Equifax Risk Assessment of Information Security

Executive Summary

This paper addresses the information security issues of the credit reporting agency (CRA) Equifax that took place in 2017. Due to certain vulnerabilities in Equifax’s information security architecture, hackers were able to gain access to the personal information of approximately 145 million consumers. The purpose of this paper is to address what happened to cause this breach.  Second, question is what vulnerabilities can be exploited for events like these to occur. As well as present a risk profile will be presented and then how will those risks be mitigated.

Background

Equifax Ltd is one of the three largest credit bureaus (Transunion &Experian) that consumers can view their credit report, or businesses can check how well a customer can handle their business affairs. Equifax was founded under the name of the Retail Credit Company in 1899 in Atlanta, GA (Equifax, 2019). Equifax offers credit monitoring solutions for businesses, personal, and for the government agencies (Equifax, 2019). According to the Equifax website, operates in twenty-four countries, is on the Standard and Poor’s (S&P) 500 index, New York Stock Exchange (NYSE) and employs 10,400 employees’ worldwide (Equifax, 2019).

What Happened?

Over the past few years Equifax has had several information security issues occur that could have been avoided. Most recently was the breach that occurred in 2017 that effected a reported 145 million consumers.  This breach was a major blow to the consumers trust and one that could have been avoided by following protocol. Not following through with a minor adjustment caused millions of consumers from both the public and private sector personal information to be compromised.

 According to a report by the Government Accountability Office (GAO) in March of 2017, attackers became aware of a known software vulnerability within Equifax’s online dispute portal. This vulnerability would allow attackers to access the Equifax system (United States Government Accountability Office, 2018). Two months later the attackers began to utilize the Equifax vulnerability and began extracting data that contained customers personal identifiable information (PII) (United States Government Accountability Office, 2018). The Attackers were able to go undetected for a period of time because they used techniques to disguise their movements. The breach wasn’t discovered until July 29 of 2017.  The GAO report concluded that Equifax did do its due diligence to address the breach, as well as take steps to identify and then notify the victims of the breach (United States Government Accountability Office, 2018).

How it Happened?

Vulnerabilities and Predisposing Conditions

At the time of the breach Equifax was operating under an open source software programing framework called Apache Struts. According to Common Vulnerabilities and Exposures (CVE), “An error with Jakarta Multipar Parser in Apache Struts had an incorrect exception handling and error-message generation during file-upload attempts, which allows, remote attackers to execute arbitrary commands via a crafter content-type, content- disposition, or content-length HTTP header, as exploited in the March 2017 with a content -type header containing a #cmd=string (National Institute of Standards and Technology, 2018)”

 According to the Apache Software foundation, the reason this vulnerability occurred is that, “there was a vulnerability in the “REST” plugin for Struts that may have allowed the execution of malicious code, which then accessed data from internal systems (Apache Struts Project Management Committee, 2017).”  According to the article, “Lessons About Open Source Software from the Equifax hack we learn that “REST” is a format of web-services that consumers can use to help retrieve or to update their  login data (Upreti, 2017).  The REST format that was used by Equifax was their customer dispute website (Electronic Privacy Information Center, 2019).

 This is where the hackers were able to access millions of customers data. Though during the time Equifax security was alerted to the Apache Struts CVE-2017-5638 vulnerability it had been 145 days since the initial breach. The Electronic Privacy Information Center shared that during the initial breach, the security system that the information security department did run scans for Apache Struts vulnerabilities (Electronic Privacy Information Center, 2019).  Because they were aware of the issue with Apache Struts, however, the scans did not pick up this particular vulnerability.  Once the Equifax became aware of the breach information security department sent out a patch to all department heads. Once an outside firm hired to investigate the breach it was discovered that this breach not only affected 145 million Americans, 8,000 Canadians, and 693,665 consumers from the United Kingdom (Electronic Privacy Information Center, 2019). The information that was compromised was user’s PII such as social security numbers, names, birthdates, addresses, and some drivers’ licenses.

During this event Equifax created a separate domain to help customers find out whether they had been affected by this particular breach (Electronic Privacy Information Center, 2019). The customers that decided to freeze their accounts were given pin number to access the separate domain.  As customers tried to access this domain many of the customers browsers flagged this site for possibly being a phishing threat (Electronic Privacy Information Center, 2019).  This is because the pin numbers that were generated corresponded to the date and time of the breach so the pin number would be easy for hackers to figure out (Electronic Privacy Information Center, 2019).

Some other events that exposed Equifax’s information security is the lacked protocols in patch management, poor breach preparation, and lack of software inventory (Rothke, 2019). According

to a United States Senate briefing, an audit of Equifax’s information systems found that at the time of the breach there was poor patch management (Permanent Subcomittee on Investigations, 2017).  This is because the information system security practioners(s) (ISSP) did not follow their own protocol. This is evident by the delayed response in sending out a patch for the Apache Struts breach.

Equifax patch protocol states that a “critical patch should be distributed within forty-eight hours from the time of release (Permanent Subcomittee on Investigations, 2017).”  This particular patch was not distributed until five months later (Permanent Subcomittee on Investigations, 2017).” Equifax had a delayed response in applying the update and that was how the breach took place.  At the time of the breach Equifax relied on an honor system for patch management.  The departments involved were tasked with applying scans that would find vulnerabilities in their systems. If those particular scans found no vulnerabilities, there would be no patches distributed (Permanent Subcomittee on Investigations, 2017).

Impact to the Business

The impact to Equifax and its customers created a significant impact. For Equifax’s part some of the federal government contracts they held with the Internal Revenue Service (IRS), Social Security Administration (SSA), and the United States Postal Service (USPS) became in jeopardy. According to the GAO, the Internal Revenue Service (IRS) wanted to pull out of the contract that had with Equifax and use another vendor. Equifax protested this action and won a short-term contract with the IRS (United States Government Accountability Office, 2018). However, after further examination by the GAO, the IRS won their case to use another credit reporting agency, Experian (United States Government Accountability Office, 2018). This breach was also a hit to Experian financially through lower market values, lawsuits, potential investors. But the most important impact to Experian should be the affect this event has on its customers. With the exposure of personal identifiable information, some customers identities could potentially be stolen. Their social security numbers can be used to open credit cards and harm their potential purchasing power. 

Missing Controls

The missing controls in this breach were patch management governance, defense in depth, and Inefficiency in applying an intrusion detection system or an intrusion prevention system.

According to an article called “Patch Management”, “ patch management should be based on an assessment that balances the security and down time risk of a security breach with the cost, disruption and availability risks associated with frequent and rapid deployment of software patches (The Government of the Hong Kong Special Administrative Region, 2008).” Although Equifax had a patch system in place.  They did not have the web application that presented the vulnerability fully patched and that is why the attackers were able to access the personal information of the customers. Having a defense in depth strategy will ensure that there will be multiple layers of security in place for added protection.

If Equifax would had either an intrusion detection or prevention plan in place, the information security department would have had a quicker response to the breach. Having these particular systems in place will help the IT department detect any change in the systems behavior.

Recommendations

Table 1: Threat Sources

The following tables from the NIST SP 800-30 were used to assign values to likelihood, impact, and risk:

Table 2: Assessment Scale – Likelihood of Threat Event Initiation (Adversarial)

Table 3: Assessment Scale – Likelihood of Threat Event Occurrence (Non-adversarial)

Table 4: Assessment Scale – Impact of Threat Events

Table 5: Assessment Scale – Level of Risk

Table 6: Assessment Scale – Level of Risk (Combination of Likelihood and Impact)

Risk Assessment Approach

Determine relevant threats to the IS. List the risks to the IS in the Risk Assessment Results table below and detail the relevant mitigating factors and controls. Refer to NIST SP 800-30 for further guidance, examples, and suggestions.

Risk Assessment Results

* Likelihood / Impact / Risk = Very High, High, Moderate, Low, or Very Low