Lessons from the Equifax Security Breach: Why There’s No Absolute Information Security
Last Thursday, the world woke up to the latest in a series of massive data breaches across some of the world's most trusted data management organizations. Equifax, a US-based credit reporting agency, disclosed details of a data theft affecting approximately 143 million consumers in both the United States and the United Kingdom.
In addition to the exposure of personal information, including names and social security numbers, the company also disclosed that around 209,000 credit card numbers and personal information from approximately 182,000 dispute documents had found their way to the dark web. Overnight, the company's stock price plunged by almost 14%, wiping out over $2.3B of the company's market capitalization. (Yes, that's "B" for billion.)
In response, some competitors have immediately (and callously, in my opinion) moved to take advantage of this awful situation and market their identity theft and credit monitoring services to the public at large. I don't believe in profiting from the misfortune of others and my heart goes out to my many information security and technology peers at Equifax, who I am sure are scrambling to deal with the huge parallel challenges of remediation and forensic investigation.
It's personal for me too. I am one of the consumers affected by this breach and now have my own unwanted and uninvited set of tasks to ensure protection of my own online identity. That’s why this blog post will not promote Crownpeak or our products, even though, as CTO, I play a lead role in building cybersecurity strategies for our customers.
That’s because this is not the time for narrow commercial self-interest, nor is it (ever) right to prey upon the insecurities and fears of many consumers who understand little of the technical challenges and operational complexities of running any reasonably-sized information technology organization. I do believe, however, that this event offers an opportunity to reflect on some of the lessons and principles that have been brutally reinforced by this news.
As I think about this latest violation of our most personal and intimate details, there are many conclusions to be drawn. Three, however, stand out in my mind:
Scope - This is not just an Equifax problem. Over the past few years, we have heard about massive credit card theft at Target, a retailer; identity information theft at Yahoo; and account credential theft at Ashley Madison, an adult dating site. What do these companies have in common? Well, not much really, except that they all store, manage and process personal information as a vital element of their business models. In that respect, they're very much like you and me and the companies we work for.
In this age of personalized digital experiences, it's almost impossible for a company to avoid accumulating huge amounts of personal data and, therefore, assuming huge amounts of commercial and legal risk. So, their experience is the cautionary tale for the rest of us.
Luxury Tax - Companies today face unrelenting pressure to reduce costs and deliver ever-increasing levels of EBITDA. There's nothing wrong with that, but two maxims from history illuminate the challenge facing management and suggest why some teams come up short.
Albert Einstein is often credited with arguing that "Everything should be made as simple as possible, but not simpler." Niccolò Machiavelli (in "The Prince", c. 1513) observes "... there is nothing more difficult to carry out ... than to initiate a new order of things; for the reformer has enemies in all those who profit by the old order, and only lukewarm defenders in all those who would profit by the new."
The problem here is that, while most companies take a strong, responsible position in their policies regarding threat protection, practical reality tells a different story. Comprehensive cyber defense programs are expensive and it's all too tempting to take a "risk-based" decision to defer, or even cancel, investment in information security practices.
Unfortunately, when it turns out that the downgrading of perceived risk was unduly influenced by the motivation to improve short-term financial results, the consequences can be tragic. Just witness the disruption to life-saving medical services in the UK's National Health Service, or the terrible loss of life as a result of the Grenfell fire in London.
Cyberthreat protection is not a luxury. It's every bit as important as the marketing investment in building the company's brand, and failure to allocate that investment wisely can wipe out brand equity in a heartbeat.
Attack Surface - Today's modern web applications expose a wide range of possible exploits and attack vectors. It's the nature of the beast. With more sophistication comes more potential for things to go wrong. The steam locomotive of the 19th century required careful management to deliver a relatively safe transportation experience (although accidents still happened).
By contrast, the United States Space Shuttle, arguably the most complex machine ever made, required orders of magnitude more quality assurance and testing procedures to provide an acceptable level of risk (and still accidents happened). Modern web applications are no different. The experiences of today bear little or no resemblance to their simpler ancestors of the Web 1.0 era. Scaling up vulnerability analysis and remediation programs to meet this new level of complexity is a daunting task.
There is another approach though, and one that not enough organizations recognize, in my opinion. The content delivery network (CDN) is not a new concept. Placing points of presence around the world to cache and serve content locally, instead of forcing browsers to go halfway around the world to communicate with the origin server, is a well-known technique for accelerating content delivery and enhancing the online experience.
What is less well-appreciated is that placing such a layer between your application and the outside world can also dramatically reduce the attack surface available to bad actors. A content delivery network eliminates the possibility of Layer 3/4 DDoS attacks at a stroke and can restrict Layer 7 traffic to HTTPS only, permitting only trusted protocols, such as TLS 1.2. That immediately reduces the scope of threats you need to deal with.
Supplementing that CDN with a quality web application firewall (WAF) permits even more control over the traffic pattern: allowing only approved URL patterns, intercepting attack vectors such as cross-site scripting and SQL injection, and blocking the IP addresses from which malicious traffic originates. Using a CDN/WAF combination to protect your digital experiences is the ultimate "easy button". Not only can you deliver a faster experience for your customers (which any marketer will tell you drives conversions), you can also reduce the demand on your cybersecurity budget in the process.
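As an added illustration (not Crownpeak code and not any vendor's WAF rule set), here is a minimal Python model of the edge policy just described, evaluating each request against the HTTPS-only rule, the trusted TLS versions, an approved URL allow list, a blocked source network and coarse signatures for the two attack classes named above. The request fields, paths, network ranges and patterns are all constructed for the example.

```python
"""Added example: a minimal model of a CDN/WAF edge policy (constructed, not a real product)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    scheme: str                  # "http" or "https"
    tls_version: Optional[str]   # None when the connection is plain HTTP
    path: str
    query: str
    client_ip: str


# Only these protocol versions are allowed to reach the origin (constructed policy).
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}
# Approved URL patterns; anything else is refused at the edge and never reaches the application.
ALLOWED_PATHS = [re.compile(r"^/$"),
                 re.compile(r"^/products/[a-z0-9-]+$"),
                 re.compile(r"^/api/v1/catalog$")]
# Source networks the operator has chosen to block (documentation range, constructed).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Coarse detection signatures for SQL injection and cross-site scripting; a real WAF rule set is far larger.
SIGNATURES = {
    "sqli": re.compile(r"('|%27)\s*(?:or|and)\s+[\w']+\s*=|union\s+select", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
}


def evaluate(req: Request) -> Tuple[str, str]:
    """Return (action, reason) for one request; cheapest checks run first."""
    if any(ipaddress.ip_address(req.client_ip) in net for net in BLOCKED_NETS):
        return "block", "blocked source network"
    if req.scheme != "https":
        return "redirect", "https only"            # Layer 7 restricted to HTTPS
    if req.tls_version not in ALLOWED_TLS:
        return "block", "untrusted protocol version"
    if not any(p.match(req.path) for p in ALLOWED_PATHS):
        return "block", "url not in allow list"
    for name, sig in SIGNATURES.items():
        if sig.search(req.path) or sig.search(req.query):
            return "block", f"{name} signature"
    return "forward", "origin"                     # only now does traffic reach the application
```

Each rule removes a class of traffic before the next one runs, which is the attack-surface reduction the post describes.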
If you are one of the victims of the Equifax breach (you can check the Equifax Security site to find out), you have my deepest sympathy.
Spare a thought though, for the many honest, hard-working staff, both there and at many other organizations, who are doing their best to deliver a safe, reliable service, despite the many challenges thrown into their path.
For those of you out there in management or other positions of influence, please muse on my observations and think about their applicability to your own sphere of activity. There is no "absolute information security", any more than there is "perfect airline safety" or "flawless counter-terrorism". We haven't seen the last big data breach. There will be others.
However, with honest perception of risk, responsible allocation of resources and intelligent approaches to threat mitigation, we can all make a significant contribution to our companies' effectiveness and our customers' online safety.