Executive Vice President, Security Best Practices Automation Group at CIS®
Equifax collects and retains large quantities of personally identifiable information (PII) about U.S. and Canadian citizens. Many other organizations collect and retain this data. Any party that handles our PII has the responsibility to do their utmost to protect it. When this information is lost, the responsible party should be contrite and forthcoming.
Full disclosure will:
- Allow other organizations to consider whether they, too, are making similar mistakes.
- Allow all of us to understand what reasons and rationalizations an institution engages and indulges in when they knowingly choose not to patch.
- Allow security experts to learn what happened and either point out what else Equifax could and should have done to protect the information or to refine the tools and guidance that already exist to prevent other mistakes.
Any breach of this size reflects a cultural and a technological problem. We know what needs to do be done: the CIS Controls spell out the technical actions that must be implemented to provide basic security.
Some examples of CIS Controls that address the Equifax breach and what should be done:
- CIS Control 2, understand what software is running. And be doubly certain if it is the software that handles or protects sensitive data.
- CIS Control 4, if you know what your critical software is and you know it has a vulnerability, patch it. If for some reason you are managing PII of third parties and you didn’t patch it, tell us why not. We all need to know if other organizations were able to patch their applications. Are other organizations equally vulnerable?
- CIS Control 6, audit everything, centralize it, and make sense of it. At a minimum, collect enough data so forensics experts can make full sense of it and help everyone else discover and prevent similar attacks.
- CIS Control 9, operate critical services on separate devices. That makes it easier to see malicious actions. How did the attackers exfiltrate the data? Did they open ports? Was there a host based firewall?
- CIS Control 12, defend the boundaries of your network. Was traffic to and from the compromised devices being inspected? Did a server initiate an unexpected connection?
- CIS Control 14, complexity is the cover used by attackers. Did Equifax segment its network so that critical business functions with user’s data could be monitored more closely for anomalies?
If you want to be trusted, be trustworthy and show good faith. It’s time for companies to ‘fess up’, to help everyone learn from these calamities, and to work with the security community to stop unintended information loss. In fact, this is long overdue.