Poor Certificate Management Practices Assisted Equifax Attackers


The Equifax data breach hit the news in 2017 when its executives advised the public that the company had experienced a serious cyber attack over an unspecified period of time and was aware that sensitive data had been stolen. At the request of the US Congress, the Government Accountability Office (GAO) recently released an informative report into the intrusion and data breach, which is worth reviewing.

Some of the key takeaways from the report are:

An Apache Struts vulnerability was not properly identified as being present on an Equifax online dispute portal when patches for the vulnerability were being installed throughout the company. The intruders exploited this vulnerability and had been accessing Equifax data for 2.5 months before being detected.

An SSL/TLS certificate that had expired 10 months earlier meant the attackers were able to communicate with the compromised servers and steal data without being detected. The expired certificate prevented a network monitoring tool from properly detecting the malicious traffic, so large amounts of data left the network without setting off any alarms.

The attackers gained access to a number of databases containing Personally Identifiable Information (PII). This was possible because they had first gained access to a particular database containing unencrypted credentials (usernames and passwords) for an unspecified number of other Equifax databases.

Proper Certificate Management Should Be In Place By Default

Understanding that a flawed patching process gave the intruders initial access to Equifax's systems, and that a network monitoring solution then failed to work as expected because of an expired SSL/TLS certificate, highlights a common problem: certificate management.

Because SSL/TLS certificates are often used across various parts of a business and sourced by different people, it can be challenging to maintain oversight of their procurement, usage, expiry and renewal arrangements. Organisations often rely on an Excel spreadsheet to track certificate information and stay secure, with limited success.

Adopting a certificate management solution provides the right level of oversight over the lifecycle of your SSL/TLS certificates and increases visibility into security gaps, helping you to stay in compliance and prevent threats.
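As an added illustration (not code from the original post, the GAO report, or Entrust Datacard's product), the following Python script shows the most basic form of the oversight the two passages above call for: it takes a certificate inventory, computes days to expiry from the `notAfter` string that Python's `ssl` module reports for a peer certificate, and flags expired or soon-to-expire entries so that the expired-inspection-certificate situation described in the Equifax summary shows up before an attacker benefits from it. The hosts, dates, the `WARN_DAYS` threshold and the `NOW` reference date are all constructed for the example; `probe_host` performs a live check against a reachable host and is not exercised in the offline run.

```python
"""Certificate expiry audit: offline inventory classification plus a live probe."""
import datetime as dt
import socket
import ssl

# Hypothetical policy value: flag anything expiring within this many days.
WARN_DAYS = 30

# Constructed sample inventory (not Equifax data). Each record carries the same
# 'notAfter' string format that ssl.SSLSocket.getpeercert() returns for a live peer.
SAMPLE_INVENTORY = [
    {"host": "dispute-portal.example.internal", "notAfter": "Nov  5 12:00:00 2016 GMT"},
    {"host": "inspection-appliance.example.internal", "notAfter": "Sep 15 12:00:00 2017 GMT"},
    {"host": "www.example.internal", "notAfter": "Mar 01 12:00:00 2018 GMT"},
]

# Constructed reference date so the offline run is reproducible.
NOW = dt.datetime(2017, 9, 1, tzinfo=dt.timezone.utc)


def days_until_expiry(not_after: str, now: dt.datetime) -> int:
    """Whole days remaining before the certificate's notAfter time; negative once expired."""
    seconds = ssl.cert_time_to_seconds(not_after)  # parses the OpenSSL/ssl-module date format
    expires = dt.datetime.fromtimestamp(seconds, dt.timezone.utc)
    return (expires - now).days


def classify(not_after: str, now: dt.datetime, warn_days: int = WARN_DAYS) -> str:
    """EXPIRED if already past notAfter, EXPIRING if inside the warning window, else OK."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"


def audit(inventory, now: dt.datetime = NOW, warn_days: int = WARN_DAYS) -> dict:
    """Map each inventoried host to its status so the tracker can be reviewed at a glance."""
    return {rec["host"]: classify(rec["notAfter"], now, warn_days) for rec in inventory}


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: complete a verified TLS handshake and read the peer's notAfter.

    A certificate that fails verification (expired, wrong name, untrusted chain)
    makes the handshake raise SSLCertVerificationError; its verify_message says
    why, which is exactly the condition an inventory should surface. Requires
    network access and is not called in the offline run.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"host": host, "status": "VERIFIED", "notAfter": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "VERIFY_FAILED", "reason": exc.verify_message}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{status:9} {host}")
```

Running the offline audit lists the constructed `dispute-portal` entry as EXPIRED and the `inspection-appliance` entry as EXPIRING; in practice the inventory would be populated from `probe_host` results or the certificate tracker, and the run scheduled so that an EXPIRED status is raised before, not after, a monitoring device stops seeing traffic.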

Entrust Datacard takes the guesswork out of certificate management, and its solution is available as a value add to all customers who purchase their SSL/TLS certificates. Accessible from any web browser, an intuitive dashboard delivers critical insights through real-time reporting on actionable activity, helping you avoid security lapses and stay in compliance.

With the end of year and holiday season fast approaching, now might be a good time to put a certificate management solution in place to limit the chance of any nasty surprises caused by an expired certificate.

More information on certificate management is available from Entrust Datacard.

For a more in-depth discussion on certificate management contact Sameer Shaikh.

Sameer Shaikh - Consultant

Sameer has over 11 years of experience in sales and customer service roles in the technology, financial, wholesale trade and retail sectors in India, the UAE, the United Kingdom and New Zealand.

At MPA Sameer is applying his expertise in customer management and business development to maintain existing business relationships as well as developing new business opportunities.

He also shares responsibility in the sales and purchase order entry and logistics areas.

Sameer has a Bachelor of Science degree.
