CIS Controls foundational best practices could have prevented the Equifax® and other high-profile breaches.
Sept 22, 2017
East Greenbush, NY
Equifax® breach could have been prevented by CIS Controls best practices.
Equifax has acknowledged their recent “cybersecurity incident” occurred due to the exploitation of a known vulnerability that had been identified in March 2017 in Apache® software called “Struts.” Visit https://www.equifaxsecurity2017.com/ to read Equifax’s account of what happened. This vulnerability had been identified as a critical vulnerability with a remedy being provided by Apache almost immediately.
The May 2017 WannaCry cyber-attack was a similar story: the ransomware exploited another known vulnerability, this time in the Windows operating system. Most other high-profile breaches follow the same pattern: a failure to implement basic cyber hygiene.
Attacks such as WannaCry and Equifax could have been prevented with a diligent implementation of CIS Control 4: “Continuous Vulnerability Assessment and Remediation.” CIS Control 4 calls for IT managers to assess enterprise vulnerabilities on a regular basis, typically using automated tools, and to fix the most critical vulnerabilities. It may be that Equifax also failed to properly inventory all of its hardware and software (CIS Controls 1 and 2) and to monitor and analyze audit logs (CIS Control 6).
“Unfortunately, the Equifax breach is yet another example of what can happen if organizations are not vigilant about foundational cyber practices such as patching known vulnerabilities,” said Tony Sager, CIS Senior V.P. and Chief Evangelist for the CIS Controls.
The CIS Controls were developed through a consensus process to prioritize essential technical actions all organizations should take to protect their systems and networks. The CIS Controls represent a foundational list of specific actions that can be used to implement the higher-level objectives in the NIST Cybersecurity Framework as well as cyber frameworks from the Payment Card Industry, International Organization for Standardization, and Institute of Electrical and Electronics Engineers. The State of California has already identified the CIS Controls as an expected practice for companies doing business within the state. The CIS Controls are available as a free download.
“Organizations will continue to be at risk for cyber-attacks and breaches, but the solution is not rocket science; it’s basic cyber hygiene like patching and scanning,” according to Sager.
CIS is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. Our CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing & Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities. To learn more, visit CISecurity.org and follow us on Twitter: @CISecurity.