomware hackers encrypt data all the time. The data is not theirs, but they get to it and encrypt it. Then they charge the victim for the key to decrypt the data. The victim's data is worthless and unusable until the key is purchased. So, let's say that Equifax had the forethought to encrypt the personal, confidential and perpetually usable data in the files of 143 million of their customers. Let's say that hackers got through the passwords, firewalls, IPS, DLP, and other access controls and protections on the network. If the customer data was encrypted, it would be worthless to the hackers. Seems simple enough.
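Item 3 above describes a DLP policy that blocks any download containing a US Social Security number in the XXX-XX-XXXX format, regardless of who requested it. The following is an added example of how such a rule can be expressed and tested; it is not Network Critical's code or any vendor's appliance logic, and the pattern, the plausibility checks and the constructed sample export are assumptions for illustration.

```python
import re

# DLP rule for item 3: block any outbound payload that carries a US Social
# Security number shaped XXX-XX-XXXX, no matter the requester's credentials.
# Added illustration; the regex and validity rules are assumptions about how a
# DLP policy might be implemented, not a specific product's logic.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop shapes the SSA never issues (area 000, 666 or 900-999, group 00,
    serial 0000) to cut false positives on order numbers and phone fragments."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Return every plausible SSN-shaped token found in text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def dlp_decision(payload: str, requester_role: str) -> dict:
    """Policy: SSNs never leave by download, even for an admin.
    Returns a decision record suitable for an audit log."""
    hits = find_ssns(payload)
    return {
        "verdict": "BLOCK" if hits else "ALLOW",
        "requester_role": requester_role,  # logged, but never overrides the rule
        "ssn_count": len(hits),
        # Mask what is logged so the DLP log does not become a second leak.
        "samples": [h[:3] + "-**-****" for h in hits[:3]],
    }


# Constructed sample export for the demo, not real records.
SAMPLE_EXPORT = """name,ssn,dob
Jane Doe,123-45-6789,1980-02-03
John Roe,321-54-9876,1975-11-30
Order ref 000-12-3456 (not an SSN; area 000 is never issued)
"""

if __name__ == "__main__":
    print(dlp_decision(SAMPLE_EXPORT, "admin"))
```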

There is much more to this story and it will be in the news for a while. It touches virtually every US adult. There is already a US$70 billion class action lawsuit being prepared against Equifax. Any company that holds confidential customer information in a networked environment needs to be extremely vigilant in protecting that information. The cost of a breach, as we see here, is much greater than the cost of building a robust security platform and training all employees on security policy.

Posted: 01/09/2017 18:17:26 by Network Critical with 0 comments