A mix of human frailty and lack of proper controls
On September 7 this year, the consumer credit rating company Equifax announced a cybersecurity incident. The statement indicated that the event potentially affected approximately 145 million US consumers, along with a number of records belonging to consumers of other nationalities. The information accessed by the attackers included first and last names, US Social Security numbers, birth dates and addresses, among other data. According to the company's CEO, the breach began in mid-May and was only detected at the end of July.
What caused this security incident? According to the organization, the criminals took advantage of a vulnerability in Apache Struts, an open-source framework for building Java web applications. The Apache Software Foundation released a fixed version in March, but Equifax failed to apply it to its systems. Equifax also failed to scan its systems properly to confirm that the patch had been applied. As a result, the company only detected the attack when it noticed unusual network traffic at the end of July.
But was one of the biggest data breaches in history caused only by a technical issue? No. It was a combination of human frailty and a lack of proper controls. A single technician failed to apply the patch, despite an email sent to the entire internal IT team requesting that the vulnerability be fixed within 48 hours. In addition, neither the automated software vulnerability scan nor any other security tool detected the still-unpatched application, so nobody knew that the instruction had not been carried out.
What lessons have we learned from this data breach?
Basically, we learned two very important lessons:
- The importance of a well-trained and security-aware workforce. Note that, due to the failure of a single employee, the company faced the worst problem in its history. It confirmed the notion that people are the weakest link in the cybersecurity chain. To avoid that, organizations should have the proper IT and cybersecurity policies and processes in place, together with education and training programs. Above all, they should execute them and verify the results.
- The importance of controlling the systems. An organization can have the latest state-of-the-art security solutions in place, but if nobody reads their findings, they are perfectly useless. The IT and cybersecurity teams should carry out "mini-audits" of their own processes, to know whether the security systems work as planned and whether their findings are properly reviewed and acted upon when necessary. In the Equifax case a patch deadline was set, but nothing independently confirmed that the patch had actually been installed; a control that only works when everyone does their job is not a control.
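As an added example (not code from the original article, and not anything Equifax or Apache published), here is the kind of independent check that both the missed scan described above and the second lesson call for: a script that inventories the Struts jars actually deployed under a webroot and flags any whose version still falls inside the ranges affected by the March 2017 Struts flaw (Apache advisory S2-045, CVE-2017-5638), so that the 48-hour patch instruction is confirmed by evidence rather than assumed done. The webroot it scans is a constructed sample built in a temporary directory, and the file layout it expects (`WEB-INF/lib/struts2-core-<version>.jar`) is an assumption about how the webapps are deployed.

```python
"""Hypothetical patch-verification check (added example, not Equifax's or Apache's code).

Walks a webroot for struts2-core jars, extracts the version from the file
name and flags any version inside the ranges affected by S2-045
(CVE-2017-5638). The sample webroot is constructed below for demonstration.
"""
import re
import tempfile
from pathlib import Path

# Affected versions per the Apache Struts S2-045 advisory: 2.3.5 - 2.3.31
# and 2.5 - 2.5.10; fixed in 2.3.32 and 2.5.10.1. Inclusive (low, high)
# bounds as version tuples. Python compares tuples element by element, and
# a longer tuple with an equal prefix sorts higher, so (2, 5, 10, 1) > (2, 5, 10)
# and 2.5.10.1 is correctly treated as outside the affected range.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

# Assumed jar naming convention: struts2-core-<version>.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1)"""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if the version string falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_struts_jars(root):
    """Return sorted (path, version, vulnerable) for every struts2-core jar under root."""
    findings = []
    for path in Path(root).rglob("struts2-core-*.jar"):
        match = JAR_RE.match(path.name)
        if match:
            version = match.group(1)
            findings.append((str(path), version, is_vulnerable(version)))
    return sorted(findings)


def unpatched(root):
    """Only the findings that still need the patch."""
    return [f for f in find_struts_jars(root) if f[2]]


def build_sample_webroot():
    """Constructed sample: four webapps, two unpatched, two fixed. Jars are empty placeholders."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel in (
        "app-a/WEB-INF/lib/struts2-core-2.3.31.jar",    # affected
        "app-b/WEB-INF/lib/struts2-core-2.3.32.jar",    # fixed
        "app-c/WEB-INF/lib/struts2-core-2.5.10.jar",    # affected
        "app-d/WEB-INF/lib/struts2-core-2.5.10.1.jar",  # fixed
    ):
        jar = root / rel
        jar.parent.mkdir(parents=True, exist_ok=True)
        jar.touch()
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, version, vulnerable in find_struts_jars(root):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:<10} struts {version:<9} {path}")
    print(f"{len(unpatched(root))} unpatched deployment(s) under {root}")
```

This check is deliberately independent of whoever was told to apply the patch: it looks at what is on disk, not at a ticket status. It is also only as good as its assumptions: a jar that was renamed, shaded into another artifact, or loaded from outside the webroot would be missed, so a production version of this audit should open each jar and read `Implementation-Version` from `META-INF/MANIFEST.MF` rather than trusting the file name, and its output should land with someone who is obliged to read it.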
A final word on this. Any organization, whatever its size, needs personnel educated and trained in cybersecurity and IT, and it needs to apply that education in everyday activities. That way, the likelihood of a security incident is considerably lower.