Equifax lawsuit offers more evidence against passwords

0
24

“Grossly inadequate” data protection measures that “failed to meet even the most basic industry standards”, and the use of the username and password ‘admin’ to protect a portal used to manage credit disputes are just a few of the accusations levelled at troubled credit services provider Equifax.

These accusations are from a securities fraud class action lawsuit over the September 2017 breach that saw the personal details of millions of users compromised.

The lawsuit was filed with the Northern District Court of Georgia (Atlanta division) in the US in January 2019, and sets out in detail a myriad of dangerous cyber security deficiencies at Equifax which led to the 2017 exposure of the personal data of millions.

The subsequent repercussions have included fines of up to $700m levied in the US, and £500,000 in the UK, the highest possible fine pre-GDPR, as well as the trashing of Equifax’s reputation among its users.

The lawsuit sets out in detail how the data breach was the “inevitable result of widespread shortcomings in Equifax’s data security systems” that essentially ignored basic cyber security hygiene altogether.

Besides the use of laughably insecure usernames and passwords, these include failure to implement patching protocols, with one ill-informed individual tasked with managing patching across its entire network; failure to encrypt sensitive data, instead storing it in plain text on public-accessible servers; inadequate network monitoring and threat alerting practice; inadequate authentication measures; and use of obsolete software.

“Overall, according to cyber security experts, a ‘catastrophic breach of Equifax’s systems was inevitable because of systemic organisational disregard for cyber security and cyber-hygiene best practices’,” the lawsuit said. The failures also exacerbated the impact of the breach.

Passwords no longer appropriate

OneLogin vice-president of solution engineering, Stuart Sharp, said the latest fall-out from the two-year-old breach demonstrated yet again that the idea that passwords are an appropriate security measure needed to change.

“Humans are the still weakest link in our cyber security defence strategies, and the fact that nobody thought to change the default ‘admin’ username and password is another reason why passwords alone are ineffective,” said Sharp.

“Organisations are still too casual with sensitive data. IT departments need to implement processes to enforce the change of default passwords and blacklist the use of commonly used passwords. Another solution is to implement MFA [multifactor authentication]. If MFA has been implemented, then it doesn’t matter if your username and password have been compromised.”

Hugo van den Toorn, Outpost24 manager of offensive security, conceded it could be tough – indeed nearly impossible – to keep track of every system and its security posture, particularly in organisations with IT landscapes that had grown organically.

Though using admin as both a username and password “sounds easy for some”, he said, “there is a reason that on every pen test we still try to log in with default and easy-to-guess credentials”.

“Without forming any opinions about this case in particular, data classification and security assessments should play a large role in securing organisations. If a system is used to access, alter, transact or otherwise interact with data classified as sensitive, the organisation should think about setting up appropriate security measures,” said Van den Toorn.

“This should be done before the system is put into use, preferably already during the design phase of its lifecycle. Whenever a system is subjected to change or compliance changes the effectiveness of the security measures as a whole, they should be reassessed. When a system is affected by a breach, the same applies.

“When something has happened, go back and subjectively assess if you are still doing the right thing. This should include reviewing the password policy, access controls and data classification – which, in this case, should all cover the fact that ‘admin’ is not a strong password.”

Todd Peterson, identity and access management evangelist at One Identity, added: “Had the Equifax breach been the result of an extremely smart and motivated hacker doing something amazing to get the data, that would have been one thing.

“But since it’s the case of the target ignoring the bare minimum of best practices and paying a significant price for the oversight, what happened is alarming. In the case of Equifax, simply doing what’s right (which would have taken about one minute to implement) would have saved the company from a world of trouble.”

Peterson said enterprises cannot afford to treat database security any differently from any other aspect of their cyber security posture – including, obviously, not sharing admin passwords, and if they must do so, keeping track of who has it and why they need it.

Businesses should also do more to determine if and when someone has got into a database using admin credentials, with properly designed analytics in place.



Equifax lawsuit offers more evidence against passwords