Earlier this week we talked a bit about the Equifax hack and what you could do to immediately protect yourself if your Social Security Number was compromised.
Now it's time to talk a little bit about what services are available that can immediately protect your sensitive systems from a similar type of attack.
Ready? Okay, let's start with what exactly happened to Equifax and how this whole mess could have been avoided from the beginning.
Equifax updated EquifaxSecurity2017.com on September 13, 2017 to let people know that a vulnerability in Apache Struts CVE-2017-5638 was exploited by hackers in mid-May to steal 143 million Social Security numbers, birthdays, addresses and driver license numbers.
Apache Struts is a framework used to develop web applications. Equifax employed the framework on their website. Apache Struts versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 are prone to a remote code-execution vulnerability. Specifically, this issue affects the Jakarta-based multipart file-upload parser. An attacker can exploit this issue on unpatched systems through a malicious Content-Type value.
Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application.
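The vulnerable parser trusted the Content-Type header as data to interpret rather than a media type to parse. The defensive counterpart is to validate that header against the media-type grammar before anything downstream sees it, which is what a WAF rule for this bug effectively does. The following is an added example written for this post, not Cloudflare's rule or Equifax's code: it checks a Content-Type value against a simplified RFC 7231 media-type grammar, additionally flags expression-language delimiters that can never appear in a legitimate media type, and runs the check over a few constructed header values (the sample addresses and values are invented for illustration).

```python
import re
from typing import Dict, List, Tuple

# Simplified RFC 7231 media-type grammar:
#   type "/" subtype *( OWS ";" OWS name "=" ( token | quoted-string ) )
# Braces are not token characters, so anything wrapping an expression fails the grammar.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_PARAM})*\s*$")

# Expression-language delimiters that have no business in a media type; checked
# separately so the verdict names the reason and can drive a distinct alert
_EXPRESSION_MARKERS = ("%{", "${", "#{")


def content_type_is_well_formed(value: str) -> bool:
    """True if the header value parses as a media type with optional parameters."""
    return bool(_MEDIA_TYPE.match(value.strip()))


def classify_content_type(value: str) -> str:
    """Return 'allow', 'block-expression' or 'block-malformed' for one header value."""
    if any(marker in value for marker in _EXPRESSION_MARKERS):
        return "block-expression"
    if not content_type_is_well_formed(value):
        return "block-malformed"
    return "allow"


# Constructed sample (source address, Content-Type value) pairs, not real traffic.
# The fourth entry stands in for an expression-bearing header without reproducing one.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("10.0.0.5", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("10.0.0.6", "application/x-www-form-urlencoded"),
    ("10.0.0.7", 'text/plain; charset="utf-8"'),
    ("198.51.100.9", "%{#constructed_expression_placeholder}"),
    ("198.51.100.10", "multipart/form-data; boundary=abc {"),
]


def scan_requests(requests: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Apply the check to each request and return one verdict record per request."""
    return [
        {"src": src, "content_type": ct, "verdict": classify_content_type(ct)}
        for src, ct in requests
    ]


if __name__ == "__main__":
    for record in scan_requests(SAMPLE_REQUESTS):
        print(f"{record['verdict']:18} {record['src']:14} {record['content_type']}")
```

The grammar check is the part worth keeping: a signature for `%{` catches the payload shape everyone knows, while positive validation of the header rejects any future variation that still has to smuggle non-token characters into the value.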
Apache released a patch in March to correct the issue, but Equifax didn't deploy it. We don't know that for sure, so don't quote us. However, it seems likely to be the case. Apache commented on this in a well written blog post that we definitely recommend you read.
All that being said, we have to acknowledge a sad truth: the Equifax hack was completely avoidable. Had Equifax patched their instance of Struts, none of this would have happened.
So why didn't they?
Brian Thomas, our CTO, has a few ideas on that.
"The reasons why companies don't patch their systems are numerous, but top of that list is that business continuity, read commerce, generally trumps security," he said. "On top of that, businesses often don't employ proper vulnerability detection and patching procedures when it comes to critical vulnerabilities."
Brian also suggested there was a chance Equifax didn't even know about the vulnerability.
"In this instance, hypothetically, depending upon if or how often they perform vulnerability scans, they may not have even been aware of the problem," he said.
When it comes to being a Managed Security Services Provider, cloud security is a big part of what we do. When the Equifax hack was announced we started asking this question around the office: could we, at that very moment, protect our clients from something similar?
The answer to that question is YES.
Cloudflare has built-in WAF rules for each of the Apache Struts vulnerabilities used in the Equifax hack. On top of that, CloudPassage and their Software Vulnerability Assessment (SVA) module regularly scan protected servers to detect known vulnerable packages.
Cloudflare's enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site request forgery with no changes to your existing infrastructure.
Meanwhile, CloudPassage's SVA module scans the software installed on the servers, including the operating system, drivers, and applications, and cross-references it against known vulnerabilities. Information about installed packages is derived from the operating system's package manager.
By default, SVA scans run automatically once per day and will flag vulnerabilities with a score of 5.0 or above as critical. Given the CRITICAL designation of this vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-9791), a security or operations team would have known that their infrastructure was in need of patching within 24 hours of the disclosure.
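To make the scan-and-flag step concrete, here is an added example written for this post (it is not CloudPassage's SVA code and does not use their API). It takes a package inventory in the shape a package manager prints, compares each version against an advisory catalog using the affected branches and fixed versions for CVE-2017-5638 quoted above, and applies the 5.0-or-above critical threshold. The package name `struts2-core`, the inventory contents and the CVSS value in the catalog are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The page's SVA default: any finding scored 5.0 or above is flagged critical
CRITICAL_THRESHOLD = 5.0


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    branch: Tuple[int, ...]    # affected release line, e.g. (2, 3) for 2.3.x
    fixed_in: Tuple[int, ...]  # first version on that line that is not vulnerable
    cvss: float


# Catalog for the vulnerability discussed above: branches and fixed versions as stated
# in the text; the package name and score are constructed sample values
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2017-5638", "struts2-core", (2, 3), (2, 3, 32), 10.0),
    Advisory("CVE-2017-5638", "struts2-core", (2, 5), (2, 5, 10, 1), 10.0),
]

# Constructed inventory in "name version" form, as `dpkg-query -W` style output would give
SAMPLE_INVENTORY = """\
struts2-core 2.3.30-1
openssl 1.1.0f-3
nginx 1.12.1-1
"""


def parse_version(raw: str) -> Tuple[int, ...]:
    """'2.3.30-1' -> (2, 3, 30): keep the upstream dotted part, drop the distro revision."""
    upstream = raw.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split(".") if part.isdigit())


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Turn 'name version' lines into (name, version) pairs, skipping blanks."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            pairs.append((fields[0], fields[1]))
    return pairs


def is_affected(version: Tuple[int, ...], adv: Advisory) -> bool:
    """Vulnerable if the version sits on the advisory's branch and precedes the fix."""
    return version[: len(adv.branch)] == adv.branch and version < adv.fixed_in


def scan_inventory(text: str, advisories: List[Advisory] = ADVISORIES) -> List[Dict[str, object]]:
    """Cross-reference every installed package against the catalog and grade each hit."""
    findings = []
    for name, raw_version in parse_inventory(text):
        version = parse_version(raw_version)
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                findings.append({
                    "package": name,
                    "version": raw_version,
                    "cve": adv.cve,
                    "cvss": adv.cvss,
                    "severity": "critical" if adv.cvss >= CRITICAL_THRESHOLD else "informational",
                    "fixed_in": ".".join(str(p) for p in adv.fixed_in),
                })
    return findings


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f"{f['severity'].upper():13} {f['package']} {f['version']} -> {f['cve']} (fix: {f['fixed_in']})")
```

The branch-aware comparison matters here: a 2.5.x install is not fixed by 2.3.32, so each affected line carries its own fix version, and a host running 2.5.10 is reported while one on 2.5.10.1 is not.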
As an MSSP we understand the security limitations a business can face. Cost, availability and experience are all hard to come by. It's why we leverage services like Cloudflare and CloudPassage in our everyday operations. We trust them implicitly because when it comes to stuff like what happened at Equifax, they're on the ball.
We leverage technology like this (and from other vendors) because it fits in with our Intelligence in Depth mentality. Intelligence in Depth gives us here at Security7 Networks the opportunity to protect our customers with an up-to-date, real-time security solution. It allows our customers to focus on what matters: their business.
We'll worry about your security so that you don't have to.