Lessons (Re)learned: the Congressional Report on Equifax

By Curtis Dukes, Executive VP and GM – CIS Security Best Practices

The recently released House Oversight and Government Reform Committee Congressional report discusses how the Equifax data breach led to the disclosure of significant amounts of consumer personally identifiable information (PII). If an organization with the resources and sophistication of Equifax can be compromised, how can smaller organizations hope to defend themselves? This is a complex problem, but one with straightforward steps that can be taken to address cyber risks. Unfortunately, too often we see examples of organizations that have not taken basic actions that could prevent most intrusions.

The lessons to be learned are familiar ones.

Those organizations that are ahead of the problem:

  1. Maintain a database of installed software that is updated by each person in the IT department who installs it.
  2. Use an architecture that enforces least privilege. In this case, the Congressional Report observed Equifax’s failure to restrict the reach of middleware to databases it wasn’t serving.
  3. Implement intrusion detection software positioned to inspect traffic. Also essential is an administrator who has the responsibility to ensure that new detection rules and signatures are updated.

Those organizations that are ahead of the class:

  1. Ensure there are no legacy systems running critical software. This can be a challenge when major system upgrades are needed and the experts who designed those systems are long gone. Y2K should have taught us that a cradle to grave plan for any critical system is essential to maintain and migrate vital systems.
  2. Utilize file integrity software. This goes along with having up-to-date systems. How many organizations run this software on every critical host? How expensive is to buy and maintain?

Those protecting IT infrastructures should also update your security certificates on network devices needed to monitor your traffic. Why is it, though, that the default is to have the service stop? What is the more likely problem – a compromise of a private key or an attack that goes undetected?

Attacks happen

The Majority Staff Report indicated Equifax had event logs that only dated back 30 days. Was that reasonable, especially for systems that handled or connected to databases with millions of consumer PII records? What are the costs of storing this data?

Most of these practices correspond to the safeguards in the CIS Controls. With a community of cybersecurity experts, CIS has identified 20 prioritized controls that can be implemented to help defend your organization against cyber threats.

We think it is time to have a public discussion about the costs of implementing even the most fundamental safeguards. The security community must find more cost-effective ways to integrate sound security practices into the work practices of an organization.

In my next post, I want to start the discussion with an overview of the advantages of the new Internet Engineering Task Force (IETF) and ISO standards for software management. The National Institute for Standards and Technology (NIST) is incorporating into these specifications into their Security Content Automation Protocol (SCAP). We’ll discuss how the new specifications could drive down the costs of maintaining an accurate software inventory by being supported out of the box and by the developers.

To learn more about SCAP, check out the latest blog post from Curt.