Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes

  • If a hacker can use just one CVE to break into your system and do a database dump (or equivalent), the system is architecturally wrongly designed and only being protected by a single layer of security. Which means anyone from the inside can access pretty much the same info as the hacker, which is horrible.

    For example, are the items in DB encrypted? Are database backups encrypted? Are different items encrypted using different keys? I don't think EFX did it right.

  • Wow, MarketWatch is right. They are trying to erase Susan Mauldin (the former CISO), she is not even mentioned in this article. Does anyone with Google juice have a way to recover the interviews that are referenced in [1]?

    I watched them before they came down on Sept 10, and they were eye opening. I can say with certainty that the transcripts are not complete, because I remember "resistance to cloud is futile" and other such gems which are nowhere to be found in the partial transcripts that you can still find on the linked archive.is pages.

    [1]: https://hollywoodlanews.com/equifax-chief-security-officer/

  • The CVE and the patch came out on March 7. Exploits were already being detected in the wild at the time by perimeter security vendors. See http://blog.talosintelligence.com/2017/03/apache-0-day-explo...

    Equifax "believes" that the hackers got in on May 13. They had some kind of intrusion detection system that finally detected the intrusion on July 29, five months after the "Critical" CVE alert went out. During that time security vendors were adding firewall rules to stop the attack. But apparently Equifax didn't have any other security in front of the Struts server.

    That just seems like unconscionable incompetence and malpractice for such a high value target.

  • - In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.

    This looks really bad. I don't know what the point is of letting them operate anymore. They utterly failed on the single thing they were supposed to do.

  • Actually looking at the CVE made my stomach drop. That is a horrible horrible bug. Getting access to the shell while under the web app user's environment potentially means that all secrets were available either in the app server administration, the user environment, or in a readable file on the system. Effing yikes.

    Also knowing how JNDI usually gets configured on app servers (sometimes with credentials and all) would have made recon ridiculously easy.

    I think some have alluded to it, but what some people in the comments don't seem to understand is that RCE is an "all bets are off" type of situation. DEFCON 1 to be sure. Prevention is really the only good answer.

  • Failure to apply a patch for a two-month-old bug led to this entire nightmare scenario. What are some best practices to ensure that one's dependencies are always up to date?

    -asking as a relatively inexperienced dev
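
One concrete piece of an answer to the question above, added here as an example and not code from the thread or from Equifax: an automated audit that reads the versions a build actually declares and checks them against an advisory feed, so that "we were aware of the vulnerability" turns into a failing CI job listing the affected artifacts. The pom.xml fragment and the advisory list are constructed sample data; the struts2-core ranges follow the public Struts advisory for the March 2017 bug (S2-045 / CVE-2017-5638, fixed in 2.3.32 and 2.5.10.1), and the second dependency is there only to show a clean result. Version ordering is a simplified form of Maven's, enough for release versions.

```python
"""Audit declared Maven dependencies against known-vulnerable version ranges.

Added example; not code from the thread or from Equifax. SAMPLE_POM and
ADVISORIES are constructed sample data (the struts2-core ranges follow the
public S2-045 / CVE-2017-5638 advisory: affected from 2.3.5 before 2.3.32
and from 2.5 before 2.5.10.1).
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.30</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>
"""

# Half-open ranges: a version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "S2-045", "package": "org.apache.struts:struts2-core",
     "introduced": "2.3.5", "fixed": "2.3.32"},
    {"id": "S2-045", "package": "org.apache.struts:struts2-core",
     "introduced": "2.5", "fixed": "2.5.10.1"},
]

_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Split '2.5.10.1' or '2.5-RC1' into comparable parts.

    Numeric parts sort numerically; a textual qualifier (RC1, beta) sorts
    below any number, so '2.5-RC1' < '2.5' < '2.5.1'. Simplified Maven
    ordering, sufficient for release versions.
    """
    parts = []
    for tok in re.split(r"[.\-]", version):
        parts.append((0, int(tok)) if tok.isdigit() else (-1, tok.lower()))
    return parts


def compare_versions(a, b):
    """Return -1, 0 or 1 like a comparator; missing trailing parts count as 0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(0, 0)] * (width - len(pa))
    pb += [(0, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version, introduced, fixed):
    return compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0


def declared_dependencies(pom_xml):
    """Map 'groupId:artifactId' -> version for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall(".//m:dependency", _NS):
        group = dep.findtext("m:groupId", namespaces=_NS)
        artifact = dep.findtext("m:artifactId", namespaces=_NS)
        deps[f"{group}:{artifact}"] = dep.findtext("m:version", namespaces=_NS)
    return deps


def audit(pom_xml, advisories):
    """Return (package, declared version, advisory id, first fixed version) per hit."""
    hits = []
    for pkg, version in declared_dependencies(pom_xml).items():
        for adv in advisories:
            if adv["package"] == pkg and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append((pkg, version, adv["id"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    for pkg, version, adv_id, fixed in audit(SAMPLE_POM, ADVISORIES):
        print(f"{pkg} {version} is affected by {adv_id}; upgrade to >= {fixed}")
```

In practice the advisory list comes from a feed (OWASP Dependency-Check, OSV or a vendor database) rather than a literal in the script, and the check runs on every build and on a schedule, because a dependency that was clean yesterday can become a finding today without anything in the repository changing.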

  • They were able to use a subdomain for their announcement, but not for their Breach service which asks for your SSN.

  • For everyone patting themselves on the back for how much better they are at securing their data, realize that for way over 80% of incidents the attack vector is email and social engineering. Look at red team exercises of competent teams and try to honestly answer the question: would they have succeeded with that tactic at your company? So yes, having much better practices vs. what we see here is very important, but will not really help much if you are being targeted by a competent adversary.

  • Gotta admire the artful way they gave the appearance of disclosure while avoiding answering the most damning question: why did it take so long for them to patch Struts?

    "The particular vulnerability in Apache Struts was identified and disclosed by U.S. CERT in early March 2017."

    "Equifax's Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure."

    ?????????!!!!!!??????

    "While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing."

  • Having a remote execution exploit shouldn't mean keys to the kingdom. I find it hard to believe that this company whose whole business is electronic didn't adapt its technology stack to remedy this type of attack, limiting the scope of a data leak. I wouldn't be surprised if Struts has another exploit of similar magnitude, what then?

    They might as well be running their business on a cluster of Tomcat servers sitting atop SQLite.

    Hopefully they don't recover from this - they should not have the data they possess if they cannot mitigate risk.

  • They are really in deep trouble and need to manage the story carefully. If people on a broad basis start freezing their credit history (one of the most effective means to protect against abuse), their and their competitors' ability to sell data to other parties will suffer (see also https://wolfstreet.com/2017/09/15/equifax-sacks-2-executives... )

  • What about storing sensitive data in something like an HSM, which rate-limits access, so you could only, let's say, access 10,000 records per day?

    Yes, developing against such a system might be annoying (think about updating a new piece of data for all records).

    But it feels to me that we need a way to rate-limit access to sensitive data, to prevent wholesale dump in a short time. But you still need other systems in place, to prevent a hacker lurking around for months until it gets all the data.
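
The gateway the comment above is asking for, written out as an added example (not code from the thread or from Equifax): every read of the sensitive table goes through one chokepoint that enforces a per-principal burst limit, a daily quota and a 30-day quota, and records an alert the moment any of them trips. The 30-day counter is the answer to the "lurking for months" case: a reader that stays under the daily limit still runs out of budget. It assumes the application tier can reach the records only through this gateway (the database credentials live here, not in the web process), so a shell on the web server inherits the quota rather than the table. The record store, the principal name and the clock are constructed stand-ins so it runs offline.

```python
"""Quota-enforcing gateway in front of a sensitive record store.

Added example, not code from the thread. Assumes the web tier can only read
records through RecordGateway; the store, principal and clock below are
constructed stand-ins.
"""
import collections

DAY = 86_400           # seconds
LONG_WINDOW_DAYS = 30  # horizon for the low-and-slow case


class AccessDenied(Exception):
    pass


class FakeClock:
    """Injectable time source so the scenarios can fast-forward."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RecordGateway:
    def __init__(self, store, burst_limit, burst_window_s, daily_limit, monthly_limit, clock):
        self.store = store
        self.burst_limit = burst_limit        # reads allowed per burst_window_s
        self.burst_window_s = burst_window_s
        self.daily_limit = daily_limit        # reads allowed per calendar day
        self.monthly_limit = monthly_limit    # reads allowed over the last LONG_WINDOW_DAYS
        self.clock = clock
        self.recent = collections.defaultdict(collections.deque)   # principal -> timestamps in window
        self.per_day = collections.defaultdict(lambda: collections.defaultdict(int))  # principal -> day -> reads
        self.alerts = []                      # (principal, reason, time): what the SOC sees

    def _deny(self, principal, reason, now):
        self.alerts.append((principal, reason, now))
        raise AccessDenied(f"{principal}: {reason}")

    def fetch(self, principal, record_id):
        now = self.clock()
        window = self.recent[principal]
        while window and now - window[0] >= self.burst_window_s:
            window.popleft()                  # slide the burst window forward
        if len(window) >= self.burst_limit:
            self._deny(principal, "burst limit", now)
        today = int(now // DAY)
        days = self.per_day[principal]
        if days[today] >= self.daily_limit:
            self._deny(principal, "daily limit", now)
        recent_total = sum(n for d, n in days.items() if today - d < LONG_WINDOW_DAYS)
        if recent_total >= self.monthly_limit:
            self._deny(principal, "30-day limit", now)
        window.append(now)
        days[today] += 1
        return self.store.get(record_id)


def make_gateway(clock):
    # Constructed records; the values are placeholders, not real data.
    store = {i: {"id": i, "ssn": f"000-00-{i:04d}"} for i in range(2000)}
    return RecordGateway(store, burst_limit=5, burst_window_s=10,
                         daily_limit=100, monthly_limit=1000, clock=clock)


def attempt_dump(gateway, clock, principal, attempts, step_s):
    """Read records one after another, waiting step_s between reads.

    Returns how many records were obtained before the gateway refused.
    """
    obtained = 0
    for record_id in range(attempts):
        try:
            gateway.fetch(principal, record_id)
        except AccessDenied:
            break
        obtained += 1
        clock.advance(step_s)
    return obtained


if __name__ == "__main__":
    for label, step in (("fast dump", 0.1), ("steady dump", 2.0), ("low and slow", 1000.0)):
        clock = FakeClock()
        gw = make_gateway(clock)
        got = attempt_dump(gw, clock, "web-app", 1500, step)
        print(f"{label}: {got} records before '{gw.alerts[-1][1]}'")
```

The three scenarios in the main block show the point of layering the windows: a fast dump is stopped by the burst limit after a handful of records, a steady one by the daily quota, and a reader pacing itself at under 90 records a day still hits the 30-day quota. The quota numbers are placeholders; what they should be depends on what the legitimate workload actually needs, which is itself worth measuring before an incident.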

  • I just had a scamming debt collector call me about a debt I already paid off to another collection company. They had all the right information. I suspect it has to do with the hack. Watch out for First Equity Alliance.

  • They should provide free credit monitoring for LIFE for affected individuals and not just one year...the individuals have been affected for life because now their SSN numbers are going to be out in the wild FOR EVER!!!!

  • Companies need to stop making CIO & CISO positions diversity quota hires. The CIO during the Target breach was originally a department store buyer.

  • Do they plan to change their Chief Security Officer, who has an MA in Music Composition?