Equifax breach and security basics in a digital world
- Breach was discovered on July 29th 2017
- The breach method was via Apache (a web server application) using a vulnerability known as Apache Struts CVE-2017-5638
- This was considered a critical vulnerability and should have been patched within 72 hours or 1 week maximum.
- 150 million + effected by the breach that is known at this time
- Personal data that was breached includes birth dates, credit card numbers and more
- Possible insider trading from executives 1-2 days prior to the announcement of the breach
- The breach was easily preventable. The software vulnerability used in the hack was announced on March 7th and patched the same day (some modifications to that patch were made on March 10th). Equifax IT didn’t start to even work on looking into what needed to be patched and how to implement the patches until mid-May and still hadn’t implemented any patches by September!!!
- Find out if you have you been compromised.
1a. Here is how you can do it: http://www.businessinsider.com/equifax-data-breach-how-to-check-if-youre-affected-2017-9
1b. Equifax is offering a credit monitoring service through TrustedID if you agree to the terms of service and accept the monitoring service you are giving up your right to sue Equifax in the event that the breach affects you.
- Use secure passwords and don’t keep using the same password over and over.
2a. Use a different password for every email and every financial institution you interact with. Your e-mail account is your central hub if anyone gains access to it they can reset passwords for any website you have that e-mail account connected to. Use a password manager like Last Pass, Dash Lane, True Key, Keeper, Sticky Password, etc.
2a.1. Make sure you encrypt these password databases and password protect the database and then make a paper backup of your password and a digital backup of the database and decryption key.
2b. Do not ever store usernames, emails addresses or passwords in your browsers on any computer you use personal, work and especially not public or multi-user accessible. Clear your browsing history and cookies regularly.
2c. You know this one: Keep your passwords complex…no easy to guess information like birthdays, last 4 digits of your social security number, license numbers, membership club numbers, addresses, dictionary words, names, etc. Use a combination of number, upper case letters, lower case letters and symbols and at least 8 characters long preferably 12 (is becoming the new standard).
- Things to watch for and other facts
3a. Watch for suspicious activity on your credit cards, bank accounts and use a credit monitoring service. At this point with so many data breaches happening (we only hear about a few major ones) everyone should be on a credit monitoring service. It’s a sad reality but large corporations don’t take IT security serious enough and neither do state or federal governments.
3b. The data will most likely be sold on the dark web for bitcoin or another coin on a website similar to Alpha Bay (recently shutdown) which is a successor to the famous Silk Road and Silk Road 2.0.
3c. The big problem with large corporations in IT besides the constrained budgets and extremely long working hours is the inability to keep track of the hundreds and sometimes thousands of applications being used. That is one of several reasons why it took Equifax so long to even figure out what needed to be patched. This is now an emerging market in IT and only a couple of companies are offering a platform for tracking all open source and some closed source code used in various applications at the enterprise level. Those companies are SonaType (USA based) and JFrog (Israel based).
If you need any assistance setting up and securing your home or business networking, passwords or having a security evaluation I would be happy to help you!
Joe@TurboTechnicians.com or 860-874-7719