Why the Equifax breach should never have happened

Mike Pittenger, Vice President, Security Strategy, Black Duck

Last week, the consumer reporting agency Equifax disclosed a major cybersecurity incident potentially affecting approximately 143 million US consumers.

The breach should never have happened.

Equifax acknowledged on Wednesday, Sept. 13, that a patch for the Apache Struts CVE-2017-5638 vulnerability—the culprit—was available in March, well before the attacks began. However, Equifax had not updated the vulnerable software at the time of the breach, more than two months later.

As a result, criminals were able to exploit the vulnerability and gain access to Equifax files from mid-May through July of this year, more than four months after the vulnerability had been disclosed publicly.

Here's what you need to know about the causes of the Equifax breach and what your team can do to prevent something similar happening to your organization.


Open source in the hot seat?

Apache Struts is a free, open-source framework for creating web applications. It is widely used to build corporate websites by Fortune 100 companies in sectors that include education, government, financial services, retail, and media. Many of those companies are likely scrambling right now to determine whether they are at risk.

Although open-source software, such as Apache Struts, comprises 80% to 90% of the code in modern applications, many organizations do not have good visibility into the open-source code they are using. Because most companies lack automated processes for identifying and monitoring their open-source code, they are often unaware that they are using a vulnerable open-source component or that a fix is available.

Not patching known open-source vulnerabilities puts companies at considerable risk, and has many potentially negative ramifications for their customers.

Unfortunately, ineffective open-source security and management are widespread worldwide.

From spreadsheets to automation

Last year, Black Duck’s Center for Open Source Research & Innovation (COSRI) analyzed more than 1,000 applications that were audited as a part of merger-and-acquisition transactions. The audit analysis found that 96% of the applications contained open-source software and that more than 60% of those applications contained known open-source security vulnerabilities.

Notably, 60% of the financial industry applications that were audited contained high-risk open-source vulnerabilities.

Additionally, the COSRI analysis showed that 83% of audited applications in the retail and e-commerce industries contained high-risk, known open-source vulnerabilities.

On average, the open-source vulnerabilities identified in the audited applications had been publicly known for more than four years.

It would seem counterintuitive that, at a time when high-powered automation systems can execute stock trades in real time, many large, successful enterprises that rely on open source to drive their business are tracking their open-source use on static spreadsheets.

There are a variety of companies that help organizations address this growing challenge.


Open source is on the rise

Open-source software, once a speck on the technology landscape, is ubiquitous in today’s software applications because it lowers development costs, enables innovation, and speeds time-to-market. Companies such as Netflix, Uber, and Amazon leverage open source to disrupt and revolutionize their markets, and the use of open source will continue to accelerate.

Effective management and security of open source will become increasingly important.

Push versus pull updates

Unlike commercial software—Microsoft’s, for example—critical open-source security updates are not pushed to users as they become available. It is up to users to know what open source they are using and stay on top of patches, fixes, and upgrades to their open-source packages. As the COSRI audit analysis shows, many companies are not at all effective in doing this.

There are ways to fix the problem. Tracking vulnerable (or defective) parts is a problem solved 100 years ago by the automotive industry. Automakers maintain a bill of materials—a listing of every part used in every vehicle. When a defective part is reported by a vendor, the OEM is able to track its use to specific vehicles.

The most effective way for companies to gain visibility into and control over open source in their applications and websites is to use automated processes to scan applications for open source, create a bill of materials—an inventory of their open-source components—and then map that open source to open-source vulnerability databases. This enables them to identify any known vulnerabilities, monitor the threat landscape for any newly reported open-source vulnerabilities, and map those to each of the applications using those now vulnerable components.
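The bill-of-materials approach described above, as an added example that is not the article's, Black Duck's or Equifax's code: a small matcher that maps a scanned inventory of components to a vulnerability feed. The SBOM, the application names and the feed are constructed for illustration; only the Apache Struts CVE id comes from the article, and the affected version ranges attached to it here are an assumption, not a quotation from the advisory.

```python
"""Map a software bill of materials (SBOM) to a vulnerability feed.

Added example. Inventory, application names and feed are constructed;
the Struts version ranges are assumed for illustration only.
"""

def parse_version(v: str) -> tuple:
    """Split '2.3.31' into (2, 3, 31) so comparison is numeric.
    Lexically '2.3.9' > '2.3.31'; numerically it is older. A matcher that
    compares version strings would miss it. Assumes dotted numeric versions."""
    return tuple(int(p) for p in v.split("."))

# Constructed feed: (cve, component, [(first_affected, first_fixed), ...]).
# Ranges are half-open: first_affected <= version < first_fixed is affected.
VULN_FEED = [
    ("CVE-2017-5638", "org.apache.struts:struts2-core",
     [("2.3.5", "2.3.32"), ("2.5.0", "2.5.10.1")]),  # assumed ranges
    ("CVE-EXAMPLE-0001", "example:legacy-parser", [("1.0.0", "1.4.2")]),
]

def is_affected(version: str, ranges) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)

def match_sbom(sbom, feed) -> dict:
    """Return {(app, component, version): [cve, ...]} for every inventory
    entry hit by the feed, so each finding is tied to the application that
    ships the component. Re-run as the feed changes to catch new advisories."""
    findings = {}
    for app, comp, ver in sbom:
        hits = [cve for cve, fcomp, ranges in feed
                if fcomp == comp and is_affected(ver, ranges)]
        if hits:
            findings[(app, comp, ver)] = hits
    return findings

# Constructed SBOM: what an automated scan would produce across two apps.
SBOM = [
    ("customer-portal", "org.apache.struts:struts2-core", "2.3.31"),  # affected
    ("customer-portal", "example:legacy-parser", "1.4.2"),            # first fixed
    ("billing-api", "org.apache.struts:struts2-core", "2.5.10.1"),    # patched
    ("billing-api", "org.apache.struts:struts2-core", "2.3.9"),       # affected
    ("billing-api", "com.example:unrelated-lib", "9.9.9"),
]

if __name__ == "__main__":
    for (app, comp, ver), cves in match_sbom(SBOM, VULN_FEED).items():
        print(f"{app}: {comp} {ver} -> {', '.join(cves)}")
```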

Think visibility and vigilance

With visibility and vigilance, organizations can effectively protect themselves and their customers from the types of open-source exploits that affected Equifax and nearly 150 million of its customers.

Open-source software is growing in importance in all areas of technology: application development, containers, the cloud, and the Internet of Things.

Winning companies will be those that manage and secure open source effectively.
