The Equifax breach: preparations and incident response.
September 18, 2017.
By The CyberWire Staff
Equifax has not received good reviews for its incident response. Indeed, the company is being widely and harshly criticized in social media. The credit bureau is offering its identity protection and credit monitoring services free to affected individuals. Why affected individuals would sign up for such monitoring is unclear to many observers: journalists and security experts have looked into the proffered service and found it dodgy, hard-to-use, generally insecure, and probably an opportunity to be hit up for a paid renewal when the free offer expires (Bleeping Computer).
The company's response has struck most as tone-deaf. In most large-scale cyber incidents, there are varying degrees of sympathy for the victim and an acknowledgment of the victim's difficulties. Not so here. The Twitterstorm over the incident is massive and utterly unsympathetic. A great deal of this is Schadenfreude from those who have found themselves at some point in their lives caught up in the iron web of credit evaluation. More comes from security experts who are aghast at the apparent degree of carelessness with which personal data were handled. (Forbes points out that Equifax had had problems with data security before.) And no one appears to think that a forty-one-day delay between discovery and disclosure is acceptable (Business Insider).
It will be difficult for the credit-rating industry as a whole to continue in its present form. One representative tweet can stand for the others: "If @Equifax survives this catastrophe then there is obviously no moral hazard in the US data economy after all."
Equifax breach: lessons for incident response.
It might be useful to consider Equifax's experience from an after-action point-of-review. There will be as many if not more lessons to be learned from this episode as a case study in incident response as there will from the forensic post mortem itself.
As many other companies in breach trouble have done, Equifax has brought in Mandiant to mop up its systems (ZDNet). But Equifax has fumbled its response on at least three points. First, the delay in disclosure seems unconscionably long—forty-one days. There would have to be some time between discovery and disclosure if only to be sure one had attained some realistic understanding of what happened, but to take more than a month argues a lack of preparation. Yahoo!'s breaches took longer to come out, but that's been the exception rather than the rule, and Yahoo! was also experiencing a significant internal failure to communicate.
High-Tech Bridge's Ilia Kolochenko said, "Such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims. Most important now is to make sure that we do not underestimate the scale of the breach, and have properly identified every victim and the integrity of data that was stolen.“
Second, the public relations appear to have been very poorly handled (a "dumpster fire," as KrebsOnSecurity called it) and it's worth recalling that public relations are a real and important part of any incident response plan. The offer of free credit monitoring (to be conducted by Equifax's own service) struck many observers as insultingly inadequate, with further insult added by the company's poorly-executed website telling people who sought to apply for free monitoring to come back on September 13th (Motherboard). (Also see the comments section of the FTC's online advice to consumers for a taste of what visitors have encountered.)
It gets worse—the agreement Equifax required consumers to enter upon receiving their free monitoring included a clause committing them to submit any claims against Equifax to arbitration, an attempt to limit the size if not the inevitability of class action suits (Bloomberg). That last clause has now been removed, but the delayed and clumsy response brings out, again, the importance of planning for incident response. It also highlights the importance of exercising and testing such plans, and of drawing and applying lessons learned from those exercises. It's difficult to believe a well-crafted plan would have permitted a forty-one day gap between discovery and disclosure.
Viewpost’s Chief Security Officer, Chris Pierson, liked the Equifax CEO's gesture of personal accountability, but not other aspects of consumer care. "It was less heartening that the credit monitoring sign-up process appears to be convoluted. You can check to see if you are affected, but the system does not give you a reply other than to check back in 4 days. This is a miss from an operational and reputational perspective where consumers should be able to access the free credit monitoring being offered at the point in time the notice is provided."
Finally, at least three senior Equifax executives are known to have sold stock in the company worth about $1.8 million on August 1st, 2017, three days after the breach was discovered and more than a between the time the breach was detected and the time it was disclosed. Equifax told Bloomberg that none of the three—they included the CFO—knew about the breach when they sold, and that anyway they didn't sell all the shares they owned. So the company claims this wasn't a case of the C-suite pulling the ripcord on a golden parachute. "Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans" (Bloomberg).
Those who doubt that executives could have been unaware of the incident at the time they sold stock point to Equifax's claim that its board was promptly informed of the breach. If that's the case, that the CFO would have remained in the dark for three days strikes observers as too curious to be believed (MarketWatch).
What should companies do to prepare their defenses and incident response?
So claims of ignorance have been met with widespread incredulity, but that may be unfair. What does seem fair to say is that Equifax faces a dilemma: either the executives sold on material non-public knowledge in illegitimate insider trading, or the executives weren't involved in responding to the breach until much later than they should have been. In any case, this should serve as an object lesson in the importance of developing and exercising sound incident response plans.
"It's troubling to hear personal data belonging to 143 million people were compromised by the Equifax cyber attack. Our trust in the security is being questioned because an organization who prides itself on protecting sensitive data has been brought down. From our research, we know a large organization on average spends over $2 million per year fixing the damage caused by cyber breaches and it looks like the cost for Equifax will be higher than that. Enterprises are still missing out on the basics when it comes to protecting their networks and data, almost all US organizations (98%) we spoke did not apply the necessary security patches (compared to 83% globally) and only 86 percent applied half of the required patches on their DNS servers."
Javvad Malik, security advocate at AlienVault, said, “Companies like Equifax should know very well that data is the lifeblood of the organization and its crown jewels. As such, robust threat detection and response controls need to be implemented in order to thwart such attacks. Complimenting detection capabilities with threat intelligence and orchestration for response can help close out gaps, as well as speed up response times.”
Michael Figueroa, Executive Director of the Advanced Cyber Security Center (ACSC), shared some advice from his organization. (The ACSC is "a regional collaborative focused on building a stronger community defense by harnessing its members’ collective resources to solve common cyber security problems." It's also a federally-registered regional Information Sharing and Analysis Organization (ISAO).) According to the ACSC:
"Identity protection services such as that offered by Equifax are ineffective. Consumers should consider locking their credit accounts at the top three bureaus instead.
"Equifax should have had the resources and preparation to prevent this. They are likely amongst the most sophisticated security operations. Yet, it took them 40 days to detect the attack. Something is wrong with the way that we practice security, not just with the attention it gets from business.
"To show leadership, Equifax should fully disclose what happened, the threat indicators, the response, and the impact. Unfortunately, no company does that for fear of legal ramifications. Alternatively, working within the legally protected confines of an ISAC and/or ISAO community (such as the ACSC) would enable organizations like Equifax to gain the benefit of collective attention while also increasing the cost to the hackers for repeating the attack.
"I can understand not publicly announcing the breach immediately, hopefully they had a disaster response plan that included determining the full extent of the data compromised, but I would not expect it to take more than a few days or a week given the resources available to Equifax.
"I think is a reasonable response to be upset with Equifax. Today we rely on others to keep us secure – there is a Web of Trust that we expect applies to everyone who has our personal information. We did not sign up with Equifax – they gathered our data to “make sure we get the credit we deserve” and make sure creditors only give credit to those that deserve it – protecting us from sharing bad debt. We trust/expect/assume they are doing everything to protect our data."
"As belatedly realized by Equifax, websites are vulnerable to not only known code--web application tools in this instance--but also unknown code. This breach is yet another example of a large-scale security incident that could have been detected much earlier through continuous monitoring of all code executing on a website.It's time for enterprises to grasp the reality of the highly-dynamic digital environment, which needs a continuous security approach.
"To re-establish consumer trust, enterprises need to better control the executing code that renders content on their digital properties. The first step is to identify all partners involved in website operations, a process that will yield valuable insight into enterprise-specific ecosystems. From there, enterprises must clearly communicate their policies for executing on their site and enforce those policies. Partners that violate the policies should be blocked from the website. It's that simple."
Chris Doman, threat engineer at AlienVault, doesn't like what he sees in the credit bureau's care of consumers:
"It’s a shame to see that despite waiting six weeks to tell customers, Equifax's website telling customers of the breach is broken.
"Unfortunately, in this case there isn't much customers can do. Now that the data is out there, it’s out there. There are reports that the data is already available on the black market - though they may be fake.
"Equifax is offering free credit monitoring in response to the breach, which ironically has been a growing service of theirs in response to other cyber security breaches. But frankly, I wouldn't take them up on the offer as they aren't capable of protecting the additional data you would need to give them.”
Update: involving senior leaders in incident response exercises.
There's been talk, recently, about the need for companies to adopt "nation-state quality cyber defenses," and there may be something to that advice (CSO). Here's one nation-state practice that's worth consideration and emulation: conduct exercises that test your response plans, and that involve your leaders. The European Union just concluded such an exercise in Tallinn, where EU Defense Ministers were closeted for two hours in a tabletop exercise that simulated a major cyber attack on EU assets (ZDNet).
Update: how soon should disclosure follow detection?
We've received some informed commentary from eSentire about the time that elapsed between discovery and disclosure. They point out that Equifax probably falls under state rules that expect notification within a specified period of time.
Mark Sangster, VP and Industry Security Strategist at eSentire, summarized the issue as follows, concentrating on Georgia and New York State laws and regulations:
"Given the nature of Equifax data and the magnitude of the breach make this a watershed moment in breach detection and response. Many difficult questions will be asked and become the crux of numerus legal actions that will likely stem from this event. The most obvious, is why it took so long to disclose the breach. The risk to consumers begins to drop exponentially as soon as the breach becomes public, and affected companies and consumers can take defensive measures to protect their financial identity and funds.
"Yet, Equifax waited over a month to respond and provide breach notice. Headquartered in Atlanta, Equifax is bound by the state breach notification laws of Georgia, which require a firm to report a breach, stating, ‘The notice shall be made in the most expedient time possible and without unreasonable delay.’ In some circumstances, notification is to be made within 24 hours. Did Equifax meet this requirement and do everything in its power to protect those affected by the breach?
"Moreover, other state laws might come into play. Major banks based in New York no doubt rely on Equifax for credit information may have clients affected during this breach. New York has very stringent and proactive cyber regulations through the state Department of Financial Services. As such, these banks would have 72 hours from the determination of a cybersecurity event to provide notification. Did Equifax clients receive notification within this timeframe?
"Many financial companies have much to lose, and numerous protection laws will be tested. And of course, through all the inevitable finger pointing, will be the consumers who have been affected by this breach and will struggle to find reasonable resolution through this highly complex, highly charged, game changing event.”
Eyal Aharoni, COO of Cymulate, offered some advice about how companies might prepare to avoid and respond to an attack on sensitive data:
“In this day and age, all organizations should expect cyber attacker/s to attempt to breach their security system especially those handling Private Identifiable Information (PII). For companies, like Equifax, that are dealing with extremely sensitive information - like social security numbers -there needs to be multiple barriers protecting that information from an attacker in case one of those barriers is breached. Companies also need to constantly test and review their security posture and how they are perceived from an attacker point of view and mitigate the vulnerabilities exposing them. Unfortunately as seen in some cases such as this one, companies should also be prepared and have a plan on how they will handle a breach so that they can resolve the issue immediately and protect their customers from cyber attackers.”