Equifax and Capital One: What Should We Learn?

In September 2017, Equifax announced a data breach exposing the financial records of over 147 million individuals. Following rigorous investigations and negotiations, the company agreed to a worldwide settlement of $425 million to help those affected by the breach, providing free credit monitoring or a small cash payment.

In July 2019, Capital One announced that a hacker gained access to more than 100 million Capital One customer accounts and credit card applications, including 140,000 social security numbers, one million Canadian social insurance numbers, 80,000 bank account numbers and an undisclosed number of names, addresses, credit scores and other personal information.

The Equifax attackers gained access through an unpatched Apache Struts web application: the company had failed to deploy the patch, despite it being available for almost three months prior to the breach. The Capital One hacker was able to gain access by exploiting a misconfigured application firewall. These may seem like two unrelated attacks, but when you take a step back and look at the bigger picture from an enterprise security perspective, they are surprisingly closely related.

The link? Both were possible because of basic holes in the companies’ cyber hygiene practices: one related to endpoint patching and the other a cloud infrastructure configuration issue. These are supposed to be cybersecurity fundamentals that organizations have down pat, and they led to two of the most impactful breaches of our time at high-profile organizations.

Despite the negativity that has surrounded these incidents, they should serve as helpful case studies and hopefully shine a light on the importance of mastering cybersecurity fundamentals. To help organizations get a jumpstart on a broader conversation around cyber hygiene basics, following are some best practices that businesses of all sizes should consider implementing on their quest to nail down the fundamentals.

Hardware Asset Roll Call

The first step in creating a strong security foundation is having complete visibility into the entire suite of hardware assets the organization is responsible for. How can you manage and secure an environment without knowing what’s in it?

An environment’s overall security is at risk as soon as an undocumented device connects to the corporate network, so any security program should start with understanding what hardware assets the environment requires, along with the needs of end-users. This includes organizations that have remote workforces; every device is a critical asset that needs up-to-date security.

Proactively Patching and Updating Systems

As the Equifax breach showed, it’s incredibly important to apply patches as soon as possible. This problem is of a bigger scale than most people realize. A recent study noted that 57 percent of industry professionals who reported a breach said it was due to a vulnerability for which a patch was available and not applied, with 34 percent noting they knew the company was vulnerable before the breach occurred.

Attackers are constantly hunting for different ways to infiltrate organizations of all sizes, and one of the easiest ways they can do so is by exploiting unpatched systems with critical vulnerabilities. So, it’s pivotal that organizations be vigilant in identifying and deploying critical patches to ensure hackers don’t have an easy way in.
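The check a defender wants here is a report of every host still running a version below the fix once a patch has been public for longer than the organization's deadline, which is exactly the gap that stayed open for months at Equifax. The script below is an added example, not code from the article or either company; the inventory, package names, versions and advisory dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample asset inventory: host -> {package: installed version}.
# Package names, versions and dates are placeholders, not real advisory data.
INVENTORY = {
    "web-01": {"struts-core": "2.3.31", "openssl": "1.1.1"},
    "web-02": {"struts-core": "2.3.33", "openssl": "1.1.1"},
    "db-01":  {"openssl": "1.1.0"},
}

@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_version: str   # first version that contains the fix
    released: date       # day the vendor patch became available

# Constructed patch feed (placeholder dates).
ADVISORIES = [
    Advisory("struts-core", "2.3.32", date(2017, 3, 7)),
    Advisory("openssl", "1.1.1", date(2017, 2, 16)),
]

# Reference date used for the stand-alone run and the assertions below.
AS_OF = date(2017, 5, 29)

def version_tuple(v: str) -> tuple:
    """Compare dotted numeric versions component-wise, so 2.3.9 < 2.3.31."""
    return tuple(int(part) for part in v.split("."))

def patch_lag_report(inventory, advisories, today: date, max_days: int = 30):
    """Return (host, package, installed, fixed, days_exposed) for each host
    still below the fixed version when the patch is older than max_days."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue  # package not present on this host
            if version_tuple(installed) >= version_tuple(adv.fixed_version):
                continue  # already at or above the fixed version
            lag = (today - adv.released).days
            if lag > max_days:
                findings.append((host, adv.package, installed, adv.fixed_version, lag))
    return findings

if __name__ == "__main__":
    for f in patch_lag_report(INVENTORY, ADVISORIES, AS_OF):
        print("OVERDUE host=%s pkg=%s installed=%s fixed=%s exposed=%dd" % f)
```

Feeding this from a real inventory and vulnerability feed turns the "patch available, not applied" statistic above into a per-host list with the number of days each exposure has been open.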

Apply Continuous Delivery to Endpoint Configuration

Reliable and secure endpoint configuration is a must. To improve the practice, it’s critical to identify the impact of all configuration changes before rolling them out to the endpoints in a given environment.

This is possible by applying a continuous delivery methodology to endpoint configuration management, which ensures incoming patches and configuration changes are validated against a test server to verify the expected behavior of the software installed on each device does not change. Following that, the changes can be automatically applied to production endpoints safely and securely – making configurations seamless.

Public Cloud Configurations and Controls

Recent data from McAfee states that 99 percent of public cloud configuration issues go unreported. When you consider how many leaky databases are discovered by security researchers each week, this data should be more than alarming. Enterprise environments are becoming more complex, with more tools and apps for security pros to manage, and cloud infrastructure configuration management is just as important as any other cybersecurity practice. The attack surface doesn’t stop at the endpoint; cloud infrastructure cyber hygiene is a must as well.

Overall, these tips should serve as a solid start to a cybersecurity foundation that aims to take care of the basics by reducing an organization’s exploitable attack surface. Flashy technologies that stop hackers in their tracks are definitely nice to have in parallel, but you can’t forget that even the best in the world became experts at their crafts by first mastering the fundamentals.