Ever wonder why your identity got stolen? Post-Equifax this article highlights a modern security strategy for the credit bureaus. Credit: Thinkstock September 8, 2017, will forever be remembered as the day most American’s awakened to cybercrime. No longer can we depend on the security of “our” digital identities. On March 2017, the ApacheStruts2 vulnerability was discovered and Equifax became vulnerable to a cyber intrusion of historic proportions. It is important to note that data exfiltration began in May and yet a patch was available. On September 8, 2017, the breach was publicly announced (90 days post-mortem) and the company was punished by Wall Street when its stock plummeted 31%. As we grapple with the impact this breach has on the financial sector and upon our personal lives we must come to Jesus with the functional reality that there is a governance issue here that contributed to the lack of preparedness of the company. For starters the CISO was reporting to the CIO. In 2017, we must awaken to the hostility of cyberspace and therein we must embrace the importance of security versus efficiency. The CISO must be elevated to a true C-level position who reports directly to the CEO and has a separate enhanced security budget outside of IT. From a tactical perspective, the company should have patched the system in a timely manner and deployed application white-listing. Once realization of the breach had occurred, they should have stood up a hunt team to augment incident response and attack path mapping.Here we wait for the inevitable identity theft to occur. As a society, it is imperative that we de-commoditize the SSN. Cyber criminals have been profiteering with American identities for too long. Looking ahead, Social Security numbers were never intended to be an authentication measure. Advances in tecnology can help create a more secure digital to physical identity translation. Access to data files should require real-time adaptive authentication checks using strong credentials with multiple factors such as:Human Identity (including PII, credit, social profiles, biometrics);Environmental Context (device, location, network, behaviors); andRelationships (employment, background checks, certifications).If deployed properly, these adaptive authentication checks could stop external and internal hackers before data is accessed. Once user attributes have been verified, they are typically bound to an authentication credential for user login. These user attributes need to be rechecked periodically using trusted data sources. This combination of services will strengthen access controls and make it extremely difficult for hackers to steal identities and create synthetic identities for accessing online services. September 8, 2017, was a day to remember – a day to remember that we must take back the security of our digital identities and challenge those corporations we entrust to invest more in cybersecurity. Related content opinion Big D: The importance of middle linebackers in cybersecurity Offense informs defense. By Tom Kellermann Aug 29, 2017 2 mins Technology Industry Cloud Security Data and Information Security opinion Crossing the Narrow Sea: mitigating island hopping Your supply chain is being invaded. It's time to discuss how best to manage risk to your supply chain and reputation in 2017. By Tom Kellermann Jul 24, 2017 3 mins Hacking Risk Management Security opinion Your brand is under siege CMOs must prepare to defend their brand and company with tools and strategies to combat almost inevitable cybersecurity events. By Tom Kellermann Jun 30, 2017 4 mins Security opinion May 18th: The birthday of the DPO The importance of the European Global Data Protection Regulation and its implications for cybersecurity in America. By Tom Kellermann Jun 06, 2017 2 mins Government IT Technology Industry Data and Information Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe