BY JOSEPH KOVAL
Everyone should know all too well that it’s not a matter of IF but rather a matter of WHEN a network will be compromised. Our personal identifying information (PII) is a “high value” target to hackers. The recent Equifax hack, where over 145,000,000 people had their PII stolen, is a perfect case study. This cyber-attack shines a spotlight on the mistakes that were made by Equifax.
Timeline reported by USA Today:
Mid-May to July 2017 – Criminal hackers carry out an attack and infiltration of Equifax servers. It resulted in unauthorized access to the personal information of nearly 44 percent of the U.S. population.
Sept. 7 – Breach publicly announced.
Sept. 8 – Equifax shares plunge 13.7 percent in first day of trading after breach announced.
Sept. 12 – Equifax announces two senior computer security executives at the company are retiring.
Sept. 12 – Equifax CEO apologizes in USA TODAY op-ed.
Sept. 11 – Sen. Orrin Hatch, R-Utah, who chairs the Senate Committee on Finance, and Sen. Ron Wyden, D-Oregon, the panel’s ranking minority member, ask the credit-reporting giant for a timeline of the breach, along with details of Equifax’s efforts to quantify the scope of the intrusion and limit consumer harm.
Sept. 15 – Equifax announces its chief information officer, Susan Mauldin, and chief security officer, David Webb, are retiring “effective immediately.”
Sept. 21 – Equifax admits it sent victims of the data breach to a bogus website that shared a similar address to the one it set up to help victims.
Sept. 26 – Equifax announces its CEO, Richard Smith, retires. Paulino do Rego Barros, Jr., a seven-year veteran of the company, is appointed interim Chief Executive Officer.
MISHANDLING OF INCIDENT
1 – A known vulnerability in their web software was left unpatched for two months. There were numerous announcements concerning this vulnerability, and security patches were made available to remediate it, but the company took no action.
2 – The company failed to announce the hack in a timely manner.
3 – Several high-ranking managers made large sales of their company stock just prior to the announcement. The SEC is currently investigating.
4 – If there were policies in place that governed a responsible and effective response to the hack, were they followed? Did policies even exist?
5 – Were all safeguards in place and updated with the latest threat management software?
6 – Any entity that has electronic records containing PII, or any other valuable data, needs to have network vulnerability and penetration testing done on a regular basis. If Equifax had run regular penetration and vulnerability tests, they would have detected the vulnerability in their web software and patched it immediately.
THE LATEST EQUIFAX NEWS
Equifax told the US Senate Banking Committee that more data may have been exposed. Hacking News reports:
“Equifax spokesperson Meredith Griffanti told News Friday that the initial list of vulnerable personal data was never intended to serve as the full list of potentially presented information.
The new documents quickly bring Equifax’s credibility into even further question following numerous other damaging announcements, including a malware-infested website, executives who dumped stock after the company noticed the hack, and the news that the business was warned months before about security vulnerabilities and did nothing.”
Whether you are a large corporation, a small to medium business, a government, or just a home with PCs, laptops, smartphones, etc., you need to exercise due diligence and secure your electronic assets.
At a recent North Rockland Chamber event, an owner of a local business asked me, “I only have two PCs and a couple of smartphones that connect to my business network. Do I need a threat assessment?” My answer was, “If you turned on your computer one morning and the screen had a message saying all of your business files had been encrypted and a bitcoin ransom was demanded, and you couldn’t access your customer data, invoicing, etc., what would you do?” His eyes widened and he understood that no business or personal network is too small for cyber security planning.
My future articles will cover many cyber security steps for you to take: human, physical, endpoint, network, application and data.
Joseph Koval is the owner and president of Syber3 – Syber Security Solutions, located in Rockland County. He has over 27 years of cyber security and project management experience. Check out his web site, www.syber3.com, and Syber3 on Facebook.