Page 10 - GCN, Oct/Nov 2017

CYBEREYE
BY BRIAN ROBINSON
The Equifax breach is teaching the same old lessons
THE STORY OF THE BREACH at credit-rating company Equifax, which might have involved the personal details of nearly 150 million people, has probably just begun given the confusion that still surrounds events.
But the incident has brought the security of open-source software to the fore yet again and highlighted the ongoing struggle organizations still have with cybersecurity.
So far, there’s no indication of how many U.S. government organizations might have been affected by the software bug that apparently led to the Equifax mess. However, it has already been compared to some of the most damaging breaches in recent years, including the one at the Office of Personnel Management in 2015, which could have leaked sensitive details on over 20 million U.S. government employees.
The nature of the Equifax breach has also revived elements of the debate after the 2014 Heartbleed bug exploited a vulnerability in OpenSSL cryptographic software. That discovery launched an argument about the inherent security of open-source software and how much responsibility organizations should bear for the security of applications that used it.
The Equifax breach was blamed on a vulnerability in the Apache Software Foundation’s Struts Version 2, an open-source framework for building Java web applications. There have been a number of announcements about Struts vulnerabilities in the past few months, the most recent issued by the Center for Internet Security on Sept. 15.
Depending on the privileges associated with an application, an attacker could “install programs; view, change or delete data; or create new accounts with full user rights,” according to CIS, which rated the risk to medium and large government enterprises as high.
An earlier vulnerability, publicly announced on Sept. 4, is thought to have been the one that attackers exploited. However, the Apache Software Foundation said that because the security breach at Equifax had been detected on July 5, it’s more likely that an even older (and earlier announced) vulnerability on an unpatched Equifax server or a zero-day exploit of an at-the-time unknown vulnerability was the culprit.
The timelines are confusing. There were detailed stories of attacks using a Struts 2 vulnerability as far back as March, with attackers carrying out a series of probing acts and injecting malware into systems.
Back in the Heartbleed days, detractors claimed that open-source software was inherently insecure because developers didn’t keep as close an eye on security issues and weren’t as systematic in finding potential holes in code as proprietary developers were. Proponents argued that open-source software was inherently as secure as other software and safe for government agencies to use.
It’s not an academic issue. Sonatype, for example, claims that some 80 percent to 90 percent of modern applications contain open-source components and recently issued a report that said an “insatiable appetite for innovation” was fueling the supply and demand for open-source components.
The Apache Software Foundation said its developers put a huge effort into hardening its products and fixing problems as they become known. However, because vulnerability detection and exploitation are now a professional business, “it is and always will be likely that attacks will occur even before we fully disclose the attack vectors,” the organization stated.
In other words, it’s up to organizations that use Struts — or any other open-source product, for that matter — to treat security the way they would for a proprietary product: Assume there are flaws in the software, put security layers in place, and look for any unusual access to public-facing web pages. It’s critical that organizations look for security patch releases and software updates and act on them immediately.
That’s sound advice for everyone — if only everyone followed it.
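The column's closing advice to "look for any unusual access to public-facing web pages" is the kind of check a web team can automate from the access logs it already keeps. The script below is an added example, not code from the column or from the Apache Struts project: it parses Common Log Format lines and flags any client address whose requests inside a short time window are mostly 4xx/5xx errors spread across many distinct paths, the footprint of the "probing acts" the column mentions rather than of ordinary browsing. The log lines, addresses, date and thresholds are all constructed for the example.

```python
"""Flag client addresses showing unusual access to public-facing web pages.

Added example (not part of the GCN column). Scans web-server access logs in
Common Log Format and reports clients whose traffic within a time window is
mostly errors against many distinct paths. All sample lines, addresses,
the date and the thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one ordinary client (10.0.0.5) and one address
# (203.0.113.7) working through paths that mostly do not exist.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2017:10:00:01 +0000] "GET /index.action HTTP/1.1" 200 5120
10.0.0.5 - - [14/Sep/2017:10:00:09 +0000] "GET /static/app.js HTTP/1.1" 200 20480
10.0.0.5 - - [14/Sep/2017:10:01:30 +0000] "POST /login.action HTTP/1.1" 302 0
10.0.0.5 - - [14/Sep/2017:10:02:02 +0000] "GET /account.action HTTP/1.1" 200 8100
203.0.113.7 - - [14/Sep/2017:10:05:00 +0000] "GET /admin HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2017:10:05:01 +0000] "GET /console HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2017:10:05:02 +0000] "GET /manager HTTP/1.1" 403 199
203.0.113.7 - - [14/Sep/2017:10:05:03 +0000] "GET /backup HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2017:10:05:04 +0000] "GET /test HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2017:10:05:05 +0000] "GET /old HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2017:10:05:06 +0000] "GET /dev HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2017:10:05:07 +0000] "GET /config HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2017:10:05:08 +0000] "GET /status HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2017:10:05:09 +0000] "GET /index.action HTTP/1.1" 200 5120
this line is not in Common Log Format and is skipped
"""


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probing_sources(lines, window_seconds=300, min_requests=8,
                         min_error_ratio=0.5, min_distinct_paths=5):
    """Return {ip: stats} for clients that, within any window of
    window_seconds, made at least min_requests requests of which at least
    min_error_ratio returned 4xx/5xx, spread over min_distinct_paths paths.
    The stats reported are for the last (largest) window that qualified."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the window spans <= window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            errors = sum(1 for r in window if r["status"] >= 400)
            ratio = errors / len(window)
            distinct = len({r["path"] for r in window})
            if ratio >= min_error_ratio and distinct >= min_distinct_paths:
                flagged[ip] = {"requests": len(window),
                               "error_ratio": round(ratio, 2),
                               "distinct_paths": distinct,
                               "first_seen": window[0]["ts"].isoformat()}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_probing_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

Run against a real log, the thresholds need tuning to the site's normal error rate, and the flagged addresses are a starting point for review rather than proof of an attack; the point is that a scan of this kind costs almost nothing and turns "look for unusual access" into something that runs every hour alongside the patch checks the column also calls for.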