
GAO Report: Expired Certificate Allowed Extended Exfiltration

Equifax Expired Certificate Breach
November 9, 2018 | Robyn Weisman

Last month, the U.S. Government Accountability Office released a comprehensive report on last year’s Equifax breach. The most noticeable problem shouldn’t be surprising, given that I work at Venafi: Equifax had a security device tasked with inspecting network traffic for suspicious packets, and that device’s digital certificate had already expired at the time of the breach. In itself, that wasn’t a big deal, because keys and certificates expire all the time. What blew me away was that it was not replaced for 10 months.

I was not entirely surprised by the revelation of the role the expired certificate played. Nearly two years ago, Eva Hanscom wrote a blog post asking how the loss of more than 100 million records could go undetected across multiple breaches.

She notes that, “During the aftermath of breaches that result in the theft of massive amounts of data, many people wonder how cybercriminals could exfiltrate so much data without being detected. Unfortunately, cybercriminals have become quite adept at using our most powerful security solutions against us.” Those “powerful security solutions” Eva refers to are the keys and certificates that identify machines to authorize connections and communication. In the case of Equifax, what should have been a secure tunnel for the safe transmission of legitimate data became a secure tunnel for exfiltrating stolen private financial records.   

This GAO report should silence anyone who questions the value of maintaining strong control over your entire inventory of machine identities. If the traffic inspection certificate had been replaced soon after it expired, the breach would very likely have been contained sooner, depriving the world of a ton of sensational headlines—not to mention lost business, clean-up and investigation costs. And that’s just for starters. Not only were there ICO fines, multiple lawsuits and lost government contracts, but half of the executive team was replaced. Yes, it’s a bit of a stretch, but this may be the first documented case of executives being fired (or retired), in part, over an expired certificate.

While it could happen to anyone, exactly what happened at Equifax

My former ISMG colleague Mat Schwartz, executive editor of DataBreachToday, has written a great overview of the GAO report, going over the five key factors that led to such a damaging data breach. I’ve paraphrased his words below (but I recommend reading his article in full when you have a moment): 

  • Ineffective Identification: US-CERT’s March 2017 Apache Struts vulnerability alert failed to reach the proper recipient at Equifax because the distribution list was out of date. As a result, the needed patch was not installed, giving the attackers a means to enter the Equifax network.
  • Poor Detection: As already discussed, the digital certificate of the security device tasked to inspect network traffic expired 10 months before the breach. Because no one at Equifax noticed it had expired, no one was aware that encrypted traffic, including the attackers’ malicious traffic, was not being inspected. 
  • No Segmentation: Equifax did not isolate databases on separate network segments. This lack of segmentation made it easy for the attackers to move laterally across dozens of other databases that held personally identifiable information (PII). 
  • Poor Data Governance: The attackers succeeded in accessing a database containing unencrypted credentials for its administrators, which were leveraged in the attack. Clearly, proper data governance would have required that these credentials be stored in a secure, encrypted manner. 
  • No Query Limits: Equifax did not have any query restrictions in place that would have stopped the attackers once they exceeded a set number of queries. As a result, the attackers performed around 9,000 queries—a ridiculously high number.
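As an added illustration (not from the GAO report or from this post), here is the kind of check a machine-identity inventory needs in order to catch the "Poor Detection" failure above: a minimal DER walker that reads notAfter out of each X.509 certificate and flags entries that have expired or are about to. The certificates are constructed stand-ins built inside the block, and device names such as traffic-inspector are assumed placeholders.

```python
from datetime import datetime, timezone

def _der(tag, body):  # one short-length DER element, enough for the constructed sample
    return bytes([tag, len(body)]) + body

def make_test_cert(not_after):
    """Constructed, unsigned stand-in carrying only the fields the walker reads."""
    validity = _der(0x30, _der(0x17, b"170101000000Z")
                    + _der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode("ascii")))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version, serial
           + _der(0x30, b"") + _der(0x30, b"") + validity)        # sigalg, issuer
    return _der(0x30, _der(0x30, tbs))

def _tlv(data, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length, as in real certs
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])   # Certificate SEQ -> tbsCertificate SEQ
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos        # skip optional [0] EXPLICIT version
    for _ in range(3):                       # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)               # validity SEQUENCE
    _, _, pos = _tlv(der, pos)               # notBefore, skipped
    tag, start, end = _tlv(der, pos)         # notAfter: UTCTime 0x17 / GeneralizedTime 0x18
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiry_report(inventory, now, warn_days=30):
    """Map name -> ('EXPIRED', days overdue) or ('EXPIRING' | 'OK', days left)."""
    report = {}
    for name, der in inventory:
        na = cert_not_after(der)
        days = (now - na).days if na <= now else (na - now).days   # overdue, or left
        state = "EXPIRED" if na <= now else ("EXPIRING" if days <= warn_days else "OK")
        report[name] = (state, days)
    return report

def demo_report():  # constructed inventory checked as of 9 Nov 2018, this post's date
    inventory = [(n, make_test_cert(datetime(*d, tzinfo=timezone.utc))) for n, d in [
        ("traffic-inspector", (2018, 1, 9)), ("web-frontend", (2018, 11, 20)),
        ("db-proxy", (2019, 11, 9))]]
    return expiry_report(inventory, datetime(2018, 11, 9, tzinfo=timezone.utc))
```

Feeding cert_not_after real DER certificates from a device inventory (and alerting on anything EXPIRED or EXPIRING) is the routine check that would have surfaced the 10-month gap the report describes.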

It will be years before we can completely quantify the damage caused by the Equifax breach. If you’re an American, the likelihood that you weren’t affected by it is small, and the likelihood that you don’t know someone who was affected by it is nonexistent. Breaches like this usually result in an increase in spear-phishing scams, ominous robocalls from chatbots purporting to be the IRS and, most recently, increasingly sophisticated voice phishing scams (also known as vishing) that use real people and robots that sound more human than ever before. Brian Krebs recently analyzed how these types of attacks can get a big boost after a breach like the one that occurred at Equifax.

But I hope we also remember the real importance of machine identities to the security strategies of every organization. What may have seemed a relatively minor event—an expired certificate—turned into a key contributor that prolonged a major breach, and in all likelihood, allowed it to become one of the biggest breaches of all time.  

How well do you protect your machine identities?  

About the author

Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.
