This document provides a detailed incident report and analysis of the Equifax data breach, including a timeline of events, technical analysis, assessment of threats and risks, and recommendations for future prevention.
Incident Report
Contents
INTRODUCTION
Timeline of events and actions
Technical analysis
Assessment of threats and risks
Organisational response
Recommendations
CONCLUSION
REFERENCES
INTRODUCTION

Equifax is one of the three largest credit reporting agencies in the US. In September 2017 it announced that its systems had been breached and that the personal data of approximately 148 million Americans had been compromised (the figure given in the first announcement was 143 million; it was revised upwards as the investigation progressed). The breached data included names, phone numbers, addresses, dates of birth, Social Security numbers and driver's license numbers. Equifax also admitted that the credit card numbers of approximately 209,000 consumers had been exposed. Many breaches had occurred at other organisations in the past, but the sensitivity of the information held by Equifax made this event unprecedented. The attackers succeeded because of a vulnerability in Apache Struts, the failure of internal staff and processes to patch it, and the non-renewal of an encryption certificate on an internal inspection tool (Alavi, Islam and Mouratidis, 2016). The result was a breach that went undetected for months. The investigation was carried out by the security firm Mandiant. In response, Equifax created a separate domain, equifaxsecurity2017.com, for consumers to check whether they were affected; the phishing exposure this created is discussed under Organisational response below.

Timeline of events and actions

Several events took place in the course of the incident. It began on March 7, 2017, when the vulnerability was announced and a patch released. On March 9, 2017 an internal e-mail was sent within Equifax instructing that Apache Struts be patched. On March 15, 2017 Equifax's information security department ran scans but did not find the vulnerable system, and the vulnerability remained unpatched until July 29, 2017. On that date the information security department noticed suspicious network traffic associated with its online dispute portal and applied the Apache patch. On July 30, 2017 further suspicious activity was observed and the web application was taken offline. Three days later the organisation hired the cybersecurity firm Mandiant to conduct an investigation. The investigation revealed that 145.5 million people had been affected by the breach.
The breach was made public on September 7, 2017. Allegations of insider trading followed, because top executives had sold company stock in early August; the sales were suspected of being one reason for the month-long delay between discovery and public disclosure. An earlier event that had already pointed to weak security at Equifax was the theft of tax and salary data of around 431,000 people from the company (Anisimov, Zegzhda, Anisimov and Bazhin, 2016).
In response to the incident, Equifax created a separate domain, equifaxsecurity2017.com, where consumers could check whether their information had been compromised in the breach. The developer Nick Sweeting then registered the look-alike domain securityequifax2017.com to demonstrate how easily the legitimate site could be imitated for phishing.

Technical analysis

Equifax is a credit reporting agency (CRA), also known in the US as a credit bureau, and one of the three major credit reporting agencies in the US. It holds information on 800 million individual consumers and more than 88 million businesses worldwide. The main work of a credit reporting agency is to compile reports on individuals that detail a person's credit history, including any outstanding loan and credit card payments. CRAs do not collect this information from individuals directly; they obtain it from businesses, credit card companies, banks, employers, landlords and others. The information is then used when an individual applies for credit: the lender asks a CRA such as Equifax for information about the applicant's history of repaying earlier debts (de Gusmão et al., 2016). A positive repayment history allows the lender to extend more credit and to charge an appropriate interest rate. Besides lenders, landlords consult credit reports before accepting a tenant, and employers before hiring. Credit reports therefore have a major impact on people's lives.

On September 7, 2017, Equifax announced that the data of around 143 million US consumers had been breached. In the same announcement it stated that consumers in the UK and Canada were also affected.
Equifax stated that the intrusion took place from mid-May through July 2017. The attackers obtained data not only from Equifax's core consumer credit reporting databases but also through the organisation's US online dispute portal web application. The consumer data obtained by the attackers included:
• Names
• Social Security numbers
• Birth dates
• Addresses
• Driver's license numbers

The crisis began in March 2017. In that month a vulnerability, designated CVE-2017-5638, was disclosed in Apache Struts, an open source development framework for building enterprise Java applications that Equifax, along with thousands of other websites and businesses, uses to run its operations. If an attacker sent HTTP requests with malicious code embedded in the Content-Type header, Struts could be tricked into executing that code, potentially opening the system Struts was running on to further intrusion (Han, Huang, Li and Ren, 2016). On March 7 the Apache Software Foundation released a patch for the vulnerability; on March 9 Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so did not. On March 15 Equifax's IT department ran a series of scans that were supposed to identify unpatched systems; there were in fact multiple vulnerable systems, including the web portal mentioned above, but the scans appear not to have worked, and none of the vulnerable systems was flagged or patched.

Alarmed by a series of incidents in which criminals had used Social Security numbers stolen elsewhere to log into Equifax sites, the company had earlier hired the security consulting firm Mandiant to assess its systems. Mandiant warned Equifax about numerous unpatched and misconfigured systems, and the relationship broke down acrimoniously within a few weeks.

Forensic analysis carried out after the fact revealed that the initial breach date was March 10, 2017: that was when the web portal was first penetrated through the Struts vulnerability. However, the attackers do not appear to have done much immediately.
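The two controls that failed in the paragraphs above, patch management and detection of the attack traffic, can both be expressed as simple checks. The following Python is an added example and is not part of the original report or of any Equifax or Apache code: it checks an Apache Struts version string against the affected range published in the Apache S2-045 advisory for CVE-2017-5638 (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1), and it flags raw HTTP requests whose Content-Type header carries an OGNL expression marker, which is the shape the public exploits took. The sample requests, the host name and the version strings are constructed for the example; the second request is deliberately inert and only carries the marker.

```python
import re

# Affected range from the Apache S2-045 advisory for CVE-2017-5638:
# Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 and 2.5.10.1).
def struts_version_vulnerable(version: str) -> bool:
    """Return True if this Apache Struts 2 version is affected by CVE-2017-5638."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)          # "2.5" means 2.5.0
    major, minor, patch = parts[0], parts[1], parts[2]
    if (major, minor) == (2, 3):
        return 5 <= patch <= 31
    if (major, minor) == (2, 5):
        if patch < 10:
            return True
        # 2.5.10 is affected; 2.5.10.1 (four components) is the fixed release
        return patch == 10 and len(parts) == 3
    return False


def parse_request_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP request into a dict keyed by lowercase name."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":
            break                                # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# The public exploits put an OGNL expression, which begins with "%{" or "${",
# into the Content-Type header; Struts' multipart parser copied the header into
# an error message that was then evaluated as OGNL. A legitimate Content-Type
# never contains these sequences, so their presence is a high-confidence indicator.
OGNL_MARKER = re.compile(r"[%$]\{")

def is_cve_2017_5638_attempt(headers: dict) -> bool:
    """True if the Content-Type header carries an OGNL expression marker."""
    return OGNL_MARKER.search(headers.get("content-type", "")) is not None


def flag_requests(raw_requests) -> list:
    """Return the indexes of requests that look like CVE-2017-5638 exploit attempts."""
    return [i for i, raw in enumerate(raw_requests)
            if is_cve_2017_5638_attempt(parse_request_headers(raw))]


# Constructed sample traffic (hypothetical host): one ordinary multipart upload
# and one exploit-shaped request whose expression is inert and only carries the marker.
SAMPLE_REQUESTS = [
    "POST /dispute/upload HTTP/1.1\r\n"
    "Host: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "Content-Length: 138\r\n"
    "\r\n"
    "------WebKitFormBoundary7MA4YWxk--\r\n",

    "POST /dispute/upload HTTP/1.1\r\n"
    "Host: portal.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#nop=1)}\r\n"
    "Content-Length: 0\r\n"
    "\r\n",
]

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if struts_version_vulnerable(ver) else "patched")
    print("exploit-shaped requests:", flag_requests(SAMPLE_REQUESTS))
```

The version check is the kind of test a vulnerability scan should have applied to every host running Struts on March 15; the header check is a compensating control only, suitable for a WAF rule or for running over web server logs, and it does not remove the need to upgrade to a fixed release.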
It was not until May 13, 2017, in what Equifax referred to in the GAO report as a "separate incident", that the attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest (Hoffmann, Kiedrowicz and Stanik, 2016). From May through July 2017 the attackers were able to access numerous Equifax databases containing information on very large numbers of individuals; as noted, a number of poor data governance practices made their movement through Equifax's systems possible.

At this point another serious Equifax failure came into play. Like many cyber thieves, Equifax's attackers encrypted the data they were moving in order to make it harder for administrators to spot; like many large enterprises, Equifax had tools that decrypted, analysed and then re-encrypted internal network traffic specifically to detect data exfiltration events of this kind. But in order to re-encrypt that traffic, these tools need a public key certificate, which is purchased from a third party and must be renewed annually. Equifax had failed to renew one of its certificates nearly ten months earlier, which meant that encrypted traffic was not being inspected (Johnson et al., 2016). The expired certificate was not discovered and renewed until July 29, 2017, at which point Equifax administrators almost immediately began noticing the previously hidden suspicious activity; this was when Equifax first became aware of the breach. It took another full month of internal investigation before Equifax made the breach public, on September 7, 2017. Several top Equifax executives sold company stock in early August, raising suspicions that they had got ahead of the inevitable fall in share price that would follow once the information came out. They were cleared, though one lower-level executive was charged with insider trading (Equifax data breach, 2020).

It is clear from the above description that a number of security lapses allowed the attackers to enter supposedly secure systems and exfiltrate terabytes of data. The overall picture of the breach that emerges from the description is as follows:
• Initially, the organisation was hacked through a consumer complaint web portal. The attackers used a widely known vulnerability that should have been patched in time; this was not done because of the failure of Equifax's internal processes.
• Inadequate segmentation of systems allowed the attackers to move from the web portal to other servers. This also gave them the opportunity to find usernames and stored passwords with which they accessed further systems.
• Equifax's failure to renew an encryption certificate on one of its internal security tools allowed data to be pulled from the network in encrypted form without detection.
• Equifax also withheld information about the breach for more than a month after identifying it. During that period stock was sold by top executives, which gave rise to the allegations of insider trading (Kim and Choi, 2020).

The consumer reporting industry has a poor history of cybersecurity, and data breaches extend well beyond Equifax to other organisations.
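The certificate lapse described above is a monitoring failure rather than a cryptographic one: nothing alerted anyone that the inspection tool's certificate had expired, so the tool stopped inspecting silently. The following Python is an added example, not part of the original report or of any Equifax tooling. It walks an inventory of certificates whose expiry dates are in the format Python's ssl.getpeercert() uses for the notAfter field and reports every certificate that has already expired or will expire within a warning window. The inventory entries, the host names and the reference date are constructed for the example; the first entry mirrors the report's scenario of a certificate that had lapsed about ten months before the July 29, 2017 discovery, and the subject is simplified to a plain string.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory (hypothetical hosts). 'notAfter' uses the string form that
# ssl.SSLSocket.getpeercert() returns ("Mon DD HH:MM:SS YYYY GMT"); 'subject' is
# simplified to a string for the example.
SAMPLE_CERTS = [
    {"subject": "tls-inspect.corp.example",   "notAfter": "Oct  2 00:00:00 2016 GMT"},
    {"subject": "dispute-portal.corp.example", "notAfter": "Aug 10 00:00:00 2017 GMT"},
    {"subject": "intranet.corp.example",       "notAfter": "Jan 15 00:00:00 2019 GMT"},
]

# Reference date for the demonstration (the day the lapse was found in the report);
# a scheduled job would use datetime.now(timezone.utc) instead.
REFERENCE_NOW = datetime(2017, 7, 29, tzinfo=timezone.utc)


def cert_not_after(cert: dict) -> datetime:
    """Convert a getpeercert-style notAfter string into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def check_certificates(certs, now=None, warn_days=30) -> list:
    """Return (subject, status, days) for every certificate that has already
    expired ('EXPIRED', days since expiry) or will expire within warn_days
    ('EXPIRING', days left). Certificates outside the window are not reported."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cert in certs:
        days_left = (cert_not_after(cert) - now).days
        if days_left < 0:
            findings.append((cert["subject"], "EXPIRED", -days_left))
        elif days_left <= warn_days:
            findings.append((cert["subject"], "EXPIRING", days_left))
    return findings


if __name__ == "__main__":
    for subject, status, days in check_certificates(SAMPLE_CERTS, REFERENCE_NOW):
        print(f"{status:8} {subject}: {days} days")
```

Run against the reference date this reports the inspection tool's certificate as 300 days expired and the portal's as expiring in 12 days. A check like this belongs on every certificate an internal tool depends on, not only on internet-facing hosts, and the alert should go to whoever can renew it. When collecting expiry dates from live endpoints, note that getpeercert() returns the parsed dictionary only for certificates that passed verification; an already-expired certificate fails verification, so it has to be fetched with getpeercert(binary_form=True) and parsed separately.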
Many incidents had occurred in the past at Equifax and at other organisations that showed the need for better security. Equifax took no action at the time, which led to the data breach of 2017. Past incidents at Equifax and other organisations include:
• In May 2016 thieves stole the tax and salary data of more than 431,000 people from Equifax.
• In October 2015 Experian was breached and the records of 15 million T-Mobile customers were exposed, including names, addresses, SSNs, dates of birth and identification numbers.
• In March 2013 the three credit reporting agencies Equifax, Experian and TransUnion were breached at the same time and the credit reports of celebrities were exposed (Li et al., 2018).
These are only a few examples; there have been many more as the number of breach cases has risen globally. Some of these are listed below:
• The Yahoo breach of 2013, in which hackers stole the names, birth dates and passwords of more than 3 billion users. This was considered the largest data breach on record.
• The 2015 data breach at the Office of Personnel Management, which compromised the personal data, including biometric identifiers, of more than 20 million people, many of them in connection with security clearances.
• Data breaches at Chipotle, Home Depot and Target, in which credit card numbers relating to 100 million people were stolen.
• Data breaches at large banks, educational institutions, healthcare providers and many other businesses.
The theft of identity information is a serious problem for consumers. The Federal Trade Commission reported 399,225 identity theft complaints in 2016. In 29% of these the personal data was used for tax fraud, and in 32% it was used for credit card fraud, up from 16% in 2015.
A 2015 report of the Department of Justice stated that 86% of identity theft victims experienced fraudulent use of existing account information, such as credit card and bank account details. The same report put the cost to the US economy at up to $15.4 billion (Semin, Shmakova and Los, 2017). Theft of personally identifiable information can derail a person's financial future. Criminals who steal such information use it to open bank accounts,
credit cards, take out loans and carry out other financial activities in someone else's name. The negative consequences that consumers have to bear include:
• Being refused credit cards and loans in future
• Being unable to rent a house or find accommodation elsewhere
• Increased interest rates on existing credit cards
• Difficulty in getting a job
• Severe distress and anxiety

Assessment of threats and risks

Numerous vulnerabilities created the security lapses in this incident. They are listed below:
• Failure of internal staff and processes to identify and patch vulnerabilities.
• Lack of segmentation between systems, which allowed movement from one web portal to other servers.
• Failure to renew the encryption certificate, which allowed information to be exfiltrated without any detection (Shameli-Sendi, Aghababaei-Barzegar and Cheriet, 2016).
• The vulnerability in Apache Struts, the open source development framework used to build enterprise Java applications.
All of these vulnerabilities contributed to the incident. The two that did the most damage in the Equifax case were the Apache Struts vulnerability and the non-renewal of the encryption certificate: the Struts vulnerability allowed the web portal to be breached, while the expired certificate allowed encrypted data to be pulled out without detection. The end result for the organisation was the loss of identity data of around 145.5 million people. Many other risks exist in an information system environment that can result in the breach of confidential information. Understanding these risks is important for improving security and bringing stability to the working of this industry.
This in turn provides the opportunity to build public trust in the industry's functions and to contribute more to the development of the economy. The different risks are described below:
Hardware and software failure: Power loss and data corruption, which create the risk of data loss or breach.
Malware: Software designed to disrupt computer operation, which can also be used to steal data.
Viruses: Computer code that copies itself and spreads from one computer to another, disrupting operations and creating opportunities for data breach.
Spam, scams and phishing: Unsolicited e-mails that trick people into revealing personal details, which can then be used to obtain further personal information (Singh, Joshi and Gaud, 2016).
Human error: Mistakes such as careless data disposal that result in data breach.
Hackers: People who illegally break into systems to obtain private information.
Fraud: Manipulation to obtain illegal benefits, which can also be used to breach data.
Denial of service: Online attacks that deny access to authorised users; these can form part of attempts to obtain personal information.
Security breaches: Physical break-ins as well as online intrusion, both of which play a large part in breaches of personal information (Soomro, Shah and Ahmed, 2016).

Organisational response

Equifax set up a separate domain, equifaxsecurity2017.com, for consumers to check whether their data had been compromised in the breach. The site itself was flagged as a possible phishing site. The developer Nick Sweeting registered securityequifax2017.com to demonstrate how easily the legitimate site could be impersonated, which showed how poorly consumers were protected from phishing.

Recommendations

This section gives recommendations for improving security within the organisation. Their purpose is to build a strong working culture so that nothing that could result in a data breach happens again. Both short term and long term recommendations are given below.

Short term recommendations
These are activities for recovering from the impact of the breach and making the amendments needed to improve working practices quickly. The recommendations are:
Training of cyber security staff: Training is necessary because it develops staff skills and knowledge. The breach would not have occurred if internal staff had identified the vulnerability and the attacks in time, so training to improve technical knowledge is important (Thomas and Galligher, 2018).
Regular review of policies and procedures: Regular review of policies and the procedures applied helps work to be carried out with proper focus so that nothing is missed. Had this been done, the organisation could have protected itself, because non-renewal of the encryption certificate was one of the major causes of the breach.
Deployment of annual staff training: Annual training sessions also give the opportunity to gather feedback from employees on working conditions and other possible improvements, which helps the organisation adopt new approaches as needs arise and remove existing problems.
Prioritise risk assessments: Risks must be prioritised. In the information security industry the safety of data is paramount, and every organisation must give it priority rather than concentrating on business growth or profit (Webb et al., 2016).
Assess and improve: Regular assessment and improvement allows new changes to be implemented as security needs evolve, protecting consumers' personal data.

Long term recommendations

These are activities, strategies and plans for ensuring the long term security of the organisation's operations. Their purpose is to build a strong and secure working structure that cannot be breached in future.
The recommendations are:
Designing safe systems: Develop systems that are secure by design so that they cannot be breached.
Keeping all software up to date: Update software regularly so that known bugs cannot be used to breach personal information.
Use of security software: Use security software to trace unauthorised activity and safeguard important data.
Layering of security software: Layering is important because it provides protection against high-severity risks; layered defences help with both identification and protection (Wei, Wu and Chu, 2018).
Contingency plan: A contingency plan, with actions prepared for different risks, helps the organisation respond effectively in future.

CONCLUSION

It can be concluded from the above report that information system security is important for minimising risk. It allows an organisation to operate competently in a market where no one is able to breach its operations. Regular updating of software and training of staff are the most important measures for improving security.
REFERENCES

Books and Journals

Alavi, R., Islam, S. and Mouratidis, H. (2016). An information security risk-driven investment model for analysing human factors. Information & Computer Security.
Anisimov, V. G., Zegzhda, P. D., Anisimov, E. G. and Bazhin, D. A. (2016). A risk-oriented approach to the control arrangement of security protection subsystems of information systems. Automatic Control and Computer Sciences, 50(8), 717-721.
de Gusmão, A. P. H. et al. (2016). Information security risk analysis model using fuzzy decision theory. International Journal of Information Management, 36(1), 25-34.
Han, Z., Huang, S., Li, H. and Ren, N. (2016). Risk assessment of digital library information security: a case study. The Electronic Library.
Hoffmann, R., Kiedrowicz, M. and Stanik, J. (2016). Risk management system as the basic paradigm of the information security management system in an organization. In MATEC Web of Conferences (Vol. 76, p. 04010). EDP Sciences.
Johnson, P. et al. (2016). Quantitative information security risk estimation using probabilistic attack graphs. In International Workshop on Risk Assessment and Risk-driven Testing (pp. 37-52). Springer, Cham.
Kim, S. and Choi, M. (2020). Educational requirement analysis for information security professionals in Korea. Journal of Information Systems Education, 13(3), 11.
Li, S. et al. (2018). An improved information security risk assessments method for cyber-physical-social computing and networking. IEEE Access, 6, 10311-10319.
Semin, V. G., Shmakova, E. G. and Los, A. B. (2017). The information security risk management. In 2017 International Conference "Quality Management, Transport and Information Security, Information Technologies" (IT&QM&IS) (pp. 106-109). IEEE.
Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M. (2016). Taxonomy of information security risk assessment (ISRA). Computers & Security, 57, 14-30.
Singh, U. K., Joshi, C. and Gaud, N. (2016). Information security assessment by quantifying risk level of network vulnerabilities. International Journal of Computer Applications, 156(2), 37-44.
Soomro, Z. A., Shah, M. H. and Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.
Thomas, J. and Galligher, G. (2018). Improving backup system evaluations in information security risk assessments to combat ransomware. Computer and Information Science, 11(1).
Webb, J., Ahmad, A., Maynard, S. B. and Shanks, G. (2016). Foundations for an intelligence-driven information security risk-management system. Journal of Information Technology Theory and Application (JITTA), 17(3), 25-51.
Wei, Y. C., Wu, W. C. and Chu, Y. C. (2018). Performance evaluation of the recommendation mechanism of information security risk identification. Neurocomputing, 279, 48-53.

Online

Equifax data breach. (2020). [Online]. Available through: <https://epic.org/privacy/data-breach/equifax/>