Equifax Breach Postmortem: Top Mistakes Enterprises Should Avoid
The Equifax hack needs no introduction: one third of Americans lost their social security numbers to this single breach. Here are some of the top mistakes and lessons from the Equifax breach from my perspective. I would invite all of you to add your comments and thoughts as well.
1. Patch on time (Yawn ..)
Most breaches happen not because of zero days but because of known vulnerabilities. Put a strong vulnerability management and patching program in place. Finding the vulnerabilities is the low-hanging fruit; actually patching them is much tougher, because even when a vulnerability is known, operational reasons such as potential business downtime get in the way.
2. If you can’t patch, build compensatory controls
Sometimes patching is difficult or not feasible. However, you can put compensatory controls in place, such as a Web Application Firewall configured for the vulnerability in question. You can create special rules for your SOC to detect early triggers related to the known unpatched vulnerability. There are also newer and emerging technologies, such as RASP, among others.
3. Ensure Data Encryption
Getting hacked is common and we should assume that it will happen. Encryption is an absolute must.
4. Use Open Source with Care
If you use open source, then conducting source code analysis or software composition analysis (SCA) is a good idea. Using open source does not by itself make you more or less secure; what matters is how you handle it.
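As an added illustration of the software composition analysis mentioned above (not code from the original post), the script below parses a constructed pip-style manifest and matches each dependency against a constructed advisory feed. It compares versions numerically, since a plain string comparison would wrongly rank "2.3.31" below "2.3.5".

```python
"""Minimal software composition analysis (SCA) check.

Added example, not from the original post. The manifest and the advisory
feed below are constructed sample data; a real SCA tool would pull
advisories from a vulnerability database instead.
"""
import re

# Constructed manifest in pip requirements style: name==version
MANIFEST = """
web-framework==2.3.31
json-lib==1.4.0
log-lib==2.17.1
"""

# Constructed advisory feed: (package, first vulnerable, first fixed, advisory id)
ADVISORIES = [
    ("web-framework", "2.3.5", "2.3.32", "ADV-EXAMPLE-0001"),
    ("json-lib", "1.0.0", "1.3.5", "ADV-EXAMPLE-0002"),
    ("log-lib", "2.0.0", "2.17.1", "ADV-EXAMPLE-0003"),
]


def parse_version(v):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return {package: version} from name==version lines; skip blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Report dependencies whose version lies in the half-open range [introduced, fixed)."""
    findings = []
    for pkg, introduced, fixed, adv_id in advisories:
        if pkg not in deps:
            continue
        v = parse_version(deps[pkg])
        if parse_version(introduced) <= v < parse_version(fixed):
            findings.append((pkg, deps[pkg], adv_id, fixed))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv, fixed in find_vulnerable(parse_manifest(MANIFEST)):
        print(f"{pkg} {ver}: affected by {adv}, upgrade to {fixed}")
```

Only web-framework is flagged: json-lib is past its fix, and log-lib sits exactly on the fixed version, which the half-open range correctly treats as patched.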
5. Keep an eye on Open Source Intel
Equifax was known to have a poor patching record and a poor security score on various open source intelligence platforms. Keeping an eye on OSINT and threat intel helps you get a picture of how you look from the outside.
6. Measure/Benchmark your security program
You can measure and benchmark your security program against various models, such as NIST's, or use expert solution providers. Understanding your security from a holistic perspective is the first step towards defining your security strategy.
7. Manage Vendor and Ecosystem Risk
Your business can be impacted by your vendors and partners. Keeping an eye on risks in your ecosystem is possible through various models, such as questionnaires (less effective), audits, or threat intelligence providers.
8. Invest in Detection, Response and Recovery
You cannot always protect. You should assume that you will be hacked, so you need a strong capability to detect attacks, and to respond and recover in case you are breached.
9. Invest in Application security program
An application security program can have as many as 70+ activities. Check out OWASP OpenSAMM. It is not just about pen testing. Consider other aspects such as vendor risk management, testing like SAST/DAST/IAST, architecture review, training and many more.
10. Hire strong security leadership
Hiring an experienced team is a must. It is necessary, but not sufficient: whatever you do, you cannot ensure that you will never be hacked. However, having a poor team will increase your risk.
11. Management Awareness and Involvement
The CEO, board and management need to be aware of the security risks. It is important to create alignment on understanding the risks and deciding which risks are acceptable, so that technology and business are aligned. Management should ask the CISO the right questions. It may not be a bad idea to have an advisor or board member who is experienced in security.