As an effort to reduce confusion regarding Equifax and provide a perspective on the hacking event, our cybersecurity experts put together this update regarding the:
- Scope of the attack
- Root cause of the attack
- Recommendations on how to protect yourself
First and foremost, Equifax has disclosed a series of hacks in the last year exposing at least half of the US population to having their identity compromised. Overall, the scope of this disclosure is most likely optimistic and the final forensics will most likely show a larger number of individuals have been compromised through this effort.
In terms of the hacks, earlier this year in the February / March timeframe was a compromise of tax records in an Equifax company that exposed several million people to tax fraud. This hack was related to social engineering and poor implementation of authentication controls. It is completely unrelated to the most recent data breach.
The larger hack which happened in the May / June timeframe compromising the credit information of a disclosed ~143 million individuals was due to failure to patch the middleware (Apache Struts – http://blogs.flexerasoftware.com/ecm/2017/09/an-analysis-of-the-apache-struts-2-vulnerability.html) used to power Equifax’s various consumer properties.
An estimated 65% of Fortune 100 companies could be vulnerable to the bug discovered in Apache Struts, due to failure to keep up on patching. The critical bug in the Apache Struts’ REST plugin was identified as CVE-2017-5638 and was fixed by the community in March. The vulnerability has been identified in several software platforms to include solutions from major vendors such as Cisco (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2).
Please note this indicates the importance of patching not just the servers; but also, the middleware and applications which run on various servers. It is worth double checking with whoever is hosting your data, as to who exactly is maintaining patching of the operating systems for your servers, and who exactly is maintaining patching your middleware or applications.
On a personal level, it is recommended to place a credit freeze on your accounts with each of the nationwide credit reporting companies:
- Equifax — https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
- Experian — https://www.experian.com/freeze/center.html
- TransUnion — https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp – Make sure you pick the Credit Freeze Links
Be advised, that each of the agencies may attempt to steer you towards a “Credit Lock” or some other type of product. These are services which do not actually freeze your credit and are not recommended. The reason for steering you towards this product is it still allows third parties to make credit inquiries against you, which is how these agencies make their money. Every credit inquiry generates some amount of revenue for the credit reporting company. By putting a freeze on your account you deny them this revenue.
Placing a freeze on your accounts will not impact your ability to pursue legal remedies against these organizations for their data breaches. When placing your freeze, ensure you save the PIN number provided for future reference. This may be in a PDF you are prompted to open and download.
When placing a freeze, you may be prompted for a fee per agency depending on your state of residence. Currently, Equifax is waiving the fee, but the other agencies are not. When submitting a freeze request, be patient in the submission and do not click repeatedly or you may be charged multiple times. The sites for these agencies are not scaled to handle the current load of requests coming into them. Some recommendations are to consider placing the freeze during the off hours (e.g. Sunday evening) when load is lighter if you encounter any issues.
For more information on credit freezes: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
To discuss extending your security team with a managed security service provider to improve your organization’s security posture, please contact Fpweb at firstname.lastname@example.org or 866-780-4678.