IT Briefcase Exclusive Interview: Equifax Data Breach – Protecting Privacy and Avoiding a PR Nightmare
September 15, 2017
Equifax, one of the major credit reporting agencies, maintains a vast amount of sensitive personal and financial information for residents of the United States and the United Kingdom, and this breach is reported to have compromised the information for nearly 150 million US and UK citizens.
Equifax issued a statement on September 13th acknowledging that the breach was due to a vulnerability in Apache Struts, a free, open source framework for creating web applications, widely used by Fortune 100 companies to build corporate websites.
Q. What do we know about the Apache Struts vulnerability?
A. According to Equifax, the vulnerability was CVE-2017-9805, which was reported in March of this year. That Struts flaw allows an attacker to execute requests to an Apache webserver and provides an easy way to take control of sensitive sites. Equifax states that the data breaches spanned from mid-May through July. The Equifax security team may have been aware of this vulnerability, but unaware that the applications hacked contained this open source component. This explains how an open source vulnerability disclosed in March could be used by hackers from May through July.
Q. How do hackers find and use vulnerabilities?
A. Like Heartbleed, this incident shines a light on the issue of open source security. Essentially, once a vulnerability is reported the race is on between you and would-be open source hackers. Because open source is widely used and easy to access, it’s common for exploits to be available on YouTube and hacker sites immediately after a vulnerability is reported. Those exploits make breaking into thousands of websites and applications very simple, kind of like plug and play hacking. Immediately after a vulnerability is disclosed – typically when a patch is already available but hasn’t yet been applied – is when you are at the greatest risk of breach.
Like many companies, Equifax has a large portfolio of applications to track and manage, filled with both open and closed source components that need to be maintained.
Q. What can companies learn from the Equifax hack?
A. Aside from some very obvious privacy, litigation, reputation and even political fall-out from this breach, executives and security teams may be wondering whether they are at risk from this or other open source vulnerabilities. There are several lessons teams can learn to avoid this type of security lapse:
- Visibility is critical. You can’t protect yourself if you don’t know what’s in your code, where it is, and how to patch it.
- Automation and integration are key. Open source vulnerability management must be automated and integrated into development and DevOps tools and processes.
- Minimize exploitability time. Your greatest risk is between the first report of a vulnerability and when you apply a patch or remediate the issue.
An average of at least 3,000 new open source vulnerabilities are discovered every year. That’s more than ten a day – which is a lot to keep up with. Unfortunately, you can’t rely on the National Vulnerability Database (NVD) to give you early warning of them. It can take three weeks or more for new vulnerabilities to get into NVD. Exploits are already available for the latest Struts vulnerability (CVE-2017-9805), but NVD does not have any impact or remediation data for it yet. It takes an average of three weeks for vulnerabilities to be documented in NVD. To solve this problem, Black Duck independently monitors and researches vulnerabilities using hundreds of sources to provide same day alerts for vulnerabilities like CVE-2017-9805.
Q. How can we prevent this type of breach in the future?
A. In order to build security into your applications and containers, you need a complete bill of materials – showing what components and versions are in use in all applications at your organization. Here are some general tips for securing any open or closed source supporting libraries in software products and services:
- Track and maintain the components and versions in your software. Be alert to security announcements impacting your software.
- Monitor continuously for new vulnerabilities. A clean bill of materials today does not mean that a new vulnerability won’t be disclosed and open to exploit tomorrow.
- Release security fixes as needed. Don’t wait; hackers will be ready to use available exploits.
- Build in security layers. A breach into one layer should not permit access to back-end information resources.
- Monitor your public Web resources. Unusual access patterns may be a clue to a breach in progress.
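The bill-of-materials and exposure-window advice in the two answers above, worked through as an added example (this is not code from the interview, from Equifax or from Black Duck): a constructed BOM of component coordinates and versions is matched against a constructed advisory feed with inclusive version ranges, and every hit is reported with the version to upgrade to and the number of days the component has been exposed since the advisory was published. The Maven-style coordinate names are assumptions, `com.example:internal-lib` and `EXAMPLE-2017-0002` are hypothetical, the Struts version ranges are illustrative entries for the CVE the interview names and should be checked against the vendor advisory, and the dates are constructed for the example.

```python
"""Check a software bill of materials against a vulnerability feed.

Added example, not code from the interview or from Black Duck. Shows the
three steps the interview recommends: know what components and versions
you ship, match them continuously against new advisories, and measure how
long each vulnerable component has been exposed so the oldest exposure is
fixed first.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Component:
    name: str      # Maven-style "group:artifact" coordinate (assumed format)
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    component: str
    affected_min: str  # inclusive lower bound of the affected range
    affected_max: str  # inclusive upper bound of the affected range
    fixed_in: str      # first version that carries the fix
    published: date    # when the advisory became public


def parse_version(version: str) -> tuple:
    """Split '2.5.12' into a tuple that compares numerically per part.
    Non-numeric parts are kept so odd versions do not crash the check;
    pre-release ordering (RC, beta) is deliberately not modelled here."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies inside the advisory's inclusive range."""
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v <= parse_version(adv.affected_max)


def find_vulnerable(bom, feed):
    """Return (component, advisory) pairs for each BOM entry in an affected range."""
    return [(c, a) for c in bom for a in feed
            if a.component == c.name and is_affected(c.version, a)]


def exposure_days(adv: Advisory, today: date) -> int:
    """Days between publication of the advisory and today: the exploitability window."""
    return (today - adv.published).days


def report(bom, feed, today):
    """One line per finding, longest exposure first, with the upgrade target."""
    hits = sorted(find_vulnerable(bom, feed),
                  key=lambda hit: -exposure_days(hit[1], today))
    return [f"{adv.vuln_id}: {comp.name} {comp.version} -> upgrade to {adv.fixed_in} "
            f"({exposure_days(adv, today)} days since advisory)"
            for comp, adv in hits]


# Constructed sample BOM; com.example:internal-lib is hypothetical.
SAMPLE_BOM = [
    Component("org.apache.struts:struts2-rest-plugin", "2.5.10"),
    Component("org.apache.struts:struts2-rest-plugin", "2.5.13"),
    Component("com.example:internal-lib", "1.4.0"),
]

# Constructed sample feed. The Struts ranges are illustrative entries for
# CVE-2017-9805 (the advisory the interview names) and must be verified
# against the vendor advisory; EXAMPLE-2017-0002 is hypothetical; the
# publication dates are constructed for the example.
SAMPLE_FEED = [
    Advisory("CVE-2017-9805", "org.apache.struts:struts2-rest-plugin",
             "2.5.0", "2.5.12", "2.5.13", date(2017, 9, 5)),
    Advisory("CVE-2017-9805", "org.apache.struts:struts2-rest-plugin",
             "2.1.2", "2.3.33", "2.3.34", date(2017, 9, 5)),
    Advisory("EXAMPLE-2017-0002", "com.example:internal-lib",
             "1.0.0", "1.4.5", "1.4.6", date(2017, 8, 20)),
]

# Constructed "today" for the example (the article's publication date).
TODAY = date(2017, 9, 15)

if __name__ == "__main__":
    for line in report(SAMPLE_BOM, SAMPLE_FEED, TODAY):
        print(line)
```

In practice the feed would be refreshed from several advisory sources on a schedule and the BOM regenerated from the build, so that a component that was clean yesterday is re-checked the moment a new advisory lands; the report ordering puts the longest-exposed component first because, as the interview notes, the window between disclosure and patch is where the risk concentrates.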
Q. Who should be aware of open source vulnerabilities?
A. Equifax is not alone in their exposure to open source vulnerabilities. According to Black Duck’s analysis of over 1000 commercial applications earlier this year, the Open Source Security and Risk Analysis, companies used twice as much open source as they thought they were, while open source usage spans every industry vertical.
Integrating a solution like Black Duck Hub into your development/DevOps process makes it easier for teams to discover open source in their environment, prioritize their vulnerability and compliance management activities, and determine the best upgrade path for open source components that are vulnerable.
Patrick Carey, VP of Product at Black Duck Software