Lessons from the Equifax Breach
The breach that exposed 145 million Americans was very easily preventable. Make sure you don't make the same mistake.
The image most people have of a hacker is that of an unusually skilled and smart individual who is able to penetrate hardened security systems – computer geniuses, masters of deceit and thievery. In reality, most hackers resemble an unsophisticated thief who walks around the neighborhood trying doors that have been left unlocked.
Last month, Equifax announced that hackers had stolen sensitive information of more than 145 million Americans. As details of the breach became public, it became evident that this attack was easily preventable, and that the attackers needed very minimal skills to gain access to Equifax systems.
Equifax failed to follow one of the most basic rules in cyber-security: keep your software up to date. Why is this so essential to protecting your data? Software is never perfect, and no developer can anticipate every combination of inputs and situations that may expose a vulnerability. All respectable software manufacturers correct their software promptly when a vulnerability is detected and release patches or updates. For example, Windows and Mac OS each had more than 400 vulnerabilities detected this year alone.
Countless researchers, developers and IT administrators from around the globe identify and report vulnerabilities to the National Vulnerability Database (NVD). The NVD analyzes all reported vulnerabilities and makes this information available to the public. This information is critical for organizations to assess their risk and take action to harden their systems. Making it public encourages transparency and accountability from software developers, but at the same time it allows any hacker to find software vulnerabilities that they can exploit.
When new vulnerabilities are discovered, the software developer is contacted to ensure a fix is available before the vulnerability is made public. This gives software users time to update or patch their systems. The vulnerability that was used in the Equifax breach was published to the NVD on March 10, but the patch from the software vendor was already available on March 6.
Soon after vulnerabilities are made public, the most industrious and skilled hackers get busy developing an exploit – computer code or steps that take advantage of the vulnerability. In many cases, they make such exploits available for anyone to download. Once these exploits are publicly available, it is very easy for any hacker to try them against hundreds or thousands of targets. Targets that have not been updated will be open for the hacker to penetrate. That is exactly what happened to Equifax: two months after the vulnerability was known and a fix was available, Equifax had still not updated its website, leaving it exposed to attackers. The thieves found a door that had been left unlocked.
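The exposure window the article describes (a fix available on March 6, public disclosure on March 10, a website still unpatched two months later) is something an organization can measure for itself by comparing what it is running against the advisories it has collected. The following is an added example written for this page, not code from the article or from Equifax: a small patch-currency check that takes a software inventory and a list of advisory records, flags components still below the fixed version, and reports how many days have passed since the vendor patch became available. The inventory, product names, advisory IDs, and the "as of" date are constructed; only the March 6 / March 10 dates come from the article.

```python
"""Patch-currency check: which inventory items are still running a version
older than the fix, and for how long has a patch been available?

Added example for illustration. INVENTORY, ADVISORIES and AS_OF are
constructed sample data, not real NVD records or Equifax systems.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder identifier, not a real CVE number
    product: str            # product name as it appears in the inventory
    fixed_in: str           # first version that contains the vendor fix
    patch_available: date   # day the vendor released the fix
    published: date         # day the entry became public


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version ("10.3.9") into a comparable tuple.

    Comparing tuples of ints avoids the classic string-comparison mistake
    where "10.3.9" sorts before "9.0.0". Assumes purely numeric segments.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def find_exposed(inventory: dict, advisories: list, as_of: date) -> list:
    """Return one finding per advisory whose affected product is installed
    at a version below the fix. Each finding records the exposure window
    measured from the day the patch became available, which is what the
    organization controls, and from the day the advisory went public,
    which is when attackers could start looking."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # product not deployed here; nothing to patch
        if not is_vulnerable(installed, adv.fixed_in):
            continue  # already at or above the fixed version
        findings.append({
            "advisory_id": adv.advisory_id,
            "product": adv.product,
            "installed": installed,
            "fixed_in": adv.fixed_in,
            "days_since_patch": (as_of - adv.patch_available).days,
            "days_since_public": (as_of - adv.published).days,
        })
    return findings


# --- constructed sample data -------------------------------------------
INVENTORY = {
    "web-framework": "2.3.1",   # below the fix: should be flagged
    "db-server": "10.4.0",      # above the fix: must not be flagged
    "tls-library": "1.2.5",     # no advisory in the list
}

ADVISORIES = [
    # Dates mirror the article's timeline: patch March 6, public March 10.
    Advisory("ADV-EXAMPLE-0001", "web-framework", "2.3.2",
             date(2017, 3, 6), date(2017, 3, 10)),
    # Already fixed in the inventory; checks that 10.4.0 > 10.3.9 numerically.
    Advisory("ADV-EXAMPLE-0002", "db-server", "10.3.9",
             date(2017, 1, 15), date(2017, 1, 20)),
    # Product not in the inventory at all.
    Advisory("ADV-EXAMPLE-0003", "cache-server", "4.0.1",
             date(2017, 2, 1), date(2017, 2, 3)),
]

# Assumed "today": roughly the two-month gap the article describes.
AS_OF = date(2017, 5, 10)


def run_check() -> list:
    """Run the check over the sample data and return the findings."""
    return find_exposed(INVENTORY, ADVISORIES, AS_OF)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['advisory_id']}: {f['product']} {f['installed']} "
              f"(fixed in {f['fixed_in']}), patch available for "
              f"{f['days_since_patch']} days, public for "
              f"{f['days_since_public']} days")
```

Run against the sample data, the check reports a single finding: the web framework at 2.3.1 against a fix in 2.3.2, with the patch available for 65 days and the advisory public for 61. The database server is skipped because its version is numerically above the fixed version, which is the point of parsing versions rather than comparing strings. In a real deployment the inventory would come from a package manager or asset system and the advisory list from an NVD feed; the comparison logic stays the same.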
The lesson is simple: keep all your systems up to date with the latest software – your laptop, mobile phone, and websites alike. While software updates may seem like a nuisance, they are the easiest and least expensive way of keeping your systems secure.