Last month, the U.S. Government Accountability Office released a comprehensive report on last year’s Equifax breach. The most noticeable problem shouldn’t be surprising, given that I work at Venafi. It’s that Equifax had a security device that was tasked to inspect network traffic for suspicious packets, and the device’s digital certificate was expired during the breach. In itself, that wasn’t a big deal because keys and certificates expire all the time. What blew me away was that it was not replaced for 10 months.
I was not entirely surprised by the revelation of the role the expired certificate played. Nearly two years ago, Eva Hanscom wrote a blog that asked how the loss of 100 million+ records could go undetected in multiple breaches.
She notes that, “During the aftermath of breaches that result in the theft of massive amounts of data, many people wonder how cybercriminals could exfiltrate so much data without being detected. Unfortunately, cybercriminals have become quite adept at using our most powerful security solutions against us.” Those “powerful security solutions” Eva refers to are the keys and certificates that identify machines to authorize connections and communication. In the case of Equifax, what should have been a secure tunnel for the safe transmission of legitimate data became a secure tunnel for exfiltrating stolen private financial records.
This GAO report should silence anyone who questions the value of maintaining strong control over your entire inventory of machine identities. If the traffic inspection certificate had been replaced soon after if expired, the breach would very likely have been contained sooner, depriving the world of a ton of sensational headlines—not to mention lost business, clean up and investigation costs. And that’s just for starters. Not only were there ICO fines, multiple lawsuits and lost government contracts, half of the executive team was replaced. Yes. It’s a bit of a stretch, but this may be the first documented case of executives being fired (or retired), in part, over an expired certificate.
My former ISMG colleague Mat Schwartz, executive editor of DataBreachToday, has written a great overview of the GAO report, going over the five key factors that led to such a damaging data breach. I’ve paraphrased his words below (but I recommend reading his article in full when you have a moment):
It will be years before we can completely quantify the damage caused by the Equifax breach. If you’re an American, the likelihood you weren’t affected by it is small, and the likelihood that you don’t know someone who wasn’t affected by it is nonexistent. Breaches like this usually result in an increase in spear-phishing scams, ominous robocalls from chatbots purporting to be the IRS and most recently, the increasingly sophisticated voice phishing scams that use real people and robots that sound more human than ever before (also known as vishing). Brian Krebs recently analyzed how these types of attacks can get a big boost after a breach like the one that occurred at Equifax.
But I hope we also remember the real importance of machine identities to the security strategies of every organization. What may have seemed a relatively minor event—an expired certificate—turned into a key contributor that prolonged a major breach, and in all likelihood, allowed it to become one of the biggest breaches of all time.
How well do you manage your machine identities?