In the wake of the Equifax data breach, and the litany of issues that followed it (potential insider stock sales, insecure database applications, and finger-pointing between Apache and Equifax), there are some valuable lessons we should all take to heart.
- Trust no one, and no entity: I hate to sound overly dire, but even the old “trust, but verify” adage is insufficient in the world of cyber. Assume that your information is insecure, that it has already been breached, and that mitigation is now the name of the game;
- data, both in flight and at rest, should be encrypted. Seriously, who puts data on an accessible server and then leaves it unencrypted? Given enough time and resources a determined attacker will usually find a way around encryption (a stolen or poorly protected key, a weak or outdated algorithm, an application that can decrypt everything anyway) rather than through it, but companies should at least make hackers earn their keep;
- humans continue to be one of the weakest links in any cybersecurity chain. Take a look at the Argentinian Equifax web portal, connected to an RDBMS and accessible with the username/password admin/admin. Seriously?
- following on from the previous point: companies really need to embrace the fact that IT and information security (IS) are equal, yet separate, disciplines. One is focused on availability and uptime; the other is (or should be) focused on protecting data and ensuring that proper access controls are implemented and continuously monitored;
- in the infantry the common mantra is “embrace the suck”. In cyber, the mantra should be “embrace the SOC”. Build one in-house or use an outsourced Security Operations Center, but please, please allocate the resources needed to identify, assess, secure, and monitor your data and information flows.
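To make the at-rest encryption point concrete, here is an added example (written for this post; it is not code from Equifax, Apache, or any product named above) showing what "encrypt the data" should look like in practice: AES-256-GCM with a random nonce per record and the record's identifier bound in as associated data, so that a modified ciphertext or a ciphertext copied between rows fails to decrypt instead of silently returning garbage. The record ID format, the sample SSN field, and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit data-encryption key. In production this key
// lives in a KMS/HSM, never next to the data it protects (see the caveat below).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-GCM. recordID is passed as associated
// data: it is authenticated but not encrypted, so a ciphertext moved to a
// different record fails to open. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, so the nonce is stored with the data.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any error means: wrong key, wrong recordID, or tampering;
// the caller must treat all three the same way and never use partial output.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong record ID, or tampered data")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	blob, err := Seal(key, "customer:1001", []byte("ssn=123-45-6789"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, "customer:1001", blob)
	fmt.Printf("round trip: %q err=%v\n", pt, err)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, "customer:1001", blob)
	fmt.Println("tampered blob:", err)
	blob[len(blob)-1] ^= 0x01 // restore

	_, err = Open(key, "customer:1002", blob) // same bytes, wrong record
	fmt.Println("swapped record:", err)
}
```

Two caveats a practitioner will want: encryption at rest only buys something if the key is stored and accessed separately from the data (a KMS or HSM, with its own access control and audit log), otherwise an attacker who gets the admin/admin database account simply gets the key too; and random 96-bit GCM nonces must not be reused under one key, so a key that protects very large numbers of records (on the order of 2^32) should be rotated or derived per record.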
For our continuing Equifax breach coverage, please check here.