Monitor What You Can't Fix (or Haven't Fixed Yet)

On September 7 Equifax announced it had suffered a major breach exposing very sensitive information (names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers) on almost all Americans who participate in the economy. Unlike passwords or credit cards, this is information that cannot be changed.

As of this writing, Equifax's stock price has dropped 33%.

In an update on September 13, Equifax stated that attackers exploited a vulnerability in Apache Struts, CVE-2017-5638. Still, there is a lot of information that we (or probably Equifax) don't know.

However, based on that data point, here are some relevant dates:

  • 2017-03-06 - Red Hat announces the vulnerability.
  • 2017-03-10 - CVE-2017-5638 published in the National Vulnerability Database.
  • 2017-03-15 - Exploit posted.
  • 2017-03-19 - Apache releases additional patch details.
  • 2017-05-?? - "Mid-May", unauthorized access of Equifax data apparently begins.
  • 2017-07-29 - Equifax discovers the unauthorized access.
  • 2017-09-07 - Equifax announces the compromise.

So exploits were in the wild and a patch was available approximately 2 months before Equifax believes the compromise began. The compromise then continued for approximately 2.5 months before it was discovered, and more than a month passed after that before it was announced.

While Equifax's delay in patching its systems looks like dereliction, the reality is not so clear-cut. As reported in Bloomberg's "Equifax Falls After Signs It Was Slow to Fix Flaw Hackers Used" article:

But security professionals say many companies take weeks or even months to apply software patches, as applications need to be tested to ensure the updates don’t break existing code. Apache Struts software is especially time-consuming to update because each application needs to be fixed individually. But a delay of several months to remove a high-priority vulnerability is generally considered a dangerous security practice.

This, however, points to a capability every organization needs: monitoring its systems for signs of exploitation, especially during the window between a vulnerability becoming public and the patch actually being deployed. Fix what you can, and monitor what you can't.
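As an added example of what "monitor what you can't fix" can look like in practice (this is illustrative code written for this post, not anything from Equifax or the Apache project): CVE-2017-5638 was triggered through a Content-Type header that carried an expression instead of a media type. A Struts application that cannot be patched immediately can still be watched from the reverse proxy or WAF in front of it by validating that header against the media-type grammar and flagging anything that does not fit. Checking against the grammar rather than against a list of known payloads catches variants a signature list would miss. The pipe-delimited log format, the IP addresses and the paths below are constructed for the example; an ordinary access log usually does not record Content-Type, so the parser has to be pointed at a proxy or WAF log that does.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 7230 token characters. Braces, parentheses, '@' and '=' are NOT
# allowed, which is exactly why an expression smuggled into Content-Type
# fails to parse as a media type.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
PARAMETER = rf"\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
# type "/" subtype *( ";" parameter )
MEDIA_TYPE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAMETER})*\s*$")

# Expression-language openers that never belong in a media type.
EXPR_MARKERS = ("%{", "${", "#{")


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    path: str
    content_type: str
    reason: str


def check_content_type(value: str) -> Optional[str]:
    """Return a reason string if the header value is suspicious, else None."""
    if not value or value == "-":
        return None  # the constructed log uses '-' for 'header absent'
    for marker in EXPR_MARKERS:
        if marker in value:
            return f"expression marker {marker!r} in Content-Type"
    if len(value) > 512:
        return "Content-Type longer than 512 bytes"
    if not MEDIA_TYPE.match(value):
        return "Content-Type does not parse as a media type"
    return None


def scan_log(lines) -> List[Finding]:
    """Scan constructed proxy log lines: ts|src_ip|method|path|status|content_type."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue  # malformed line; a real deployment would count these
        ts, src, _method, path, _status, ctype = parts
        reason = check_content_type(ctype)
        if reason:
            findings.append(Finding(ts, src, path, ctype, reason))
    return findings


# Constructed sample lines (documentation IP ranges, placeholder payload);
# not real traffic and not Equifax data.
SAMPLE_LOG = """\
# ts|src_ip|method|path|status|content_type
2017-05-14T02:11:03Z|198.51.100.7|POST|/orders/upload.action|200|multipart/form-data; boundary=----constructedBoundary1234
2017-05-14T02:11:09Z|198.51.100.7|GET|/orders/status.action|200|-
2017-05-14T02:12:45Z|203.0.113.9|POST|/orders/upload.action|200|%{(#PLACEHOLDER_EXPRESSION).(#x=1)}
2017-05-14T02:13:01Z|192.0.2.44|POST|/login.action|302|application/x-www-form-urlencoded; charset=UTF-8
2017-05-14T02:13:30Z|203.0.113.9|POST|/orders/upload.action|500|multipart/form-data boundary=oops
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.src_ip} {f.path}: {f.reason}")
```

Run against the sample, the scanner reports two findings from the same source address: one header carrying an expression marker and one that is simply not a valid media type. Either is worth an alert on a host known to be running an unpatched Struts version, and a burst of them from one address in a short window is the kind of signal that could have shortened a two-and-a-half-month dwell time considerably.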