According to a statement issued on September 15, 2017, Equifax noticed “suspicious activity on July 30, 2017” and “took offline the affected web application that day.” The impacted web application relied on Apache Struts, a framework used to create Java-based web applications. After patching, Equifax brought the application back online.
Equifax claims it first became aware of the vulnerability sometime in May 2017.
By way of background, this vulnerability was widely disclosed on March 13, 2017. At that time, both the United States Computer Emergency Readiness Team and NIST issued “high vulnerability” warnings. More importantly, Apache had released its open source Struts 2.5.10 General Availability release, which fixed this vulnerability, a month earlier on February 3, 2017.
All of this is significant because many mid-sized and large enterprises run Open Source Software (OSS) products. Unless they hire staff or retain an outside vendor specifically tasked with tracking security announcements for their deployed software products, including any OSS web-facing tools, these products will likely not be promptly patched, and scenarios like what befell Equifax will continue. In other words, what happened to Equifax can very easily happen again to any number of large enterprises. There are ways to mitigate this risk, and they may well prove a boon to the security industry.
In addition to relying on a battle-tested CIO, CISO, and IT team, there are numerous ways companies can keep an Equifax sort of incident from knocking on their boardroom door.
For example, companies can hire inside staff or an outside vendor who considers patch management more than a compliance check-off item; evaluate how OSS is deployed and confirm who has final responsibility for patching known vulnerabilities; deploy tools to scan source code at the application level; and, most important of all, shift security priorities from being compliance-driven to a proactive security risk management approach that takes into account the type and amount of sensitive data processed, maintained, and transferred. There are many other ways of mitigating an Equifax risk, but the above approach tends to be the one that best follows a cost-effective 80/20 approach that also satisfies regulators. Information security funds can also be wisely spent deploying a kill chain approach that actually works, given that it deliberately considers the evolutionary nature of security threats.
And finally, be mindful that when going out to market for new technical vendors, firm size has little correlation to the beneficial capabilities of the vendor. Some smaller security vendors have the capacity to deploy unique skills and tools unavailable to larger vendors; that has always been a little-known secret of the security industry. The most effective players in this industry prefer working in small packs, so it is no surprise that vendors employing them often lose them within the first year after getting gobbled up by a larger vendor.
Update: July 23, 2019
On July 22, 2019, Equifax entered into a global regulatory settlement that is valued “at least $575 million, and potentially up to $700 million.”