Another Day, Another Preventable Breach

Here we are, once again, in the middle of another HUUUUGE data breach, this time at Equifax. Breaches like this have gone past becoming all too commonplace. But should that really be the case?

Looking back over the past several years, we’re dangerously close to being desensitized to the loss of our personally identifiable information. After breaches at the Office of Personnel Management (OPM), NASA, Anthem, Yahoo, United Airlines, Mossack Fonseca, Ashley Madison, and now Equifax, I have to wonder if anyone still has an identity or privacy to protect!

The scope and magnitude of these breaches make it difficult to comprehend their depth, gravity, or even frequency. We are talking about millions of individual customer records and terabytes of information lost. To put this in perspective, one terabyte is the equivalent of 250 million pages printed on both sides!

Because of these breaches, I’m under more “identity watch” services than I thought would be possible. But what really chaps my hide is the fact that most of these breaches, if not all, could have been prevented with a wee bit of due diligence and data hygiene.

A Common Fallacy

I know what you’re going to say: These breaches were conducted by persistent actors with a determined agenda. No one can stop a dedicated actor who’s intent on getting into an environment or system. And for the most part, I agree with you.

However, almost no breach is the result of some fancy, high-speed, crazy awesome pwnsauce or top-secret zero-day exploit. Sure, it happens, but in most cases the culprit is poor IT hygiene, system hygiene, and system maintenance. Typically it’s a combination of lacking system and application patching, user account maintenance, system hardening, etc.

I’ve spent many years investigating breaches as a former federal agent and as a civilian investigator. In all those investigations, one continual theme recurs: sloppy data hygiene. I can’t tell you how many sites I’ve run across still using end-of-life operating systems (here’s looking at you, Windows XP) or applications that have not been patched for known vulnerabilities with known exploits (here’s looking at you, WordPress plugins and Apache Struts).

How many times must you and I find out that the data we shared (were forced to share) to receive a service was lost because the organization chose profits and executive bonuses over protecting our private information? These organizations chose—that’s right, poor IT hygiene is always a choice—not to maintain a robust patch management program to rectify critical code or system vulnerabilities. (Forget robust; at this point I’d take documented and functioning patch management.)

Soap and sink

I understand that patch regression testing and implementation potentially mean short-term disruption or even loss of revenue. But I think the public would take the slight downtime, temporary hit to the stock price, or the all-important five nines of availability, to have a modicum of faith that the personal data we share is being protected. Complacency breeds breaches and there’s a buffet line out there right now.

No Superheroes Here

I take little solace in the idea that the government will swoop in to save the day with legislation or regulations to enforce some basic level of security. Unfortunately, the government is just as guilty as corporations, if not more so.

Take, for example, the OPM breach in 2015. OPM’s own Inspector General (IG) report noted deficiencies in the agency’s data security measures in 2005—that’s 10 years before the breach that resulted in the loss of 23 million records of security clearance holders—very, very detailed records! Collectively, neither the security industry nor the government can come together on what “best practices” means in theory, much less codify them into a legally enforceable framework.

That hasn’t stopped them from trying. But which of the myriad frameworks and best practices am I supposed to follow? Am I bound to a set of controls by decree or regulation such as the Federal Information Security Modernization Act, the National Institute of Standards and Technology, or the Federal Financial Institutions Examination Council? Or am I bound to one contractually, such as the Payment Card Industry Data Security Standard? Or do I just get to pick one cafeteria style in the Center for Internet Security top 20?

Ultimately, for most organizations it comes down to the following question: What can I do to establish a “defensible position of reasonableness”? What is the minimum I can do to get by or comply? Rather than do risk mitigation or risk management, can I transfer the risk by insuring against it?

The problem with this approach is it doesn’t secure our data or take the consumer into account.

Enough is Enough

Companies are too relaxed in their controls over our personal data. As a blatant example, Equifax Argentina used admin/admin for login credentials to one of its public-facing systems. This is beyond lax controls; it’s without defense. But we as consumers have also become too complicit in allowing it to become the status quo.

The situation for Equifax has certainly been painful, and its woes are nowhere near being over. Over the past few weeks, the company’s chief information officer, chief security officer, and later chief executive officer all stepped down or announced that they would. I have no doubts that the CEO’s golden parachute is expansive. He certainly won’t feel the sting, whereas you and I will be left fighting to protect our identities and secure our financial accounts.

What are we collectively going to do about it? What can we do about it? There are something like 20 lawsuits already filed against Equifax, including one by the whole city of San Francisco. But if history is any lesson, lawsuits won’t fix the problem.

We can’t fix what we don’t acknowledge. We have to acknowledge the need to build the processes, procedures, and instrumentation to combat our own failings.

If you forget to brush your teeth, take a shower, and put on clean clothes in the morning, it doesn’t take too long before you start to smell. We’re now at the stage where organizations’ networks, systems, and personal data protections really stink.

Organizations need to take stock of our precious data—personally identifiable and payment card information, electronic health care records, and intellectual property—inventory the systems that contain it, and inventory the applications and programs that run on those systems.

Tools such as Nuix’s Insight Analytics & Intelligence and Nuix’s Insight Adaptive Security can help organizations do a vastly better job of knowing what is happening within their systems, and enforcing policies on that data. Know your systems, know your software, and establish a means to maintain and keep them healthy.

Every second Tuesday of every month, Microsoft releases patches. If you’re running a Windows environment, are you tracking those patches? Are you testing them and putting them into production as quickly as you can? Does your technical or IT operations team track these for action?
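To make the two questions above concrete (inventory the systems and the software on them; track Patch Tuesday releases and how long they sit unapplied), here is a small added example of the kind of instrumentation the post is asking for. It is not code from the original post or from Nuix: the host inventory, the update identifiers (`KB-EXAMPLE-*`) and their release dates are constructed sample values, and the 30-day lag threshold is an assumed policy, not a standard.

```python
"""Added example (not from the original post): compute Patch Tuesday dates,
check a host inventory against released updates, and flag hosts that are
running end-of-life operating systems or have updates overdue.
All hosts, update IDs and release dates below are constructed sample data."""
from datetime import date, timedelta

# The post's own publication date, used as the constructed "as of" date.
AS_OF = date(2017, 10, 6)

# Assumed policy, not a standard: an update still missing this many days
# after release is reported as overdue.
MAX_LAG_DAYS = 30


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's monthly release day."""
    first = date(year, month, 1)
    # weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


# Constructed inventory: hostname -> OS and the update IDs already installed.
INVENTORY = {
    "web-01":    {"os": "Windows Server 2016", "installed": {"KB-EXAMPLE-1", "KB-EXAMPLE-2", "KB-EXAMPLE-3"}},
    "db-01":     {"os": "Windows Server 2016", "installed": {"KB-EXAMPLE-1"}},
    "legacy-01": {"os": "Windows XP",          "installed": set()},
}

# Constructed release list: update ID -> the Patch Tuesday it shipped on.
RELEASED = {
    "KB-EXAMPLE-1": patch_tuesday(2017, 7),   # 2017-07-11
    "KB-EXAMPLE-2": patch_tuesday(2017, 8),   # 2017-08-08
    "KB-EXAMPLE-3": patch_tuesday(2017, 9),   # 2017-09-12
}

# Operating systems that no longer receive security updates (sample list).
END_OF_LIFE = {"Windows XP", "Windows Server 2003"}


def missing_patches(host, inventory=INVENTORY, released=RELEASED, today=None):
    """Updates released on or before `today` that `host` has not installed,
    mapped to the number of days they have been outstanding."""
    today = today or date.today()
    installed = inventory[host]["installed"]
    return {
        kb: (today - rel).days
        for kb, rel in released.items()
        if kb not in installed and rel <= today
    }


def report(inventory=INVENTORY, released=RELEASED, eol=END_OF_LIFE,
           today=None, max_lag_days=MAX_LAG_DAYS):
    """List (host, finding, detail) tuples for EOL systems and overdue updates."""
    today = today or date.today()
    findings = []
    for host, info in inventory.items():
        if info["os"] in eol:
            findings.append((host, "end-of-life OS", info["os"]))
        for kb, lag in missing_patches(host, inventory, released, today).items():
            if lag > max_lag_days:
                findings.append((host, "patch overdue", f"{kb} ({lag} days)"))
    return findings


if __name__ == "__main__":
    print("Next release:", patch_tuesday(AS_OF.year, AS_OF.month))
    for host, finding, detail in report(today=AS_OF):
        print(f"{host:10} {finding:16} {detail}")
```

Run as-is it reports against the sample inventory as of the post's date; in practice the `INVENTORY` and `RELEASED` dictionaries would be fed from the asset inventory and the vendor's release feed, and the output is what an operations team should be reviewing after every second Tuesday.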

Any system is only as strong as its weakest component. Do you know what yours is? Do you even care? As a consumer who has been on the receiving end of too many data breach notifications, I can tell you that I do.

It’s a shame that it took getting to a point where consumers don’t assume—or even expect—privacy anymore to drive this point home. Take back your environments, know what’s happening inside them, and become good stewards of the data we’ve shared with you!

/end rant

Security & Intelligence
Posted on October 6, 2017 by Jim Rouse