Not surprisingly to security experts, the Equifax hack was likely caused by the two most common errors a company can make. The surprising part is that a massive organization that carries such a tremendous risk of attack would be so lax in its security.
One of the best articles I’ve read appeared in today’s Wall Street Journal. (We’ve Been Breached: Inside the Equifax Hack, September 18, 2017) I suspect there will be more information to come and definitely inquiries by a number of governmental agencies.
The two common security mistakes even big businesses make:
- Failing to update your platform software.
- Failing to enforce your employee password policies.
These two mistakes could be the downfall of a massive company whose entire reputation, and most of whose revenue, is based on the safeguarding of personal data.
Take Security Updates Seriously, Patching Protocols
Cisco Systems provided much of the server software used by Equifax Inc. On March 8 the Cisco security team reported a security flaw in their software to their customers. At the same time they urged users to patch the software immediately and provided the security fix.
More than two months later, from mid-May until July 30, hackers had access to data through this security flaw on servers that had yet to be patched. It’s hard to tell whether the security patch had been applied partially or not at all, but regardless, given the amount of time elapsed and the importance of security to this firm, there should have been no opportunity for the breach.
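The failure described above is a gap between an advisory and the deployment of its fix. The following added example (not code from the article or from any vendor named in it) shows the check a defender wants to run continuously: compare each host's installed version against the fixed version and count the days since the advisory, escalating anything past the patch deadline. The March 8 advisory date comes from the article; the fixed version number, the 30-day SLA, and the host inventory are constructed assumptions.

```python
from datetime import date

ADVISORY_DATE = "2017-03-08"   # vendor advisory date named in the article
FIXED_VERSION = "2.5.0"        # assumption: first version carrying the fix (constructed)
SLA_DAYS = 30                  # assumption: days allowed to deploy a critical fix

# Constructed inventory of (hostname, installed version, date last updated).
INVENTORY = [
    ("web-01", "2.5.0", "2017-03-10"),   # patched two days after the advisory
    ("web-02", "2.4.1", "2017-01-20"),   # never updated after the advisory
    ("api-01", "2.4.3", "2017-02-02"),   # never updated after the advisory
]


def parse_version(v):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def unpatched_hosts(inventory, fixed_version=FIXED_VERSION,
                    advisory_date=ADVISORY_DATE, as_of=None):
    """Return [(host, version, days_exposed)] for hosts still below the fixed version.

    days_exposed counts from the advisory date to as_of (ISO date string;
    today when None), because exposure starts when the flaw became public,
    not when the host was last touched.
    """
    fixed = parse_version(fixed_version)
    advisory = date.fromisoformat(advisory_date)
    reference = date.fromisoformat(as_of) if as_of else date.today()
    exposed_days = (reference - advisory).days
    return [(host, ver, exposed_days)
            for host, ver, _updated in inventory
            if parse_version(ver) < fixed]


def over_sla(inventory, sla_days=SLA_DAYS, **kw):
    """Unpatched hosts whose exposure exceeds the SLA; these need escalation, not a ticket."""
    return [entry for entry in unpatched_hosts(inventory, **kw) if entry[2] > sla_days]


if __name__ == "__main__":
    for host, ver, days in unpatched_hosts(INVENTORY, as_of="2017-07-30"):
        flag = "OVER SLA" if days > SLA_DAYS else "within SLA"
        print(f"{host}: running {ver} < {FIXED_VERSION}, {days} days since advisory ({flag})")
```

Run against the constructed inventory as of July 30, the end of the window the article gives, both unpatched hosts show 144 days of exposure, far past a 30-day deadline. The same report run on March 20 shows 12 days and nothing over SLA, which is the point: the check only has value if it runs on a schedule, not once after the breach.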
Employee Password Policies Must Be Enforced
If this security flaw was known, why wasn’t it all over the news? Most security flaws are very small; they are difficult to detect, let alone to understand how to exploit. All software has potential security flaws, and security companies as well as hackers are constantly searching for them.
Most security flaws aren’t in easily accessible areas such as your company website. Therefore, gaining access to critical data often means attacking a much more vulnerable target: your employees.
In the case of Equifax Inc., apparently a high-level user account (known as an admin, or administrator) was using the default username/password combination (admin/admin).
I’m certain that Equifax has a password policy for all employees. Unfortunately, often the highest-level employees are the ones who write these policies and are responsible for policing them. Under no circumstances should an administrator account ever use the password “admin”. It boils down to ease of use and/or employee laziness.
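A policy on paper does not stop admin/admin; a check that runs when a password is set does. The following added example (not code from the article, and not Equifax's policy) shows that enforcement point: it rejects known vendor default pairs, passwords that equal the username, and passwords below a length and character-class floor, with a stricter floor for privileged accounts. The default-pair list, the thresholds, and the sample accounts are constructed assumptions.

```python
import re

# Constructed list of well-known vendor default credential pairs (lower-cased).
DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("guest", "guest"),
}

MIN_LENGTH = 12              # assumption: floor for ordinary accounts
MIN_LENGTH_PRIVILEGED = 16   # assumption: stricter floor for administrator accounts
MIN_CLASSES = 3              # assumption: of lower, upper, digit, symbol

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_credentials(username, password, privileged=False):
    """Return the list of policy violations for one account; empty means compliant.

    Meant to run at password-set time so a non-compliant value is never stored,
    and at first boot so a vendor default cannot survive provisioning.
    """
    violations = []
    user = username.lower()
    if (user, password.lower()) in DEFAULT_PAIRS:
        violations.append("default vendor credential pair")
    if password.lower() == user:
        violations.append("password equals username")
    minimum = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH
    if len(password) < minimum:
        violations.append(f"shorter than {minimum} characters")
    classes = sum(bool(re.search(pattern, password)) for pattern in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    return violations


def audit_accounts(accounts):
    """accounts: iterable of (username, password, privileged).

    Returns {username: [violations]} containing only non-compliant accounts,
    so an empty dict is a clean audit.
    """
    report = {}
    for username, password, privileged in accounts:
        violations = check_credentials(username, password, privileged)
        if violations:
            report[username] = violations
    return report


# Constructed sample accounts: one on its vendor default, one compliant.
SAMPLE_ACCOUNTS = [
    ("admin", "admin", True),
    ("jsmith", "Tr0ub4dor&3-Correct!", False),
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: " + "; ".join(problems))
```

The administrator account fails on four separate rules at once, which is why a default pair should never reach production: it is caught by the first check a policy would reasonably have. The privileged flag is what gives the admin account a higher floor than an ordinary user, matching the article's point that the accounts writing the policy are the ones that most need it applied to them.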
Hackers depend on laziness. They make their bread-and-butter, not by knocking over armored trucks, but by wandering through the parking lot at the mall checking for unlocked cars.
In this case, Equifax left their armored truck unlocked with the keys in the ignition.
This is the first in a three-part series on data security.
Next week we will examine how Mediastead protects its clients from potential data breach, and how they can further protect themselves.
The following week we will take a hard look at your employees. We will show you the importance of using secure employee passwords and actively policing those protocols.
Until then, stay secure.