Would Better Risk Management Based on DFARS/NIST 800-171 or the NY Financial Institution Rules Have Thwarted the Equifax Breach?
By Colin Glover, Senior Security Analyst, Sera-Brynn, LLC.
Recently, the credit rating company Equifax announced a huge breach impacting up to 143 million U.S. consumers, exposing their names, Social Security numbers, birth dates, home addresses and some drivers’ license information and credit card numbers. According to the Equifax September 7, 2017 press release, Equifax’s database was breached through a vulnerability on its website. Other news reports indicate that it was an Apache Struts vulnerability which let attackers access the database. Apache released a statement saying that either it was a zero-day attack or a previously announced vulnerability that was left unpatched and subsequently exploited.
How can compliance with a security framework, such as NIST 800-171, required under DFARS 252.204-7012, or the new New York cyber security regulation, Cybersecurity Requirements for Financial Services Companies, help prevent these types of incidents?
There are several other controls in the frameworks and industry best practices which may have prevented or at least mitigated the effect of this breach. Key to all of this is understanding where sensitive data exists, the paths that an attacker could take to access that data, and what mitigations can be put in place to prevent its loss.
C-suite executives may not understand why this is necessary and may not allocate the funds to properly resource this effort. Equifax provides an excellent case study on why these efforts should be implemented and maintained. Following the announcement of the breach, Equifax shares reportedly plunged the most in 18 years. Proposed class-action lawsuits have been filed. There are calls for state and federal investigations.
For additional information on Risk Assessments, DFARS 252.204-7012, NIST SP 800-171 or Cybersecurity Requirements for Financial Services Companies, please contact Sera-Brynn at firstname.lastname@example.org.
For more information, visit https://sera-brynn.com/dfars/.
Sera-Brynn is a FedRAMP-authorized assessor and leading cyber risk management firm. The Virginia-based company offers threat management, compliance and risk assessment, risk control, and incident response services that enable clients to secure their computing environments and meet applicable and mandatory cybersecurity regulatory standards. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is ranked #9 worldwide on the Cybersecurity 500 list.
About Colin Glover
As a Senior Security Analyst at Sera-Brynn, Colin provides risk management and compliance audits to clients across a wide variety of industries. He has over 15 years of experience in risk management, incident response, security policy, continuity planning, crisis communications, analysis, and collection. Prior to Sera-Brynn, Colin was a Counterintelligence Special Agent for the Defense Security Service focused on protecting technology and data within the Defense Industrial Base. Specifically, he sought to identify and protect against APT attacks directed at contractor networks. Among other certifications, he is a Certified Information Systems Security Professional. Colin holds a Bachelor of Science from Excelsior College and a Master’s in Mechanical and Aerospace Engineering from the University of Virginia.