The recent Equifax breach, announced on September 7, exposed as many as 143 million customers, including names, addresses, social security numbers and credit card accounts, in an attack spanning from May through July 2017.
The company has been soundly criticized not only for the technical holes that allowed the breach, but also for its handling of the situation from a customer and public relations standpoint. Equifax says the breach occurred after attackers exploited a vulnerability in its Apache Struts web platform that it had failed to patch, despite a security update being available.
The company is now facing investigations by at least 40 state attorneys general, federal agencies and even regulators in the U.K. and Canada.
As New York's March 1, 2018 deadline bears down on financial firms, requiring key elements of their cybersecurity plans to be in place, the Equifax case serves as an ominous and uncannily timed flashpoint. This worst-case scenario may lead to Equifax's demise, not to mention damage to consumer credit on a massive scale and the inconvenience and wasted time of the credit freeze-and-thaw procedures consumers now have to go through.
The scale of the attack also further damages the reputation of the United States on cybersecurity laxity.
In 2016, data-mining experts from two universities co-authored a report ranking the vulnerability of 44 nations to cyberattacks, based on a two-year study of 20 billion auto-generated reports collected from 4 million compute nodes. Lead author V.S. Subrahmanian presented this research to the Foundation for Defense of Democracies in Washington, D.C. The United States ranked 11th.
With an already mediocre standing, the Equifax breach most certainly erodes the remaining goodwill toward the U.S. in the court of public opinion.
How could Equifax have prevented the breach?
The failure to deploy the needed patch is the obvious tactical reason, but the consensus seems to be crystallizing around a few underlying factors:
- Their networks were not segmented to limit how far an unauthorized user could reach once inside.
- User access controls were too lax and perimeter security appears to have been lacking around each node of the network.
- Auditing was neither regular, rigorous, nor programmatic.
Experts are beginning to note that using multifactor authentication to lock down access could have limited the damage caused by the Apache Struts vulnerability.
Solving for Multifactor Authentication Challenges
At Crossmatch, our DigitalPersona composite authentication technology has been developed, tested and proven. Going beyond traditional 2FA and MFA, composite authentication offers a broad array of authentication factors, including biometrics and risk-based factors.
The Equifax case illustrates how a modest, incremental investment upfront could have saved untold dollars from consumers' pockets, company coffers and shareholder value. Instead, the company is now likely a permanently discredited entity that further shakes faith in the U.S. credit reporting system.
The devastating failures within the massive Equifax information systems architecture serve only to strengthen the position that New York State’s Department of Financial Services has taken on cybersecurity policy.
The implementation of a sweeping set of requirements began rolling out in 2017 and will culminate in hard deadlines in early 2018 for banks and financial providers that do business in the state.
These requirements include:
- Regular risk assessments and vulnerability testing
- Establishment of an accountable Chief Information Security Officer
- Certification of a formal cybersecurity program with the department
- Adoption of multifactor and/or risk-based authentication protocols to protect data, applications and networks
Other states, including California and Michigan, are implementing more stringent cybersecurity standards that will no doubt roll out to the private sector in similar fashion.
Could New York State-style rules have fully prevented the Equifax breach? Perhaps and perhaps not. But without doubt, they would have mitigated the extent of the damage.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch's DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.