This question was recently answered, as Equifax announced, “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.”
What’s so bad about this disclosure? Well, as it turns out, the patch for this vulnerability had already been made available — months before the breach occurred.
This brings with it multiple concerns. For one, Equifax is not going to win back any consumer confidence with the admission that it either knowingly chose not to update its systems or failed to notice that a patch was available. And two, if this could happen to a huge company like Equifax, then who isn’t at risk?
Year After Year Growth
2016 was the biggest year on record when it comes to data breaches, but 2017 is shaping up to be even worse. A selection of large data breaches this year includes:
- FAFSA: IRS Data Retrieval Tool – Up to 100,000 taxpayers had information stolen via a compromised data tool used in connection with the Free Application for Federal Student Aid (FAFSA)
- UNC Health Care – Roughly 1,300 women who completed pregnancy home risk screening forms at prenatal appointments between 2014 and 2017 had their personal information sent to incorrect county offices, exposing this data
- Gmail – An estimated 1 million users were affected by a phishing scam in which users received official-looking emails from an attacker impersonating Google
- Verizon – Verizon suffered a data breach that could affect up to 14 million subscribers
Keep in mind, this is just a sampling of breaches that have been reported this year. There are many, many more. These examples range from truly enormous — like the Equifax breach — to smaller cases like UNC Health Care. Collectively, these demonstrate that any organization, regardless of size or industry, can fall victim to cyber attackers whose tactics are constantly evolving. So, what should you do?
When you read about how these breaches occur, they may seem so simple that you can easily tell yourself that your organization won’t make those same mistakes. Equifax missed a patch? That won’t happen to you; that’s so basic!
Unfortunately, humans make errors like this all the time. The only way to truly protect yourself is to build a cybersecurity infrastructure around your organization that will catch and fill in these inevitable cracks.
BAI Security’s Red Team Assessment is an example of a service that performs an in-depth evaluation of the real-world efficacy of your security controls in the same way a motivated hacker would — but with a white-hat approach. The assessment includes an array of attack methods used in modern-day breaches to uncover weaknesses in the design, technology, procedures and personnel associated with your overall security posture.
We strongly recommend that all organizations undergo this or similar testing. As seen in recent breaches, even a 100% compliant organization can be vulnerable due to a wide range of overlooked weaknesses. It’s far better to realize and remediate those weaknesses before a major incident sidelines your organization and forces your good name into the headlines.