Monday, September 18, 2017

Equifax Equihaxed - How do we respond


I am still recovering from the magnitude of the Equifax breach. Read the gory details of how it happened by Krebs and Anton Chuvakin. I am sure more details will emerge in the coming days. As we start to recover from the shock of what happened, a natural question for all of us to ask is: what do we do? What can we do to prevent such occurrences in the future?

Consumers


  • Request your credit report from Equifax, Experian and TransUnion.
    Make sure there are no spurious accounts in your name. See https://Identitytheft.gov for next steps in case of suspected identity theft.
  • Sign up for a basic credit monitoring service.
    This is the minimum you should do. It is better than nothing.
  • Put a credit freeze on your credit report.
    Do this with Experian, Equifax and TransUnion. It is inconvenient, no doubt, but it is better than losing your identity and letting someone max out a credit card you might become liable for.
  • Consider signing up for an advanced credit monitoring service like LifeLock.
    This is an expensive option. If you can afford it, consider having this service. It will be worth it when someone attempts to open spurious accounts in your name.
  • File your taxes early.
    Tax fraud has been on the rise for several years. There is a high likelihood that this breach will result in a further increase in spurious tax return filings to claim tax refunds.

Equifax 

We all understand the gravity of the situation. More details are going to emerge in the coming days and they will make you look bad. Own up to your mistakes and take genuine steps to make it better for your customers. Do something that will make us remember how you responded in the time of crisis, and we will want to work with you towards a resolution instead of blaming you.

Here are a few ideas to get us started:

  • Provide a definitive answer to individuals.
    Allow people to know easily and definitively whether they are impacted or not. If you do not know who is impacted, then own it and put that out. Owning up to your mistakes gives you credibility.
  • Free credit monitoring service for 10 years.
    Allow the impacted people to sign up for a free credit monitoring service for 10 years with you, or pay for their subscription with another monitoring service. It is fair to say that people's confidence in Equifax is shaken. They would want to have an alternative.
  • Freeze credit files for free.
    Allow people to freeze their credit file for free. It is important for people to see that you care about safeguarding their interests. This will go a long way in preventing identity theft.
  • Share your learnings.
    Share your learnings from the incident with the security community. We will get better collectively. You are very likely working with the best in the industry to get to the bottom of this incident. Encourage your vendors to share their learnings too.
Wouldn't it be great if, a year from today, the Equifax CISO gave a talk at DefCon 2018 on how Equifax responded to the breach and the steps they took to secure themselves, and they became the example of the best-run security operation inside a corporation?


Govt
What would we do if the IRS was breached and everyone's tax returns were tampered with? Some people would be very happy to lose their tax returns. We need to treat this situation as an issue of national security.

  • Equifax exec leadership accountability.
    Hold the Equifax executive leadership accountable for the lapses that led to the data breach. The accountability actions have to be meaningful enough to serve as a call to action for the leadership of all corporations.
  • Increase the risk for digital theft.
    Take steps to increase the risk-to-reward ratio. The financial incentives of cyber crime are huge. If a person wants to break into my house, they will break in irrespective of how many security measures I put in, but the risk of doing that far outweighs the financial incentive. We have to get to a point where the risks of breaking in digitally are just as high.
  • Demonstrate leadership in cyber crime prevention.
    The US has to take a leadership role in cyber theft prevention. Get the thought leaders in cyber security together to craft solutions. We have the best brains in the security industry working furiously to keep us safe. Use their collective wisdom to shape our policy and provide incentives for company boards to strengthen their cyber security posture.


CTOs

Better products will reduce the odds of such incidents happening again.

  • Security is part of the Software Development Life Cycle.
    All companies producing software should incorporate security into their Software Development Life Cycle (SDLC). Software vendors, open source or commercial, have to step up their game and prevent these vulnerabilities before our products hit the market. There are plenty of tools available to help with finding vulnerabilities. The simplest of actions can start with static analysis of source code using vendors like Veracode and Coverity.
  • Security as part of CI / CD.
    All software development shops now heavily use CI / CD to speed up the pace of innovation. Consider using tools like Cybric that do pen testing and integrate well with your CI / CD systems.
  • Security training.
    Security training is looked down upon by many functions in development and is typically an afterthought. Institute security training for all developers, QA and product management.

CISOs


  • Engage with security vendors.
    Spending money on shelfware is not enough. We need to actively engage with security product vendors and help them make their products better. Be vocal about your security needs with the vendors.
  • Try the next-gen security products.
    It is an open secret that AV does not protect us against the cyber threats of today. Try out the new vendors like Carbon Black, Cylance, CrowdStrike and Threat Stack. There are plenty of cutting-edge solutions like Cyberhaven and GreatHorn. Try them out and provide feedback to make them better.
  • SOC automation.
    Every organization needs a SOC. It is expensive. Use automated solutions for the SOC like Seceon. Automated solutions, though nascent, are starting to ease the SOC expense with AI and machine learning.


None of the above solutions on their own will eradicate this problem. Defense in depth is the mantra for security. Each of the above will make it just a wee bit harder for the perpetrators to do this again.
Accomplishing all of the above is extremely hard and will take time and resources. It is worth the cost to restore our privacy and public confidence in our institutions.

Don't tell me it's going to rain - help me get an umbrella.