Adam Bannister

Editor, IFSEC Global

Adam Bannister is editor of IFSEC Global. A former managing editor at Dynamis Online Media Group, he has been at the helm of the UK's leading fire and security publication since 2014.
September 21, 2017

PATCHING PROBLEMS

Equifax will be first of many victims of Apache Struts vulnerability, says cyber specialist

Equifax is “probably just the first known victim” of a software vulnerability that could take years to remedy, a top cyber expert has warned.

Credit monitoring company Equifax recently revealed that hackers gained access to names, social security numbers, dates of birth, addresses and driver’s license numbers of 143 million Americans between mid-May and July of this year. Credit card numbers for about 209,000 US consumers were also accessed.

Traced to a vulnerability (CVE-2017-5638) in the web application framework Apache Struts, the Equifax breach is the biggest-ever theft of social security numbers, eclipsing the 2015 hack at health insurer Anthem Inc that exposed the personal data of 80 million people.

While it isn’t the biggest data breach in history – Yahoo claims that mantle – it could be the most damaging, because the data stolen is routinely used to verify people’s identity by banks and other institutions.

A patch for Apache Struts, a widely used open source component that companies rely on to ingest and process data, was apparently available at the time of the breach.

Unpatched systems

According to Flexera's Vulnerability Review 2017, patches were available on the day of disclosure for 81% of the vulnerabilities recorded in 2016. The WannaCry attacks in May also exploited unpatched systems, which attackers can target faster than organisations can patch them.

“Equifax is probably just the first known victim,” said Jeff Luszcz, vice president of product management at Flexera, which provides tracking for open source components, vulnerability intelligence and tools to simplify remediation.

“Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities. We should expect a long tail of incidents and breaches in the months – and potentially years – to come, as we still see attacks targeting Heartbleed, a vulnerability more than three years old.”

Offering tips on how organisations can protect themselves, Kasper Lindgaard, senior director of Secunia Research at Flexera, said: “Patching this type of vulnerability is certainly not as simple as patching a desktop application. When it comes to vulnerabilities affecting the software supply chain, it’s important to align software design and engineering, operational and security requirements.

“This isn’t an easy task. However, the time frames of initial disclosure of the vulnerability and its patch on March 7 – up to two months before the first reported unauthorised access at Equifax – and the further delay of the actual detection of the breach on July 29 currently indicate that the vulnerability was not handled with the priority that it should have.

“This is a common issue across industries that business leaders need to address rather sooner than later.”
