What the Equifax Fiasco Means for You
By Stephen M. Soble
Oct 2017 Interview with Stephen Soble About Equifax
By now we all know that personal, financial and sensitive data relating to about 45% of the entire US population has been compromised in one of the largest scale cyber-attacks in the entire history of the Cyber War in which we find ourselves. It has been reported that Ernst & Young’s cyber risk assessment and advice on vulnerability management failed to protect their client, Equifax (see, e.g., http://www.marketwatch.com/story/equifax-auditors-are-on-the-hook-for-data-security-risk-controls-2017-10-02 or https://krebsonsecurity.com/2017/09/heres-what-to-ask-the-former-equifax-ceo/). Looking backward, lawsuits and regulators will run their course. But what about the victims? Make no mistake, nation-states use data to track US individuals. Data correlations yield meaningful insights. Equifax is not the first major or meaningful data breach to occur. Many significant breaches are not well reported.
A Prelude to Equifax
A while back, one of our senior engineers was asked to conduct a cybersecurity assessment for an insurance company, as a precaution to an overnight doubling of the base of insureds in the client’s network.
The CEO met with our engineer and proudly announced, “This will be the easiest assessment you have ever conducted. No one is interested in us. We only have FSA data on insureds. We do not control any money and no one can access any bank accounts from any of the data we have. So, just issue the final report and feel free to knock off early.”
Our engineer rolled his eyes. “On my way to your office, didn’t I see a large US military installation?”
“Well, of course, and we are proud that about 45% of our current account holders work there,” patriotically explained the CEO.
“And aren’t you doubling the size of your membership by adding employees from two major US defense contractors?” asked our engineer, already knowing the answer.
“Well, yes, that is true,” admitted the CEO.
“So, are you concerned that nation states such as China, Russia or North Korea might be inside of your network?” nonchalantly asked our engineer.
Turning pale, the CEO asked with apprehension, “What do you mean?”
Standard operating procedure for many nation state intelligence services is to try to identify all US personnel working in sensitive areas of every US military installation. That should not be a surprise. But now with the data readily siphoned from the insurance company, and a simple data correlation, the adversary could easily compile a list of those working at the base, in sensitive positions, who are also under family medical and financial stress. Seeing who uses up their annual family FSA allotment in the first couple of months of the year is a telltale sign. Voilà—a very useful recruitment list.
Had this insurance company been in NY State, under the current NY DFS cybersecurity regulations, the insurance company would have been required to file reports within 72 hours. The company also would have been required to initiate remediation efforts and to provide information concerning the penetration and its aftermath. Details of the incident and remediation efforts would have to be disclosed with the annual cybersecurity compliance report.
So, what does this story have to do with Equifax?
The Equifax Public Defense
As of October 1, at least three state and local governmental agencies have filed suit against Equifax—the Commonwealth of Massachusetts and the Cities of Chicago and San Francisco. Two federal agencies, the Federal Trade Commission and the Consumer Financial Protection Bureau, and at least 32 states, including New York, New Jersey and Connecticut, have initiated investigations. Dozens of private class action lawsuits have been filed. Congressional investigations have begun.
And more facts are coming out, almost daily. What we seem to know is that the cyber-attack against Equifax arose from the exploit of a Known Vulnerability, which Equifax failed to patch. Many reports cite sometime in May for the onset of the attack. One report states that the cyber-attack occurred initially in March, not long after the publication of a Known Vulnerability at the beginning of the month. The patch was released on March 8. The cyber-attack continued undetected and unimpeded for months, until it was discovered at the end of July. Then, for murky reasons, Equifax did nothing until September 7, when it notified authorities and the public of the massive data breach. The CEO has been forced out. The head of IT is gone. And so, too, have other executives. In the media and before Congress, Equifax has floated several justifications:
- There are too many Known Vulnerabilities to patch and we can’t keep up.
- We expect our IT Department to remediate Known Vulnerabilities within 48 hours of discovery, and it was human error that they overlooked this one patch.
- No one can scan to find all Known Vulnerabilities.
- Remediation is difficult.
- No one can find an ongoing attack much faster than did Equifax. The average time between the onset of an intrusion and its discovery is nearly 200 days. So, Equifax was a bit better than average.
- The cyber risk inherent in our complex systems is everywhere, undefinable, unrecognizable, and immeasurable.
- Equifax timely filed every required compliance document, so they ought to be exonerated.
Any reader of The Insurance Advocate over the past few months recognizes each of these excuses as Pugwash.
- A new class of scanners—Deep Software Scanners—detects Known Vulnerabilities in all software, both proprietary and third-party produced, without need for access to source code or any underlying data. And Deep Software Scanning works quickly, locates each vulnerability and provides clear remediation instructions to address each vulnerability. (AssuredScanDKV® is such a scanner.)
- Human error is a given. Therefore, the wise use of automated tools, such as the Deep Software Scanner, in a serious programmatic fashion can reduce human error to an acceptable risk.
- We (and the readers of Insurance Advocate) know of a Deep Software Scanner which can find all Known Vulnerabilities and makes remediation easy and quick. Our company has vast experience with this class of scanners.
- There is also a new class of tools on the market commonly referred to as “hunting tools.” Again, our company has experience with a “Scout” product which can detect an ongoing cyber-attack within days of initiating the Scout program. We even have a sister product, a “Hawk” tool which continuously monitors intrusions and which can run daily in background. For the geeks among us, there is also an orchestration tool, “Maestro” which makes the cacophony of alerts, logs, inputs and outputs, sing a common tune. There is no reason for delay in detecting a successful attack with these tools available.
- Cyber risk assessment is becoming a hot button issue. Some (i.e., the Big 4 accounting firms) approach a cyber risk assessment as though it is a financial audit. Others have mysterious, haughty “predictive analytic models.” Some rely on chatter on the Dark Web to determine threats and this becomes the lynchpin of risk assessment. Still others keep the Wizard of Oz behind the curtain so that they can project some scoring system, often without even laying hands on a network, examining a system or digging into details—why work hard when you don’t have to? But the newly emerging “Gold Standard” in cyber assessment, a TripleHelix™ assessment, provides a Roadmap of cost-efficient improvements and a CyberScore® to benchmark and measure risk—both based on hard, detailed cyber engineering, and solid, defensible data. Finally, the TripleHelix™ system provides a Regulatory Compliance Dossier, populated with virtually any regulatory compliance report (including NYS DFS of course) all in a neat, one-stop package. So, cyber risks are definable, visible and measurable. Welcome to the New School of Cybersecurity.
- Compliance does not equal Security. Compliance does not equal Security. Compliance does not equal Security. Maybe saying it three times and clicking a pair of red shoes together will relegate the silly excuse of “compliance” to the refuse heap of Old School cyber history.
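As an added illustration of the “programmatic” use of automated tools called for above (example code written for this edit, not from the original article or from Assured Enterprises’ products): a small patch-SLA and dwell-time check over constructed scan findings, using the 48-hour remediation expectation and the roughly 200-day average dwell time the article cites; the asset names, vulnerability ids and dates are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Policy figures taken from the article: a 48-hour remediation expectation and
# a roughly 200-day average between intrusion onset and discovery.
PATCH_SLA = timedelta(hours=48)
AVERAGE_DWELL = timedelta(days=200)

@dataclass
class Finding:
    asset: str
    vuln_id: str                    # placeholder id, not a real CVE number
    patch_available: datetime       # when the vendor fix was published
    remediated: Optional[datetime]  # None means the patch is still not applied

def hours_exposed(f: Finding, now: datetime) -> float:
    """Hours between patch availability and remediation; open findings count up to 'now'."""
    end = f.remediated if f.remediated is not None else now
    return (end - f.patch_available).total_seconds() / 3600

def sla_breaches(findings: List[Finding], now: datetime) -> List[Finding]:
    """Findings that exceeded the 48-hour SLA, worst (longest exposed) first."""
    limit = PATCH_SLA.total_seconds() / 3600
    late = [f for f in findings if hours_exposed(f, now) > limit]
    return sorted(late, key=lambda f: hours_exposed(f, now), reverse=True)

def dwell_days(intrusion_start: datetime, detected: datetime) -> int:
    """Whole days an intrusion ran before it was discovered."""
    return (detected - intrusion_start).days

def better_than_average(intrusion_start: datetime, detected: datetime) -> bool:
    """True if the dwell time beat the ~200-day average the article cites."""
    return detected - intrusion_start < AVERAGE_DWELL

# Constructed sample findings; assets, ids and dates are invented for the example.
NOW = datetime(2017, 3, 20)
SAMPLE = [
    Finding("web-01", "VULN-0001", datetime(2017, 3, 8), datetime(2017, 3, 9)),  # within SLA
    Finding("web-02", "VULN-0001", datetime(2017, 3, 8), None),                  # still open
    Finding("db-01", "VULN-0002", datetime(2017, 3, 1), datetime(2017, 3, 6)),   # 5 days late
]

if __name__ == "__main__":
    for f in sla_breaches(SAMPLE, NOW):
        state = "OPEN" if f.remediated is None else "closed"
        print(f"{f.asset} {f.vuln_id}: {hours_exposed(f, NOW):.0f}h exposed ({state})")
```

The still-open finding is the important edge case: it keeps accruing exposure hours against the SLA until it is actually remediated, rather than dropping out of the report because no closure date exists.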
What to Expect in the Wake of Equifax
As we learn more facts and more incisively analyze what has happened, we can expect some key developments.
- In New York State, the Attorney General will take notice of readily available, cost-efficient new technologies. The NYS DFS regulations require vulnerability scans twice a year, but don’t detail the type of vulnerability scan to be conducted. One should expect future regulations to set some standards for remediation of Known Vulnerabilities, since detection and remediation are now both straightforward and reliable.
- Encryption, which is a requirement in the NYS DFS regulations, is on the verge of a commercial revolution. Watch for this requirement to be more clearly defined.
- Hunting tools and continuous monitoring tools will become a standard part of the tool kit for companies holding large amounts of data and sensitive data, because this new generation of tool helps to close the door on cyber-attacks in real-world time.
- Cyber risk assessments will become the focus of lawsuits and extensive lobbying.
- Ernst & Young, which conducted the cyber risk assessment for Equifax and which also seems to have had a role in the vulnerability assessment, will come under serious scrutiny. Do we really think that accounting firms sufficiently understand the cutting edge of cybersecurity engineering to allow our networks to operate safely in this Cyber War of the Digital Age? Is it only because people are operating under the misapprehension that “Compliance Equals Security”—when it doesn’t and can’t—that they think accounting firms have deeper insights into cybersecurity than other experts in the field?
- The Old School is hard to displace. The class action lawsuits already filed and still to be filed, governmental inquiries, investigations and regulatory actions are most likely to spark a new awareness of New School Cybersecurity solutions, which will permit proactive cybersecurity to offer genuine protection and which will empower insurance companies to define properly insurable risks in the form of high-dollar cyber risk insurance policies at reasonable premiums. The marriage of New School Cybersecurity with actuarially sound cyber risk policies and programs, fair claims management and subrogation represents the silver lining which awaits. For those interested in the insurance industry and its role in risk management in the Digital Age, there are steps which can be taken today to achieve bold results. Quick adoption of these changes would be a worthy legacy in the wake of the Equifax fiasco.
Mr. Soble, a graduate of Harvard Law School, is a member of the NYS bar. Nothing stated herein is intended to be and should not be construed to serve as legal advice. Please consult your legal counsel. Assured Enterprises is a premier Cyber Risk Assessment, Measurement and Mitigation company, inventor of innovative products and solutions for the US Government and private sector.