Market Trends

The NY State Cybersecurity Rule: Does It Go Far Enough to Prevent a Future Equifax-Type Breach?


The recent Equifax breach, announced on September 7, exposed the personal data of as many as 143 million customers, including names, addresses, Social Security numbers and credit card accounts, in an attack that spanned May through July 2017.

The company has been soundly criticized not only for the technical holes that allowed the breach, but also for its handling of the situation from a customer and public relations standpoint. Equifax says the breach occurred after attackers exploited a vulnerability in its Apache Struts web application framework that it had failed to patch, despite a security update being available.

The company is now facing investigations by at least 40 state attorneys general, federal agencies and even regulators in the U.K. and Canada.

As New York's March 1, 2018 deadline bears down on financial firms, requiring key elements of their cybersecurity plans to be in place, the Equifax case serves as an ominous and uncannily timed flashpoint. This worst-case scenario may lead to Equifax's demise, not to mention damage to consumer credit on a massive scale and the inconvenience and wasted time of the credit freeze-and-thaw procedures consumers must now go through.


The scale of the attack also further damages the reputation of the United States, which is already perceived as lax on cybersecurity.

In 2016, data-mining experts from two universities co-authored a report based on a two-year study of 20 billion automatically generated reports collected from 4 million compute nodes, which ranked the vulnerability of 44 nations to cyberattacks. Lead author V.S. Subrahmanian presented this research to the Foundation for Defense of Democracies in Washington, D.C. The United States ranked 11th.

With the U.S. already in a mediocre standing, the Equifax breach most certainly erodes what goodwill remains toward it in the court of public opinion.

How could Equifax have prevented the breach?

The failure to deploy the needed patch is the obvious tactical reason, but the consensus seems to crystallize around a few factors:

  • Their networks were not segmented, so an unauthorized user who got in could reach far more than one system.
  • User access controls were too lax, and perimeter security appears to have been lacking around each node of the network.
  • Auditing was neither regular, rigorous, nor programmatic.

Experts are beginning to note that using multifactor authentication to lock down access could have contained the damage that followed exploitation of the Apache Struts vulnerability.

Solving for Multifactor Authentication Challenges

At Crossmatch, our DigitalPersona composite authentication technology has been developed, tested and proven. Going beyond traditional 2FA and MFA, composite authentication offers a broad array of authentication factors, including biometrics and risk-based factors.

The Equifax case illustrates how a modest, incremental investment up front could have saved untold dollars from consumers' pockets, company coffers and shareholder value. The company is now likely a permanently discredited entity, and one that further shakes faith in the U.S. credit reporting system.

The devastating failures within the massive Equifax information systems architecture serve only to strengthen the position that New York State’s Department of Financial Services has taken on cybersecurity policy.

A sweeping set of requirements began rolling out in 2017 and will culminate in hard deadlines in early 2018 for banks and financial providers that do business in the state.

These requirements include:

  • Regular risk assessments and vulnerability testing
  • Establishment of an accountable Chief Information Security Officer
  • Certification of a formal cybersecurity program with the department
  • Adoption of multifactor and/or risk-based authentication protocols to protect data, applications and networks

Other states, including California and Michigan, are implementing more stringent cybersecurity standards that will no doubt roll out to the private sector in similar fashion.

Could New York State-style rules have fully prevented the Equifax breach? Perhaps and perhaps not. But without doubt, they would have mitigated the extent of the damage.

Jonathan Sigel is a product marketing professional with 15 years of experience in the high-tech sector – spanning infrastructure, services, and software within security, web content management, and data storage segments, among others. He has held managerial positions with IBM and NEC and is currently Market Segment Manager at Crossmatch. In his current position at Crossmatch, Jonathan is evangelizing and guiding an evolution of Crossmatch DigitalPersona – a composite authentication solution portfolio that addresses the data and systems security needs of financial services organizations – with use cases that meet regulatory compliance and go beyond it, to support business continuity and growth.