If you’re not reading this on another planet or in a bunker somewhere, then you’re likely aware of the recent breach of data from credit agency Equifax. Reports indicate that unknown attackers took advantage of a vulnerability in an Equifax web application to purloin personal identifiable information from 143 million people, including Social Security numbers.
And shortly thereafter, all the industry pundits weighed in, pointing fingers in all different directions. The problem is they used open-source code. The problem is that their software development practices need to change. The problem is there is a talent gap that can’t keep up with business changes and technology advances. The problem is that leadership has never taken security as seriously as they should, as they are not up to speed on the amount and danger of the threats out there in the wild.
Sadly, many of those 143 million people are not aware that Equifax even had their data. As regulations allow businesses to sell their lists to other companies, a person downloading music could have his data sold to another company without his knowledge or consent.
One of the things that made this incident even more disturbing than Equifax’s complete disregard for the protection of private, personal data, is that it did not reveal the breach until months after it occurred. Cyber security company eSentire says that one thing being overlooked in many cases is that the breach notices would have required Equifax to report the incident to their clients in 24 hours, not weeks. And, because Equifax retains bigger clients in New York, they are governed by DFS NYCRR rules, which dictate 72 hours for breach reports – again, not weeks. Did their clients receive notification within this timeframe?
Mark Sangster, VP and Industry Security Strategist at eSentire, says, “Given the nature of Equifax data and the magnitude of the breach make this a watershed moment in breach detection and response. Many difficult questions will be asked and become the crux of numerous legal actions that will likely stem from this event. The most obvious, is why it took so long to disclose the breach. The risk to consumers begins to drop exponentially as soon as the breach becomes public, and affected companies and consumers can take defensive measures to protect their financial identity and funds.
Yet, Equifax waited over a month to respond and provide breach notice. Headquartered in Atlanta, Equifax is bound by the state breach notification laws of Georgia, which require a firm to report a breach, stating, ‘The notice shall be made in the most expedient time possible and without unreasonable delay.’ In some circumstances, notification is to be made within 24 hours. Did Equifax meet this requirement and do everything in its power to protect those affected by the breach?
But to fully understand what happened with the Equifax hack, businesses need to understand that software applications are not written from scratch. Rather, 80-90% of a modern application is built using open source components – like Apache Struts (the alleged culprit in the Equifax hack).
According to a recent Sonatype report, software developers download these components from repositories that house billions of open-source software components. Sonatype’s research shows that only 57% of organizations have a software governance
policy, which ensures that development organizations download only approved components, and 65% do not have meaningful controls over what components are in their applications. As Equifax learned the hard way, software components age like milk, not wine — the older a component is, the more likely it is to be either vulnerable or defective.
Wayne Jackson, CEO of Sonatype blames C-level executives. “For far too long, businesses have under-invested in software integrity, relying on network-based defenses that are incapable of protecting many exploit vectors, including those associated with open-source security defects. The Equifax breach and loss of 143 million records (including mine) serves as a painful reminder of why every link in the software supply chain must be automatically and continuously managed. To do otherwise is simply negligent.”
Lev Leshokhin, EVP of strategy and analytics at software quality measuring tool provider CAST Software, says developers today have too narrow a focus and do not consider the business implications of what they create.
“What Equifax brings to light is that we are under a shortage of talented developers and cannot keep up with business demand and tech complexity at the same time, creating further software risk. The solution is NOT to rely on the ability to hire good developers so they write good software – there just aren’t enough skilled developers with whole-system vision to go around. We need to take our most senior developers, have them design the architectures for data protection, and then ensure these architectural constructs are followed by the developer plebiscite with every build.
“What we saw in the CAST survey of developers just released in September,” he continued, “is that only about half (54%) of developers understand the architecture of their overall application. This means that the other half are working in silos and have little to no visibility into how their component can endanger the rest of the system. Combine that with the fact that more than 60% of developers report their dream job is at Google, and you can be sure that software engineers at financial institutions or retailers are bringing down these statistics.”
The harshest criticism of Equifax’s response and explanation was leveled by a software testing expert who wished to remain anonymous to comment on the case. “I heard that Equifax is blaming all this on a bug in some open-source web software. If true, then I call utter bull**** on that. The concept ‘defense in depth’ may have been conceived at night, but it wasn’t conceived ‘last’ night.”
Further, he said the main problem is not so much a lack of technical knowledge but rather a lack of caring. “Notice that immediately, I mean immediately, Equifax tried to turn this into a money-making opportunity, by offering ‘free’ credit monitoring that becomes not free after year… So, to them, this is not a bug, it’s a sales feature.”
The expert went on to say that ultimately, this comes down to Equifax and the other credit bureaus being able to pass on their costs of production failures to their customers. “Once software vendors and companies that use software are held fully accountable for the costs of bugs they put into production, this kind of nonsense will magically stop happening. In other words, once liability law catches up with the role software now plays in society, these problems will happen much, much, much less frequently.”
Fingers can be pointed in a lot of directions over this and other breaches, but the fact remains that these will continue until organizations start to elevate how they approach security and the investments they make in keeping our data secure. There are reports going around that Equifax hired a CISO with degrees in music and fine arts, but no mention of any formal education in software security. If the reports are true, that tells you all you need to know about how too many companies today still view security – as something to be merely fiddled with.