The epic Equifax breach highlights the urgent need for a system that eliminates central points of attack and protects businesses’ data even when servers are compromised. So, why doesn’t every business assume their server can be hacked and design a system built for that new reality?
You’d expect Equifax to sit at the far end of the security spectrum, given that aggregating sensitive data and keeping it secure is its business. Yet despite a security budget likely in the millions and hundreds of security analysts, even its systems were compromised.
Randy Battat, cybersecurity expert and founder, President and CEO of PreVeil, recently sat down with Inside Counsel to discuss “waking up” businesses to the reality of their breach vulnerability. From end-to-end encryption of emails, to document storage, to file sharing, PreVeil has cracked the code of how to protect businesses and consumers against breaches.
“Hacking is the new normal,” said Battat. “Although it is certainly shocking to many Americans, to cybersecurity experts the Equifax breach is really just the latest of a rapidly escalating series of high profile hacks and breaches. This year alone has seen many high-profile breaches, with victims including Verizon, Blue Cross Blue Shield/Anthem, Kmart, OneLogin, and a collection of other retail, university, and government institutions. This year also saw huge phishing campaigns targeting Gmail users, which led to the compromise of Google accounts.”
Both the attack surface and the volume of sensitive data stored and shared online are growing rapidly. As more devices connect to the internet, the number of attack targets grows with them, and so does the range of threats IT must defend against. The growing volume of sensitive data online gives attackers a target-rich environment and a strong incentive to go after it.
“Reliance on an antiquated security approach to protect data. Higher walls aren’t working,” he said. “The historical approach to protecting an organization has been to build taller walls around the perimeter, but hackers are still able to come through. There are new techniques—end-to-end encryption, for example—that can protect data even when the server is breached.”
Servers are high-value targets because they typically hold an organization’s data in one central location. A recent report found that server-related IT systems accounted for two-thirds of organizations’ data loss, compared with about 5 percent for laptops and desktops. The barrier to entry for attackers keeps falling: hacking tools are mostly free and readily available.
Why doesn’t every business assume its server can and will be hacked? It should, according to Battat. In fact, in 2015 more than 80 percent of all businesses reportedly suffered some type of computer hack, and 66 percent of U.S. law firms reported a breach in 2016. Battat said, “Keeping hackers out doesn’t seem to be a viable option.”
So, what exactly did Equifax do wrong to let their security be compromised?
Equifax has confirmed that the attackers gained entry through an unpatched Apache Struts vulnerability. A fix had been available since March 6, 2017, so poor patching hygiene at Equifax appears to have been a contributing factor. However, little is yet known about what the attackers did, or how they reached the data, once they had exploited that vulnerability. Breaches usually involve exploiting several parts of an organization’s IT infrastructure, so it is unlikely that this one came down to a single failure.
Battat shared best practices for protecting a company against breaches like this one. First, protect your data with end-to-end encryption, which ensures that only the intended recipients can decrypt it. An attacker who wants to read the data must therefore obtain both the ciphertext and the keys that decrypt it. With properly implemented end-to-end encryption, those keys live only on the users’ devices; they are never stored on the server that holds the ciphertext.
Second, stay current on software patches and updates. Breaches frequently happen when attackers exploit known software bugs, many of which are already catalogued in the CVE database. According to a 2015 survey, nearly 80 percent of businesses use open source software, the same kind of software whose vulnerability enabled the Equifax breach (Apache Struts is an open source project). Vendors patch their products to fix these bugs before they can be exploited, but patching is itself a form of building a higher wall: it helps, and it is necessary, but it is not a guarantee.
Third, rather than granting individuals broad permissions, put policies and technologies in place that limit access to the bare minimum required. Where possible, require group consensus (approval from several designated people) before anyone can perform a privileged action or access sensitive data. The average cost of a data breach runs into the millions, with individual records valued at $380 for health care organizations and $245 for financial services organizations.
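The "group consensus" recommendation is usually implemented as an m-of-n approval gate, and the gate is only as strong as its edge cases. The following added example (not PreVeil’s code) shows such a gate with the checks a practitioner would expect: only designated approvers count, each approver counts once, the requester cannot approve their own request, and an approval is bound to a single request and expires. The approver names, request, approval TTL and fixed clock value are all constructed for the example.

```javascript
// Added example, not PreVeil's code: an m-of-n approval gate for a privileged action.
const APPROVAL_TTL_MS = 15 * 60 * 1000; // assumed policy value: an approval is good for 15 minutes

// A policy: who may approve, and how many of them must agree.
function makePolicy(approvers, required) {
  return { approvers: new Set(approvers), required };
}

// Evaluate a request against the approvals presented for it.
// Returns { allowed, counted, rejected } so a caller can log why each approval was discarded.
function authorize(policy, request, approvals, now) {
  const counted = new Set();
  const rejected = [];
  for (const a of approvals) {
    if (a.requestId !== request.id) { rejected.push([a.approver, 'wrong request']); continue; }
    if (!policy.approvers.has(a.approver)) { rejected.push([a.approver, 'not an approver']); continue; }
    if (a.approver === request.requester) { rejected.push([a.approver, 'self-approval']); continue; }
    if (now - a.at > APPROVAL_TTL_MS) { rejected.push([a.approver, 'expired']); continue; }
    if (counted.has(a.approver)) { rejected.push([a.approver, 'duplicate']); continue; }
    counted.add(a.approver);
  }
  return { allowed: counted.size >= policy.required, counted: [...counted], rejected };
}

// Constructed sample: a request to export a customer table, with a mix of good and bad approvals.
function runApprovalDemo() {
  const policy = makePolicy(['ann', 'bo', 'cy', 'dee'], 2);
  const now = 1700000000000; // fixed clock so the result is deterministic
  const request = { id: 'req-42', requester: 'ann', action: 'export customer_table' };
  const approvals = [
    { approver: 'ann', requestId: 'req-42', at: now },             // requester approving herself
    { approver: 'bo',  requestId: 'req-42', at: now - 60000 },     // valid
    { approver: 'bo',  requestId: 'req-42', at: now - 30000 },     // same person again
    { approver: 'cy',  requestId: 'req-41', at: now },             // approval for a different request
    { approver: 'dee', requestId: 'req-42', at: now - 3600000 },   // an hour old: expired
    { approver: 'eve', requestId: 'req-42', at: now },             // not on the approver list
  ];
  const firstPass = authorize(policy, request, approvals, now);   // only 'bo' counts: denied

  // A second distinct approver arrives with a fresh approval for this request.
  const secondPass = authorize(policy, request,
    [...approvals, { approver: 'cy', requestId: 'req-42', at: now }], now); // 'bo' + 'cy': allowed
  return { firstPass, secondPass };
}
```

In production the approvals would be signed by each approver’s key and the request ID would be a hash of the exact action being approved, so that an approval cannot be replayed against a different export; the structure of the checks stays the same.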
He added, “These values don’t even factor in the loss of intellectual property, which may take away long-term competitive advantages. The more businesses are aware of the financial downside, the more they may be willing to adopt the cost of implementing better data protection measures.”