Learning from Equifax
In this article
We are not new to security breaches in large companies.
Organizations like Target, Home Depot and even Experian have dealt with the fallout from a major data breach. However, with the recent exposure of Equifax effecting 143 million Americans, it is easy to see why it is at the forefront of most of our newsfeeds.
The information obtained by hackers from Equifax includes names, birthdates, credit card numbers, emails, driver's license information and social security numbers, that's a lot of personally identifiable information (PII). The most frightening aspect, perhaps, is that Equifax found out about the breach in late July, and held off with a public announcement until nearly a month later.
Unlike hacks of Target or Home Depot, attackers have more information than just credit card numbers. With this amount of PII, hackers have struck gold and can begin to target important aspects of consumers' lives. Most of the information stolen ends up being sold in the underground markets and then depending on the type of information it can be used for identity fraud, fraudulent tax return filing and loan applications, the creation of counterfeit cards or phishing attacks.
Being the largest hack involving PII, it will be interesting to see how not only Equifax and the public reacts, but how it is handled by other organizations and even government agencies.
What organizations should take away from this
Visibility into your network is crucial for threat prevention.
One thing I found interesting is that Equifax stated that the breach lasted from mid-May until July, meaning they had some amount of visibility into their network to do post-intrusion analysis and see when the breach initially started. Enterprise network visibility is something that our customers struggle with, and something we continuously recommend when creating or improving incident response plans. If your organization doesn't have a way to see how threats pass through your network, consider inline security solutions like firewalls, IPS and SSL or out-of-band solutions like IDS, DLP and SIEM. These security tools are important to implement within your security posture.
If you house a lot of data within your organization, you should be on top of encrypting that data.
Data is one of the most important things in any organization, and is the main asset that hackers are going after. When thinking about the sheer amount of data these hackers were able to obtain, I can't help but think that encryption would have at least provided another layer of security for this sensitive data.
In this case, hackers were able to gain access to Equifax's large data repository and also able to extract the right information from it. Protecting data at rest using encryption at the point of application entry (tokenizing, hashing, etc.) might have protected clear text information sitting at rest from hackers, or at least prevented the amount of exposure from gaining this much PII.
Don't neglect employee education, risk assessments and executive support. These are key for a mature security posture and should be ongoing.
At the very least, a cyberattack of this magnitude shows, once again, the importance of having a mature security posture for any organization in any industry. Security should be at the forefront of any solution, since data is vital no matter what operations go on in a company.
Having an incident response plan is crucial for any company, which is why it is chilling to see the number of organizations who admit to having no plan regarding incident response. Security planning and practice might not be the sexiest thing about business, but it can save a lot of time and money in the long run – just ask Equifax how they're feeling now.
Next steps for consumers and key takeaways
There are many things we know about the Equifax security breach, but there is still some confusion about the best steps to take as a consumer.
One way that Equifax and other organizations have recommended for those wanting to know if their information was part of the breach is to visit sites that ask for additional information, such as parts of your social security number, which tell the user if their information is safe or unsafe. I would be wary of this report. Avoid the risk of giving away even more information, especially since this check has been proven useless in telling whether or not your information has been included in the breach.
A simple way to protect your data is to change or update your challenge questions that are protecting your accounts. It can be easier than you think to guess the answers to generic security questions using your name, birthday, address and other information that hackers can easily obtain once they have access to this amount of PII. Strengthening your challenge questions can be one more layer of security between your financial accounts and those who are trying to steal information or money.
Another thing I would recommend is to take advantage of credit reporting. Equifax has offered a year of free credit monitoring, in addition to other free credit report websites that will monitor your credit for unusual activity. Make sure to use your free annual credit report on annualcreditreport.com and other reporting sites, that way you are fully aware of your credit activity. One of the most effective ways to protect yourself is to freeze your credit account. Keep in mind, though, that once you do this, you cannot open any accounts or see your credit report without unfreezing.
As a security professional, I am usually the one my family and friends turn to when things like this happen (my phone has been very active the past couple of days). Take this opportunity to educate and check up on those you know, especially those who might not be very tech-savvy. Both older and younger generations could be more vulnerable, as hackers might think they could go unnoticed by those who do not use technology, like mobile applications, to manage their financial accounts.