On September 7, 2017, news about one of the biggest security breaches in recent history was exposed to the public. Millions of Americans’ social security numbers, credit card numbers and other personal information were released to unauthorized hackers. People scrambled and panicked because their information was potentially compromised through one of America’s big three credit reporting agencies, Equifax. What we later found out was that this data breach was entirely preventable, if Equifax had followed security processes and paid attention to the security issues when the red flags first started to appear.
The Apache® Software Foundation is an organization that provides an open-source framework for Java Web applications called Apache® Struts™ and Equifax was known to be a user of Apache’s web-based software. Apache discovered that the Equifax security breach was caused by Equifax’s failure to install patches on time. Back in April, a patch for Apache® Struts™ was released and Equifax had failed to update its software with the patch, creating an opening for cyber hackers to start attacking. If Equifax had updated its software at the time the patch was released, the breach very likely wouldn’t have happened.
As we’ve previously discussed in another blog post about being proactive with firmware security, it is vital that security managers keep up-to-date with security patches and prioritize update processes so that they are done in a timely manner. Equifax’s latest security breach is a prime example of an issue that is persistent in the technology industry. It is important to stress to security/IT managers and companies (especially those who handle sensitive, confidential information) that security is always going to be an ongoing issue; despite having various protocols in place, you still have to constantly monitor your security processes. The cyber-attack on Equifax was on the web server application level; however, had the attack been on the firmware level, the cyber-attack might have gone undetected and the hackers would’ve been able to extract the sensitive information without being noticed.
As a reminder, here are some ways you can stay up-to-date with your security processes:
Security managers should always be on the defensive and prioritize active security processes and updates.
Regularly check up on the firmware/software/hardware and make sure nothing is out-of-place.
Update the systems as soon as patches are available to prevent future attacks and diagnose any bugs/issues that could arise.
An authorization process for security updates (such as a digital signature verification) will only allow authorized individuals to make changes and apply settings.
Get in the “being proactive” mindset!
We know when that sometimes when those update reminders pop up on your computer, physically and/or mentally, it’s easy to just press “remind me later” over and over again. But remember, there are updates for a reason and security updates are no exception. Let this cyberattack example be a lesson to everyone. We must be proactive about security!
Apache Struts, Struts, and Apache are trademarks of The Apache Software Foundation. All other trademarks and registered trademarks are property of their respective owners.