Equifax was so unsure how much data had been stolen during its 2017 mega-hack that its IT staff spent weeks rerunning the hackers' database queries on a test system to find out.
That's just one intriguing info-nugget from the US Government Accountability Office's (GAO) report, Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach, dated August but publicly released this month.
During that attack, hackers broke into the credit check agency's systems, getting sight of highly personal information on roughly 150 million people in America plus 15 million Brits, and others.
Computer security breaches are rarely examined in this much detail; however, several departments of the US government are Equifax customers, which meant the Feds wanted the GAO to convince them it's not going to happen again.
The cyber-break-in happened on May 13 when criminals started exploiting a vulnerability in the Apache Struts 2 framework running on Equifax's online portal. The company didn't clock it until July 29. However, the report confirmed that failing to patch this flaw earlier was not the only screw-up.
Ironically, the security breach was only picked up when someone updated an expired certificate on a piece of kit that was supposed to be monitoring outbound encrypted traffic, and immediately noticed something was wrong. With that device effectively switched off for 10 months due to the expired certificate, “during that period, the attacker was able to run commands and remove stolen data over an encrypted connection without detection,” noted the auditors.
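The failure above is an expired certificate silently taking a monitoring device out of service. The following is an added example, not code from Equifax or the GAO report, of the kind of inventory check that would have surfaced it: it parses the `notAfter=` line that `openssl x509 -noout -enddate` prints and flags certificates that are expired or close to it. The device names, dates and the 30-day warning window are constructed for illustration.

```python
"""Flag expired or soon-to-expire certificates in a small inventory.

Added example (not Equifax's or the GAO's code). It consumes the text that
`openssl x509 -noout -enddate -in cert.pem` prints, e.g.
"notAfter=Sep  9 12:00:00 2024 GMT", so the check itself runs offline on a
constructed inventory; read_enddate_from_pem() is an optional bridge to the
real CLI for live PEM files.
"""
import subprocess
from datetime import datetime, timezone


def parse_openssl_enddate(line: str) -> datetime:
    """Turn 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    # openssl pads single-digit days with two spaces ("Sep  9"); collapse that.
    value = " ".join(value.split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def check_certificates(inventory: dict, now: datetime, warn_days: int = 30) -> list:
    """Return (name, status, days_left) for each certificate that is already
    expired or expires within warn_days; healthy certificates are omitted."""
    alerts = []
    for name, enddate_line in inventory.items():
        not_after = parse_openssl_enddate(enddate_line)
        days_left = (not_after - now).days
        if not_after <= now:
            alerts.append((name, "EXPIRED", days_left))
        elif days_left <= warn_days:
            alerts.append((name, "EXPIRING", days_left))
    return alerts


def read_enddate_from_pem(path: str) -> str:
    """Optional: ask the openssl CLI for a PEM file's notAfter line (needs openssl)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed inventory and clock (hypothetical device names and dates).
NOW = datetime(2017, 5, 13, tzinfo=timezone.utc)
INVENTORY = {
    "tls-inspection-appliance": "notAfter=Jul 15 00:00:00 2016 GMT",  # lapsed long ago
    "web-portal-cert": "notAfter=Jun  1 00:00:00 2017 GMT",           # due in 19 days
    "internal-ca": "notAfter=Dec 31 23:59:59 2020 GMT",               # healthy
}


def run_check() -> list:
    """Run the inventory check against the constructed data."""
    return check_certificates(INVENTORY, NOW)


if __name__ == "__main__":
    for name, status, days in run_check():
        print(f"{status:9} {name} ({days:+d} days)")
```

The check is deliberately independent of the device that owns the certificate: an appliance that fails open when its certificate lapses will not tell you, so the expiry date has to be tracked somewhere that does.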
Had that inspection device been operational, history might have been different. As the auditors put it:
Specifically, while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected.
According to Equifax officials, the misconfiguration was due to an expired digital certificate. The certificate had expired about 10 months before the breach occurred, meaning that encrypted traffic was not being inspected throughout that period. As a result, during that period, the attacker was able to run commands and remove stolen data over an encrypted connection without detection.
Equifax officials stated that, after the misconfiguration was corrected by updating the expired digital certificate and the inspection of network traffic had restarted, the administrator recognized signs of an intrusion, such as system commands being executed in ways that were not part of normal operations. Equifax then blocked several Internet addresses from which the requests were being executed to try to stop the attack.
We’ll call that the “holy crap” moment but there were other failings, including a lack of segmentation, a technique that could have isolated the databases from one another, or at least triggered an alarm when the intruders tried to move sideways through the network.
It was a similar story for data governance – jargon for making it harder for an attacker to access certain fields within the databases. Even simple query rate limiting might have helped, “specifically, the lack of restrictions on the frequency of database queries allowed the attackers to execute approximately 9,000 such queries – many more than would be needed for normal operations.”
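The report's point about query frequency is a detection problem as much as a prevention one: a burst of queries from one account that is far above its normal rate is visible in ordinary database logs. The following added example, which is not from Equifax or the GAO, runs a per-account sliding-window count over constructed log lines and raises one alert per burst. The log format (`<ISO timestamp> <account> <query>`), the account names and the threshold of five queries per minute are assumptions chosen for illustration; a real deployment would derive the threshold from each account's measured baseline.

```python
"""Per-account query-rate burst detection over database log lines.

Added example (not Equifax's or the GAO's code). Log format, account names
and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line: str):
    """Split '<ISO timestamp> <account> <query text>' into its three parts."""
    ts, account, query = line.split(" ", 2)
    return datetime.fromisoformat(ts), account, query


def detect_query_bursts(lines, window_seconds: int = 60, threshold: int = 5) -> list:
    """Return one alert (account, time, count_in_window) per burst.

    Lines must be in time order. A burst starts the first time an account has
    more than `threshold` queries inside the trailing window and ends once a
    later query from that account finds the window back at or below the
    threshold, so a sustained burst produces a single alert, not one per query.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # account -> timestamps inside the window
    in_burst = set()
    alerts = []
    for line in lines:
        ts, account, _query = parse_line(line)
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and account not in in_burst:
            in_burst.add(account)
            alerts.append((account, ts, len(q)))
        elif len(q) <= threshold:
            in_burst.discard(account)
    return alerts


def _build_sample_log() -> list:
    """Constructed sample: a quiet portal account and a service account that
    fires 12 queries in 22 seconds."""
    base = datetime(2017, 5, 13, 2, 0, 0)
    lines = []
    for i in range(4):   # normal traffic: one query every 30 seconds
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} app_portal SELECT name FROM consumers WHERE id = {i}")
    for i in range(12):  # burst: one query every 2 seconds
        ts = base + timedelta(minutes=5, seconds=2 * i)
        lines.append(f"{ts.isoformat()} svc_batch SELECT * FROM consumers WHERE id = {i}")
    return sorted(lines)  # ISO timestamps sort lexically into time order


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for account, ts, count in detect_query_bursts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {account}: {count} queries in the last minute")
```

Feeding the same detector with a shorter window or a higher threshold shows the trade-off: tighten either and the burst disappears from view, which is why the threshold should come from observed per-account baselines rather than a global guess.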
Equifax did get lucky on one score: had the attackers erased some of the logs, reconstructing what they’d been up to during all those weeks of easy access might have been much harder. Even getting that far required Equifax’s IT team to rerun as much of the attack as they could, using a test copy of the database against which the thousands of known queries were run.
While this is an excellent idea straight out of “we’ve been breached 101,” it was still a time-consuming way to have zero per cent fun. It might at least start to explain why Equifax took until September 7 to reveal the network breach despite knowing about it for weeks.
The GAO makes no recommendations on future security, which is not its remit. What’s striking from its report, however, is how small individual errors and oversights in a company with plenty of resources can lead to the data of nearly 150 million people ending up in the hands of bad people. ®