The 2017 data breach at Equifax was a huge deal — both because of the number of customers affected, and the types and volume of information that Equifax maintains on those individuals. It may seem easy to point fingers and cast judgment on Equifax for not adequately patching and protecting its vulnerable web applications — that is until you face the fact that thousands of organizations are still using vulnerable Apache Struts just like Equifax, and thousands more have web applications, content management systems, and application plug-ins that make them vulnerable.
Equifax was a very high-profile example of what happens when critical vulnerabilities in public-facing platforms and applications are not patched. The danger is in thinking this was somehow a problem unique to Equifax rather than taking the opportunity to look in the mirror and examine your own patch management and security practices.
Vulnerable Web Apps Were Not Unique to Equifax
A report from Sonatype found that in 2016 more than 45,000 organizations had downloaded a version of Apache Struts with known vulnerabilities despite a more current and secure version being available. More than 3,000 organizations downloaded the exact same version of Struts 2 that allowed attackers to compromise Equifax.
The issue is also not limited to Apache Struts. Yahoo just revealed that new information indicates that 3 billion — with a “B” — accounts were compromised through known vulnerabilities and custom PHP flaws in WordPress. WordPress is a widely used web content management system (CMS) that at the time was estimated to be used for about 28 percent of all websites around the world. A flaw in TimThumb, a WordPress plugin used to resize large images into thumbnails, led to the compromise of a couple million WordPress sites.
Did Equifax drop the ball? Probably. Evidence suggested attackers exploited the vulnerable Apache Struts framework about two months after the vulnerability was disclosed and a patch was made available. In any event of this magnitude there is generally a cascade effect of poor processes and human error with plenty of blame to go around. While you’re shaking your head at how such a thing could happen at a company like Equifax, though, take a look at your own patch management processes and security posture and consider whether or not you have room for improvement.
Understand Your Full Attack Surface
While your attention is focused on your perimeter and mission-critical assets, attackers are using automated tools to identify and exploit known vulnerabilities in web applications and sneak in the back door. Cyber criminals are targeting weaknesses in trusted third parties to infiltrate your network undetected. You have to be aware of your entire attack surface and take steps to identify and defend against attacks no matter what the entry point is.
The issue isn’t with Equifax alone; rather, it lies in many organizations’ misunderstanding of their actual attack surface. Traditional security practices tend to concentrate on perimeter defense and on risk analysis that prioritizes security measures according to asset criticality and the potential consequences of a breach. While this approach seems reasonable in theory, it has become ineffective in today’s evolving threat landscape.
Ensure your web apps are protected with Fortra Managed WAF.