Executive Summary
This paper addresses the information security issues of the credit reporting agency (CRA) Equifax that took place in 2017. Due to certain vulnerabilities in Equifax’s information security architecture, hackers were able to gain access to the personal information of approximately 145 million consumers. The purpose of this paper is to address what happened to cause this breach. Second, question is what vulnerabilities can be exploited for events like these to occur. As well as present a risk profile will be presented and then how will those risks be mitigated.
Background
Equifax Ltd is one of the three largest credit bureaus (Transunion &Experian) that consumers can view their credit report, or businesses can check how well a customer can handle their business affairs. Equifax was founded under the name of the Retail Credit Company in 1899 in Atlanta, GA (Equifax, 2019). Equifax offers credit monitoring solutions for businesses, personal, and for the government agencies (Equifax, 2019). According to the Equifax website, operates in twenty-four countries, is on the Standard and Poor’s (S&P) 500 index, New York Stock Exchange (NYSE) and employs 10,400 employees’ worldwide (Equifax, 2019).
What Happened?
Over the past few years Equifax has had several information security issues occur that could have been avoided. Most recently was the breach that occurred in 2017 that effected a reported 145 million consumers. This breach was a major blow to the consumers trust and one that could have been avoided by following protocol. Not following through with a minor adjustment caused millions of consumers from both the public and private sector personal information to be compromised.
Get Help With Your Essay
If you need assistance with writing your essay, our professional essay writing service is here to help!
Essay Writing Service
According to a report by the Government Accountability Office (GAO) in March of 2017, attackers became aware of a known software vulnerability within Equifax’s online dispute portal. This vulnerability would allow attackers to access the Equifax system (United States Government Accountability Office, 2018). Two months later the attackers began to utilize the Equifax vulnerability and began extracting data that contained customers personal identifiable information (PII) (United States Government Accountability Office, 2018). The Attackers were able to go undetected for a period of time because they used techniques to disguise their movements. The breach wasn’t discovered until July 29 of 2017. The GAO report concluded that Equifax did do its due diligence to address the breach, as well as take steps to identify and then notify the victims of the breach (United States Government Accountability Office, 2018).
How it Happened?
Vulnerabilities and Predisposing Conditions
At the time of the breach Equifax was operating under an open source software programing framework called Apache Struts. According to Common Vulnerabilities and Exposures (CVE), “An error with Jakarta Multipar Parser in Apache Struts had an incorrect exception handling and error-message generation during file-upload attempts, which allows, remote attackers to execute arbitrary commands via a crafter content-type, content- disposition, or content-length HTTP header, as exploited in the March 2017 with a content -type header containing a #cmd=string (National Institute of Standards and Technology, 2018)”
According to the Apache Software foundation, the reason this vulnerability occurred is that, “there was a vulnerability in the “REST” plugin for Struts that may have allowed the execution of malicious code, which then accessed data from internal systems (Apache Struts Project Management Committee, 2017).” According to the article, “Lessons About Open Source Software from the Equifax hack we learn that “REST” is a format of web-services that consumers can use to help retrieve or to update their login data (Upreti, 2017). The REST format that was used by Equifax was their customer dispute website (Electronic Privacy Information Center, 2019).
This is where the hackers were able to access millions of customers data. Though during the time Equifax security was alerted to the Apache Struts CVE-2017-5638 vulnerability it had been 145 days since the initial breach. The Electronic Privacy Information Center shared that during the initial breach, the security system that the information security department did run scans for Apache Struts vulnerabilities (Electronic Privacy Information Center, 2019). Because they were aware of the issue with Apache Struts, however, the scans did not pick up this particular vulnerability. Once the Equifax became aware of the breach information security department sent out a patch to all department heads. Once an outside firm hired to investigate the breach it was discovered that this breach not only affected 145 million Americans, 8,000 Canadians, and 693,665 consumers from the United Kingdom (Electronic Privacy Information Center, 2019). The information that was compromised was user’s PII such as social security numbers, names, birthdates, addresses, and some drivers’ licenses.
During this event Equifax created a separate domain to help customers find out whether they had been affected by this particular breach (Electronic Privacy Information Center, 2019). The customers that decided to freeze their accounts were given pin number to access the separate domain. As customers tried to access this domain many of the customers browsers flagged this site for possibly being a phishing threat (Electronic Privacy Information Center, 2019). This is because the pin numbers that were generated corresponded to the date and time of the breach so the pin number would be easy for hackers to figure out (Electronic Privacy Information Center, 2019).
Some other events that exposed Equifax’s information security is the lacked protocols in patch management, poor breach preparation, and lack of software inventory (Rothke, 2019). According
to a United States Senate briefing, an audit of Equifax’s information systems found that at the time of the breach there was poor patch management (Permanent Subcomittee on Investigations, 2017). This is because the information system security practioners(s) (ISSP) did not follow their own protocol. This is evident by the delayed response in sending out a patch for the Apache Struts breach.
Equifax patch protocol states that a “critical patch should be distributed within forty-eight hours from the time of release (Permanent Subcomittee on Investigations, 2017).” This particular patch was not distributed until five months later (Permanent Subcomittee on Investigations, 2017).” Equifax had a delayed response in applying the update and that was how the breach took place. At the time of the breach Equifax relied on an honor system for patch management. The departments involved were tasked with applying scans that would find vulnerabilities in their systems. If those particular scans found no vulnerabilities, there would be no patches distributed (Permanent Subcomittee on Investigations, 2017).
Impact to the Business
The impact to Equifax and its customers created a significant impact. For Equifax’s part some of the federal government contracts they held with the Internal Revenue Service (IRS), Social Security Administration (SSA), and the United States Postal Service (USPS) became in jeopardy. According to the GAO, the Internal Revenue Service (IRS) wanted to pull out of the contract that had with Equifax and use another vendor. Equifax protested this action and won a short-term contract with the IRS (United States Government Accountability Office, 2018). However, after further examination by the GAO, the IRS won their case to use another credit reporting agency, Experian (United States Government Accountability Office, 2018). This breach was also a hit to Experian financially through lower market values, lawsuits, potential investors. But the most important impact to Experian should be the affect this event has on its customers. With the exposure of personal identifiable information, some customers identities could potentially be stolen. Their social security numbers can be used to open credit cards and harm their potential purchasing power.
Missing Controls
The missing controls in this breach were patch management governance, defense in depth, and Inefficiency in applying an intrusion detection system or an intrusion prevention system.
According to an article called “Patch Management”, “ patch management should be based on an assessment that balances the security and down time risk of a security breach with the cost, disruption and availability risks associated with frequent and rapid deployment of software patches (The Government of the Hong Kong Special Administrative Region, 2008).” Although Equifax had a patch system in place. They did not have the web application that presented the vulnerability fully patched and that is why the attackers were able to access the personal information of the customers. Having a defense in depth strategy will ensure that there will be multiple layers of security in place for added protection.
If Equifax would had either an intrusion detection or prevention plan in place, the information security department would have had a quicker response to the breach. Having these particular systems in place will help the IT department detect any change in the systems behavior.
Recommendations
Table 1: Threat Sources
TYPE OF THREAT SOURCE
DESCRIPTION
ADVERSARIAL
Hackers
Individuals, groups, organizations, or states that seek to exploit the organization’s dependence on cyber resources (e.g., information in electronic form, information and communications, and the communications and information-handling capabilities provided by those technologies.
ACCIDENTAL
Negligent employees
Erroneous actions taken by individuals in the course of executing everyday responsibilities.
STRUCTURAL
Apache Struts (open source software)
Use of default pin numbers
Creation of a domain that was flagged a phishing site
Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances which exceed expected operating parameters.
The following tables from the NIST SP 800-30 were used to assign values to likelihood, impact, and risk:
Table 2: Assessment Scale – Likelihood of Threat Event Initiation (Adversarial)
Qualitative Values
Semi-Quantitative Values
Description
Very High
96-100
10
Adversary is almost certain to initiate the threat event.
High
80-95
8
Adversary is highly likely to initiate the threat event.
Moderate
21-79
5
Adversary is somewhat likely to initiate the threat event.
Low
5-20
2
Adversary is unlikely to initiate the threat event.
Very Low
0-4
0
Adversary is highly unlikely to initiate the threat event
Table 3: Assessment Scale – Likelihood of Threat Event Occurrence (Non-adversarial)
Qualitative Values
Semi-Quantitative Values
Description
Very High
96-100
10
Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times per year.
High
80-95
8
Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times per year.
Moderate
21-79
5
Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times per year.
Low
5-20
2
Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Very Low
0-4
0
Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.
Table 4: Assessment Scale – Impact of Threat Events
Qualitative Values
Semi-Quantitative Values
Description
Very High
96-100
10
The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High
80-95
8
The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
Moderate
21-79
5
The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals other organizations, or the Nation.A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
Low
5-20
2
The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Very Low
0-4
0
The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals other organizations, or the Nation.
Table 5: Assessment Scale – Level of Risk
Qualitative Values
Semi-Quantitative Values
Description
Very High
96-100
10
Threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High
80-95
8
Threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Moderate
21-79
5
Threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Low
5-20
2
Threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Very Low
0-4
0
Threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Table 6: Assessment Scale – Level of Risk (Combination of Likelihood and Impact)
Likelihood (That Occurrence Results in Adverse Impact)
Level of Impact
Very Low
Low
Moderate
High
Very High
Very High
Very Low
Low
Moderate
High
Very High
High
Very Low
Low
Moderate
High
Very High
Moderate
Very Low
Low
Moderate
Moderate
High
Low
Very Low
Low
Low
Low
Moderate
Very Low
Very Low
Very Low
Very Low
Low
Low
Risk Assessment Approach
Determine relevant threats to the IS. List the risks to the IS in the Risk Assessment Results table below and detail the relevant mitigating factors and controls. Refer to NIST SP 800-30 for further guidance, examples, and suggestions.
Risk Assessment Results
Threat Event
Vulnerabilities / Predisposing Characteristics
Mitigating Factors
Likelihood
Impact
Risk
Apache Struts
Error in the Jakarta Multipart Parser
Apply a patch to catch the vulnerability
High
High
High
Default Pin
last four digits of an individual’s social security number and their four-digit birth year
Stop using this particular pin.
Have users create their own password but include a hash for Sha-512.
High
High
High
* Likelihood / Impact / Risk = Very High, High, Moderate, Low, or Very Low
Essay Writing Service Features
Our Experience
No matter how complex your assignment is, we can find the right professional for your specific task. Contact Essay is an essay writing company that hires only the smartest minds to help you with your projects. Our expertise allows us to provide students with high-quality academic writing, editing & proofreading services.Free Features
Free revision policy
$10Free bibliography & reference
$8Free title page
$8Free formatting
$8How Our Essay Writing Service Works
First, you will need to complete an order form. It's not difficult but, in case there is anything you find not to be clear, you may always call us so that we can guide you through it. On the order form, you will need to include some basic information concerning your order: subject, topic, number of pages, etc. We also encourage our clients to upload any relevant information or sources that will help.
Complete the order formOnce we have all the information and instructions that we need, we select the most suitable writer for your assignment. While everything seems to be clear, the writer, who has complete knowledge of the subject, may need clarification from you. It is at that point that you would receive a call or email from us.
Writer’s assignmentAs soon as the writer has finished, it will be delivered both to the website and to your email address so that you will not miss it. If your deadline is close at hand, we will place a call to you to make sure that you receive the paper on time.
Completing the order and download