In 2017, Equifax reported two alarming incidents: one at its U.S.-based operations, due to an Apache Struts vulnerability, and another at its Argentine operations. Looking at the Equifax incidents, the concepts of defense in depth, layered controls, and managing risk to achieve the appropriate balance of confidentiality, integrity, and availability are all essential. You may have already learned that the CISO and CIO are both leaving Equifax. In this article, we'll take a look at how the concepts from the Certified Information Systems Security Professional (CISSP) domains could have minimized the likelihood and impact of the Equifax incidents.
Current events such as the Equifax incidents bring to light the importance of the eight domains of the (ISC)2 Common Body of Knowledge (CBK).
Start With Risk Management
The concept of 'defense in depth' starts with risk management, and with ensuring that the organization has appropriate policies and standards in place. The U.S.-based Equifax incident was tied to the Apache Struts vulnerability that was published in March 2017; policies could have stated how frequently vulnerability scans must be performed and what follow-up is required. After a vulnerability is detected, a policy could state that systems must be patched within a defined timeframe, or that senior management would be required to assess the risk and decide whether to accept the exception to the policy.
The risk assessment would invoke the Software Development Life Cycle policy and procedures, charting out the necessary upgrades.
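The patching policy described above (a patch deadline by severity, with an explicit, time-limited exception signed off by senior management when the deadline cannot be met) is the kind of rule that can be checked mechanically against scan results. The following is an added example, not Equifax's process or any vendor's tool; the severity-to-deadline table, the finding records, and the vulnerability identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: maximum number of days allowed between publication of a
# vulnerability and the patch being applied, by severity rating.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    host: str
    vuln_id: str                      # placeholder identifier, not a real CVE
    severity: str
    published: date                   # date the vulnerability was published
    patched: Optional[date] = None    # None while the host is still unpatched
    exception_approved_by: Optional[str] = None  # role that accepted the risk
    exception_expires: Optional[date] = None     # exceptions must be time-boxed


def deadline_for(finding: Finding) -> date:
    """Patch-by date derived from the publication date and the severity SLA."""
    return finding.published + timedelta(days=PATCH_SLA_DAYS[finding.severity])


def evaluate(finding: Finding, today: date) -> str:
    """Classify a finding as patched, within-sla, accepted-exception or overdue."""
    if finding.patched is not None:
        return "patched"
    if today <= deadline_for(finding):
        return "within-sla"
    # Past the deadline: only a currently valid, approved exception keeps the
    # host out of the overdue list. An expired exception counts as overdue.
    if (finding.exception_approved_by
            and finding.exception_expires
            and today <= finding.exception_expires):
        return "accepted-exception"
    return "overdue"


def overdue_report(findings, today: date):
    """Hosts that breach policy with no valid exception, with days overdue."""
    report = []
    for f in findings:
        if evaluate(f, today) == "overdue":
            report.append((f.host, f.vuln_id, (today - deadline_for(f)).days))
    return report


# Constructed sample findings (dates and identifiers are illustrative only).
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", "critical", date(2017, 3, 10)),
    Finding("web-02", "VULN-PLACEHOLDER-1", "critical", date(2017, 3, 10),
            patched=date(2017, 3, 14)),
    Finding("app-03", "VULN-PLACEHOLDER-2", "high", date(2017, 9, 5)),
    Finding("db-04", "VULN-PLACEHOLDER-3", "medium", date(2017, 4, 1),
            exception_approved_by="CISO", exception_expires=date(2017, 12, 31)),
    Finding("db-05", "VULN-PLACEHOLDER-3", "medium", date(2017, 4, 1),
            exception_approved_by="CISO", exception_expires=date(2017, 6, 30)),
]

if __name__ == "__main__":
    for host, vuln, days in overdue_report(SAMPLE_FINDINGS, date(2017, 9, 8)):
        print(f"{host}: {vuln} is {days} days past its patch deadline")
```

The report is what a policy owner would hand to senior management: every entry is either a missed deadline or an exception that has lapsed, and nothing is silently carried forward.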
In its Argentine operations, a database was left accessible with the vendor's default username and password; checking for default credentials should have been one of the first tests that policy dictated before a system is launched as a production website, or after a system change.
While we prefer preventive controls such as patching the assets, in cases where we can't immediately address the risk one way we look for detective or corrective controls. Without in-depth knowledge of the network infrastructure, we don't know whether signature-based detection for this vulnerability had been added to their Intrusion Detection Systems (IDS), but an IDS may have been able to detect abnormal usage of their web systems.
An Intrusion Prevention System (IPS) could potentially have blocked malicious requests. Security Information and Event Management (SIEM) systems could have also been utilized to aggregate and raise alerts based on excessive activity within a defined timeframe. The full story hasn't been brought to light yet, but that's where we need to remember that the concept of defense-in-depth wouldn't rely on a single control, but would use multiple controls to minimize the risk to the “acceptable level.”
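The SIEM rule described above, "raise alerts based on excessive activity within a defined timeframe", is a sliding-window count per source. The following added example (not part of the original article, and not any SIEM product's rule language) parses constructed web-server access log lines in the common Apache format and alerts the first time a single client address exceeds a request threshold inside a rolling window. The addresses, paths and timestamps are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: client, identity, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return a dict with ip, ts (aware datetime), path and status, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("req").split()
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts[1] if len(parts) >= 2 else "",
        "status": int(m.group("status")),
    }


def detect_bursts(lines, window_seconds: int = 60, threshold: int = 20):
    """Alert once per client whose request count in any rolling window
    of window_seconds reaches threshold. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts, already_alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue              # unparseable line; a real SIEM would count these too
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in already_alerted:
            already_alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "at": ev["ts"], "count": len(q),
                           "last_path": ev["path"]})
    return alerts


# Constructed sample log: one client makes 25 requests in 25 seconds against
# sequential record paths, surrounded by a couple of ordinary requests.
_BASE = datetime(2017, 9, 12, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, seconds, path, status=200):
    ts = (_BASE + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


SAMPLE_LOG = (
    [_line("203.0.113.9", 0, "/login")]
    + [_line("198.51.100.7", i, f"/dispute/{1000 + i}") for i in range(1, 26)]
    + [_line("203.0.113.9", 40, "/report/77")]
)

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['count']} requests within window at {a['at']}"
              f" (last path {a['last_path']})")
```

Tuning is the whole job with a rule like this: the threshold and window decide whether the enumeration of sequential dispute records stands out from a busy but legitimate integration, and the second assertion in a real deployment would be that normal traffic does not trip it.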
Confidentiality, Integrity, Availability
Confidentiality, integrity, and availability interrelate with each other. We can maintain secrets if we cut off access, but cutting off access keeps the business from the data it needs. In today's society we often enjoy the ease of "instant credit" while standing at the counter or on our home computers to obtain a tempting discount, promotional financing, or great rewards with a special credit account; the instant decision requires that the bureau have a correct report, and make it available to the creditor immediately.
At least some of the records that were accessed inappropriately, however, were dispute records, where an individual had filed a dispute. These records weren't used by potential creditors, and due to the sensitive information contained in those disputes (full social security numbers and even driver's license information), the database was a prime example of a system where confidentiality perhaps should have been the driving factor over availability.
While the U.S. incident was related to an exploitation of the Apache Struts vulnerability, Equifax's Argentine operations had a web-facing database that had the vendor-provided default 'admin' as the username and 'admin' as the password.
The use of a default username that's in the vendor documentation effectively ignored the confidentiality of the information, and the integrity of the information in the Argentine database is suspect. The sensitivity of the data is one of the key drivers for confidentiality requirements.
A newspaper website will restrict information to protect its subscription revenue, preventing others from copying its articles. Credit reports are used throughout our lives, not just today but for years to come; the data in these credit reports is a prime example of information that requires the highest level of controls to protect its confidentiality.
When we look at the CISSP Common Body of Knowledge (CBK), we start with Security and Risk Management because it sets the tone for the rest of the domains, and how we will design, test, operate, and change Information Systems. We don't just rely on one single control but apply the optimal mix to protect the information at an appropriate level.
The Equifax incidents remind us that we adopt policies for a reason, to protect the Confidentiality, Integrity, and Availability of the information that we're trusted to protect. Students often ask why we study all of the domains, and the Equifax incidents demonstrate why we have multiple domains: because the domains help ensure we don’t forget to complete all of the necessary steps.