School for Hackers

So Equifax was hacked not once, but twice? No way. I don’t believe it. If you’ve been hacked twice, you’ve been hacked at least 3.6 million times (or pick any other really big number you like). And notification of this new hack, like the last one, came at a languid pace. I’ve gotta give it to Equifax: if I did something like this, anything like this in my own business, I’d quickly go to prison. Their people are just walking out the door.

What irritates the devil out of me is that Equifax took an equally languid attitude toward the security of my personal information by violating three simple tenets of security. I know it’s not easy to manage a corporate network; I’ve been there. But there are fundamental measures anyone with a brain or responsibility has to take in this field, and Equifax outright failed to do these obvious things.

Principle One: Isolation

Not every system needs to touch the internet. Of those that do, none of them should have access to anything but the absolute minimal resources (meaning other systems) they need to do their job. Production networks should always be totally isolated: human resources, accounts payable, management, customer service and every other production operation should be utterly isolated from each other. Even if systems within them are compromised via email or the internet, they should provide no ingress – absolutely none – across functions. Your deepest assets (consumer records would qualify) should be deeply isolated.

“But customer service needs access to records, and so do the customers!”

Yes, and that functionality is still available. You’ll do it via strongly encrypted, strongly authenticated, highly secured connections. In other words, the segregation cannot be simply VLANs on a switch or even casually configured internal routers. No. Every production network should be encapsulated, firewalled, filtered and logged as an independent unit, one that considers itself surrounded by hostile would-be intruders. If I can walk through your DMZ to your online-data network, that’s a problem. But if I can then pivot to other production networks, it’s time for a firing squad.

Principle Two: Patch Management

All the mainstream security firms will hound you about this: stay patched right up to the minute! There is a tiny minority who would dispute this, arguing that proper isolation makes urgent patch management a useless exercise in anxiety. For my money, I’m going to do both (and a lot more).

The likely culprit here was an unpatched Apache Struts installation. Frameworks like Struts are popular with developers but eventually have to be managed by sysadmins, who may not love or follow them as closely. This is where tight collaboration between these teams has to ensure things that need to be patched (which includes practically everything that’s installed) are included in patch management lists and applications. I shouldn’t have to say it but those lists and apps must be intensively managed. That’s a pain, but lawsuits are a bigger pain, and really big lawsuits can be fatally painful for organizations.

Principle Three: Competent Management

Repeat after me: a degree in music does not qualify you to be CSO. (A degree in music does not qualify ….) Experian did not get this memo, and hired as Chief Security Officer one Susan Mauldin, music major, whose LinkedIn profile was edited and made private shortly after the hack was revealed, likely because she listed no relevant qualifications whatsoever.

I have been working, studying and teaching in this field for some 20 years, and I consider myself hardly qualified for a job like CSO. You’re playing with blood and money in that job. Even if you’re a brilliant poker player, this is 3D chess played with lions. If you can only play Whack-a-Mole on the computer, you should not be managing computer security for a major corporation. You’ll need to be a fanatical, deeply involved security fiend to play cop or Batman for a company like Experian.

This whole question of qualifications goes far beyond this field. A Chief Scientist should, for instance, be a scientist. This quickly gets political (at least for me), so I’ll stop now. But what Experian has done is not political, and not forgivable. They’re doing something that affects far too many people to approach it lackadaisically.

Now, the kernel: if you’re a malicious hacker, you’re going to be looking for exactly these weaknesses. During the Reconnaissance stage, finding a weak CIO or CSO would be a whiff of blood in the water. If a simple scan reveals unpatched vulns, bingo. And if weak or nonexistent network segmentation lets me go bounding through the corporate cyberverse, oh joy, oh glad (assuming I’m that malicious hacker). If I’m NOT a cracker, I’d be testing exactly these same limits because I’d be a pen tester or researcher or bounty hunter or whatever. Right?