Claimed by many to be the “worst data breach in history”, the Equifax breach drives home the point that cyber security can’t be taken lightly by any business – even small business.

Why is the Equifax breach worse than Yahoo’s or Target’s or LinkedIn’s?  After all, the Yahoo breach affected more than a billion users which is way more than the 143 million affected in the Equifax breach.  The difference is that Equifax exposed really vital information like social security numbers, driver’s license numbers, and birthdates.  Instead, the Yahoo breach exposed birthdate, name, email address, and phone number along with Yahoo password and security questions. 

Cyber criminals acquired everything they need to open new credit accounts with the personal information stolen in the Equifax breach which is why critics are labeling the Equifax breach the “worst data breach in history”. 

What does the Equifax breach have to do with small organizations?  Simple.  Two really important things: 

  1. Everyone is susceptible to attack. 
  2. Patching matters. Don’t ignore it.

Big companies with big data and big defenses are always going to be big targets.  Small companies with smaller data and smaller defenses may seem like small targets, but those smaller defenses translate to easier pickings for cyber criminals.  Ultimately, small business cyber security is more critical than ever to protect your organization.

Equifax released a statement on its site that reads as follows:

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

Here’s what that means in regular English:  Equifax needed to apply a software patch to their web servers to eliminate the Apache Struts CVE-2017-5639 vulnerability.  According to the National Institutes of Standards and Technology (NIST), the vulnerability was published on 3/10/2017.  It appears that the attack on Equifax occurred sometime in mid-May.  That implies that Equifax had around two months to patch the server before the attack occurred that wasn’t realized until July before it was publicized in early September. 

Take out the fact that the Equifax public relations team let the corporation down, this was an avoidable catastrophe.  Servers and data repositories for stored data need to be kept fully up-to-date.  It is no longer optional.  It is required. 

Monitoring patch levels on critical servers and workstations might seem like overkill.  Patch monitoring is going from overkill to requirement very quickly.  Most advanced monitoring systems can be configured to review operating systems for known security holes.  When a production operating system isn’t current with necessary security updates for a server, the monitoring system should trap that issue, create a service ticket and, at the very least, contact the system administrator and then proceed to get those servers patched in an automated fashion.

It’s hard to imagine that Equifax disaster could have been avoided with a little better attention to server patch status combined with a consistent, reliable remote monitoring and management tool that would have communicated the diminished status to the system administrator.