How to Avoid Your Own Equifax Cybersecurity Meltdown in 7 Steps

Equifax reported on September 7, 2017 that there is "No evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases". This is a very important statement because the data in those core databases support every personal or commercial loan in the United States. Business in the U.S. grinds to a halt if credit data can't be trusted.

The Equifax hack is a “near-miss by a cyber-weapon targeted at our financial system,” according to Ford Winslow, business, cybersecurity and IT expert at ICE Cybersecurity.

Every interest rate on every personal or corporate loan could be called into question if the data used to underwrite the loan were compromised, according to Winslow. The securities market could turn upside-down immediately. Currently the Federal Reserve issues over $200 Billion in overnight loans every day. Over the period of the breach, that’s about $15 Trillion in loans that could be affected, and roughly $150 Billion in interest payments were made based on credit ratings.

What Happened

On September 7, 2017, Equifax, one of the three major credit reporting agencies in the U.S., disclosed a data breach affecting 143 million consumers. The company stated that criminals exploited a web application vulnerability to gain access to confidential files. The breach may have exposed the personal details of 44% of the U.S. population, and is one of the largest ever recorded. These personal details include names, Social Security numbers, dates of birth, addresses and, in some cases, driver’s license numbers. The attackers also obtained about 209,000 credit card numbers and dispute documents with personal identifying information for about 182,000 consumers.

This breach has massive implications. Not only are the consumers in question at increased risk of identity theft, but the security of countless other websites and organizations could be at risk as well: the information requested in routine identity-verification checks (name, Social Security number, date of birth, address) is roughly the same information that was compromised in the hack, so anyone holding the stolen data can answer those checks. Equifax created a website after the breach, www.equifaxsecurity2017.com, to help consumers find out whether their data was compromised. The site asks for your information, tells you whether your data was affected, and prompts affected consumers to enroll in Equifax’s data protection service. At present, the site’s terms of use might also prevent consumers from participating in any class action lawsuits against Equifax.

Cybersecurity is Mandated by GLBA

Two class-action lawsuits have already been filed against Equifax. The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), regulates how financial service institutions use and safeguard consumer information. While it is unclear whether Equifax violated the core tenets of the GLBA provisions, individual states have breach-notification requirements of their own. Oregon law, for example, requires that institutions notify the consumer “in the most expeditious way possible.” Since the breach was discovered on July 29 and Equifax did not notify investors until September 7, after senior executives had sold a great deal of their own stock, things are not looking good for Equifax.

This is not the first time that Equifax has been compromised. Earlier this year, W-2 tax data was stolen from TALX, an Equifax subsidiary that provides online payroll and tax services to large U.S. corporations. In 2016, criminals stole W-2 tax and salary data from a different Equifax website. Since the sensitivity of the data compromised has become progressively more severe, and the number of consumers affected has progressively increased, Equifax is now under a great deal of scrutiny for potentially negligent cybersecurity controls.

Cybersecurity Begins at the Top: Boards of Directors Should Be Worried

“Organizations need to understand the legal implications of cyber risk as they relate to their company’s specific circumstances,” said Henry Stoever, Chief Marketing Officer of the National Association of Corporate Directors (NACD). Companies need to ensure that their boards have adequate access to cybersecurity expertise and that risk-management discussions occur as regularly as NACD recommends.

It is particularly important for companies to have multiple layers of cybersecurity controls. Many companies today hold significant amounts of personal and financial data, all of which may be at significant risk.

What can companies do to prevent cyber security data breaches?

Security breaches are inevitable, so a program has to cover prevention, detection and response. Ransomware alone is a $75 Billion industry, so having prevention measures in place as standard operating procedure is a critical first step. 60% of all attacks are carried out by insiders, and 25% of those are inadvertent.

Mandiant’s M-Trends report puts the median time from compromise to detection at 205 days. Basic cybersecurity practices such as continuous monitoring could have detected the data breach in hours rather than months.

7-Point Cybersecurity Checklist For Any Organization

1) Integrate cybersecurity into web app development:

In most organizations, security is still not part of application development. Integrating security team members into application development has traditionally been seen as slow, expensive and ineffective. Against the cost of a breach like this one, how much is too much to spend on securing data?

2) Continuous cybersecurity scanning for vulnerabilities:

We don't yet know whether this vulnerability was a known issue that could have been patched or a "zero-day". If it turns out to have been known, continuous vulnerability scanning would have found the gap in time for detection, response and repair.
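What "continuous scanning" for a known, patchable vulnerability looks like at its simplest is an inventory of what is deployed, compared on every run against a feed of fixed versions. The script below is an added example written for this post, not code from Equifax or from any scanner product; the component names, version numbers and advisory IDs in it are constructed for illustration.

```ruby
# Added example, not code from the original post or from Equifax: a minimal
# "continuous scanning" check that compares an inventory of deployed
# components against a feed of known-vulnerable version ranges.
# Component names, versions and advisory IDs below are constructed.
require 'rubygems' # Gem::Version gives correct version ordering

# Constructed advisory feed: component => earliest fixed version and advisory id
ADVISORIES = {
  'example-web-framework' => { fixed_in: '2.3.32', id: 'ADV-EXAMPLE-001' },
  'example-json-lib'      => { fixed_in: '1.2.7',  id: 'ADV-EXAMPLE-002' }
}.freeze

# Constructed inventory as an agent or build manifest might report it:
# "<host> <component> <version>", one per line
INVENTORY = <<~TXT
  web-01 example-web-framework 2.3.31
  web-02 example-web-framework 2.3.32
  api-01 example-json-lib 1.2.5
  api-01 example-web-framework 2.5.10
  api-02 unknown-lib 0.9
TXT

Finding = Struct.new(:host, :component, :version, :advisory)

# True when +version+ sorts below the fixed version. Plain string comparison
# would get "2.3.9" vs "2.3.10" wrong, which is why Gem::Version is used.
def vulnerable?(version, fixed_in)
  Gem::Version.new(version) < Gem::Version.new(fixed_in)
end

# Returns one Finding per (host, component) that is below the fixed version.
def scan(inventory, advisories = ADVISORIES)
  inventory.each_line.with_object([]) do |line, findings|
    host, component, version = line.split
    next if version.nil?                       # blank or malformed line
    next unless Gem::Version.correct?(version) # unparseable version string
    adv = advisories[component]
    next unless adv && vulnerable?(version, adv[:fixed_in])
    findings << Finding.new(host, component, version, adv[:id])
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(INVENTORY).each do |f|
    puts "#{f.host}: #{f.component} #{f.version} is vulnerable (#{f.advisory})"
  end
end
```

Run on a schedule (cron, a CI job, or a Chef/InSpec run), a check like this turns "was that thing patched?" from a question someone has to remember to ask into a report that shows up every morning.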

3) Full-Restore Data Backups: 

Back up all critical information, then make sure it can be restored on demand. Backups should be stored offsite and offline, and every backup should be tested for full restoration of the data, not just for the existence of the backup files.
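A restore test is only worth something if it proves the restored data matches what was backed up. The script below is an added example for this checklist item, not code from the original post or from any backup product: it writes a backup with a SHA-256 manifest, restores it to a second location, and compares the restore against the manifest. All paths are temporary directories created at run time, and the sample files are constructed here.

```ruby
# Added example, not code from the original post: make a backup of a directory
# together with a SHA-256 manifest, restore it somewhere else and verify that
# every file came back intact. All paths are temporary directories created at
# run time and the sample files are constructed here.
require 'digest'
require 'fileutils'
require 'json'
require 'tmpdir'

# { relative path => sha256 } for every regular file under +dir+
def manifest_for(dir)
  Dir.glob('**/*', base: dir).sort.each_with_object({}) do |rel, m|
    path = File.join(dir, rel)
    m[rel] = Digest::SHA256.file(path).hexdigest if File.file?(path)
  end
end

# Copy +src+ into <dest>/data and record the manifest next to it.
def backup(src, dest)
  data = File.join(dest, 'data')
  FileUtils.mkdir_p(data)
  FileUtils.cp_r(File.join(src, '.'), data) # "src/." copies the contents, not the dir
  File.write(File.join(dest, 'manifest.json'), JSON.pretty_generate(manifest_for(src)))
end

# Restore into +target+ and diff it against the manifest. Returns a list of
# problems; an empty list means the backup passed a full restore test.
def restore_and_verify(backup_dir, target)
  FileUtils.mkdir_p(target)
  FileUtils.cp_r(File.join(backup_dir, 'data', '.'), target)
  expected = JSON.parse(File.read(File.join(backup_dir, 'manifest.json')))
  actual = manifest_for(target)
  problems = []
  expected.each do |rel, digest|
    if !actual.key?(rel)
      problems << "missing: #{rel}"
    elsif actual[rel] != digest
      problems << "corrupt: #{rel}"
    end
  end
  (actual.keys - expected.keys).each { |rel| problems << "unexpected: #{rel}" }
  problems
end

# Demonstration: a clean restore verifies, and a stored copy that has been
# corrupted (simulated here by truncating a file) is caught by the verify step.
def demo
  Dir.mktmpdir('backup-demo') do |root|
    src = File.join(root, 'src')
    FileUtils.mkdir_p(File.join(src, 'db'))
    File.write(File.join(src, 'db', 'records.csv'), "id,name\n1,alice\n2,bob\n")
    File.write(File.join(src, 'config.yml'), "retention_days: 30\n")

    backup(src, File.join(root, 'backup'))
    clean = restore_and_verify(File.join(root, 'backup'), File.join(root, 'restore-1'))

    File.write(File.join(root, 'backup', 'data', 'db', 'records.csv'), "id,name\n")
    corrupt = restore_and_verify(File.join(root, 'backup'), File.join(root, 'restore-2'))
    [clean, corrupt]
  end
end

if __FILE__ == $PROGRAM_NAME
  clean, corrupt = demo
  puts "clean restore problems:     #{clean.inspect}"
  puts "corrupted restore problems: #{corrupt.inspect}"
end
```

The point of the manifest is that it is written at backup time from the live data, so a restore that silently lost or altered a file cannot pass. In practice the manifest should be stored with the offline copy and the restore test run on a schedule, not only when a disaster has already happened.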

4) Staff Training:

According to Harvard Business Review, 60% of all attacks are carried out by insiders; 75% of those are malicious and 25% are inadvertent, such as clicking on a phishing email. Staff must be trained on cybersecurity best practices during onboarding and continually afterwards.

5) Incident Response:

Ensure that a company-wide incident response plan, with a handbook for staff, is in place, up to date and tested regularly.

6) Continuous penetration testing:

Penetration tests (pen tests) simulate attacks to discover where systems can be breached. Most financial organizations run penetration tests annually or more often. With modern tools and automation, penetration testing can, and should, be done continuously and at random intervals.

7) Data mapping and security architecture:

Many organizations don't have a good grasp of where sensitive data lives and how it can be accessed. In this case, the attackers were evidently able to use an account with broad privileges to read data. A good security architecture plan, with record access limited to what each account actually needs, might have helped Equifax limit the damage by restricting how many records were breached.
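Two items above come together in one control: the continuous monitoring that could have caught the breach in hours rather than months, and the data-mapping work that says how many records any one account has a legitimate reason to read. The script below is an added example written for this post, not Equifax's logging or any vendor's product; it runs over constructed application access-log lines (format, account names and per-role limits are all assumptions made here) and raises an alert the first time a principal reads more distinct consumer records in a sliding window than its role is expected to touch.

```ruby
# Added example, not code from the original post: detection logic for bulk
# record access. Runs over constructed access-log lines and flags a principal
# that reads more distinct records in a sliding window than its role allows.
require 'time'

# Constructed log lines: ISO timestamp, principal, role, action, record id
SAMPLE_LOG = <<~LOG
  2017-05-13T10:00:01Z svc-dispute-portal role=support read record=10001
  2017-05-13T10:00:02Z svc-dispute-portal role=support read record=10002
  2017-05-13T10:00:03Z svc-dispute-portal role=support read record=10003
  2017-05-13T10:00:04Z svc-dispute-portal role=support read record=10004
  2017-05-13T10:00:05Z svc-dispute-portal role=support read record=10005
  2017-05-13T10:00:06Z svc-dispute-portal role=support read record=10006
  2017-05-13T10:00:07Z jdoe role=support read record=20001
  2017-05-13T10:00:08Z jdoe role=support read record=20001
  2017-05-13T10:00:09Z jdoe role=support read record=20002
  2017-05-13T11:00:01Z svc-batch-scoring role=batch read record=30001
LOG

# Assumed policy: ceiling on distinct records per window, by role. These come
# from the data-mapping exercise, not from this script.
LIMITS = { 'support' => 5, 'batch' => 100_000 }.freeze
WINDOW = 60 # seconds

LINE_RE = /\A(?<ts>\S+) (?<who>\S+) role=(?<role>\S+) (?<action>\S+) record=(?<rec>\d+)\z/

# One parsed event, or nil for lines that do not match the expected format.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { ts: Time.iso8601(m[:ts]), who: m[:who], role: m[:role], action: m[:action], rec: m[:rec] }
rescue ArgumentError # bad timestamp
  nil
end

# Returns alerts as [{who:, role:, count:, at:}], at most one per principal,
# raised at the first read that pushes the distinct-record count over the limit.
def detect_bulk_access(log, limits = LIMITS, window = WINDOW)
  reads = log.each_line.map { |l| parse_line(l) }.compact.select { |e| e[:action] == 'read' }
  alerts = []
  reads.group_by { |e| e[:who] }.each do |who, events|
    events.sort_by! { |e| e[:ts] }
    events.each_with_index do |ev, i|
      in_window = events[0..i].select { |e| e[:ts] > ev[:ts] - window }
      distinct = in_window.map { |e| e[:rec] }.uniq.size # re-reading one record is not bulk access
      limit = limits.fetch(ev[:role], 0) # unknown role: any read alerts (fail closed)
      next unless distinct > limit
      alerts << { who: who, role: ev[:role], count: distinct, at: ev[:ts].iso8601 }
      break # one alert per principal; the response process takes it from here
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_bulk_access(SAMPLE_LOG).each do |a|
    puts "ALERT #{a[:at]} #{a[:who]} (#{a[:role]}) read #{a[:count]} distinct records in #{WINDOW}s"
  end
end
```

The same per-role ceiling that drives the alert can also be enforced in the application as a hard limit, which is the "limit the damage" half of the item above: a support-tier account that can only page through a few records a minute cannot be used to pull 143 million of them, whatever vulnerability got the attacker in.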

If you’re not sure how to get started with a robust cybersecurity plan, ICE can help. For many companies, our Managed Security Services can cost-effectively solve these issues quickly and completely. Contact us today and let our experts help you improve your company's security and put your risk on ICE.

ChefConf 2017: Technical Artists at Work

In May, we spent three days in Austin, Texas, at ChefConf 2017 learning about DevOps culture, workflow, infrastructure automation, and continuous application delivery.  The event, hosted by Chef, was the best technology conference we’ve attended this year (for reasons both technological and not – see below! ;).

Keynote speakers included executives from Chef, Microsoft, Google, Verisk Analytics, and more. Workshops touched on managing DevOps teams, along with ways numerous Chef tools can help your organization remain compliant, secure your infrastructure, and take advantage of new automation features.

Here are three key things we learned from this year’s event.

Continuous Integration Solutions

We left feeling that Chef's offerings have matured to the point where they can support a full continuous-delivery pipeline. The latest updates to Chef Automate and Habitat sharpen the end-to-end continuous delivery and continuous automation story considerably. Case studies from companies that implemented Chef, an exploration of new toolsets and features, and a look at the roadmap provided a lot of insight into the latest DevOps trends.

A few key things we noticed in the breakout sessions:

  • Comprehensive dashboard views inside Chef tools
  • Compliance dashboard for a thorough overview of risks and compliance issues
  • Heavy focus on power and clarity in solutions
  • Habitat now includes a builder service, adding yet another capability for managing the CD pipeline with Chef tools
  • Habitat automatically incorporates all dependencies
  • Updates and point-in-time backups are applied automatically in AWS OpsWorks for Chef Automate, a fully managed Chef Automate service.

Sessions were also awesomely heavy on live demos, which made for a richer learning experience than slides alone could offer. In one demo, adding a compliance check for a newly published vulnerability and re-testing the whole infrastructure environment took less than a minute.

In a session focused on Habitat, speakers stressed the difference between “choreography” and “orchestration” in a tool. The two terms sound similar, but the approaches produce different results when executed.

Orchestration is a top-down approach: a person issues a command and waits for a response. It is the older model. Choreography is more collaborative. Think of asking a band to play a song: you don't tell each band member what to play; you ask for the song and let the musicians self-organize to create the music. This is Habitat!

DevSecOps Trends

We especially liked the focus on security and DevSecOps. A few highlights:

  • InSpec can be run on a schedule, which means continuous compliance rather than a once-a-year audit
  • The InSpec declarative language is human readable, so auditors can read the controls directly
  • Chef is now an official contributor to the “DevSec Project” (http://dev-sec.io), which provides template cookbooks and InSpec baseline profiles for hardening and compliance
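To make the "continuous compliance" idea concrete, here is an added example, written for this post and not taken from Chef, InSpec or the DevSec Project: a plain-Ruby stand-in for an InSpec profile that evaluates a handful of SSH hardening controls of the kind the dev-sec SSH baseline covers (root login, password authentication, empty passwords, X11 forwarding) against sshd_config text. Real InSpec is a Ruby DSL run with `inspec exec` and would use its built-in sshd_config resource instead of the parser below; this version runs without InSpec installed. The two config texts are constructed, and the control IDs and titles are made up here.

```ruby
# Added example, not code from the original post, Chef or dev-sec: a plain-Ruby
# stand-in for an InSpec profile that checks a few SSH hardening settings
# against sshd_config text. Config texts and control IDs are constructed.

# sshd_config semantics: '#' starts a comment, keywords are case-insensitive,
# arguments are case-sensitive, and the FIRST occurrence of a keyword wins.
# "Keyword value" and "Keyword=value" forms are both accepted.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |raw, cfg|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)
    cfg[key.downcase] ||= (value || '') # ||= keeps the first match, as sshd does
  end
end

# Each control receives the parsed config and returns true when compliant.
# Where a keyword is absent, OpenSSH's documented default applies: root login
# and password authentication default to permitted, so absence fails those
# controls; PermitEmptyPasswords and X11Forwarding default to "no".
CONTROLS = [
  { id: 'ssh-01', title: 'Root login disabled',
    check: ->(c) { c['permitrootlogin'] == 'no' } },
  { id: 'ssh-02', title: 'Password authentication disabled',
    check: ->(c) { c['passwordauthentication'] == 'no' } },
  { id: 'ssh-03', title: 'Empty passwords rejected',
    check: ->(c) { c.fetch('permitemptypasswords', 'no') == 'no' } },
  { id: 'ssh-04', title: 'X11 forwarding disabled',
    check: ->(c) { c.fetch('x11forwarding', 'no') == 'no' } }
].freeze

# Returns [{id:, title:, passed:}] for every control.
def evaluate(config_text, controls = CONTROLS)
  cfg = parse_sshd_config(config_text)
  controls.map { |ctl| { id: ctl[:id], title: ctl[:title], passed: ctl[:check].call(cfg) } }
end

def compliant?(config_text)
  evaluate(config_text).all? { |r| r[:passed] }
end

# Constructed: hardening lines commented out or set to the permissive value
WEAK_SSHD_CONFIG = <<~CFG
  #PermitRootLogin no
  PasswordAuthentication yes
  X11Forwarding yes
CFG

# Constructed: hardened, with a later duplicate that sshd would ignore
HARDENED_SSHD_CONFIG = <<~CFG
  Protocol 2
  PermitRootLogin no
  PasswordAuthentication no
  PermitEmptyPasswords no
  X11Forwarding no
  PermitRootLogin yes   # first occurrence wins, so this line has no effect
CFG

if __FILE__ == $PROGRAM_NAME
  { 'weak' => WEAK_SSHD_CONFIG, 'hardened' => HARDENED_SSHD_CONFIG }.each do |name, cfg|
    puts "== #{name} =="
    evaluate(cfg).each { |r| puts "  [#{r[:passed] ? 'PASS' : 'FAIL'}] #{r[:id]} #{r[:title]}" }
  end
end
```

The detail worth noticing is the first-occurrence rule: a check that grepped for the last `PermitRootLogin` line would pass the hardened config for the wrong reason and could be fooled by an appended override. Scheduled runs of a profile like this, whether under InSpec or a script, are what turn a one-time hardening step into continuous compliance.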

Culture And Camaraderie

A final key takeaway from ChefConf is the ability to look inside company culture to reveal how it impacts employees. Chef takes cues from Google, both in being a hip company and treating employees like royalty.

To me, Chef’s team is a collective of technical artists. They’re among the best of the best in the way they plug into the open source community. By engaging with the greater community, the team is able to foster an environment of innovation and collaboration. Just as collaboration makes for a better experience with Chef’s tools, the company also creates an environment that fosters innovation among the greater DevOps community. Chef’s roadmap, current project status board, and dev team Slack channel are all public. Anyone is welcome to make recommendations and interact with the team to request the features and knowledge they want.

The company is totally transparent to the community and works with the community as peers. If we had to guess, we’d say Chef CTO/Co-Founder Adam Jacob had much to do with this community-first methodology.

This culture was reflected in the conference itself. Just like other leading-edge tech companies, there was no shortage of ping-pong tables, skee ball, giant Jenga, and bean bag chairs. In the Habitat lounge, you could enjoy a cold brew while checking out a demo.

Making each and every person at the conference feel welcome and valued was intertwined in the very fabric of ChefConf. The event’s code of conduct expressed diversity and inclusiveness among its core values, in addition to ensuring that no attendees felt discriminated against or harassed.

Commitment to creating a welcoming environment for all didn’t stop with the code of conduct. Dedication to inclusiveness was reflected everywhere from the specially made “inclusive bathrooms” signs to actions in each session.

Before a session began, everyone in the audience was asked to stand and clap to welcome the speaker to the stage. It may have been a small show of goodwill, but this simple action made a huge difference for everyone in the room. Every speaker mentioned how a warm welcome set the stage for a more engaging talk. And it showed. The speaker’s comfort was clearly reflected in the quality of the session.

Warm and friendly vibes carried through to the very end of the conference. Once the final keynote wrapped up, the more than 1,500 audience members stood up to partake in a giant group hug.  

Organizers also spared no expense for the Chef Community Party. They reserved the entire Stubb’s venue. For those of you familiar with Austin, you know this was no small feat or budget. Bands and DJs performed on outdoor and indoor stages, and there was plenty of food and drink for all.

The result of the focus on culture? Chef attracts the best talent and encourages unique people, which leads to true innovation. After spending time with the Chef team, we couldn’t help but think, "Ok, THESE are our people." After this year’s informative, inclusive, and downright fun event, we’re counting down the days to next year’s conference.

Ford Winslow Presents at ITAC 2016 - How did Cyber go so Wrong?

Thursday, 12/8/2016, 11:00 AM - 12:00 PM

Session Title: B9: How Did Cybersecurity Go So Horribly Wrong and How Do We Get it Back on Track?
At the IT Auditors Conference in New Orleans, LA, Ford Winslow closed the track with a session on the history of cyber and what we can expect in the coming years.  

The presentation closed with several recommendations for the industry to get back on track:

#1 - Use a Risk-Based Approach

A common-sense approach to implementing security makes security practical and attainable. Overkill leads to complexity and risk; under-funding leads to gaps and risk as well. Justifying your security program based on risk is the only way to spend the right amount at the right time on the right thing.

#2 - Better Auditing

Not only do auditors need to be better educated on the latest trends, technologists need to be better educated on audit and the needs of auditors. Both sides need to work together on pragmatic audit approaches that yield trust.

#3 - Make Cyber Cool

Consumer technology gets adopted because it's "cool". If cybersecurity is something you have to do because your parents, your doctor or your teacher says you have to, you will resist. Once being secure is cool, we won't have to try to be secure anymore. It'll just happen. 

#4 - Speed

The #1 resistance to security is speed. Security is "slow". Security is "expensive". These are all things I hear constantly. In fact, the opposite is true. Not taking a secure approach is slow. By not having a framework or requirements, teams don't know what to do. Practical security requirements teams can use from the first day help teams go faster. Brakes on cars help you go faster....