The Equifax Sh!tstorm & Those Pesky Security Updates

By Michael Trezza | September 28, 2017 | Lithyem Insights

Importance of Software Security Updates

Just to set the stage… Cyber theft is by far the fastest growing crime in the United States. Cyber crime damage costs are reported to hit $6 trillion annually by 2021. Global security and ransomware damage costs are on track to exceed $5 billion in 2017. That’s up 15x in just two years from $325 in 2015… and expected to get much worse. Cheers.

So now that you’ve got your head wrapped in tinfoil and bought a tiny house off the grid… what the hell happened?

This post isn’t about what to do if you were affected by the Equifax hack; there’s plenty out there on that. The interesting point here is that one of the main causes of the hack in the first place was the failure to apply timely security updates to critical software.

What did happen exactly?

  • Equifax was informed about, and then failed to apply, a simple security update for Apache Struts, the framework underlying one of their web applications.
  • They were informed about the update roughly 2 months prior to the breach.
  • After hackers broke into Equifax’s servers and stole ~143m customers’ personal info, they set up a website where victims had to enter even more personal info. :/
  • On Twitter, the company then started accidentally directing people to a phishing site instead of their own site, thanks to a hyperlink typo. wow.
  • Oh and it took Equifax 6 weeks to notify the public after finding out about the breach in the first place.
  • According to a security firm Equifax hired to investigate the breach, hackers “roamed undetected” in the company’s network for four months before the breach.

The point I want to make here is that the lead domino was a failure to apply a security update to a piece of software. Now, I’m not at all clear on how that didn’t get done or why, but I can tell you the percentage of companies that we work with that have unsecured and outdated software systems is in the high 90’s.

Why is that?

  • Not having a reliable technology partner.
    Sure, you probably have a web guy or a marketing guy who can rock photoshop and WordPress but a technology partner who can ensure your systems are secure, backed up, and up to date is a whole different thing. That’s exactly where we fit in and can help make sure your data and systems are safe and smooth running.
  • Having an “If it’s not broke, don’t fix it” attitude.
    Software rots. It’s counterintuitive but it’s true. As time goes by and systems are not updated, patched and maintained, they become insecure, because attackers have had more time to find the vulnerabilities, and unstable, because the platforms they run on evolve and become incompatible. We’d much prefer you think “If it’s not broke, let’s keep it that way.”
  • Not doing regular and thorough audits and assessments of your technology systems.
    The average small business uses roughly 35 separate pieces of software. Are you 100% confident that they are all safe and secure? Suuuure you are. We offer a comprehensive software diagnostic to get you started quickly with shoring up your technology ecosystem.
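The “audit your software” point above and the two-month gap between Equifax being told about the Struts fix and the breach both boil down to one measurable thing: how far behind each deployed component is, and for how long a fix has been available. The script below is an added example (not Lithyem’s code, and not a description of Equifax’s systems) that runs such a check over a constructed inventory and a constructed advisory list; the hostnames, component names, versions and dates are all made up, and the only assumption is that your real inventory and advisory feed can be flattened into the same simple records.

```python
from datetime import date

# Constructed sample inventory: which component is deployed where, and at
# what version. Hostnames, component names and versions are all made up.
INVENTORY = [
    {"host": "web-01", "component": "acme-webfw", "version": "2.3.31"},
    {"host": "web-02", "component": "acme-webfw", "version": "2.3.33"},
    {"host": "db-01", "component": "acme-db", "version": "9.6.3"},
    {"host": "cache-01", "component": "acme-cache", "version": "1.3.9"},
]

# Constructed sample advisories: the first version that contains the fix and
# the day the fix was published (ISO dates). Not real advisory records.
ADVISORIES = [
    {"component": "acme-webfw", "fixed_in": "2.3.32", "published": "2017-03-06"},
    {"component": "acme-db", "fixed_in": "9.6.4", "published": "2017-08-10"},
    {"component": "acme-cache", "fixed_in": "1.4.0", "published": "2017-10-01"},
]


def parse_version(text):
    """Turn '2.3.31' or '2.3.31-rc1' into a comparable tuple of ints.

    Non-numeric suffixes on a segment are ignored; an empty segment counts as 0.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_behind(installed, fixed_in):
    """True when the installed version is older than the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    # Pad so that '2.3' and '2.3.0' compare as equal rather than '2.3' < '2.3.0'.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory, advisories, today_iso):
    """Return every host/component pair that is behind a published fix.

    Each finding records how many days the fix has been available (the
    exposure window you are carrying), sorted longest window first.
    Advisories published after 'today' are skipped: no fix exists yet to apply.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["component"] != item["component"]:
                continue
            published = date.fromisoformat(adv["published"])
            if published > today:
                continue
            if is_behind(item["version"], adv["fixed_in"]):
                findings.append({
                    "host": item["host"],
                    "component": item["component"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "days_exposed": (today - published).days,
                })
    findings.sort(key=lambda f: f["days_exposed"], reverse=True)
    return findings


def report(findings):
    """Render findings as one line per outdated component, worst first."""
    return [
        f"{f['host']}: {f['component']} {f['installed']} < {f['fixed_in']} "
        f"(fix available for {f['days_exposed']} days)"
        for f in findings
    ]


if __name__ == "__main__":
    # Constructed "as of" date; in practice use date.today().isoformat().
    for line in report(audit(INVENTORY, ADVISORIES, "2017-09-07")):
        print(line)
```

Run as-is it flags web-01 (185 days behind a published fix) and db-01 (28 days), ignores web-02 because it is already patched, and ignores cache-01 because its fix was not yet published on the chosen date. The “days exposed” column is the number worth tracking week over week: a component that keeps climbing that list is the lead domino in the making.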

If you’re at all concerned that your data is at risk, and you should be, get in touch and let’s put a strategy together to keep you and your customers’ information safe.


Fun fact: Equifax’s CIO and Security Officer at the time of the hack, Susan Mauldin, studied music composition in college and had no security degree. She has since left the company.

Make sure you’re not going to the phishing site to find more information: https://www.equifaxsecurity2017.com/


About Michael Trezza

Michael Trezza is the CEO and founder of Lithyem. Since 1999, Michael has been solving complex technology challenges for some of the world's greatest brands. Connect with Michael on LinkedIn.