Equifax has disclosed further details of data that was breached in its cybersecurity incident in September. IT security experts commented below.
Gavin Millard, Technical Director at Tenable:
“Breaches such as Equifax are a stark reminder that, no matter how well we manage who we share our data with and the security surrounding it, when breaches occur, everyone can be exposed.
“The data exposed in the Equifax breach could easily be leveraged for targeted fraud against those 146 million who were caught up in it. Social security numbers, dates of birth and other personal information could be used by criminals to setup loans, credit cards and other methods of monetising the data lost.
“When a single vulnerability affecting a web application can be leveraged to swipe so much data, it’s time to take foundational security seriously.”
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks:
“We’ve unfortunately made cyber breaches a whole lot easier for threat actors. There’s no need for a high-value zero-day vulnerability to breach a network, one only needs to read the NIST database of reported vulnerabilities.
“Eight days into May 2018 and there are already 156 vulnerabilities reported. Most of them will have patches available, but the vast majority of vulnerable systems will remain unpatched long enough for a cyber attacker to take advantage of the window of opportunity. Cyber threat actors understand this behavior and have developed processes for integrating exploit code as quickly as proofs of concepts are posted on Pastebin.com. Sometimes they don’t wait for a PoC and develop their own working attack within hours or days of a vulnerability being disclosed.
“It is criminal in my opinion to knowingly postpone a security update beyond a reasonable amount of time and suffer a breach as a consequence. EternalBlue does not have to be eternal, we have the power to turn it into LegacyBlue by patching our systems.”
Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:
“Seven months should be enough time for organizations to install the necessary patches and it’s unfortunate that so many still choose to download the older vulnerable versions. There is really no excuse for this.
“Equifax vulnerability CVE-2017-5638 allowed unauthenticated remote code execution on Java web applications via the REST plugin with XStream handler to handle XML payloads.This vulnerability was fixed in the Apache Struts version 2.5.13 in September 2017.
“In 2016, known vulnerabilities were the leading cause of data breaches, accounting for 44 percent of all such incidents. I highly recommend that organizations apply critical security patches within one week of their release in order to reduce the known threat attack surface. Otherwise, it’s the same as buying expensive locks for the doors to your home but keeping the windows wide open.”