September 8, 2017, will forever be remembered as the day most American’s awakened to cybercrime. No longer can we depend on the security of "our" digital identities. On March 2017, the ApacheStruts2 vulnerability was discovered and Equifax became vulnerable to a cyber intrusion of historic proportions. It is important to note that data exfiltration began in May and yet a patch was available. On September 8, 2017, the breach was publicly announced (90 days post-mortem) and the company was punished by Wall Street when its stock plummeted 31%.
As we grapple with the impact this breach has on the financial sector and upon our personal lives we must come to Jesus with the functional reality that there is a governance issue here that contributed to the lack of preparedness of the company. For starters the CISO was reporting to the CIO. In 2017, we must awaken to the hostility of cyberspace and therein we must embrace the importance of security versus efficiency. The CISO must be elevated to a true C-level position who reports directly to the CEO and has a separate enhanced security budget outside of IT. From a tactical perspective, the company should have patched the system in a timely manner and deployed application white-listing. Once realization of the breach had occurred, they should have stood up a hunt team to augment incident response and attack path mapping.
Here we wait for the inevitable identity theft to occur. As a society, it is imperative that we de-commoditize the SSN. Cyber criminals have been profiteering with American identities for too long. Looking ahead, Social Security numbers were never intended to be an authentication measure. Advances in tecnology can help create a more secure digital to physical identity translation. Access to data files should require real-time adaptive authentication checks using strong credentials with multiple factors such as:
- Human Identity (including PII, credit, social profiles, biometrics);
- Environmental Context (device, location, network, behaviors); and
- Relationships (employment, background checks, certifications).
If deployed properly, these adaptive authentication checks could stop external and internal hackers before data is accessed. Once user attributes have been verified, they are typically bound to an authentication credential for user login. These user attributes need to be rechecked periodically using trusted data sources. This combination of services will strengthen access controls and make it extremely difficult for hackers to steal identities and create synthetic identities for accessing online services. September 8, 2017, was a day to remember – a day to remember that we must take back the security of our digital identities and challenge those corporations we entrust to invest more in cybersecurity.