Last Updated on January 16, 2024
On an April 2023 episode of The Virtual CISO Podcast, our guest Huxley Barbee, Security Evangelist at runZero, described how multiple shortcomings in Equifax's cyber asset management enabled the massive data breach that impacted almost 60% of the US adult population.
“Equifax to my mind is the prime example of what happens when you don’t have good asset inventory or asset management,” Huxley states. “I feel like this happens all the time, but we just typically don’t hear about it.”
When a vital security control is lax or missing, bad things happen.
When we hear about data breaches, the reports focus on the basics of the attack: was it data exfiltration, a denial of service (DoS), and so on. Sometimes we also hear how the attackers initially got into the network. But it is rare to get details on what supported the attacker's lateral movement within the compromised environment, or on the "underlying conditions" (e.g., lax or missing security controls) that allowed the breach to unfold.
In the case of the Equifax hack and many others, according to Huxley, a critical factor was weak cyber asset management. For example, one thing we know from the post-breach US Department of Justice (DoJ) indictments is that Equifax did not maintain an accurate, up-to-date inventory of the public-facing assets that ran Apache Struts. They had a vulnerability scanner that they used for asset discovery, but they did not know where to point it, so the vulnerable system was never in scope.
“This goes back to the idea of does your asset inventory cover the unknown devices as well,” Huxley notes. “They were scanning stuff, but they weren’t scanning the right things.”
Incomplete asset ownership data caused the root cause to be overlooked.
Another misstep that enabled the breach was that, when the Equifax security team found out about the Apache Struts vulnerability, they emailed an alert to the "owners of devices." But the one person who would have known about the device running Apache Struts (the one that was later compromised) and how to remediate it was not on the distribution list. Equifax's asset ownership tracking, unfortunately, was not current.
“Security teams don’t have time to go around tracking down who is the right person to go fix things,” Huxley says. “Because security teams usually don’t own the devices—either IT or some business function owns them.”
Gaps in knowledge of "risky settings" were the final straw.
Another contributing factor in the breach was weak asset classification (aka "fingerprinting"), which allowed a critical security control to fail without anyone noticing.
“Equifax had some packet inspection technology that would have caught the attackers exfiltrating data,” Huxley relates. “But this packet inspection technology was configured improperly to deal with expired certificates. If the encrypted traffic was using an expired certificate, it just wouldn’t inspect the traffic at all, and just let it pass through.”
A key part of a modern cyber asset inventory is the ability to identify risky settings on assets. Tracking devices with expired or soon-to-expire certificates is one example of how security teams can use this data: in Equifax's case, that one signal would have exposed the inspection blind spot long before an attacker found it.
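As an added illustration of the kind of "risky setting" check described above, here is a small stdlib-only Python example. It is not code from the podcast, from runZero, or from Equifax. It parses the Validity field out of DER-encoded certificates that have already been collected from each asset and flags the ones that are expired or about to expire. The host names, the inventory and the certificates are constructed for the example (the test certificates are unsigned skeletons built by a tiny DER encoder), and the 30-day warning window is an assumed policy value.

```python
"""Audit an asset inventory for expired and soon-to-expire TLS certificates (stdlib only)."""
from datetime import datetime, timedelta, timezone

# --- minimal DER (ASN.1) reader: just enough to reach the X.509 Validity field ---
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes):
    """Yield (tag, value) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _parse_time(tag: int, value: bytes) -> datetime:
    text = value.decode("ascii")
    if tag == 0x17:                       # UTCTime: YYMMDDHHMMSSZ
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:                       # GeneralizedTime: YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unexpected time tag {tag:#x}")

def cert_validity(der: bytes):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    """
    _, cert_body, _ = _read_tlv(der, 0)              # outer SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)              # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                         # explicit [0] version is optional
        fields = fields[1:]
    validity = fields[3][1]                          # serial, signature, issuer, validity
    not_before, not_after = (_parse_time(t, v) for t, v in _children(validity))
    return not_before, not_after

# --- the inventory check -------------------------------------------------------
def audit(inventory: dict, now: datetime, warn_days: int = 30) -> dict:
    """Map host -> (status, days_remaining); status is expired / expiring-soon / ok."""
    report = {}
    for host, der in inventory.items():
        _, not_after = cert_validity(der)
        remaining = not_after - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring-soon"
        else:
            status = "ok"
        report[host] = (status, remaining.days)
    return report

# --- constructed sample data: a tiny DER encoder builds unsigned test certificates ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_time(d: datetime) -> bytes:
    if d.year < 2050:                                # RFC 5280: UTCTime before 2050, else GeneralizedTime
        return _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())

def make_test_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Structurally valid but unsigned certificate skeleton, for offline testing only."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                   # [0] version v3
           + _tlv(0x02, b"\x01")                                             # serialNumber
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) # sha256WithRSAEncryption
           + _tlv(0x30, b"")                                                 # issuer (empty Name)
           + _tlv(0x30, _encode_time(not_before) + _encode_time(not_after))  # validity
           + _tlv(0x30, b"")                                                 # subject (empty Name)
           + _tlv(0x30, b""))                                                # subjectPublicKeyInfo placeholder
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = datetime(2024, 1, 16, 12, 0, tzinfo=timezone.utc)   # fixed "today" so results are reproducible
SAMPLE_INVENTORY = {                                       # constructed hosts, not real assets
    "legacy-portal.example.com": make_test_cert(_d(2021, 1, 1), _d(2022, 1, 1)),   # long expired
    "api.example.com":           make_test_cert(_d(2023, 2, 1), _d(2024, 2, 1)),   # inside the warning window
    "intranet.example.com":      make_test_cert(_d(2023, 6, 1), _d(2025, 6, 1)),   # fine
    "kiosk.example.com":         make_test_cert(_d(2023, 6, 1), _d(2055, 1, 1)),   # GeneralizedTime path
}

if __name__ == "__main__":
    for host, (status, days) in sorted(audit(SAMPLE_INVENTORY, NOW).items()):
        print(f"{host:28} {status:14} {days:+d} days")
```

To run it against real assets, collect each host's certificate with `ssl.get_server_certificate((host, 443))` and convert it with `ssl.PEM_cert_to_DER_cert()` (both in the standard library), then pass the resulting `{host: der}` map to `audit()`. The point that matters for the Equifax lesson is that the check runs over the inventory rather than over whatever the scanner happens to reach, so an expired certificate on an inspection appliance or a forgotten portal shows up as a finding with a named asset attached, instead of as a silent fail-open.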
In fact, one of the first events that enabled Equifax to discover the breach happened months later, when the expired certificate was finally replaced. The packet inspection technology started working again and flagged the ongoing data exfiltration.
“Then they realized, ‘Uh-oh, we’re screwed,’” remarks Huxley.
What’s next?
For more guidance on this topic, listen to Episode 115 of The Virtual CISO Podcast with guest Huxley Barbee from runZero.