The Equifax breach was one of the most severe compromises of PII in history. The scope and sensitivity of the data lost were beyond what many organizations had ever experienced. Congress investigated and released an incredible, detailed report.
I have thoroughly reviewed the content of the report, and created a presentation of my findings and specific points of interest. It provides a timeline of the breach and organizational response, as well as information about organizational and policy structure.
@uncl3dumby - Anatomy of a Megabreach: Equifax Report
1. Anatomy of a Megabreach
A review of Equifax’s organizational failures, and how they led to one of
today’s most severe compromises of PII
“Failure to maintain an accurate inventory undermines all
attempts at securing OPM’s information systems”
- Office of Personnel Management Inspector General
@uncl3dumby
2. Sources
▶ The vast majority of information is pulled from the U.S. House of Representatives
Committee on Oversight and Government Reform report on the Equifax Data
Breach
▶ Released December 2018
▶ Contains references and official sources for most of the information included in this
presentation
▶ This report is AMAZING. I have provided a thorough representation of the
information it contains, but I highly recommend that you review the full 97
page report if you get the chance
https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
▶ A few corroborating documents that I failed to record, but are public record
Who Am I?
dumby - Blue teamer, security nerd
@uncl3dumby - Twitter
https://securedumby.science
3. Report Composition
Sections:
1. Consumer Reporting Agency Business Model
2. Regulations for Consumer Reporting Agencies
3. Anatomy of the Equifax Data Breach
4. Equifax Notifies the Public
5. Specific Points of Failure
6. Equifax Remediation Efforts
7. Recommendations
Sources:
▶ Internal Emails
▶ Congress Testimony
▶ Mandiant Report
▶ Equifax Disclosures / Situational Updates
▶ Investor Releases
▶ Public Speaking Appearances
▶ Government Consent Order
10. Incident Investigation
July 30 - August 01
▶ July 30 - Potential Incident Reviewed
▶ Vulnerability tests
▶ 12:41 PM - ACIS is shut down, ending the direct cyberattack
▶ Executives informed
▶ July 31 – Equifax Initiates Incident Response
▶ Assigns the code name Project Sierra to the IR effort
▶ ACIS developers provide the application’s WAR file; a vulnerable Struts version is confirmed
▶ August 1 – CIO is provided a brief update on Project Sierra.
▶ CIO leaves on vacation 08/02, and doesn’t return until 08/16.
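Confirming "vulnerable Struts" from a WAR file, as the slide above describes the developers doing, is a concrete check worth showing. The following is an added example written for this write-up; it is not code from the presentation, from Equifax or from the House report. A WAR is a zip archive whose libraries sit under WEB-INF/lib/, so the check is: list every struts2-core-*.jar, read the version out of the jar name, and compare it component-wise against the first fixed release on that branch. The sample WARs, the application names and the fixed-version table are all constructed for the demo; the slides name neither the Struts version ACIS ran nor the fixed releases, so the thresholds are placeholders to be replaced with the values from the vendor advisory.

```python
"""Check deployed WAR files for the Struts 2 version they ship.

Added example, not code from the presentation or the House report. The
fixed-version thresholds and the sample fleet are assumptions for the demo.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Matches struts2-core-2.3.31.jar, struts2-core-2.5.10.1.jar and
# struts2-core-2.3.30-SNAPSHOT.jar; the version is captured in group 1.
STRUTS_JAR = re.compile(r"^WEB-INF/lib/struts2-core-(\d+(?:\.\d+)*)(?:-\w+)?\.jar$")

# Assumed thresholds: lowest release per branch that carries the fix.
FIXED_BY_BRANCH: Dict[str, str] = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

# Higher number = worse finding; an app with several jars gets its worst status.
SEVERITY = {"no-struts": 0, "patched": 1, "unsupported-branch": 2, "vulnerable": 3}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31). Integer tuples compare component-wise, so
    2.5.9 < 2.5.10 holds; a plain string compare would get that wrong."""
    return tuple(int(p) for p in text.split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """a < b after zero-padding, so 2.5 is treated as 2.5.0 against 2.5.0.1."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def struts_versions_in_war(war_bytes: bytes) -> List[str]:
    """Return every struts2-core version found under WEB-INF/lib in one WAR."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
    found = []
    for name in names:
        m = STRUTS_JAR.match(name)
        if m:
            found.append(m.group(1))
    return found


def assess_version(found: str, fixed_by_branch: Dict[str, str]) -> str:
    """Classify one Struts version against the per-branch fixed releases."""
    v = parse_version(found)
    for branch, fixed in fixed_by_branch.items():
        b = parse_version(branch)
        if v[: len(b)] == b:
            return "vulnerable" if version_lt(v, parse_version(fixed)) else "patched"
    # No fixed release exists on this branch (end-of-life line). Do not report
    # it as "unknown", which tends to be read as "fine" on a dashboard.
    return "unsupported-branch"


def audit_wars(wars: Dict[str, bytes],
               fixed_by_branch: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each WAR name to (worst status, versions found)."""
    report = {}
    for name, blob in wars.items():
        versions = struts_versions_in_war(blob)
        statuses = [assess_version(v, fixed_by_branch) for v in versions] or ["no-struts"]
        worst = max(statuses, key=SEVERITY.__getitem__)
        report[name] = (worst, versions)
    return report


def make_war(lib_jars: List[str]) -> bytes:
    """Build a minimal WAR in memory (constructed sample input, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in lib_jars:
            z.writestr(f"WEB-INF/lib/{jar}", b"")  # jar contents are irrelevant here
    return buf.getvalue()


# Constructed sample fleet: names and versions are invented for the demo.
SAMPLE_WARS: Dict[str, bytes] = {
    "app-a.war": make_war(["struts2-core-2.3.31.jar", "commons-fileupload-1.3.1.jar"]),
    "app-b.war": make_war(["struts2-core-2.5.10.1.jar"]),
    "app-c.war": make_war(["struts2-core-2.1.8.jar"]),
    # Two copies of the jar left behind by a sloppy upgrade: the old one still counts.
    "app-d.war": make_war(["struts2-core-2.3.32.jar", "struts2-core-2.3.30-SNAPSHOT.jar"]),
    "app-e.war": make_war(["log4j-1.2.17.jar"]),
}

if __name__ == "__main__":
    for war, (status, versions) in audit_wars(SAMPLE_WARS, FIXED_BY_BRANCH).items():
        print(f"{war:10} {status:18} {', '.join(versions) or '-'}")
```

Two design points matter in practice. Versions are compared as integer tuples rather than strings, because "2.5.9" sorts after "2.5.10" lexically and a string compare would clear a vulnerable build. And a Struts branch with no fixed release is reported as its own bad status rather than "unknown", since an inventory that cannot say "patched" for an asset should not look green.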
15. Data Elements Compromised

Data Element            | Columns Analyzed                        | Approximate # of Impacted Consumers
------------------------|-----------------------------------------|------------------------------------
Name                    | First, Last, Middle, Suffix, Full Name  | 146.6 Million
Date of Birth           | Full DOB                                | 146.6 Million
Social Security Number  | Full SSN                                | 145.5 Million
Address                 | Address, Address 2, City, State, Zip    | 99 Million
Gender                  | Gender                                  | 27.3 Million
Phone Number            | Phone, Phone2                           | 27.3 Million
Driver’s License #      | Full #                                  | 17.6 Million
Email Address           | Full Email                              | 1.8 Million
Payment Card Info       | CC Number, Exp Date                     | 209,000
TaxID                   | Full ID                                 | 97,500
Driver’s License Info   | Issuing State                           | 27,000
Online Dispute Portal   | Uploaded Images                         | 182,000
26. Mandiant Recommendations
▶ [QUICK REVIEW] Attacker Access Duration (Dwell Time) - 05/13/2017 – 07/30/2017
▶ Mandiant Recommendations – 09/19/2017
▶ 1. Enhance vulnerability scanning and patch management processes and procedures
▶ 2. Reduce the scope of sensitive data retained in backend databases
▶ 3. Increase restrictions and controls for accessing data housed within critical databases
▶ 4. Enhance network segmentation, to restrict access from internet facing systems to
backend databases and data stores
▶ 5. Deploy additional web application firewalls and tune signatures to block attacks
▶ 6. Accelerate the deployment of file integrity monitoring technologies on application and
web servers
▶ 7. Enforce additional network, application, database, and system-level logging
▶ 8. Accelerate deployment of a privileged account management solution
▶ 9. Enhance visibility for encrypted traffic by deploying additional inline network traffic
decryption capabilities
▶ 10. Deploy additional endpoint detection and response agent technologies
▶ 11. Deploy additional email protection and monitoring technologies
27. Forced Action (Cont.)
▶ Former CEO Testifies On Progress of
Recommendation Implementation – 10/03/2017
▶ Mandiant and Equifax confirm all eleven remedial
recommendations had been implemented –
08/2018
▶ 09/19/2017 – 08/2018 - Time from Recommended
to Implemented
30. Consent Order – Effective 06/25/2018
▶ 90 days for the following:
▶ Written risk assessment that addresses:
▶ Foreseeable threats to confidentiality of PII
▶ Potential damage to company’s business operations
▶ Safeguards and mitigating controls to address each threat and vulnerability
▶ Board and Management Oversight:
▶ Approve a consolidated written information security program and policy that can be updated
annually
▶ Review annual report from management on adequacy of IS program
▶ Enhance level of detail within board minutes
▶ Review and approve standard IS policies to ensure they are up-to-date and applicable
▶ Ensure IR procedure guides are up-to-date and clarify roles and relationships of groups involved
in IR
31. Consent Order (Cont.)
▶ Vendor Management
▶ Monitor management’s documentation of efforts to comply with PCI DSS
▶ Review and approve policy/procedure for outsourcing management
▶ Oversee management’s development of a definition of “cloud service”
▶ Development of policies that provide guidance for when the use of cloud-based services is permissible
▶ Patch Management
▶ Identify a comprehensive IT asset inventory that includes hardware, software, and location of assets
▶ Formalize an identification process for patches that need to be installed
▶ Develop action plan for decommissioning legacy systems, including compensating controls until systems
are removed
▶ Formalize patch management policy
▶ IT Operations
▶ Ensure key processes of business continuity plans are independently reviewed at least annually
▶ Formalize emergency change standards
32. Consent Order (Cont.)
▶ 30 days to improve oversight of auditing
▶ A formal risk analysis process used to set scope and frequency of IT audits
▶ An audit schedule prepared on a multi-year basis
▶ Audit of critical and high-risk areas (at least) annually
▶ Issue tracking report and issue aging report submitted quarterly to an Audit Committee
▶ Validation via internal audit that severe issues are resolved on a timely basis
▶ Guidelines for ensuring the internal audit is not involved in daily operations of enterprise
risk management
▶ By July 31 (Approximately 1 month)
▶ Submit to Multi-State Regulatory Agencies a list of all remediation projects planned, in
process, or implemented in response to the breach
▶ Written reports outlining progress toward complying with each provision of the consent
order. These must then be submitted every quarter.
33. Consent Order (Cont.)
▶ By December 31 (Approximately 6 months)
▶ Formalize a process to routinely identify what patches need to be updated and
installed
▶ Populate current metrics and data into a dynamic patch dashboard
▶ Prioritize and address outstanding critical, high, and medium-risk patch
management audit findings
▶ Provide programmers job-specific training covering secure coding
▶ Conclude process of removing system access of development staff to production
environments
▶ Equifax Board will require management to have an independent party test controls
relating to all remediation projects, and report to Multi-State Agencies whether
controls are functioning effectively
34. Tallying Up The Damage
As of Q3 2018 – Report Release Timeframe