Web security folks, any insight? Also curious why it took them 2 months to find out they were being fucked by hackers?
Security is very hard, usually an afterthought, and non-tech companies have a harder time attracting the best and brightest engineers in this field. It's about writing software that doesn't have gaps; it's about your infrastructure not having backdoors (sometimes less critical machines, e.g. for testing, that are neglected in this regard or where devs install crap insecurely, contain certificates or passwords or have exemptions on the firewalls); it's about being current on all security updates in your server infrastructure; it's about encrypting data in flight and at rest; and then there is social engineering and phishing and employee laptops that get lost or stolen and all your employees employing good security practices... And then you probably still run software that has a security bug that is undisclosed; google for CVE and see how many bugs get found all the time. Once someone gets inside, how quickly can you detect that, and how many hoops do they have to jump through to get to actual critical data? It's just impossible to be 100% secure, but you can put up many lines of defense and eliminate weak links as much as possible and hope for the best.
When you focus on devsecops instead of secdevops... Security should always be first, but it never is.
Equifax is a very incompetent company that is more focused on selling bogus stuff than actually trying to help out people. So no one cared if the data is insecure, because securing it costs money and resources, which they'd rather spend on marketing.
Security is really hard, mainly in large companies. The good and focused people get tired of the pompous people getting promos for doing presentations. After a while, the good white hats leave. Gray and black hats just need one chance to succeed. If you have no good mechanism to prevent intrusion, then you also cannot detect it promptly. I know of a large company (not current one) that had a bad agent in their network for a couple of years! They found the intrusion and cut access, but never really knew how much was taken away.
From my experience in the financial field (before my current job), most of the problems stem from companies refusing to put money into security. Now there is a fine line between bleeding cash and security, but it's often overlooked until the company is directly compromised. Also, with that being said, most companies like that do not like to spend $$ on quality engineers, as well as having very bad practices for staying current on patches, OS versions, etc. The other part of it is that a lot of those companies are Linux/Unix driven systems and most of the engineers supporting them do not take the time to implement best practices for their environment. Also most people I have seen there focus more on Windows due to Exchange, AD, and keeping everyone's reports going, and are just not overly familiar with non-Windows OSes.
That, and legacy code that people are scared to update/refuse to put money into in order to rework.
It's always insiders
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
A 0-day vulnerability in Struts. 0-days happen, but this was still their fault. The web tier was opening a direct connection to their critical database(s). There should've been another tier that vends expiring access tokens on behalf of the user in exchange for authentication. This token is required for accessing any critical data, and the internal service would then be able to enforce authorization. What was in their control was the lack of monitoring/alarming/auditing that would have detected all the 500s the attackers probably caused when exploiting this, would have detected the mass exfiltration of data, and would have flagged unusual access patterns. What was in their control was running legacy application frameworks. Even if it's a zero-day vulnerability, you probably shouldn't be running fucking Struts in 2017. JSP, okay maybe, but definitely not Struts. There have been countless RCE bugs from Java serialization crap, most recently 2 years ago when Jenkins and Spring remoting suddenly became a huge vulnerability hole, and prior to that dating back to fucking browser applets. Relying on Java serialization from untrusted sources has caused many serious vulnerabilities over the years.
The other question would be "why wasn't the data encrypted?" I love how they said their core credit reporting data isn't impacted. Great that you can still do business after fucking everyone over.
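The comment above argues that a web tier should never talk to the critical database directly, and that an intermediate tier should vend short-lived tokens which the data service then checks before releasing anything. The following is an added illustration of that design, not code from the thread or from Equifax: an HMAC-signed, expiring token issued for one subject and scope, and a record service that refuses any request whose token is missing, forged, expired, lacking the scope, or naming a different subject than the record's owner. The key, the record store and the scope name are constructed for the example; a real deployment would draw the key from a secret store and run the issuer and record service as separate services.

```python
"""Added example (not from the thread): a token-vending tier in front of
critical data. The web tier never holds database credentials; it only
holds a token scoped to one user, and the record service enforces
authorization on every call."""
import base64
import hashlib
import hmac
import json
import time

# Assumption: in production this key lives in a KMS / secret store,
# shared only between the token issuer and the record service.
SECRET = b"constructed-demo-key-not-for-real-use"

# Constructed sample data standing in for the "critical database".
RECORDS = {"alice": {"score": 710}, "bob": {"score": 650}}


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(subject, scopes, ttl_seconds, now=None, key=SECRET):
    """Token-vending tier: after the user authenticates, hand the web tier
    a token bound to that user, a scope list and an expiry."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "scopes": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def verify_token(token, key=SECRET, now=None):
    """Return the payload if the signature is valid and the token has not
    expired; raise PermissionError otherwise."""
    now = time.time() if now is None else now
    parts = token.encode().split(b".")
    if len(parts) != 2:
        raise PermissionError("malformed token")
    body, sig = parts
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be timed out.
    if not hmac.compare_digest(_unb64(sig), expected):
        raise PermissionError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise PermissionError("token expired")
    return payload


def read_record(token, owner, now=None):
    """Record service: the only code path that touches RECORDS. A compromised
    web tier without a valid token for `owner` gets nothing."""
    payload = verify_token(token, now=now)
    if "records:read" not in payload["scopes"]:
        raise PermissionError("token lacks records:read scope")
    if payload["sub"] != owner:
        raise PermissionError("subject may not read another user's record")
    return RECORDS[owner]


if __name__ == "__main__":
    tok = issue_token("alice", ["records:read"], ttl_seconds=300, now=1000)
    print("alice reads own record:", read_record(tok, "alice", now=1100))
    for desc, args in [
        ("alice reads bob's record", (tok, "bob", 1100)),
        ("expired token", (tok, "alice", 1400)),
    ]:
        try:
            read_record(args[0], args[1], now=args[2])
        except PermissionError as exc:
            print(f"{desc}: denied ({exc})")
```

The point of the split is blast radius: even with remote code execution on the web tier, an attacker holds at most the tokens of users who are currently logged in, each scoped to one subject and expiring in minutes, rather than a database connection that can read every row.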
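The same comment says the two signals that were in Equifax's control to catch were the burst of HTTP 500s an exploit attempt tends to produce and the mass exfiltration that follows. The block below is an added example, not from the thread, of the simplest batch form of that detection run over constructed access-log lines: count 5xx responses per minute and raise when a minute exceeds a threshold, and sum successful response bytes per client per five-minute bucket and raise when one client pulls far more than a normal session would. The log format, paths, addresses, byte counts and thresholds are all constructed for the example.

```python
"""Added example (not from the thread): batch detection of an error burst
and of bulk data transfer from one client, over constructed web-tier
access logs. Format per line: client, [timestamp], "request", status, bytes."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: normal traffic, then one client triggering six
# 500s in a minute, then the same client pulling four large exports.
SAMPLE_LOG = """\
10.0.0.5 [07/Sep/2017:10:00:01 +0000] "GET /portal/report?id=1001 HTTP/1.1" 200 2140
10.0.0.6 [07/Sep/2017:10:00:07 +0000] "GET /portal/report?id=1002 HTTP/1.1" 200 2201
10.0.0.5 [07/Sep/2017:10:00:40 +0000] "POST /portal/upload HTTP/1.1" 302 0
203.0.113.9 [07/Sep/2017:10:01:02 +0000] "POST /portal/upload HTTP/1.1" 500 312
203.0.113.9 [07/Sep/2017:10:01:05 +0000] "POST /portal/upload HTTP/1.1" 500 312
203.0.113.9 [07/Sep/2017:10:01:09 +0000] "POST /portal/upload HTTP/1.1" 500 312
203.0.113.9 [07/Sep/2017:10:01:14 +0000] "POST /portal/upload HTTP/1.1" 500 312
203.0.113.9 [07/Sep/2017:10:01:20 +0000] "POST /portal/upload HTTP/1.1" 500 312
203.0.113.9 [07/Sep/2017:10:01:27 +0000] "POST /portal/upload HTTP/1.1" 500 312
203.0.113.9 [07/Sep/2017:10:02:10 +0000] "GET /portal/export?batch=1 HTTP/1.1" 200 61000
203.0.113.9 [07/Sep/2017:10:02:31 +0000] "GET /portal/export?batch=2 HTTP/1.1" 200 60500
203.0.113.9 [07/Sep/2017:10:03:02 +0000] "GET /portal/export?batch=3 HTTP/1.1" 200 61200
203.0.113.9 [07/Sep/2017:10:03:40 +0000] "GET /portal/export?batch=4 HTTP/1.1" 200 60900
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": int(m["bytes"]),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_error_bursts(entries, threshold=5):
    """Minutes in which the count of 5xx responses reached `threshold`.
    An exploit being tuned against an app tends to look like this."""
    per_minute = Counter()
    for e in entries:
        if 500 <= e["status"] < 600:
            per_minute[e["ts"].strftime("%Y-%m-%d %H:%M")] += 1
    return {minute: n for minute, n in per_minute.items() if n >= threshold}


def detect_bulk_transfer(entries, byte_threshold=100_000, bucket_minutes=5):
    """(client, bucket) pairs whose successful-response bytes exceed the
    threshold within one `bucket_minutes` window."""
    per_bucket = defaultdict(int)
    for e in entries:
        if 200 <= e["status"] < 300:
            ts = e["ts"]
            bucket = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0)
            per_bucket[(e["client"], bucket.strftime("%Y-%m-%d %H:%M"))] += e["bytes"]
    return {key: total for key, total in per_bucket.items() if total > byte_threshold}


def run_detections(text):
    entries = parse_log(text)
    return {
        "error_bursts": detect_error_bursts(entries),
        "bulk_transfers": detect_bulk_transfer(entries),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits)
```

Thresholds here are static for clarity; in a real pipeline both would be set against a per-endpoint baseline, and the bulk-transfer rule would also count distinct record identifiers per client, since an attacker paging through many small records produces modest byte totals but a very unusual number of distinct rows.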
They are a huge company with valuable data and there are very determined people out there.