The United States General Accounting Office (GAO) recently released their assessment of the Equifax hack from last summer. The article is summarized here:

We have reviewed the details of this case very closely, and there are many things that happened at Equifax that CCC actively mitigates. The article explains:


1. Equifax IT administrators circulate this advisory on an internal mailing list. Unbeknownst to its IT administrators, the mailing list was out‐of‐date and did not include all its systems administrators, indirectly leading to an incomplete patch of Equifax’s servers.

CCC mitigates this largely by being a small IT shop; it is easy to make sure everyone knows what’s happening. Our security policy strictly defines which employees have responsibility for staying on top of alerts, and our annual SOC 2 audit validates that key IT personnel, including the CTO, IT Compliance Manager, SysAdmin and Director of IT Services, are kept up‐to‐date on vulnerabilities.


2. Equifax told GAO that on March 10, two days after the US‐CERT advisory, it detected attackers scanning its servers for that particular vulnerability.

CCC utilizes AlertLogic to monitor all network traffic, both internal and external. AlertLogic, in turn, keeps its scanners up‐to‐date to detect both existing and newly‐discovered vulnerabilities. Had this exploit occurred at CCC, an alert would have been sent to the Lead Software Developer, CTO, IT Compliance Manager, and SysAdmin. It is the responsibility of each of those recipients to follow up on the item until it is confirmed resolved.

Further, CCC runs a scheduled, weekly penetration test that looks for vulnerabilities such as the Apache Struts vulnerability that impacted Equifax. Any item that is identified as a CRITICAL or HIGH priority risk – as this Struts vulnerability most certainly would have been – is flagged for follow up, investigation, and resolution by the Lead Software Developer, CTO, IT Compliance Manager, and SysAdmin.


3. During this second intrusion, Equifax says attackers issued queries from the online dispute portal systems to other databases in search of personal data. “This search led to a data repository containing PII, as well as unencrypted usernames and passwords that could provide the attackers access to several other Equifax databases,” the report says.

The GAO report says this happened because Equifax failed to segment its databases into smaller networks. This, in turn, allowed the attacker direct and easy access to all of its customers’ data.

CCC segregates our database behind a secondary firewall to prevent the type of cross‐server access described in the GAO report. CCC does maintain a single database, and contrary to the GAO’s assessment, we find that by concentrating all this information in one place, securing it is much easier. The database is encrypted at rest. In addition, and perhaps most importantly, all passwords are encrypted in the CCC database.


4. Equifax said that the reason hackers were not detected for 76 days was because a device meant to inspect network traffic had been misconfigured and didn’t check encrypted traffic for signs of malicious activity. The reason the device didn’t work, Equifax said, was because a digital certificate that would have helped the equipment inspect encrypted traffic had expired about ten months before the breach, preventing the equipment from doing its job.

Simply put, CCC benefits from our smaller, self‐contained, completely proprietary IT environment. There are no “unidentified” servers, and no missing employees on distribution lists. Whereas in the past being a “small” company was a disadvantage, tools such as virtualization and hosted services have leveled the playing field, making top‐of‐the‐line security an option for every company.
