By now you have heard that about 1 out of every 2 Americans has had their personally identifiable information exposed thanks to the breach at Equifax. This breach is more serious than most because the information that was stolen is the data that banks, credit agencies, insurance companies (among other types of organizations) use to verify your identity when you sign up a for a credit card, apply for a mortgage, start a new job, etc. The criminals behind the breach have all the information necessary to perform identity theft and open lines of credit in the names of unsuspecting individuals.
As of the writing of this article, Equifax has not disclosed the methods used by the attackers to breach their systems. I expect the breach will follow a sadly familiar pattern, the same one we saw with the Office of Personnel Management (OPM), Target, and Home Depot: First, a system is compromised, through a software flaw or malware. Often, this vulnerability should have been previously addressed with a patch or update, but the owner of the system failed to do so. Then the attacker seeks to escalate their privilege in the compromised systems, through flaws and by stealing or creating usernames and passwords. The attacker then establishes additional points of entry so that the attack can continue even if the first point of entry is discovered and closed. Finally, the attacker goes about collecting the information, and uses difficult-to-detect ways of transferring the stolen information out of the target systems.
Massive breaches are happening so frequently that people are beginning to tune them out. However, the severity of this breach, and the fact that half of our nation’s population could be affected, may change the conversation and increase the demand for secure systems. I predict that we’ll see consumer skepticism and mistrust spike. Many people will ask, “If a large organization like Equifax, whose very purpose is to collect and store data, can’t do it right, what businesses possibly can?”
If your business exchanges information with customers digitally, now is the time to double down on your security measures and demonstrate to your customer base that you take their information security seriously:
- Focus on security at speed by integrating security into all practices
- Educate your developers on security principles and secure coding methodologies
- Leverage a strong quality assurance (QA) team to perform security audits and assessments continuously
Finally, there’s no better time than now to evaluate your identity management practices. Verizon’s 2017 Data Breach Investigations Report found that 81% of breaches leveraged either stolen and/or weak passwords. Many companies worry about creating inconvenient login experiences for their users, but the truth is that usability doesn’t have to be sacrificed for security. It’s entirely possible (and, indeed, necessary) to have a great customer experience and implement advanced security measures.
Questions about how to get started? Contact us today.
Peter Hesse is 10Pearls’ Chief Security Officer. For nearly two decades, Peter has leveraged his passion for technology and experience in security to develop successful solutions to interesting problems. From an exciting start developing the reference implementation of a standards-based certification authority for the National Institute of Standards and Technology (NIST), to overcoming obstacles and successfully demonstrating the system that formed the basis of the Federal PKI, Peter has built his reputation tackling complex challenges and explaining them to others.
Peter founded and ran the successful information security consulting firm Gemini Security Solutions for over a dozen years. He now focuses on avoiding the common break/fix mentality around security, and instead finding ways to architect and build security into systems and products.