[BreachExchange] Penny Wise, Pound Foolish: Why Don't Corporations Keep Their Systems Up-to-date

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 26 19:12:25 EDT 2017


http://www.econmatters.com/2017/09/penny-wise-pound-foolish-why-dont.html

The Equifax hack, which exposed the personal data of 143 million people to
unknown cybercriminals, was entirely avoidable. The attackers got in through
a flaw in the company's web software for which a fix and a public advisory
had been available since March; the intrusion ran for weeks before it was
detected at the end of July and was not made public until early September.
But it appears that with Equifax, as with many organizations, the unpatched
software was just the beginning of the problems.

During the past three decades we’ve researched, developed and tested
millions of lines of software for many purposes, including national defense
and security, telecommunications, financial services, health care and
online gaming. Over the years we’ve observed that the technical means by
which a breach happens often reveal software vulnerabilities that need
fixing.

But when the digital weaknesses are publicly known before an attack happens
– as with the Equifax case – the more important element is why companies
don’t move more quickly to protect themselves and the people whose data
they store. As suggested by the sudden departure of three top leaders
(including the CEO) at Equifax, some of the problem is technical, but
another big reason has to do with management and organizational structure.

Interconnected complexity

Equifax, like most Fortune 100 firms, was using an open-source software
platform called Apache Struts to run parts of its website. Every major
piece of software has vulnerabilities, almost inevitably. When they’re
found, typically the company or organization that writes the software
creates a fix and shares it with the world, along with notifications that
users should update to the latest version. For regular people, that is
often as easy as clicking a button to agree to update an operating system
or software application.

For businesses, the process can be much harder. In part that’s because many
companies use complex systems of interacting software to run their
websites. Changing one element may affect the other parts in unpredictable
ways. This problem is especially true when companies use the same hardware
and software for many years and don’t keep up with every update along the
way. It only makes matters worse when businesses outsource their software
development and maintenance, denying themselves in-house expertise to call
on when problems arise.

The best practices of cyber hygiene suggest combining development and
operations (known as “DevOps”) so that regular, prompt patches and updates
become a routine, automated part of running the system rather than a
special project. Not practicing good cyber hygiene is like a doctor not
washing her hands: washing up takes extra time and energy, but it protects
thousands of patients from infection.
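The first step in the patching routine described above is knowing which of your components a new advisory actually touches. The following is an added example, not code from Equifax, the Apache Struts project, or the article's authors: it reads the dependency list out of a Maven build file and compares each version against an advisory table. The `pom.xml` and the advisory entries are constructed for illustration; the version boundaries in `ADVISORIES` are written in as placeholders, and in practice they come from the vendor's advisory.

```python
"""Dependency-inventory check: does this build pull in a component version
that a published advisory says is affected?

Added example, not Equifax's or the Struts project's code. SAMPLE_POM and
ADVISORIES are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample build file (not any real project's pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>widgets</artifactId>
      <version>1.4.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory table, one row per release branch:
# (groupId, artifactId, first affected version, fixed-in version).
# Placeholder boundaries for illustration; take real ones from the advisory.
ADVISORIES = [
    ("org.apache.struts", "struts2-core", "2.3.0", "2.3.32"),
    ("org.apache.struts", "struts2-core", "2.5.0", "2.5.10.1"),
    ("org.apache.struts", "struts2-rest-plugin", "2.5.0", "2.5.10.1"),
]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly across
    different lengths, so (2, 5, 10) < (2, 5, 10, 1) as it should."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def _local(tag):
    """Strip the XML namespace that Maven POMs carry on every element."""
    return tag.split("}")[-1]


def dependencies(pom_xml):
    """Return [(groupId, artifactId, version), ...] from a POM string."""
    root = ET.fromstring(pom_xml)
    found = []
    for element in root.iter():
        if _local(element.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        found.append((fields["groupId"], fields["artifactId"], fields["version"]))
    return found


def affected(pom_xml, advisories=ADVISORIES):
    """List every dependency whose version falls in an affected range,
    as (groupId, artifactId, version in use, version that fixes it)."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        in_use = parse_version(version)
        for adv_group, adv_artifact, first, fixed in advisories:
            if (group, artifact) != (adv_group, adv_artifact):
                continue
            # Affected if first <= in_use < fixed on that branch.
            if parse_version(first) <= in_use < parse_version(fixed):
                findings.append((group, artifact, version, fixed))
    return findings


if __name__ == "__main__":
    for group, artifact, version, fixed in affected(SAMPLE_POM):
        print(f"{group}:{artifact} {version} is affected; upgrade to {fixed}")
```

Run against the sample, the check flags `struts2-core 2.3.31` and is silent about the rest plugin, which is already at the branch's fixed version. The point is that the comparison is per release branch: a 2.3.x deployment is not fixed by the existence of a patched 2.5.x release, and a flat "is the latest version installed" question would miss that.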

When cyber hygiene works well, it’s quite effective. In April 2017, news
broke of a major flaw in the Broadcom Wi-Fi chips used in iPhones and many
Android phones that allowed an attacker within Wi-Fi range to take over the
device remotely, without any action by the user. Google and Apple
immediately addressed the issue and distributed patches to fix it. This
quick response indicates those companies have development and operations
processes that meet industry standards for rapid and reliable writing,
testing and rollout of software updates.

Trouble at the top

Beyond the inherent challenges in technology and in current business
practices, corporate management can play a significant role in whether
problems become disasters.

Companies that have systems for regular investment in software maintenance
and rapid reaction to security vulnerabilities can respond to problems very
quickly, as Apple and Google did. Equifax’s slow response suggests it
wasn’t well prepared that way. And the company’s history of outsourcing
development to remote off-shore locations suggests there may not have been
anyone in-house who had worked on the software needing updating.


Making matters worse, the chief security officer, who retired along with
the company’s chief information officer and CEO in the wake of the breach,
appears not to have a technical background. That could help explain why
Equifax experienced back-to-back breaches requiring outside assistance: the
first in March and another in July.

Well-run companies have top executives who know the importance of having
cybersecurity teams ready to work around the clock when vulnerabilities
arise. And leaders need to understand the risks of placing sensitive
information online at all: data that does not need to be reachable from the
internet is safer kept on systems disconnected – or “air-gapped” – from it,
and data that must be online needs to be treated as a target.
Unfortunately, when senior executives at companies aren’t tech-savvy, they
often lack understanding of what’s at stake and how to quickly protect
valuable information.

A long road ahead

It looks like Equifax’s troubles aren’t close to being over. After the
major breach was revealed, it didn’t take long for victims to discover that
even their attempts to freeze their credit would be thwarted by other
examples of Equifax’s poor cyber hygiene: The company-created PIN a
customer would use to unfreeze credit was simply the date and time of the
freeze request, so an attacker who knew roughly when the freeze was placed
had only a few hundred or thousand values to try, not the ten billion a
random ten-digit PIN would allow.
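To make the size of that mistake concrete, here is an added example (not Equifax's code) that puts the timestamp-derived PIN beside a PIN drawn from the operating system's cryptographic random number generator and counts the guesses each one costs an attacker. The exact digit layout of the real PIN (month, day, two-digit year, hour, minute) is an assumption made for illustration; the conclusion does not depend on it, only on the PIN being a function of a time the attacker can narrow down.

```python
"""Weak (timestamp) unfreeze PIN beside a hardened one.

Added example, not Equifax's code. The MMDDYYHHMM layout is an assumption
for illustration.
"""
import math
import secrets
from datetime import datetime, timedelta
from typing import List, Optional

DIGITS = "0123456789"


def weak_pin(freeze_time: datetime) -> str:
    """The weak scheme: PIN derived from when the freeze was requested
    (assumed layout MMDDYYHHMM). Anyone who knows the time knows the PIN."""
    return freeze_time.strftime("%m%d%y%H%M")


def weak_pin_candidates(day: datetime) -> List[str]:
    """Every PIN an attacker has to try if all they know is the day the
    freeze was placed: one per minute of that day, 1440 in total."""
    start = day.replace(hour=0, minute=0, second=0, microsecond=0)
    return [weak_pin(start + timedelta(minutes=m)) for m in range(24 * 60)]


def crack_weak_pin(target: str, day: datetime) -> Optional[int]:
    """Brute-force the weak PIN knowing only the day. Returns how many
    guesses were needed, or None if the freeze was not placed that day."""
    for guesses, candidate in enumerate(weak_pin_candidates(day), start=1):
        if secrets.compare_digest(candidate, target):
            return guesses
    return None


def strong_pin(length: int = 10) -> str:
    """The hardened scheme: digits from the OS CSPRNG (secrets), so the
    PIN is independent of anything an attacker can observe or infer."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def guess_bits(search_space: int) -> float:
    """Entropy, in bits, of a PIN drawn uniformly from search_space values."""
    return math.log2(search_space)


if __name__ == "__main__":
    freeze_at = datetime(2017, 9, 8, 14, 7)
    pin = weak_pin(freeze_at)
    print("weak PIN:", pin, "cracked in", crack_weak_pin(pin, freeze_at), "guesses")
    print("weak PIN, day known: %.1f bits" % guess_bits(24 * 60))
    print("random 10-digit PIN: %.1f bits" % guess_bits(10 ** 10))
    print("strong PIN:", strong_pin())
```

Knowing only the day the freeze was placed cuts the search from about 33 bits (ten billion values) to about 10.5 bits (1440 values), and the attacker in the situation described above usually knows the day, because the victims placed their freezes in the days right after the breach was announced. Note that `crack_weak_pin` compares with `secrets.compare_digest`, which is the comparison the server should also use so that the check itself does not leak timing information about how many leading digits matched.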

More recently, the company’s official Twitter account repeatedly directed
the public not to its own breach-response site but to a look-alike domain
with the same words in a different order. That particular site had been
set up by a security researcher to show how easily the real one could be
impersonated; a criminal registering the same kind of domain could have
used it to collect the personal information people were being asked to
enter.

All these problems, on top of Equifax’s slowness in repairing the key
software vulnerabilities, point to corporate management as a crucial
element in preventing and recovering from security breaches – or making
them worse.