It’s been a little more than a year since the world learned of the security breach at US-based credit reporting agency Equifax. Hackers had free reign within dozens of the company’s databases for months before being caught. It was months longer before the 145 million consumers in multiple countries learned that their personal information had been compromised.
The US Congress asked the Government Accountability Office (GAO) to study how Equifax and government agencies performed before and after the attack was discovered. It is a fascinating study of what appeared at the time to be a comedy of errors, but in hindsight looks to be more of a lesson in inevitability.
Source: GAO, based on information provided by Equifax. | GAO-18-559
The most startling fact that has emerged from the GAO report describes the Herculean task that all AppSec teams face:
Equifax has stated that, on March 10, 2017, unidentified individuals scanned the company’s systems to determine if the systems were susceptible to a specific vulnerability that the United States Computer Emergency Readiness Team had publicly identified just 2 days earlier.
Two days. Equifax was already under attack within 48 hours of the announcement of a flaw in the Struts 2 framework. By comparison, the average time to patch a known vulnerability is measured in months (if not years).
For organizations that rely exclusively on physically patching their web applications, the conclusion from this report is obvious: you can’t fix your code fast enough to stay ahead of professional or nation-state hackers. Your fingers on keyboards are no match for their automated scanners.
What does close the patching gap is virtual patching. Not pattern matching-based virtual shields or the so-called virtual patching of WAFs, but real virtual patching that fixes flaws in the compilation pipeline as the application runs. That is the fastest and most effective way to address known vulnerabilities without any downtime or source code changes.
Reading the GAO report makes it clear that someone was destined to become the poster child for failed/failing cybersecurity practices that have been SOP for decades. It just happened to be Equifax.
