Last month, the U.S. Government Accountability Office released a comprehensive report on last year’s Equifax breach. The most noticeable problem shouldn’t be surprising, given that I work at Venafi. It’s that Equifax had a security device that was tasked to inspect network traffic for suspicious packets, and the device’s digital certificate was expired during the breach. In itself, that wasn’t a big deal because keys and certificates expire all the time. What blew me away was that it was not replaced for 10 months.
I was not entirely surprised by the revelation of the role the expired certificate played. Nearly two years ago, Eva Hanscom wrote a blog that asked how the loss of 100 million+ records could go undetected in multiple breaches.
She notes that, “During the aftermath of breaches that result in the theft of massive amounts of data, many people wonder how cybercriminals could exfiltrate so much data without being detected. Unfortunately, cybercriminals have become quite adept at using our most powerful security solutions against us.” Those “powerful security solutions” Eva refers to are the keys and certificates that identify machines to authorize connections and communication. In the case of Equifax, what should have been a secure tunnel for the safe transmission of legitimate data became a secure tunnel for exfiltrating stolen private financial records.
This GAO report should silence anyone who questions the value of maintaining strong control over your entire inventory of machine identities. If the traffic inspection certificate had been replaced soon after if expired, the breach would very likely have been contained sooner, depriving the world of a ton of sensational headlines—not to mention lost business, clean up and investigation costs. And that’s just for starters. Not only were there ICO fines, multiple lawsuits and lost government contracts, half of the executive team was replaced. Yes. It’s a bit of a stretch, but this may be the first documented case of executives being fired (or retired), in part, over an expired certificate.
While it could happen to anyone, exactly what happened at Equifax
My former ISMG colleague Mat Schwartz, executive editor of DataBreachToday, has written a great overview of the GAO report, going over the five key factors that led to such a damaging data breach. I’ve paraphrased his words below (but I recommend reading his article in full when you have a moment):
Ineffective Identification: US-CERT’s March 2017 Apache Struts vulnerability alert failed to reach the proper recipient at Equifax because the list was out of date. As a result, the needed patch was not installed, giving the attackers a means to enter the Equifax network.
Poor Detection: As already discussed, the digital certificate of the security device tasked to inspect network traffic expired 10 months before the breach. Because no one at Equifax noticed it had expired, no one was aware that encrypted traffic, including the attackers’ malicious traffic, was not being inspected.
No Segmentation: Equifax did not isolate databases on separate network segments. This lack of segmentation made it easy for the attackers to move laterally across dozens of other databases that held personally identifiable information (PII).
Poor Data Governance: The attackers succeeded in accessing a database containing unencrypted credentials for its administrators, which were leveraged in the attack. Clearly, proper data governance would have required that these credentials be stored in a secure, encrypted manner.
No Query Limits: Equifax did not have any query restrictions in place that would have either stopped the attackers from performing beyond a set number. As a result, the attackers performed around 9,000 queries—a ridiculously high number.
It will be years before we can completely quantify the damage caused by the Equifax breach. If you’re an American, the likelihood you weren’t affected by it is small, and the likelihood that you don’t know someone who wasn’t affected by it is nonexistent. Breaches like this usually result in an increase in spear-phishing scams, ominous robocalls from chatbots purporting to be the IRS and most recently, the increasingly sophisticated voice phishing scams that use real people and robots that sound more human than ever before (also known as vishing). Brian Krebs recently analyzed how these types of attacks can get a big boost after a breach like the one that occurred at Equifax.
But I hope we also remember the real importance of machine identities to the security strategies of every organization. What may have seemed a relatively minor event—an expired certificate—turned into a key contributor that prolonged a major breach, and in all likelihood, allowed it to become one of the biggest breaches of all time.