I recently wrote about the hard lessons learned in risk as a result of the Equifax breach. Having watched and read parts of the ongoing Congressional hearing with former CEO Richard Smith, I wanted to revisit those issues I posed in my original article as the crux of Equifax’s problems, as I believe that much of what I have heard in the testimony has proven me to be right.
Broken escalation process
In my last article I argued that either Equifax had no escalation process, or, if they did, that it was severely broken and reflected a systemic problem with their information security program. Smith testified that while he heard rumors of “suspicious activity” on July 31st, he didn’t ask for a briefing, nor did anyone recommend one to him, until August 17th. Smith also admitted that after that briefing, he still “did not know the size, the scope of the breach.” It took another week before the Board of Directors was briefed, showing a complete lack of concern for the privacy of the customers’ data from the top down.
Security starts at the top and it’s clear that if the person at the top isn’t making it a top priority, neither with the organization. But we are talking about a company that holds the most sensitive financial information for most American adults.
Broken patching process
So, given the approach Equifax took in the handling of this breach, would it surprise one to learn that out of the 250 “security personnel” that Smith testified they employ, only one employee was responsible for patching? No it wouldn’t. Nor does it surprise me that the company relied on scanning software to determine if there were any vulnerabilities in their infrastructure. Nor does it surprise me that sensitive data was left unencrypted and that there was no consistent handling of data.
This demonstrates the difference between “checkbox security” and “defense in depth.” The checkbox security approach asks Do we have a scanner? Check! Do we have someone to patch things? Check! Do we encrypt stuff? Check! What do we do when one of these fail? What if these things are not actually sufficient to safeguard the data we have? No one is really sure, but let’s agree to meet once a quarter and talk about our posture.
Equifax, like so many other companies, was not committed to of Defense in Depth. In Defense in Depth, you apply “overlapping systems designed to provide security even if one of them fails...Defense in depth provides security, because there's no single point of failure and no assumed single vector for attacks.” (Bruce Schneir, Security in the Cloud)
If there were a better system to apply defense in depth strategies to, it might be the one that stores consumers’ financial information without their direct consent.
Smith said forensic investigators are now looking at why the scanner failed to identify the vulnerability. Forensic investigators should instead be looking at how Equifax could spend $250M in 3 years and apparently not have an inventory of software used, established redundancy in the personnel responsible for managing patches, and a consistent encryption policy across all systems for sensitive information.
So, as the Equifax investigation continues to unfold, and blame and potentially penalties are dealt out, what of the 140+ million people whose data has been lost to the darknet?
Time to kill the SSN?
I believe we are witnessing a tipping point for the archaic framework that needs to die and be reborn in something that is built from the ground up to operate in the highly connected world we live in.
Social Security numbers have been passed around from businesses to hospitals to banks to car dealerships. They are the keys to our lives and yet are less secure than a username and password.
Will the answer be found in some form of 2-factor authentication tied into a blockchain technology? I don’t know. What I do know is we as 21st century netizens need a way to identify ourselves that upholds non repudiation while providing little or no trust to the person on the other end that needs to know who we are. Credit freezes should be standard - not optional and at a cost. No one should ever be able to pull a credit report without that person’s explicit consent. Perhaps the application of a current technology coupled with guidelines like those found in the EU’s General Data Protection Regulation (GDPR) could combine to create the system and processes we need to protect ourselves.