Weeks after the cover was blown about the Equifax breach, the incident has become established as one of the biggest and most detrimental attacks on online consumers ever. The actual volume of data exposed aside, what makes the Equifax hack so bad is not only the highly sensitive nature of the information, but that recovery and mitigation of the damage is moving at a sluggish pass, with thousands of customers still unable to reach the company in order to freeze their credit.
For security experts, the pressing question quickly became: How did it happen?
There is reason to believe that unpatched software was Equifax’s Achilles heel. In the most recent revelation on the Equifax breach, many experts are pointing to vulnerabilities in an old version of Apache Struts software as the point of entry for hackers.
Apache Struts is a software toolkit that creates Java-based web applications that run a website. The vulnerability that was announced by Apache in March, allows hackers to send an HTTP request to a system in a specialized syntax that fools it into granting administrative access.
Equifax uses the Apache program to support its online dispute portal where Equifax customers go to log issues with their credit reports. Obviously this portal contains the personal details of all the clients who use it including credit card and social security numbers.
And here’s where it gets a bit scandalous.
In March of this year, a cybersecurity arm of the U.S. Department of Homeland Security, US-CERT, identified and disclosed the Apache Struts flaw. Equifax, according to its own admission, was aware of the security flaw shortly after the announcement. This means that the company knew about the vulnerability a full two months before hackers first gained accessed to its data in May exploiting those very flaws.
Here Equifax is essentially admitting to delaying the patching of software they knew was compromised.
Understandably, news of the Apache Struts involvement in this massive hack prompted a response from the program’s creators. The Apache Struts Project Management Committee wrote in a blog post that development teams put “enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention” and that hackers were able to breach the Apache program being used by Equifax only because the company had neglected to patch it.
The truth is, the Apache flaw in question was fully disclosed by the National Vulnerabilities Database in March, only strengthening the fact that it was on Equifax to have done their due diligence in their software upkeep.
Zooming out on the lessons for the whole industry:
Apache Struts is an incredibly popular platform for creating websites through Java. The program is known to be used by major tech firms and government contractors including names like Lockheed Martin, Citigroup, and Vodafone. The fact that the program is incredibly popular proves its effectiveness, both a logistical as well as a security perspective, however this popularity has a major down side. The fact that Apache Struts protects the data troves of such organizations makes it a prime target for hackers seeking to identify flaws in the program’s code.
The identifying and disseminating of program code has fueled an entire illegal industry, in which hackers sift through endless lines of code to pinpoint vulnerabilities and then sell them to other cyber criminals as tools to carry out hacks. The more common a program is, the more valuable an identified flaw becomes.
This only increases the responsibility of company using such a program, as well as the need to monitor code and requests being executed, something that according to many experts, was clearly not undertaken by Equifax IT.
The enormity of the Equifax breach will likely continue to produce effects over the next several months, most likely including Congressional investigations and legislation. As for the industry, this incredible hack will only serve as a wake-up call for firms and their cyber teams about the dynamic nature of data security and the need to stay one step ahead of the bad guys.
What’s the Difference Between Authentication and Authorization?