Equifax: a year after the largest data breach

    Hi, Habr! We all remember the leakage of personal data from Equifax databases (145.5 million customers). A year later, in August 2018, the GAO (the United States Accounting Chamber (Eng. The Government Accountability Office, abb. GAO) is an audit, evaluation and analytical investigative body of the US Congress) released a report “Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach, you can read it here . I will only make excerpts that seemed interesting to me, and, I hope, will be interesting to readers.

    Equifax - credit bureaus. It is one of the three largest credit agencies in the US, along with Experian and TransUnion (together they are called the “Big Three”). The bureau has a base from more than 280.2 million credit histories of individuals and 749 thousand credit histories of legal entities.



    Chronology of events


    All the information was generally known a year ago, but I still want to go through the main stages of the attack once again. Here I want to draw attention to the processing of information security incident.

    On March 10, 2017, attackers scanned services available from the Internet for specific vulnerabilities, which US-CERT reported 2 days earlier. Vulnerability in the Apache Struts Web Framework (CVE-2017-5638, https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832). Vulnerability was found on the portal, which allows citizens to upload documents disputing the accuracy / correctness of Equifax credit reports. Using specialized software, attackers were able to exploit the vulnerability and gain unauthorized access to the portal. At that time, data theft has not yet occurred.

    May 13, 2017 data theft began. After the portal was compromised, the attackers sent requests to other databases in search of valuable information. So they found a repository with personal data along with unencrypted logins and passwords that gave access to other databases. In total, the attackers sent about 9000 requests, some of the responses to these requests were with personal data. The attackers used existing encrypted communication channels to disguise requests and commands. The use of existing encrypted communication channels allowed attackers to get lost in the normal network flow and go unnoticed. After successfully extracting information from the Equifax databases, it was transmitted in small portions to the outside, not standing out from the general encrypted traffic. The attack lasted 76 days, until it was discovered.

    On July 29, 2017, information security specialists, conducting a full-time check of the state of IT infrastructure, discovered penetration on the portal. Penetration could be detected when encrypted traffic began to be inspected. Commands were found that are not part of the standard system operation. Until that date, encrypted traffic was not inspected by intrusion detection systems, because the certificate had expired, and the new one was not installed. Moreover, the certificate expired 10 months ago, it turns out that encrypted traffic was not inspected for 10 months. Having found penetration, the specialists blocked the ip-addresses from which the requests came.

    On July 30, 2017, the Department of Information Security discovered additional suspicious activity, it was decided to close access to the portal from the Internet.
    On July 31, 2017, CISO informed the CEO about the incident.

    August 2 - October 2, 2017 Equifax launched an investigation, trying to determine how much data was stolen and how many people this leak will affect. Logs of systems that were not damaged or removed by intruders were studied. According to the logs, experts tried to reproduce the sequence of actions of the attackers in order to determine which data was compromised. On August 2, the company notified the FBI of the leak.

    Factors affecting the success of an attack


    Below are these factors from the report:

    • Identification. Apache Struts vulnerability has not been identified. US-CERT has sent a notification about a new vulnerability in Apache Struts, it has been redirected to system administrators. The mailing list was outdated, and those who are updating / patching did not receive this letter. Also, Equifax claims that they scanned resources a week after it became aware of the vulnerability, and the scanner did not detect this vulnerability on the portal.
    • Detection (Detection). The expired certificate allowed attackers to go unnoticed. Equifax has an intrusion detection system, but the expired certificate did not allow inspecting encrypted traffic.
    • Segmentation The databases were not isolated / segmented from each other, the attackers were able to gain access to databases that do not belong to the portal (penetration point).
    • Data Management (Data Governance). Data management involves the delimitation of access to the protected information, including accounts (logins / passwords).

      It was also additionally noted that there is a lack of mechanisms for setting limits on the frequency of queries to databases. This allowed attackers to perform about 9000 requests, much more than is required for normal operation.

    Taken measures


    Unfortunately, nothing is really revealed, the following measures were noted:

    • a new process is applied to identify and apply patches / updates for software, as well as to control the installation of these patches;
    • a new data and application protection policy is being applied;
    • new tools are used to continuously monitor network traffic;
    • Added additional rules for delimiting access between internal servers, as well as between external servers and internal ones;
    • Additional protection for end devices is used, which detects configuration violations, evaluates potential indicators of compromise (IoC), automatically notifies system administrators about detected vulnerabilities.

    Measures taken by Equifax main government clients


    Equifax main government clients:

    • US Internal Revenue Service (IRS);
    • US Social Security Administration - Social Security Administration (SSA);
    • US Postal Service - United States Postal Service (USPS).

    Measures taken by Equifax main government clients:

    • identified and notified clients affected by the leak;
    • Independent evaluations of Equifax protection measures have been made (for compliance with this NIST document most likely https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf );
    • Revised agreements with Equifax regarding alert in case of leaks;
    • changes were made to the procedures for identifying citizens;
    • canceled short-term contracts with Equifax regarding new services.

    Consequences and expenses of the bureau


    Below are the consequences found:

    • Fired by CIO and CSO with the beautiful American phrase “effective immediately” link .
    • Fired CEO, who has been in this position since 2005 link .
    • Equifax has spent about $ 243 million currently on legal issues, new protection tools, monitoring services offered to customers for free, and 8 states have placed additional requirements on the bureau link .

    Also popular now: