The recent Equifax data breach may be the biggest and most devastating breach of all time. Around 143 million people are affected this time, and if companies were not taking information security seriously yet then they definitely should now. More importantly, there are two extremely important lessons learned from this catastrophe.
Patch, Patch, and Patch Some More
This may be the single most overlooked security measure in all of cybersecurity. Equifax was found to have put off patching a web application for two months. This patch included a fix for a known vulnerability. Instead of promptly taking care of it, Equifax put it off. As it turned out, that two months was all that was needed for the attackers to detect and exploit it.
Companies put off patches and updates for various reasons, many of them the same reasons any of us have for being annoyed by sudden Windows updates. Patches sometimes require restarting the machine they are being applied to, or the services they are intended to fix. For organizations as large as Equifax, this can be troublesome downtime.
Whether the patch is for a lone workstation’s software or a server hosting public services, the vulnerabilities should be taken just as seriously. This data breach is a perfect example of how an unpatched piece of software can prove to be the weakest link in the security of such a huge organization.
Penetration and Vulnerability Testing
The other, and perhaps equally important, lesson learned from this incident is that these vulnerabilities can be found with testing. This is especially true in Equifax’s case, where the vulnerability was known and a patch was ready to be applied.
Most cyber and information security frameworks suggest, or even mandate, annual technical tests be performed. This refers to penetration and vulnerability testing. If an organization can afford it, they should really be done more often than that. For an organization as large as Equifax, it should be done quarterly or more.
When an organization has dozens or hundreds of servers, it will be employing hundreds of different kinds of software and operating systems, and these may be running as thousands of individual instances. Each and every one requires patching and updating, and each patch or update may fix a vulnerability or add features. Either way, it can introduce new vulnerabilities that must then be tested for.
It is important to remember that penetration testing is different from vulnerability testing. In the former, the idea is to actually gain access to protected areas of a network; the latter is more about scanning public-facing or internal systems for known weaknesses. In this case, either could have proven useful to Equifax. While the patch was only available for two months prior to the breach, the vulnerability may have been known and located sooner than that.
More companies need to implement patch management in their security frameworks. If updates that could contain vulnerability fixes get lost and forgotten, it is a safe bet that they will eventually be exploited. This is especially true if you are a massive organization known to store the most sensitive personal data. So check your machines and software for updates and get them installed before someone comes knocking and finds the hollow spot in your wall.
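The patch-management point above, turned into a small check, as an added example that is not part of the original post: given a software inventory, it flags every install whose security fix has been available longer than an agreed SLA (the two-month delay in the Equifax case is exactly the kind of gap this surfaces) and counts the overdue items per host so restart windows can be prioritised. Host names, package names, versions and dates are constructed sample data, not from any real system.

```python
from datetime import date
from typing import NamedTuple, Optional

class Install(NamedTuple):
    host: str
    package: str
    version: str
    fixed_version: Optional[str]   # version containing the security fix, if any
    patch_released: Optional[date] # when that fix became available

# Constructed sample inventory (hypothetical hosts, packages and dates).
INVENTORY = [
    Install("web-01", "web-framework", "2.3", "2.4", date(2017, 5, 29)),
    Install("web-02", "web-framework", "2.4", None, None),          # already current
    Install("db-01", "tls-library", "1.0.2k", "1.0.2l", date(2017, 7, 10)),
    Install("app-01", "runtime", "8u131", "8u141", date(2017, 6, 14)),
]

def pending_days(item: Install, today: date) -> int:
    """Days a security fix has been available but not applied (0 if current)."""
    if item.fixed_version is None or item.patch_released is None:
        return 0
    return (today - item.patch_released).days

def overdue(inventory, today: date, sla_days: int = 30):
    """Return (host, package, days_pending) for every install past the SLA,
    largest exposure window first."""
    hits = []
    for item in inventory:
        days = pending_days(item, today)
        if days > sla_days:
            hits.append((item.host, item.package, days))
    return sorted(hits, key=lambda h: -h[2])

def by_host(hits):
    """Count overdue patches per host, so the hosts needing a maintenance
    window are obvious at a glance."""
    counts = {}
    for host, _, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed "today" for the sample data.
    for host, pkg, days in overdue(INVENTORY, date(2017, 7, 29)):
        print(f"{host:8} {pkg:14} fix pending {days} days")
```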