Security Central: Equifax Struck Down in Spectacular Breach, U.S. Bans Kaspersky Lab

Written by Allison Francis
September 16, 2017

This week’s Security Central takes a peek inside Equifax’s massive security breach, explores the ban on Kaspersky software, and takes a look at the true cost of a worldwide data breach.

So, not a great week for credit-reporting company Equifax. If you’ve set one toe out of the house or even glanced at any form of media since last Friday, you know about the Equifax security breach that exposed the personal information of 143 million customers in the U.S., Canada, and the U.K. That is a lot… of people.

The attack is being classified as one of the most intrusive security breaches in history, the stock falling the most in almost two decades. Hackers drilled into a website application and were able to access names, addresses, Social Security numbers and driver’s license numbers, Equifax said in a statement last Thursday.

“This is massive,” said Paul Martini, chief executive officer of Iboss, a cybersecurity firm. “This overshadows any other breach that we’ve seen to date — not just the volume, the size, but the type of data that was in that database.”

According to Wired, the vulnerability that attackers exploited to access Equifax’s system was in the Apache Struts web-application software, a widely used enterprise platform. The Apache Software Foundation wasn’t too remorseful about this, however. The company said in a statement on Saturday that, though it was sorry if attackers exploited a bug in its software to breach Equifax, it always recommends that users regularly patch and update their Apache Struts platforms.

“Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years,” Rene Gielen, the vice president of Apache Struts, wrote.

After the breach became known, security experts wasted no time reminding the world of the risk of consumers’ personal data being exposed online. And Equifax really, really stepped in it with this one – another case of a lesson being learned the hard and embarrassing way. The hackers laid bare the company’s critical vulnerabilities and not-up-to-snuff security practices – errors that left the company wide open to being breached.

This is a particular problem for the huge number of people who trust credit-reporting agencies like Equifax to handle and protect their sensitive financial information. (As reported by Talkin’ Cloud).

“It’s a huge deal,” said Tim Crosby, senior consultant with security-assessment firm Spohn. “You would expect these guys to have compartmentalized this data far enough away from a web server — that there would not be any way to directly access it.”

Equifax’s breach sets things back a bit in terms the financial industry’s attempts to boost security measures and prevent attackers from gaining access to financial information,” said Ferruh Mavituna, President and CEO of Netsparker, a web application security company.

“The Equifax hack is a perfect example that highlights how businesses can get bitten if web application security is not taken seriously. Researchers identified a cross-site scripting vulnerability on their website back in 2016, yet Equifax never responded to their reports and never fixed it.” (As reported in a previous article about the breach by The VAR Guy).

A real head-scratcher for those of you in the IT channel. There are countless examples of companies – both big and small – foolishly leaving themselves open to these kinds of attacks. When will organizations get smarter and take the proper security measures? What’s the solution?

Our second story revisits an old one – our Russian pals at Kaspersky Lab. There has been some heated back and forth between the U.S. Government and the cybersecurity and anti-virus provider, and it has finally reached a resolution. Well, sort of…

According to The Washington Post, the U.S. government has banned federal agencies from using Kaspersky Lab security software over suspicions the company may be tied to state-sponsored espionage. Yesterday, Homeland Security Secretary Elaine Duke issued a directive giving six federal agencies a timeline to get rid of the software from government networks.

The Department of Homeland Security “is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said in a statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

Kaspersky of course fired back, saying in a statement Wednesday that it “doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company.”

It also said that the Russian law requiring assistance does not apply to the company.

“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” Kaspersky said. “The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.”

In a briefing with The Independent, R. David Edelman, who leads a cybersecurity project at MIT’s Internet Policy Research Initiative and Centre for International Studies, said that the move signals “the idea that we’re in a chilly period for U.S.-Russia relations, especially on cybersecurity matters.” I mean… what else is new…

Our final story this week digs down into the true cost of a worldwide data breach. To start things off, here’s a fun number: $53 billion. That is the current prediction of the true cost of a worldwide data breach. Yikes.

Crosby says the actual costs of security breaches aren’t just financial – they’re also in the court of public opinion.

“Where companies turn for help after serious data breaches must include a sizable public relations crisis management component to contain potential firestorm of financial and perception losses, says Crosby.”

Per Crosby, companies must be diligent in their monitoring and vigilant for security breaches. It is a constant duty to ensure their data and that of their customers is safe. So, what can be done to stem these attacks and minimize the data? Crosby says utilizing big data analytics to ensure any anomalies are quickly detected and shielded is the key. “A cybersecurity team must be vigilant about the activity on the network,” advises Crosby.

For providers, to prevent permanent damage to data and network systems, businesses should employ a host of protection programs that notify personnel when a threat exists.

The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.