The Equifax Breach and the tale “The Emperor’s New Clothes”

The tale

H.C. Andersen’s tale “The Emperor’s New Clothes”, published in 1837, tells the story of a vain king, more concerned with his appearance and his clothes than with his kingdom and his subjects. The king is fooled by two weavers who promise him a new set of clothes, made from a magnificent fabric, which had this wonderful way of becoming invisible to those who are not fit for their positions, incompetent or stupid. In his vanity, the king pretends to see the non-existing clothes which two men weave and no one in the court dares to say that they don’t see the clothes. When the king parades in public wearing his “new clothes”, the crowd pretends they don’t notice that he is naked as they don’t want to seem unfit or stupid, until a little child screams: “But he hasn’t got anything on!” At this moment, the king gets a hint that maybe the kid was right, but he holds his head high and continues the procession.

The Equifax breach

The recent breach of Equifax, resulting in the theft of data from 143 million customers, is now confirmed to have been caused by the exploitation of a known vulnerability on Apache Struts 2 (CVE-2017-5638). The attack started more than two months after the fix for the vulnerability had been available, and Equifax came public with the story four months after the initial attack.

You have probably heard all sorts of criticism and excuses about this case by now.

The Apache Software Foundation, for example, published a blog to clarify that they had issued the patch at the same time as the vulnerability had been disclosed, and that the breach had been caused by Equifax’s failure to apply the patch.

Different blogs discuss whether it is acceptable that a critical vulnerability, in an open source component used to take in and serve up data, has not been fixed for two months.

Some claim it is very common that this type of vulnerability remains unpatched for months and sometimes for years…

At this point, you are probably asking: What does the Equifax breach and the H.C. Andersen’s tale have in common?

The day-in day-out news of breaches affecting companies we trust with parts of our personal data gives us a hint that the cybersecurity emperor hasn’t got anything on!

It is not that there is no concern or effort to improve security to avoid incidents and data breaches. Only when you scratch the surface and start digging it becomes clear that, security requirements are often neglected business priorities in favor of the wish to do things fast and under the false presumption that adhering to security requirements slows the business.

A very classical example is companies giving admin rights to users indiscriminately. This is one of the basic rules of security: no admin rights to end users. Yet, one would be surprised by how many companies out there still do it, despite the public knowledge of the risks it represents and despite the fact that access to admin rights does not make end users more productive.

And this is the main point of this blog: it’s time to reflect upon how we are securing our businesses, partners and customers.

Reports show that spending on security technology continues to grow and is expected to continue growing over the years to come.

The impression I have is that business leaders keep pouring money over security professionals in the hope that the acquisition of technology will make up for the fact that companies, more commonly than anyone dares to admit, neglect the basics of system configuration, hygiene and security best practices. The consequence is that , we continue to see incidents caused by the exploitation of known vulnerabilities, which could have been prevented by timely patching, despite all the investments in new technologies.

Ok, I can already hear: easier said than done! True. But the fact is that this is just another excuse and not an expression of the truth, like the one that justifies giving admin rights to end-users. As a consumer, I’m tired of having my credit cards canceled because my data was stolen from a major hotel chain or an airline. Many people like me are tired and feeling helpless as pointed in the Savage Security blog:

We’re resigned to the fact that companies will continue to make security a secondary priority, will continue to get hacked and will continue getting away with no serious consequences.

I’m tired, but I’m not numb. And I believe that it is time for business leaders to realize that there will be no magic solution for the challenges of security with the ever-increasing pace of change in technology. It’s a matter of continuously changing and adapting. What worked yesterday does not address today’s challenges. The mindset and strategies of the past do not help to solve problems we are facing today.

Vulnerability Management is probably a good example of what I am saying. Many continue to see it as the management of hardware and configuration vulnerabilities, while software vulnerabilities remain undetected and open for hackers to exploit. Gaps in vulnerability management processes are certainly one of the main causes for the high number of high profile breaches we see exploiting old, well-known, vulnerabilities.

Let’s not be fooled by the fear of facing the facts or exposing weaknesses. Let’s not watch the emperor parade with nothing on and pretend that we don’t notice it. The consequences of acting in this way will come back to bite us sooner or later.