• United States




Digital hijacking: My identity is gone

Oct 03, 20173 mins

Ever wonder why your identity got stolen? Post-Equifax this article highlights a modern security strategy for the credit bureaus.

hack hacker cyber thief theft stolen
Credit: Thinkstock

September 8, 2017, will forever be remembered as the day most American’s awakened to cybercrime. No longer can we depend on the security of “our” digital identities. On March 2017, the ApacheStruts2 vulnerability was discovered and Equifax became vulnerable to a cyber intrusion of historic proportions. It is important to note that data exfiltration began in May and yet a patch was available. On September 8, 2017, the breach was publicly announced (90 days post-mortem) and the company was punished by Wall Street when its stock plummeted 31%.

 As we grapple with the impact this breach has on the financial sector and upon our personal lives we must come to Jesus with the functional reality that there is a governance issue here that contributed to the lack of preparedness of the company. For starters the CISO was reporting to the CIO. In 2017, we must awaken to the hostility of cyberspace and therein we must embrace the importance of security versus efficiency. The CISO must be elevated to a true C-level position who reports directly to the CEO and has a separate enhanced security budget outside of IT. From a tactical perspective, the company should have patched the system in a timely manner and deployed application white-listing. Once realization of the breach had occurred, they should have stood up a hunt team to augment incident response and attack path mapping.

Here we wait for the inevitable identity theft to occur. As a society, it is imperative that we de-commoditize the SSN. Cyber criminals have been profiteering with American identities for too long. Looking ahead, Social Security numbers were never intended to be an authentication measure. Advances in tecnology can help create a more secure digital to physical identity translation. Access to data files should require real-time adaptive authentication checks using strong credentials with multiple factors such as:

  • Human Identity (including PII, credit, social profiles, biometrics);
  • Environmental Context (device, location, network, behaviors); and
  • Relationships (employment, background checks, certifications).

If deployed properly, these adaptive authentication checks could stop external and internal hackers before data is accessed. Once user attributes have been verified, they are typically bound to an authentication credential for user login. These user attributes need to be rechecked periodically using trusted data sources. This combination of services will strengthen access controls and make it extremely difficult for hackers to steal identities and create synthetic identities for accessing online services. September 8, 2017, was a day to remember – a day to remember that we must take back the security of our digital identities and challenge those corporations we entrust to invest more in cybersecurity.


Tom Kellermann is a cyber-intelligence expert, author, professor and leader in the field of cybersecurity. Tom is the co-founder of Strategic Cyber Ventures and serves as a Global Fellow for the Wilson Center.

Having held a seat on the Commission on Cyber Security for the 44th President of the United States and serving as an advisor to the International Cyber Security Protection Alliance (ICSPA), he has worked in the highest levels of cybersecurity. He has applied his expertise in the corporate world, as Chief Cybersecurity Officer for Trend Micro Inc. where Tom was responsible for analysis of emerging cybersecurity threats and relevant defensive technologies.

Prior to Trend Micro, Tom served as the Vice President of Security for Core Security. Tom began his career as Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and security policy as he advised central banks around the world about their cyber-risk posture.

In addition to his professional work, Tom believes in sharing his knowledge to benefit others in order to combat cybercrime. Tom was a Professor at American University’s School of International Service and the Kogod School of Business, and he co-authored the book “E-safety and Soundness: Securing Finance in a New Age.” He regularly presents at global cybersecurity conferences and is a contributor on cyber analysis for major networks. Tom is a Certified Information Security Manager and is a Certified Ethical Hacker.

The opinions expressed in this blog are those of Tom Kellermann and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.