Recent revelations about the Equifax data breach can be used as a learning moment for managers and business leaders both in terms of specific causes and, perhaps more importantly, as a way of developing systems to prevent similar vulnerabilities.
Criminals appear to have accomplished the Equifax data breach by exploiting a website vulnerability for which a patch had been issued but not implemented for more than two months. The vulnerability involved Apache Struts 2, a framework commonly used to develop web server applications. On March 10, 2017, the vulnerability was entered in the National Vulnerability Database (“NVD”), maintained by a division of NIST, as CVE-2017-5638 with a 10.0 severity score – the highest ranking in the system. Here is the entry in the NVD for that vulnerability:
According to reports, the unauthorized access occurred in mid-May, more than two months after the vulnerability was posted and a patch made available. While we don’t know exactly why the vulnerability wasn’t patched in time, one article explained that implementing the patch was not a simple matter: it involved changing and then testing each implicated web application.
“As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don’t break key functions on the site.”
IT staff can do only so much, and like any other business unit or function, it is constrained by time and resources. One potential lesson from Equifax is that when an organization cannot resolve known high-severity vulnerabilities, it should notify management of the potential issue and outline the costs and timelines for fixing it. We don’t know if that was done in this case.
Systematic Vulnerability Reporting
Another logical step in managing vulnerability patches is to subscribe to services like SolarWinds or Splunk that will inventory an organization’s software and notify it when vulnerabilities relating to that software are posted in the NVD. Policies should be in place about how long the organization has to install patches or implement fixes. Policies should also specify internal vulnerability reporting to management based on the severity of vulnerabilities and their potential impacts.
Dan Goodin, “Failure to patch two-month-old bug led to massive Equifax breach,” Ars Technica, September 13, 2017, https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/
NIST Computer Security Resource Center, National Vulnerability Database, https://nvd.nist.gov/