The Equifax Breach + The GAO Report
On September 8th, 2018, one year after the Equifax breach, the General Accounting Office (GAO) filed an extensive 40-page report (PDF version here) on the details of the Equifax breach and the government’s response to it.
Here at Net Friends, we focus on providing IT expertise and solutions for businesses. There are many excellent lessons that Net Friends, our customers, and all businesses can adopt from this GAO report.
Details of the Report
The GAO report provides the most detail to date about the specifics of the breach, summarized in the graphic below: how the attack started on the Equifax dispute portal servers, how the attackers gained access to 51 databases, and how they extracted data from those databases over 76 days in small increments to avoid detection.
The report details that on March 10, 2017, the attackers used network scanning tools to detect and confirm the vulnerability in the Apache Struts web framework software, only 2 days after the vulnerability was described and published by the US Computer Emergency Readiness Team (US-CERT). Interestingly, the Equifax security office did distribute information about this Apache Struts vulnerability using an internal mailing list, but the investigation found that the system administrators responsible for updating the software never received the notice because the mailing list was out of date. Additionally, the Apache Struts vulnerability was not detected in the weekly vulnerability scans that Equifax ran on its own systems, suggesting that the quality, configuration, and/or design of the vulnerability scanning tools were insufficient at Equifax prior to the breach.
It took another 2 months after the attackers confirmed this vulnerability before they began to actively exploit the access they had gained, first reaching the 3 dispute portal-related databases and then extending their reach to 48 other databases. Over the course of the breach, the attackers ran approximately 9,000 queries. Had the network at Equifax been more segmented, the attackers would not have been able to reach so many other databases and widen the scope of the breach.
The attackers were able to find clear-text credentials on the systems they originally breached, which allowed them to run their queries against additional databases. Databases and configuration files often contain clear-text passwords for full-control or full-access accounts. Had better data governance procedures been in place, credentials would have been encrypted and sensitive information more restricted, further limiting the scope of the breach.
Equifax admitted that because of an expired digital certificate on the affected systems, their Intrusion Detection System failed to work properly and did not detect the attackers' activities until the digital certificate was updated. Had they maintained their digital certificates, the initial attacker activity would have been detected much earlier.
It’s comforting to know that it took only 1 day for the attack to be detected after the system administrator updated the expired digital certificate, and only 2 days after that for the company to formally engage the FBI, on August 2, 2017. It appears that their Incident Response Procedures were implemented and carried out properly.
We know so much now about the scope and details of the attack because the attackers thankfully did not erase the system logs that recorded their commands and activity.
Our Key Takeaways
Beyond the lessons above, pages 20 and onward of the report give a rundown of the specific changes Equifax has reported it is making:
- New tools that allow for continuous monitoring of network traffic
- New endpoint security tools to detect misconfigurations and alert on indications of potential compromise
- New vulnerability and patching management process, with confirmation steps
- Improved network segmentation to isolate devices that have no need to communicate with one another
- Increased restrictions between internal servers and at the external boundary of the company’s network
- Improved risk awareness and reporting to senior management and board members to improve visibility of cybersecurity risks at top management levels of the company