Oct 5, 2017

Lessons Learned From Equifax

After watching some of the Congressional Hearing on the Equifax breach,  and reading articles such as https://www.engadget.com/2017/10/03/former-equifax-ceo-blames-breach-on-one-it-employee/ a few things come to mind.

One, it is a powerful reminder on how vigilant you need to be with keeping all products patched that are running on your server.

Make sure you your security team is being notified of all products security alerts, including ColdFusion.

Second, I think an area that is being missed is that the application that was breached was the Credit Score Dispute application.  That type of application should not have access to the Personal Identifiable Information, PII, database. If Equifax would have sandboxed that application better, the malicious hackers would have not been able to get to the honeypot of data.

It appears like the Credit Dispute application had a JDBC connection to the database storing the PII and thru that connection they retrieved that database schema and soon were running queries.  The congressional hearing never went into this line of questioning, I would say that this is more likely the reason the breach was so large.  If the PII database was better protected the Credit Dispute application would never been able to query the PII information.

One account I have worked with implemented an Application Tier and a Data Tier API for exactly this type of protection  If an application needed to get data it needed to send its application based credentials  for every call.  This gave them controls at the application level,  nobody could talk directly to the database, they had to go thru the Data Tier with all the security rules and tracing in place.

 If you store PII, it might be a good time to review your public sites,  make sure your DSNs are properly protected.  Think about ways to sandbox customer facing applications so that if they are breached, you still have additional barriers before they can access your PII.

No comments:

Post a Comment