{"id":9183,"date":"2017-09-08T09:00:09","date_gmt":"2017-09-08T17:00:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/08\/news-2956\/"},"modified":"2017-09-08T09:00:09","modified_gmt":"2017-09-08T17:00:09","slug":"news-2956","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/08\/news-2956\/","title":{"rendered":"Equifax Breach \u2013 an Example of Good Communications"},"content":{"rendered":"

Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Fri, 08 Sep 2017 15:50:25 +0000<\/strong><\/p>\n

\"\"<\/p>\n

Equifax announced a massive breach<\/a> that could impact at least<\/i> 143 million US consumers. That\u2019s 44% of the US population. This breach will have a significant impact on a lot of people.<\/p>\n

Companies in the financial sector take cybersecurity very seriously. Part of that work is accepting the reality of today\u2019s threat landscape. Security teams work to prevent as many attacks as possible but also practice and plan to recover quickly when a breach does occur.<\/p>\n

Cybersecurity incidents are complex in nature. Businesses that operate at the scale of Equifax have a lot of moving parts and many different teams that need to co-ordinate their work.<\/p>\n

All of this work has to happen while the day-to-day business of the company continues as undisturbed as possible. It\u2019s a difficult balance to maintain.<\/p>\n

Incident Response<\/h1>\n

Based on their current statement, we know a few of the facts:<\/p>\n

    \n
  • Attackers had access to the data mid-May to 29-July-2017<\/li>\n
  • Once the company detected the intrusion, they stopped it<\/li>\n
  • Once stopped, they called in an reputable outside firm to help with the forensics<\/li>\n
  • After assessing the impact to consumers, they\u2019ve taken steps to help protect them from further damage<\/li>\n<\/ul>\n

    From the outside, this shows us that Equifax has a strong incident response process in place and that process is working. Some may question calling in an outside firm to help with the forensics but they are a couple of significant advantages to doing so.<\/p>\n

    The first is to have more hands on deck. A true forensics investigation takes a lot of time and is a huge undertaking. Getting additional trained staff to take on this work allows the core team to continue to defend the network and help restore operations.<\/p>\n

    The second advantage is that an outside team approaches the problem with fresh eyes and no preconceptions about how various systems are integrated. They ask questions that existing teams may overlook.<\/p>\n

    Equifax hasn\u2019t released any technical details about the intrusion yet beyond that the attackers used an vulnerability in one of their applications to gain access. That\u2019s ok, that information isn\u2019t valuable to the impacted consumers at this point.<\/p>\n

    What is important is the communications around the breach and that\u2019s where Equifax stands out as a positive example.<\/p>\n

    Breach Communications<\/h2>\n

    Most breach notifications follow a very predicable pattern. It\u2019s one we\u2019ve seen used time and time again and it\u2019s long been a sore point for most people in the security community (myself included as I\u2019ve been complaining about it for years now).<\/p>\n

    The general pattern is this:<\/p>\n

      \n
    1. We\u2019ve had a breach<\/li>\n
    2. Don\u2019t worry & don\u2019t blame us<\/li>\n
    3. We\u2019re doing what we can to make this go away<\/li>\n
    4. Here\u2019s some basic coverage to protect your credit score<\/li>\n<\/ol>\n

      Breach communications are often written in legalize or least in bland corporate speak. Understandably so as they are designed to minimize liability as well as reduce panic or concern. It\u2019s an unfortunate example of good intentions getting pushed down by process<\/i>.<\/p>\n

      Equifax bucks this trend and\u2014while the language could still be less formal\u2014does a fantastic job of clearly explaining the issues at hand.<\/p>\n

      Clarity<\/h2>\n

      Their statement (which has already been updated to include new information) clearly states the:<\/p>\n

        \n
      • scope of the breach\n
          \n
        • 143 million US consumer records<\/li>\n
        • An unknown number of Canadian and UK consumer records<\/li>\n
        • ~209,000 US consumer credit cards<\/li>\n
        • Dispute documents relating to ~182,000 US consumers <\/ul>\n<\/li>\n
        • steps they taking to gather more information<\/li>\n
        • how that information is being communicated to affected consumers<\/li>\n
        • who they are working with to address the situation<\/li>\n
        • what they have already setup to help consumers deal with the situation<\/li>\n
        • that they accept ownership of the issue<\/li>\n<\/ul>\n

          It\u2019s this last point that really stands out. In the breach notification, they have a quote from their Chairman and CEO, Rick Smith. Having a senior executive quoted in a notification is somewhat common, though it\u2019s rarely the CEO. Equifax takes this a step further and has a video from Mr. Smith explaining the situation.<\/p>\n