Equifax Breach Raises Questions Every Company Should Be Asking

As is the case in the immediate wake of most breaches, we don’t know a lot of details about the recent Equifax data breach. News breaks through the usual outlets, the world (or affected market) collectively gasps and screams out in unison “How dare you?” and everyone goes running to check their credit card statements, change their passwords, and whatever else is appropriate for the breach in question.

For the public, the reaction is very similar to that of a major storm like a hurricane or a blizzard heading your way. If the news is bad enough, people will run out, buy up bottled water and cans of food, and do what they can to survive. Sadly, we’ve seen that recently enough in the United States with the hurricanes hitting Texas and Florida.

Just like a major storm, there is also a period of reflection and analysis after the initial panic associated with a major breach. But we’re not even there yet; there is still a lot to come from the Equifax breach. This is a major opportunity for companies around the world to watch closely. In our opinion, the news is going to get a lot worse—it almost always does—and will likely lead to some of the most memorable post-breach legal action we’ve seen to date.

Oncoming Storm

What We Already Know

Before we get into what’s to come, let’s take a look at what we already know about the situation:

  • Equifax identified unauthorized access to its systems on July 29
  • The company followed up by hiring forensics firm FireEye Mandiant to investigate (that investigation is ongoing)
  • About 143 million Americans were potentially affected
  • An estimated 209,000 U.S. consumers’ credit card numbers were jeopardized
  • Equifax claims attackers exploited an application vulnerability
  • The company published a website dedicated to giving consumers an idea of whether they were affected or not

We didn’t link to the website mentioned in the final bullet for a reason: it’s really not working as advertised (Read: It’s busted). Even more concerning, three Equifax executives sold almost $2 million worth of shares after July 29 and before the company announced the breach on September 7.

We’ve seen this before, personally. While we can’t name the company, we’ve seen situations where the President and the CEO of a failing company kept themselves busy telling staff that the company was taking positive strides and would be better off financially, all while selling off millions of dollars of stock on their own way out the door.

Interestingly enough, in a Washington Post article published on September 8, a University of Virginia School of Law professor indicated that this is precisely the sort of activity that would lead to an SEC inquiry.

“It certainly would be exactly the type of trading pattern before a high-profile event that the [Securities and Exchange Commission] would investigate,” said Brandon L. Garrett, a professor at the University of Virginia School of Law. “Even if they do not bring charges it is the type of conduct that a company should not tolerate in its executives. It sends a terrible message to the public and to customers.”
The SEC declined to comment on whether it was investigating the matter.

So Many Lessons to Learn

It’s safe to say that Equifax’s reputation is damaged, at least in the near term. Its stock price has dropped about $30, or about 21%, since it announced the breach, as of this writing. But what can this scenario tell other companies that might find themselves in a similar predicament? More importantly, how can the Equifax breach help those companies make it less likely that something similar will happen to them?

On a purely reputational note, we don’t really need to comment much more about executives selling off stock before announcing a breach to the public. They’ll almost certainly be getting a visit from the SEC in due time. Despite decades of cautionary tales about how insider trading really doesn’t pay in the end, it still happens. Did those executives know about the breach? We don’t know yet—but companies everywhere should ensure that they have prompt and clear internal communications to head off a situation like this. Even if there’s only the potential for a breach, the C-suite should think twice about making a financial transaction until the situation is settled.

Getting down to the organizational and technical side of this scenario, there are a number of points that bear mentioning. For starters, Equifax only just recently hired a VP of Cybersecurity (their equivalent to a Chief Information Security Officer). It’s concerning that such a large company tasked with protecting so much personally identifiable and payment card information would have let this role go vacant for any length of time. We can’t help but wonder if the VP of Cybersecurity has the clout, power, and ability to convey just how serious a situation Equifax faced before going public with it.

Window of Intrusion

Equifax reported that the breach was detected on July 29, and that the attack took place sometime in “mid-May”. This interval is commonly referred to as the window of intrusion, and it’s well documented that this window is often open for months before a company “closes” it by containing the breach, effectively prohibiting further intruder access. However, based on our experience with the way large-scale breach investigations unfold, we would not be surprised to find out later that the attackers were in Equifax’s systems even longer than the company has currently admitted. It’s still reasonably early in the investigation, and chronology changes of this nature are common as more information comes out.

A company’s ability to detect an attack is one of the most important facets on which to judge its security team and posture. Based on some of the circumstantial evidence we’ve already mentioned, we don’t have a lot of confidence that Equifax was able to catch the attackers quickly. So many times in incident response, we see companies that might have numerous tools in place to prevent and detect attacks, but with a severe gap between the abilities of those tools and the ability to use them effectively. This happens for a variety of reasons: lack of proper staffing, insufficient training, small security budgets, and poorly configured tools are typical culprits. In our opinion, these are all the result of poor executive leadership and a fundamental lack of understanding regarding risk management.

Security teams have to look at and understand a lot of information. Honestly, corporate systems generate an enormous amount of information that organizations can use to protect their networks and data, but only if everything is configured properly and optimized. Then, the individuals tasked with this monitoring must be able to properly correlate the alerts they are seeing with human activity; i.e., what do these alerts really mean? If they cannot do this at speed and scale, they won’t be able to mount any sort of respectable defense against an attacker. Companies really need to ask themselves what importance they place on security and how they are enabling their security teams. This ties directly back into our previous comment about executive leadership and risk management.

Understanding Left and Right of Breach

Back in June, I (Chris) wrote about how companies can approach cybersecurity by defining when they are Left of Breach and Right of Breach and acting appropriately in either case. Equifax is now very much in a “Right of Breach” scenario. The longer it stays there, the more money and resources it will have to spend, and it will be a while before it can return to the coveted and ideal “Left of Breach” posture.

There is always money after a breach. Decisions to not spend money on security may be influenced by other business drivers such as gross margins, profit/loss, and net revenue contributions. After a breach, you don’t have a choice. As Equifax will be learning very shortly, you will always pay outside counsel, forensic investigators, legal fees, class action penalties, and regulatory fines. It’s virtually guaranteed that this will always cost more than hiring a CISO, a good security team, and arming them with the knowledge and tools they need to be successful. It’s not just a little more expensive, either. It’s several orders of magnitude more expensive after a breach, especially a big one.

And that, ultimately, is why we’re here. Nuix ties together disparate types of information and allows security teams to make more accurate decisions faster, which in turn lets them protect their brand’s reputation and minimize the impact of the breach. When it comes to a massive breach, you can’t always stop the bad guys from getting in, but you can spend the shortest time possible spinning your wheels, not knowing which way to turn, and wondering just how bad things are.

Because, when the news breaks, you’ll almost always find out that it was worse than you thought. It’s happened far too often in recent history to discount, and it will happen here with Equifax. Hopefully it gives everyone else enough of a wakeup call to be better if, and when, it’s their turn.

Chris Pogue

Head of Services, Security and Partner Integration

Chris Pogue has more than 15 years’ experience and 2,000 breach investigations under his belt. Over his career, Chris has led multiple professional security services organizations and corporate security initiatives to investigate thousands of security breaches worldwide.

Harlan Carvey

Director of Intelligence Integration

Harlan began his career in information security 28 years ago. After serving on active duty with the United States military, he transitioned to planning, coordinating, and executing vulnerability assessments. He then went on to digital forensics and incident response, which in turn led to targeted threat hunting and response. Harlan is an accomplished public speaker and prolific author, particularly in the area of digital forensic analysis of Windows systems. He has written a number of open source tools, including RegRipper.