Perhaps no organization is entrusted with more highly sensitive consumer data than the credit bureau Equifax. So when it suffered one of the most massive data breaches in history in 2017, the result was catastrophic for its millions of customers, their trust in Equifax—and consumer trust in credit reporting agencies in general.
The breach, which led to the theft of 147 million people's personal information, left us asking how something on that scale and with such far-reaching implications could happen. There seemed to be an illusion that because Equifax is so big, so ubiquitous, and holds so much data that they were taking better care than most organizations to protect it. They were invincible, right?
With the recently-released Senate Committee on Homeland Security and Governmental Affairs' report on its investigation into the breach, the reason is painfully clear. Equifax, like most organizations, was unaware of the scope of its attack surface—especially that which resides outside the firewall—and therefore was unable to maintain an adequate patch-management policy.
It seems to be a terrifying trend, as many of the large-scale breaches that now surface in the news all too regularly are a result of compromised external assets that organizations weren't aware existed. According to Senators Rob Portman and Tom Carper, who authored the report, that is precisely what happened to Equifax. What's even more terrifying? The audit report mentioned that Equifax lacked a comprehensive IT asset inventory and did not fully understand the scope of the digital assets it owned.
Equifax was hacked via a consumer complaint web portal with a widely known vulnerability their security team should have patched. Once the attackers moved laterally into their network, they exfiltrated encrypted data for months because Equifax did not renew an encryption certificate on one of their internal security tools--which meant that this encrypted traffic wasn't being inspected.
"[Equifax] lacked a complete understanding of the assets it owned," the report states. "This made it difficult, if not impossible, for Equifax to know if vulnerabilities existed on its networks. If a vulnerability cannot be found, it cannot be patched."
In today's hyper-digital world, organizations must have a full inventory of digital assets connected to them outside their internal network to determine what may be vulnerable to attacks. In the case of Equifax, this would've included assets with known vulnerabilities, such as the customer complaint portal. This visibility would also have surfaced and flagged assets with expired certs, like the one in Equifax's security tool that allowed the attackers to exfiltrate encrypted data.
Discovering Unknowns and Investigating Threats
For years, vulnerability management was synonymous with vulnerability scanning and pen-testing. These were the keys to understanding which of your organization's digital assets are susceptible to threats and where those assets' vulnerabilities lie. However, widespread cloud migration and the explosive growth of online businesses fundamentally changed what security teams need to protect. For vulnerability management, only scanning and pen-testing assets you know about are not nearly sufficient to protect you now. What was once a small area to defend is now an expansive attack surface—a universe of digital assets scattered across the web, cloud, and mobile app stores.
RiskIQ helps uplevel vulnerability management programs and penetration testing teams, allowing them to find digital assets connected to their organization outside their internal network, providing visibility into assets that may be vulnerable to attacks. Just as an attack surface continues to evolve, so does the RiskIQ solution. Our discovery engine continuously scours the Internet to identify new assets, and alerts you to vulnerabilities or suspicious activity.
If a threat is identified, RiskIQ provides security analysts and incident responders with extensive investigative capabilities, powered by petabytes of Internet data. RiskIQ users don't have to worry about stitching together data sources and can instead focus on making connections, accelerating their response efforts, and getting the most from their existing security investments. Over 85,000 security professionals have placed trust within RiskIQ and joined the community platform to make the Internet a safer place.
Rethink Vulnerability Management
If we do not rethink our attack surfaces and how we appear to attackers, breaches like the one that took down Equifax will happen again and again. The modern attack surface expands from the network across the Internet and the cloud, where traditional security controls lack visibility. Unfortunately, the landscape of this new front in the war against data breaches currently favors attackers. With the visibility afforded security teams by the internet data sets collected by RiskIQ, we can turn the tide back into the good guys' favor.