We all my have heard about the Equifax security breach. The core of the issue was an attacker was able to exploit a known vulerablilty in one of their web servers. This exploit allowed the hacker to gain access to the internal network and ultimately steal personal information such as social security number, driver license number, name and address among other personal information for roughly 143 million customers.
The vulnerability was discovered and a patch was released in March of 2017. This means that the Equifax patching team had over two months to patch the vulnerability which would have thwarted hackers attempts to comprimise the system. Hoevere, Equifax did not patch their systems and the data was stolen sometime in mid May of 2017. Things got worse from there. The company did not report the breach for another six weeks and there were also reports of seniro executives selling Equifax stocks prior to the public being notified of the breach.
In investigation is still ongoing, but it is clear, all security architecture, processes and procedures completely broke down at this company. As we move faster with the implementatiions of technology and with machine learning and AI becoming more pervasive in our personal and professional lives. It is imperative that not only individuals, but companies step back and take a hard look at their security architectures and risk management. This was a completely avoidable event and should never have happened.
With the increase in devices that create data and the systems that use data, there has been a paradigm shift in how to security data. Typically, in the past, data has been secured in siloed application or file share. Users with access would then consume the data form those locations. IN this model there were many security measures in place, but limited to the systems and file stores. Now, we must look at how to secure the data itself, regardless of its location.
Data classification is almost as elusive as big foot, companies like the idea but rarely implement such a process. As we explode with data, we need to understand the type of data we are generating and what type of risk it opens. For example, data that may be generated from systems that show general health or telemetry data should not be protected in the same way as some financial or intellectual property data. Therefore, there should be a multi-layer approach and security should be applied to the data regardless of its location.
Security controls need to adapt to the new way data is used and how it is transferred. Companies should start taking a more risk based approach to data security. Additionally, they should start leveraging technologies such as application firewalls, certificate and multi-factor based authentication. Ensure backups are stable and solid and test restores. Encrypting all data, data should never be stored or transferred un-encrypted. Lastly companies should constantly test their controls. You never know where your weaknesses are until you test and you never know what can be possible until you test against that threat. This helps fortify areas that may otherwise be weak.
Encryption is the process of changing the presentation of information in a way that is unreadable to others unless they have a key which deciphers the data back to its readable format. With the explosion in the amount of data created; encryption has become more popular because a lot of this new data could be very damaging if it were to be compromised. Companies, governments and individuals have been using encryption to secure data for years. The challenge has always been keeping up with the encryption algorithms. Because faster computers and more intelligent algorithms keep cracking the encryption. For example; DES was one of the first encryption standards used, and has since been replaced by triple DES and other encryption standards due to its vulnerability to be cracked by high performing computers.
With the recent data breaches and more ransomware attacks, companies will begin to escalate their encryption competencies and start to use this as a strategic position to protect their customers data and their intellectual property.
Chicago Tribune. (September, 2017). The Equifax Breach: What lesson will other companies learn?. Retrieved from https://search-proquest-com.ezaccess.libraries.psu.edu/docview/1938147054?pq-origsite=summon&https://search.proquest.com.ezaccess.libraries.psu.edu/usmajordailies?accountid=13158
Wikipedia. (September, 2017). Retrieved from https://en.wikipedia.org/wiki/Equifax
Gerber, S. August 23. 13 Ways companies should improve their data security in the age of IoT. Retrieved from https://thenextweb.com/entrepreneur/2016/08/23/13-ways-companies-improve-data-security-age-iot/