It’s Big, Bad, and Ugly
It’s happening again. Equifax, the credit rating agency giant for private and corporate entities, was breached, and sensitive information of half of US citizens – 143 million Americans – was exposed. The company waited two months to report the breach, which actually occurred in May.
In 2014, a break-in into Yahoo! servers affected approximately one billion customers, but in the case of Equifax, US social security numbers, dates of birth, addresses, licenses, phone numbers, and credit card numbers were all exposed. This is sensitive data required for secure identification with any official entity, and now this information is available on the network to any criminal or body of interest. It’s quite possible we will soon see the American version of “Agron 2017”, and then the party will really begin. (“Agron” is a software database built from the information leaked from Israel’s Ministry of Interior in 2006 and includes information on all citizens from that year – IDs, parents’ names, siblings’ names, and other sensitive information.)
A few days after the report (on August 2nd), Equifax brought on the services of cyber company Mandiant, which is owned by FireEye International, to conduct a comprehensive investigation. But the damage is beyond repair.
First-Responders: Calling All Cyber Forensic Specialists on Deck
For those who don’t know the field of cyber world forensics, it’s a wide range of areas including the investigation of operating systems (Windows, Linux, Mac), mobile data, network traffic, malware, and more. When forensics researchers approach the investigation, they have to check everything. They start by backing up data, listening to network traffic, and checking logs (of all systems), to discover whether suspicious activity can be identified. They then go on to identify and analyze suspicious files. This is a hot, advanced and internationally in-demand specialization, especially among military and police units that need this knowledge to carry out investigations and to identify when an attack began, exactly what happened, and how to track the thieves.
What’s interesting is that a few days before Mandiant was brought on, a group of hackers called “31337” (a number that represents the word ‘elite’) published numerous files belonging to an Israeli analyst, Adi Peretz, who works for the same company – Mandiant. Of course, this prompted many questions from the cyber community, including whether FireEye itself was breached – thus resulting in sharp declines on Wall Street.
Who Dunnit? Who’s to Say
The attack on Equifax’s system was actually quite simple and didn’t require any special talent to carry out. The crippling weakness in Apache Struts (a platform for creating web pages written in Java) allowed hackers to run commands remotely on company servers and access sensitive information despite the safeguards that had been implemented. The point of vulnerability was already known in the community by the official name CVE-2017-5638, and even received a security update at the beginning of last March. Unfortunately, Equifax implemented the security update only at the end of July, leaving them exposed to attacks in the meantime.
From a hacker’s point of view, this database penetration required no special effort. The weakness was so well known that it could be identified by a simple scan, showing the intruder how to breach the organization. This facility raises additional questions. Was Equifax hacked even before May? For sure. How easy is it to find servers with these weaknesses? Very. Today, for example, Shodan–a global scanner used by hackers to find weaknesses in just a few seconds—is readily available. Are there other organizations that are vulnerable to the same attacks? Definitely. A simple scan will show that thousands of servers are continually hacked.
From the point of view of a Chief Information Security Officer (CISO), or anyone with experience in the field, this kind of breach is common among large organizations that invest capital in acquiring the best defense tools, but don’t perform basic protections such as authorization and, in the case of Equifax, the implementation of security updates. In addition, among the most important steps that most organizations miss are the regulation of processes to prevent cyberattacks and determining procedures for how to respond to and recover when an attack takes place.
From an ordinary citizen’s point of view, there is certainly cause for concern. Many of these innocent civilians are often the prey in hackers’ playgrounds – identity theft, stolen credit card purchases, and other horror stories that are revealed long after the crime was committed or, in some cases, are never discovered at all. Many citizens find themselves frustrated by the fact that large companies and organizations, such as Equifax, fail to deal with cybercrimes, and more often than not, it’s impossible to know who committed the crime.
The bad news is that these attacks will only get worse with time. This is an endless war between those who use their knowledge to achieve personal goals and illegal activities (“Black Hat Hackers”) and those who use their knowledge to protect against cyber criminals (“White Hat Hackers”). This war is almost impossible to win. The number of attacks increases every day, and the statistics speak of a huge deficit of 1.5 million experts who by 2020 will be needed to deal with the threats in this field. The high level of sophistication and the ability to perform “Advanced Persistent Threats” is the bane of large organizations that find themselves paying three times more to adopt a “post-hacking” thinking pattern to recover from these cyberattacks than would have paid to set up the necessary defense structure.
More than once, columnists have referred to the idea of a “wild west,” a parallel reality that only some of us can understand and grasp. The Equifax case teaches us that we must not remain indifferent to these threats. Each and every one of us has the responsibility to protect the information in their possession and to seek professional assistance if necessary.
What We Can Do
So what does the future hold? The surge in cyberattacks is not good for national security. Every organization is subject to cyberattacks each day, a fact to which, sadly, some organizations are oblivious. In Israel, the Ministry of Finance requires every company that holds sensitive information about citizens to conduct information security checks at least once every 18 months, with the aim to find security holes before hackers find them and to check the efficacy as well as efficiency of the information-security products that an organization uses. In the US, there is still no coordinated standard for implementing cybersecurity protections.
Penetration tests are like a medical examination of an organization’s systems that is run from the point of view of the attacker, examining existing security measures and providing targeted recommendations for improving information security and closing gaps against hacks, ransom attacks, and more. According to recent data, 60% of the world’s largest organizations have been affected by various types of ransom attacks (an encrypted virus that demands money in virtual currency in exchange for decryption). Over half of the affected companies found themselves helpless and unable to serve their customers for more than 24 hours – causing them unprecedented damage. 70% of those companies paid for the release of encryption (about $2 billion in 2016), but in many cases to no avail, as most were left without money or access to information.
The good news is that awareness of cyber threats is on the rise – from private citizens all the way up to government officials. Last June, Thomas Bossert, Homeland Security Adviser to the US president, announced the establishment of a joint cyber headquarters between the State of Israel and the United States in order to better deal with the growth in the frequency of cyber threats. The establishment of the joint cyber headquarters is paramount on the international level, in that it will increase cooperation among other countries, enabling information sharing and advances in cyber-level defense.
David Shiffman, CTO at ThinkCyber, Lecturer and Head of Information Security and Cyber at HackerU College. In the past, he was the Information Security and Cyber Security Manager of the Shirbit insurance company.