Why we should patch things as soon as possible after they are reported -- Equifax

1,058 Views | 9 Replies | Last: 6 yr ago by AtlAg05
eric76
From Bruce Schneier's newsletter:

Quote:

This was not a sophisticated attack. The security breach was a result of a vulnerability in the software for their websites: a program called Apache Struts. The particular vulnerability was fixed by Apache in a security patch that was made available on March 6, 2017. This was not a minor vulnerability; the computer press at the time called it "critical." Within days, it was being used by attackers to break into web servers. Equifax was notified by Apache, US CERT, and the Department of Homeland Security about the vulnerability, and was provided instructions to make the fix.

Two months later, Equifax had still failed to patch its systems. It eventually got around to it on July 29. The attackers used the vulnerability to access the company's databases and steal consumer information on May 13, over two months after Equifax should have patched the vulnerability.

flakrat
Yikes, and they possess most of our critical data.
AtlAg05
Let me get this straight, the company publishes that there is a critical update, which hackers then exploit.

Sounds like the company did most of the work for the hackers by releasing the criticality. Seems like an easy way to look for targets by following software patches and noting 'critical' releases.
Azariah
Re: releasing vulnerabilities: Bad guys already know. Telling people about them speeds up the fixing process.

Re: Equifax: We are not the customers. We are the product. Also from Bruce's testimony, "Wall Street actively discourages companies from investing in security because it negatively impacts the bottom line."
tamusc
Azariah said:

Re: releasing vulnerabilities: Bad guys already know. Telling people about them speeds up the fixing process.

Re: Equifax: We are not the customers. We are the product. Also from Bruce's testimony, "Wall Street actively discourages companies from investing in security because it negatively impacts the bottom line."

Yep, releasing known vulnerabilities is about the only way to force some companies to do anything about them.
ntxVol
Web applications have become so complex that applying these kinds of patches is often not very easy. If you have multiple systems at multiple sites that need to be patched and tested before bringing it all on-line, I could see where a couple of months could be a reasonable time frame.

The problem here IMO is, there should have been security measures in place to detect this attack in front of their web servers. If they had implemented intrusion detection, this could have been prevented. Those things get updated like anti-virus SW, and the attack signature was likely available almost immediately.

Given the sensitive nature of the data in this case, Equifax was being criminally negligent IMO.
ABATTBQ11
AtlAg05 said:

Let me get this straight, the company publishes that there is a critical update, which hackers then exploit.

Sounds like the company did most of the work for the hackers by releasing the criticality. Seems like an easy way to look for targets by following software patches and noting 'critical' releases.
Pretty sure that customers like Equifax are notified before public statements.
eric76
AtlAg05 said:

Let me get this straight, the company publishes that there is a critical update, which hackers then exploit.

Sounds like the company did most of the work for the hackers by releasing the criticality. Seems like an easy way to look for targets by following software patches and noting 'critical' releases.

If they keep the vulnerabilities secret, then they don't get patched.

The general practice is to provide the vulnerabilities to the vendors to give them time to figure out how to fix it and to issue a patch. Some vendors won't even bother issuing a patch, but many will.

Any large company should have someone working on their computer security who will check for patches every day and start work to patch anything found. There is no excuse for Equifax to take so long before patching their system. That they didn't patch it for so long is on Equifax, not whoever found the vulnerability.
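The daily-check discipline described in the post above can be made concrete as a small patch-lag tracker. The following is an added example, not code from the thread or from Apache; it keeps an inventory of deployed components, matches them against published advisories, and flags hosts whose exposure window exceeds a per-severity SLA. The component versions, host names and SLA values are constructed placeholders (the fixed version "1.0.1" is not a real Struts release); the dates are the ones the thread quotes from Schneier.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum days allowed between advisory publication and the fix going live.
# Constructed policy values for this example, not from any real standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Advisory:
    component: str
    severity: str
    published: date
    fixed_version: str  # first release that contains the fix


@dataclass(frozen=True)
class Deployment:
    host: str
    component: str
    version: str  # version recorded in the inventory snapshot taken when the advisory came out
    patched_on: Optional[date]  # date the fix went live on this host; None if still unpatched


def parse_version(v: str) -> tuple:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_affected(adv: Advisory, dep: Deployment) -> bool:
    """A host is affected if it runs the advisory's component below the fixed version."""
    return dep.component == adv.component and parse_version(dep.version) < parse_version(adv.fixed_version)


def exposure_days(adv: Advisory, dep: Deployment, today: date) -> int:
    """Days from advisory publication until the host was patched (or until today if it wasn't)."""
    end = dep.patched_on if dep.patched_on is not None else today
    return (end - adv.published).days


def is_overdue(adv: Advisory, dep: Deployment, today: date) -> bool:
    """True when the exposure window is longer than the SLA for the advisory's severity."""
    return exposure_days(adv, dep, today) > SLA_DAYS[adv.severity]


def patch_report(advisories, deployments, today: date) -> list:
    """One row per affected host, with its exposure window and whether it breached the SLA."""
    rows = []
    for adv in advisories:
        for dep in deployments:
            if not is_affected(adv, dep):
                continue
            rows.append({
                "host": dep.host,
                "component": adv.component,
                "severity": adv.severity,
                "days_exposed": exposure_days(adv, dep, today),
                "still_unpatched": dep.patched_on is None,
                "overdue": is_overdue(adv, dep, today),
            })
    return rows


# Constructed sample data. The advisory date (March 6, 2017) and the two host dates
# (May 13 and July 29, 2017) are the ones quoted in the thread; versions are placeholders.
ADVISORIES = [Advisory("struts", "critical", date(2017, 3, 6), "1.0.1")]
DEPLOYMENTS = [
    Deployment("web-01", "struts", "1.0.0", date(2017, 3, 8)),   # patched within two days
    Deployment("web-02", "struts", "1.0.0", date(2017, 7, 29)),  # patched on the July 29 date
    Deployment("web-03", "struts", "1.0.0", None),               # never patched
    Deployment("web-04", "struts", "1.0.1", None),               # already on the fixed release
    Deployment("db-01", "otherlib", "3.2.0", None),              # unrelated component
]

if __name__ == "__main__":
    # Run the report as of the May 13 breach date quoted in the thread.
    for row in patch_report(ADVISORIES, DEPLOYMENTS, date(2017, 5, 13)):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f'{row["host"]:8} {row["component"]:10} {row["days_exposed"]:4d} days  {flag}')
```

Running it as of May 13 shows the point the post makes: a critical advisory with a 7-day SLA leaves web-02 and web-03 overdue by weeks, while web-01, patched two days after publication, never appears on the overdue list. Hosts already on the fixed release or running an unrelated component are skipped entirely, so the daily run only surfaces work that actually needs doing.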
Phat32
This vulnerability was a well known "all hands on deck" patching situation at any company with any half-brained security team.

The fact that Equifax got popped by it shows they were too incompetent to patch or too dumb to, or both.
Knucklesammich
Apache isn't a company; it's a foundation that acts as a governing body for many open source software products.

These kinds of vulnerabilities and their fixes are pushed out across all of the various Apache projects be it Spark, Struts or any number of products.
AtlAg05
Completely agree that this is on Equifax, I was just thinking about the side of the hackers and how they go about finding companies without a critical patch.

Having been on an IT team at a large corporation, I can understand how this happens. Years of patching, custom code, and not modernizing systems have led to this. Unfortunately, it took events like this to get people investing in security, something without a direct ROI.