Would Better Risk Management Based on DFARS/NIST 800-171 or the NY Financial Institution Rules Have Thwarted the Equifax Breach?
By Colin Glover, Senior Security Analyst, Sera-Brynn, LLC.
Recently, the credit reporting company Equifax announced a huge breach impacting up to 143 million U.S. consumers, exposing names, Social Security numbers, birth dates, home addresses and, for some, driver's license numbers and credit card numbers. According to Equifax's September 7, 2017 press release, the attackers got in through a vulnerability on its website. Other news reports identify the flaw as an Apache Struts vulnerability that let the attackers reach the database. Apache released a statement saying the attack exploited either a zero-day or a previously announced vulnerability that had been left unpatched and was subsequently exploited.
How can compliance with a security framework, such as NIST SP 800-171 as required under DFARS 252.204-7012, or New York's new cybersecurity regulation, Cybersecurity Requirements for Financial Services Companies, help prevent these types of incidents?
- Both frameworks require a risk assessment. The assessment should establish where critical data resides on the network, how it can be reached, and which mitigations must be in place to protect it.
- Vulnerability scanning and remediation is a must. For companies with a large number of endpoints it may be impossible to remediate every system promptly, so knowing where the critical data is and how it could be reached lets remediation be prioritized, starting with internet-facing systems that sit on a path to that data. That prioritization is an output of the risk assessment.
- The cybersecurity frameworks have significant requirements for Identity and Access Management, Data Protection, and Auditing.
- Multifactor authentication (MFA) is a significant requirement under both NIST SP 800-171 and the Cybersecurity Requirements for Financial Services Companies. Had access to the Equifax database required MFA, the attackers might have been stymied. The caveat is that MFA protects interactive logins; an attacker who gains code execution on a web application inherits the application's own database connection, so MFA must be paired with least-privilege application accounts that can read only what the application needs.
- Both frameworks require encryption of data at rest. Had the stolen records been encrypted with validated cryptography, such as a FIPS 140-2 validated module, an attacker who copied the database files or backups would have obtained nothing usable. Note, though, that disk-level or database-level encryption is transparent to an application that is authorized to query the data; defending against an attacker who has compromised that application calls for field-level encryption of the sensitive columns, with decryption limited to the components that genuinely need the plaintext.
- A truly determined attacker will find a way into the network. A good auditing program identifies malicious activity and stops it before too much damage is done. Attackers may take only a small amount of data at a time, but a sound monitoring program knows which internal systems are allowed to talk to which external addresses, flags a database server that connects to an unknown IP, and cuts the connection. Security staff should be encouraged to investigate these anomalies and empowered to act on them.
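The auditing point above can be made concrete. The following is an added example, not code from the original article or from Sera-Brynn: it runs two simple checks over a constructed connection log, flagging any connection from the database segment to an external address that is not on an egress allowlist, and aggregating small external transfers per source/destination pair so that a "low and slow" exfiltration that stays under a per-connection threshold still trips an alert. The network ranges, addresses, log format and thresholds are all assumptions chosen for illustration.

```python
"""Egress checks over a constructed connection log.

Added example, not from the original article. Every address, log line
and threshold below is constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed log: timestamp, source IP, destination IP, bytes sent.
SAMPLE_LOG = """\
2017-05-13T02:00:01Z 10.20.1.15 10.20.2.40 1200
2017-05-13T02:00:05Z 10.20.1.15 203.0.113.9 4800
2017-05-13T02:00:09Z 10.20.1.15 203.0.113.9 5100
2017-05-13T02:00:14Z 10.20.1.15 203.0.113.9 4950
2017-05-13T02:00:20Z 10.20.1.15 203.0.113.9 5000
2017-05-13T02:01:00Z 10.20.3.7 198.51.100.20 900
2017-05-13T02:01:30Z 10.20.1.15 10.20.2.41 700
"""

# Assumed network layout: the whole internal space, the database segment,
# and the only external destination the database hosts may legitimately reach.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DB_SEGMENT = ipaddress.ip_network("10.20.1.0/24")
EGRESS_ALLOWLIST = {ipaddress.ip_address("198.51.100.20")}  # e.g. a patch mirror

SMALL_TRANSFER_BYTES = 8000     # a single transfer under this looks harmless...
AGGREGATE_ALERT_BYTES = 15000   # ...but the sum per (src, dst) over the window must not exceed this


def parse_log(text):
    """Parse the space-separated log into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)))
    return records


def is_external(addr):
    """External means outside every internal range we own (not 'is_global',
    which would misclassify the documentation ranges used in the sample)."""
    return not any(addr in net for net in INTERNAL_NETS)


def find_unapproved_egress(records):
    """Connections from the DB segment to an external address not on the allowlist."""
    return [
        (ts, str(src), str(dst), nbytes)
        for ts, src, dst, nbytes in records
        if src in DB_SEGMENT and is_external(dst) and dst not in EGRESS_ALLOWLIST
    ]


def find_low_and_slow(records):
    """Small external transfers that, summed per (src, dst), exceed the aggregate threshold.
    The whole sample is treated as one window; a real monitor would bucket by time."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in records:
        if is_external(dst) and nbytes < SMALL_TRANSFER_BYTES:
            totals[(str(src), str(dst))] += nbytes
    return {pair: total for pair, total in totals.items() if total > AGGREGATE_ALERT_BYTES}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_unapproved_egress(recs):
        print("unapproved egress:", hit)
    for (src, dst), total in find_low_and_slow(recs).items():
        print(f"low-and-slow: {src} -> {dst} moved {total} bytes in small transfers")
```

On the sample, the four connections from 10.20.1.15 to 203.0.113.9 are each individually small, but both checks catch them: the destination is not on the allowlist, and the transfers sum to 19,850 bytes. The connection from 10.20.3.7 to the allowlisted patch mirror is not flagged. The allowlist is the important design choice: a database segment should have a short, explicit list of permitted external destinations, so that anything else is an anomaly worth a human's attention rather than noise.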
There are several other controls in the frameworks and in industry best practice that may have prevented or at least mitigated the effect of this breach. Key to all of them is understanding where sensitive data exists, the paths an attacker could take to reach it, and what mitigations can be put in place to prevent its loss.
The C-suite may not understand why this is necessary and may not allocate the funds to resource the effort properly. Equifax provides an excellent case study on why these efforts should be implemented and maintained. Following the announcement of the breach, Equifax shares reportedly plunged the most in 18 years. Proposed class-action lawsuits have been filed, and there are calls for state and federal investigations.
For additional information on Risk Assessments, DFARS 252.204-7012, NIST SP 800-171 or Cybersecurity Requirements for Financial Services Companies, please contact Sera-Brynn at firstname.lastname@example.org.
For more information, visit https://sera-brynn.com/dfars/.
Sera-Brynn is a FedRAMP-authorized assessor and leading cyber risk management firm. The Virginia-based company offers threat management, compliance and risk assessment, risk control, and incident response services that enable clients to secure their computing environments and meet applicable and mandatory cybersecurity regulatory standards. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is ranked #9 worldwide on the Cybersecurity 500 list.
About Colin Glover
As a Senior Security Analyst at Sera-Brynn, Colin provides risk management and compliance audits to clients across a wide variety of industries. He has over 15 years of experience in risk management, incident response, security policy, continuity planning, crisis communications, analysis, and collection. Prior to Sera-Brynn, Colin was a Counterintelligence Special Agent for the Defense Security Service, focused on protecting technology and data within the Defense Industrial Base; specifically, he sought to identify and protect against APT attacks directed at contractor networks. Among other certifications, he is a Certified Information Systems Security Professional. Colin holds a Bachelor of Science from Excelsior College and a Master's in Mechanical and Aerospace Engineering from the University of Virginia.