Pages: 7 pages/≈1925 words
Sources: -1
Style: MLA
Subject: IT & Computer Science
Type: Essay
Language: English (U.S.)
Document: MS Word
Topic:

EAC3214 – Accounting Information Systems Information Technology (IT) Failures Paper and Presentation

Essay Instructions:

Directions:

Identify an information technology (IT) failure impacting financial/accounting data in a company within the last five years. The IT failure must have resulted from either poor information security, external cyberattacks, breach of information, inside jobs to manipulate/steal information, lack of regulatory compliance, etc. Then, address the following:

1. Summarize the IT failure, and provide brief background information about the company affected.
2. List the related information systems/technology controls that could have prevented and/or detected the failure. Explain your reasoning.
3. How would the controls you listed above have helped safeguard the confidentiality, integrity, and availability (also referred to as C.I.A.) of data? Hint: define C.I.A. first, then address the question.
4. As an IS Counselor/Advisor/Auditor, what other suggestions, recommendations, and/or improvements would you communicate to Management and the Board of Directors of the company affected?
5. List the References used.

Parameters: Submission Guidelines and Format:

• Present your work in a brief (7-10 pages) MS Word paper.
• Create a PowerPoint presentation to illustrate your paper as though you were presenting it in person.
• Copy and paste your paper into the Notes area of the PowerPoint presentation with the appropriate text accompanying the slide you would be showing if you were presenting that part of the paper. The entire paper should be included in the presentation, but you are not required to create more than six slides.
• Be sure the work is your own and that any sources you use are properly cited and included in the References section.
• To guide your work, imagine you are communicating your results to the Board of Directors of a company.

• Post your presentation on the Week 6 discussion board and submit your paper to the digital drop box by 11:59 p.m. ET on Sunday of Week 6.
• The discussions in Weeks 7 and 8 will center on the presentations posted in Week 6.
• A significant portion of your grade for this project may be the result of comments posted by your peers.

Essay Sample Content Preview:
Name:
Course Code:
Date:
Information Technology (IT) Failures: Equifax
Failure Summary and Company profile
On September 7th, 2017, Equifax acknowledged to the public that it had suffered a security breach and that the data of at least 140 million Americans, Canadians and British citizens had been compromised. By the time of discovery, the hackers had compromised the Equifax system for 76 days and exfiltrated terabytes of data. The hackers accessed and exfiltrated names, addresses, dates of birth, social security numbers and driver's license numbers. Additionally, they accessed nearly 200,000 credit card records. This breach was the second in a few months, following an earlier one that had taken place in March 2017.
Equifax is one of the largest credit reporting agencies in the United States. The company collects information on over 800 million consumers and 88 million businesses around the world. The company is headquartered in Atlanta, Georgia, and has about 10,000 employees worldwide. It is also a publicly traded company on the NYSE.
Equifax was hacked through its consumer complaint web portal. The web portal had a vulnerability that had been publicized earlier and for which a patch had been developed. On March 6th, the Apache Software Foundation discovered a vulnerability that hackers could exploit in web applications developed using Apache Struts. The vulnerability allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header and open the system to further intrusion (Joskowicz). Hackers could tuck malicious code into the Content-Type header, and the server could be tricked into executing it. The Apache Software Foundation released a patch on March 8th, 2017, and Equifax administrators were told to apply it on March 9th (Fruhlinger). Investigations revealed that the initial intrusion into Equifax systems took place on March 10th. Equifax did not apply the patch, and hackers scanning the internet for the vulnerability came across Equifax and infiltrated the system. Equifax also hired a security company, Mandiant, to find any vulnerabilities in its system; Mandiant discovered several and warned Equifax of the unpatched web portal.
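As an added illustration of the Content-Type header abuse described above (not part of the original essay, and not Equifax's or Apache's code), the following detector checks logged header values against the HTTP media-type grammar and flags anything that does not parse. The JSON log format, field names, paths, addresses and the 256-character cap are assumptions, and the sample records are constructed.

```python
import json
import re

# Token characters from the HTTP grammar (RFC 7230), used by media types (RFC 7231).
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = rf'{TOKEN}=(?:{TOKEN}|"(?:[^"\\]|\\.)*")'
MEDIA_TYPE = re.compile(rf"{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{PARAM})*[ \t]*")
MAX_LEN = 256  # assumption: generous cap for a legitimate header value

# Constructed sample records (one JSON object per line); not real traffic.
SAMPLE_LOG = r'''
{"ts": "2000-01-01T00:00:01Z", "src": "198.51.100.23", "method": "POST", "path": "/portal/submit", "content_type": "application/x-www-form-urlencoded"}
{"ts": "2000-01-01T00:00:02Z", "src": "198.51.100.24", "method": "POST", "path": "/portal/upload", "content_type": "multipart/form-data; boundary=----constructed123"}
{"ts": "2000-01-01T00:00:03Z", "src": "192.0.2.10", "method": "POST", "path": "/portal/submit", "content_type": "text/plain; charset=\"utf-8\""}
{"ts": "2000-01-01T00:00:04Z", "src": "203.0.113.7", "method": "POST", "path": "/portal/upload", "content_type": "%{constructed-expression}.multipart/form-data"}
{"ts": "2000-01-01T00:00:05Z", "src": "192.0.2.11", "method": "GET", "path": "/portal/", "content_type": null}
'''


def check_content_type(value):
    """Return the reasons a Content-Type value is suspicious (empty list if clean)."""
    reasons = []
    if len(value) > MAX_LEN:
        reasons.append("too-long")
    if not MEDIA_TYPE.fullmatch(value):
        reasons.append("not-a-media-type")
    return reasons


def scan(log_text):
    """Return (ts, src, path, reasons) for every request with a suspicious header."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ct = rec.get("content_type")
        if ct is None:  # requests without a body carry no Content-Type
            continue
        reasons = check_content_type(ct)
        if reasons:
            findings.append((rec["ts"], rec["src"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A check like this is a detective control that complements patching; it does not replace applying the vendor fix.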
In May, the hackers moved from the web portal to other servers. They had lain low for nearly two months. Equifax had not segmented its servers appropriately from one another. It had also overlooked important security features such as encrypting passwords. The hackers came across some plaintext usernames and passwords as they continued exploiting Equifax servers (Fruhlinger). The breach went on for nearly two months undetected as they moved encrypted data from the servers. The hackers encrypted the data to avoid detection by the intrusion detection systems at Equifax. Equifax had failed to renew its encryption certificates 10 months earlier, and the hackers encrypted their data to tunnel it out of the servers undetected. Unencrypted data could have triggered red flags, and the breach could have been detected.
Information systems/technology controls that could have prevented and/or detected the failure.
The Equifax breach was entirely preventable. One of the ways in which the breach could have been prevented was by applying the patch released by the Apache Software Foundation on March 8th to fix the Content-Type header vulnerability. Since the initial intrusion into the system was carried out on March 10th, Equifax could have averted the hack had it installed the patch and protected its systems from intrusion. Additionally, other vulnerabilities were identified by the security company Mandiant, including the problem described above in enterprise Java applications developed using Apache Struts. Equifax had also come across several vulnerabilities in its routine systems scan: it had carried out its own IT system audit on March 15th, which still identified the same problem and recommended that it be fixed (Fruhlinger). Thus, the weakness behind the Equifax breach had been flagged twice, by internal system auditors and by Mandiant, and it had not been fixed. Apache had released the patch, and the Equifax administrators were aware of how to fix the problem but did not fix it.
Secondly, one of the ways in which the breach could have been detected was by the intrusion detection systems that were supposed to flag any unencrypted data in the system. Equifax had failed to renew the encryption certificate on one of its internal security tools (Fruhlinger). As a security measure, Equifax had installed a system that decrypted, analyzed and re-encrypted internal network traffic. This tool was designed specifically to sniff out any data exfiltration. Crucially, Equifax had failed to renew the license that re-encrypted the traffic, because the tool needed a public key certificate that was purchased from third-party companies. Equifax had not renewed this license, and therefore this internal tool was virtually ineffective in detecting the data exfiltration. The hackers were also extra cautious and installed systems that encrypted the exfiltrated data as they moved it over the internet, making it harder for Equifax admins to spot it (Fruhlinger). Thus, Equifax had failed to renew the license for a crucial security tool that could have helped ensure that the information in the servers was protected against exfiltration by attackers.
Thirdly, Equifax overlooked one of the old-school security approaches that could have protected its systems against the breach. Segmenting servers helps contain an intrusion to one system. The hackers were able to gain access to Equifax systems through the consumer complaint portal and navigated to other areas where more sensitive information was stored. Segmenting servers is a simple approach to security systems that can slow down attack...