Like my high school coach always said, “Stick to your basics”.
The Equifax and CapitalOne breaches remind us that cyber-attacks don’t always come from sophisticated hacking groups. I’m sure these companies were using the best cybersecurity software that money could buy. They probably had good internal and external IT support.
However, the data breaches they suffered could have been easily prevented by applying the most basic cybersecurity controls.
What went wrong at Equifax & CapitalOne?
In September 2017, Equifax disclosed that the personal information of up to 147 million people had been compromised: 147 million US consumers’ names and dates of birth, 145.5 million social security numbers, and 209,000 payment card numbers and expiration dates. This data breach is in the news again because Equifax agreed to a settlement that will compensate those affected by the breach.
On July 29, 2019, CapitalOne reported that the personal data of over 106 million customers in the US and Canada had been compromised. The data was stolen by Paige Thompson, an ex-Amazon employee who accessed it between March and July of that year.
How did these breaches happen?
CapitalOne’s data was stored in the Amazon Web Services cloud. Investigators found that Thompson discovered a misconfigured firewall on a web application and used it to gain access to data stored in the cloud.
A few months before Equifax was hacked, US-CERT issued a warning that companies should apply the Apache Software Foundation’s patch for the flaw CVE-2017-5638. The FTC alleges that Equifax failed to patch this flaw and to “undertake numerous basic security measures.” Hackers used the flaw in Apache Struts and default credentials on one of their apps (Admin:Admin) to gain access to customers’ personal data.
How could they prevent the breaches?
If these organizations had applied the appropriate security patches, or had measures in place that notified them when a breach occurred, these events could have been prevented or caught far earlier.
I see companies making this fundamental mistake every day. They spend thousands of dollars on top-of-the-line security products that promise “instant security.” But the AI and ML programs that guard their data are pointless if their IT staff aren’t applying patches or making sure their firewall is configured securely.
While security compliance standards are a good benchmark for organizations to adhere to, it’s important to remember that cybersecurity is an ongoing process that always needs to be revisited in this dynamic threat landscape.
How to “Lock your front door”
As a company managing risk, you should ask yourself these 5 basic cybersecurity questions:
- Are you applying patches to your firewall and other security systems regularly?
- Are regular penetration tests and vulnerability scans being conducted by a qualified, compliant third party?
- Are you reviewing your users’ permissions and revoking excessive privileges?
- Are you applying two-factor authentication, and encrypting your primary and secondary data storage?
- Do you have an Incident Response Workflow that you would follow in case of a breach?
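Several of these questions can be turned into a recurring, automated check rather than a once-a-year conversation. The script below is an added example, not Accorian’s code: it audits a small, constructed inventory of hosts and accounts for stale patches, privileged accounts without 2FA, dormant privileged accounts that should have their access revoked, and accounts still using a default or trivial password (the kind of Admin:Admin credential mentioned above). The inventory format, the role names, the 30-day patch window and the 90-day dormancy threshold are all assumptions chosen for illustration; adapt them to your own policy.

```python
"""Basic-hygiene audit over a small, constructed inventory.

Added example, not Accorian's code. The inventory format, the role names and
the thresholds (30-day patch window, 90-day dormancy) are assumptions chosen
for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30      # assumption: patch SLA for every host
DORMANT_AFTER_DAYS = 90      # assumption: unused privileged access gets revoked
PRIVILEGED_ROLES = {"admin", "cloud-owner"}   # assumption: which roles count as privileged
# Passwords an audit should never find in use; each account's own username is added too.
TRIVIAL_PASSWORDS = ("admin", "password", "changeme")
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass
class Host:
    name: str
    internet_facing: bool
    last_patched: date


@dataclass
class Account:
    username: str
    role: str
    mfa_enabled: bool
    last_login: date
    password_sha256: str   # toy unsalted hash; real credential stores use salted hashes


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def audit_hosts(hosts, as_of):
    """Question 1: are patches being applied on schedule?"""
    findings = []
    for h in hosts:
        age = (as_of - h.last_patched).days
        if age > MAX_PATCH_AGE_DAYS:
            # An internet-facing host with stale patches is the Equifax scenario.
            sev = "HIGH" if h.internet_facing else "MEDIUM"
            findings.append((sev, h.name, f"last patched {age} days ago"))
    return findings


def audit_accounts(accounts, as_of):
    """Questions 3 and 4: excessive or dormant privileges, 2FA, default passwords."""
    findings = []
    for a in accounts:
        privileged = a.role in PRIVILEGED_ROLES
        if privileged and not a.mfa_enabled:
            findings.append(("HIGH", a.username, "privileged account without 2FA"))
        if privileged and (as_of - a.last_login).days > DORMANT_AFTER_DAYS:
            findings.append(("MEDIUM", a.username, "dormant privileged account; revoke"))
        # Compare the stored hash against hashes of known-bad candidates; the
        # plaintext password is never needed for this check.
        candidates = TRIVIAL_PASSWORDS + (a.username, a.username.lower())
        if a.password_sha256 in {_sha256(c) for c in candidates}:
            findings.append(("CRITICAL", a.username, "default or trivial password in use"))
    return findings


def run_audit(hosts, accounts, as_of):
    """Return every finding, most severe first."""
    findings = audit_hosts(hosts, as_of) + audit_accounts(accounts, as_of)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


# Constructed sample inventory (not real systems or people).
AS_OF = date(2019, 7, 29)
SAMPLE_HOSTS = [
    Host("web-01", True, date(2019, 5, 1)),
    Host("db-01", False, date(2019, 7, 15)),
]
SAMPLE_ACCOUNTS = [
    Account("svc-admin", "admin", False, date(2019, 7, 20), _sha256("svc-admin")),
    Account("ops", "admin", True, date(2019, 1, 10), _sha256("c0rrect-h0rse-battery")),
    Account("jdoe", "developer", True, date(2019, 7, 28), _sha256("another-strong-one")),
]

if __name__ == "__main__":
    for sev, subject, msg in run_audit(SAMPLE_HOSTS, SAMPLE_ACCOUNTS, AS_OF):
        print(f"[{sev}] {subject}: {msg}")
```

Run against the sample inventory, the audit flags the internet-facing web host that has gone 89 days without a patch, the service account that is both missing 2FA and using its own username as its password, and the admin account nobody has logged into for more than 90 days. Wiring a check like this into a weekly job, fed from your real patch and identity systems, is the kind of basic control that catches the problems the expensive products above are meant to cover.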
So, before you think about your next big cybersecurity spend, please make sure that you, your IT team and your third-party providers are following these basic cybersecurity practices.
It’s critical to speak to an expert organization that understands your business and security needs. They should be concerned with your company’s protection all the time, not just occasionally.
The security experts at Accorian have helped several companies discover critical vulnerabilities by performing simple Penetration Tests. Contact us today if you would like us to help you improve your cybersecurity.