Making a bad situation worse: how Equifax mishandled the breach

Companies must respond to data breaches properly to limit the damage. Unfortunately, Equifax did not.

There have been some very high-profile data breaches in the last few years, but the latest disaster to hit the headlines concerns one of the largest credit bureaus in the United States. It’s estimated that the Equifax data breach exposed 143 million consumers, with cybercriminals accessing birth dates, addresses, and even Social Security, credit card and driver’s license numbers, making it one of the worst corporate data breaches ever.

The global average cost of a data breach is $3.62 million, according to the Ponemon Institute, which also estimates the average cost for each lost or stolen record containing sensitive data at $141. But mishandle a breach and that cost can rise. The lax security that led to a breach of this magnitude must be investigated, but in the immediate aftermath of an attack like this, how a company responds is crucial in limiting the damage.

Unfortunately, to say Equifax responded poorly would be an understatement.


Delayed disclosure

Any company that suffers a data breach has a duty to those affected to inform them quickly. Equifax claims it learned about the breach at the end of July. It took around six weeks to disclose it. During that time three senior executives sold shares, according to Bloomberg, which has prompted an investigation by a New York law firm. Questionable trading aside, at the very least you would assume that Equifax might have used the time to plan a response and create a system to allow its customers to check whether their data was exposed. Instead, it announced the sudden retirement of its CEO.


Misdirecting potential victims

Naturally, the first thing people want to do when they hear about a breach like this is to check whether their data was accessed. Instead of building pages on its main, trusted website to allow people to check, Equifax directed potential victims to a new domain – – which was bug-ridden and flagged by some browsers as a phishing threat.

Equifax asked people to enter the last six digits of their Social Security number in order to check if their data had been exposed. Some people entered their information via computer and were told they were unaffected, but got a different answer about exposure when they logged in from a smartphone with the same details, according to KrebsonSecurity.

Even if this site had worked properly, the reason why creating a separate domain is a bad idea became obvious when the official Equifax Twitter account mistakenly and repeatedly directed people to a phishing link instead of its own site. Luckily for Equifax, the look-alike site had been set up by software engineer Nick Sweeting as proof of how easy it is for cybercriminals to set up phishing scams. It got 200,000 hits before he took it down.


Head in the sand

The attackers gained access to the Equifax system by exploiting a vulnerability in the Apache Struts web-application framework, which is widely used in the enterprise. The thing is, that bug had been disclosed back in March and a patch to fix it was available. Equifax had ample opportunity to update, it was aware of the patch, and yet several months later it had still not managed to successfully apply it.

It later transpired that Equifax had also suffered a breach back in March, though the company did not share any details on what, if any, data was exposed. It’s unclear if there’s any link between the two incidents, but the first attack should have been a warning signal. Then again, it should be obvious that a credit bureau holding all the data cybercriminals need for lucrative identity theft is always going to be a major target.


Looking for a silver lining?

They say every cloud has one, but it’s not easy to find one here for the millions of Americans whose data has not been properly protected. What’s so galling about the Equifax breach is how avoidable it was.

Security isn’t arcane knowledge; simply applying NIST’s Cybersecurity Framework could have prevented this. And to exacerbate the situation by delaying and then misdirecting potential victims shows a staggering lack of care. An investigation by the Federal Trade Commission is underway. And deservedly so.


This article was originally posted on CSOOnline >

Join Sophos for a “Future of Endpoint Protection” Event

Join Sophos CEO Kris Hagerman and SVP Dan Schiappa at the Revere Hotel in downtown Boston to learn more about the latest developments in Sophos’ innovative approach to endpoint protection.

Seating is limited; reserve your seat today to discover:

  • Sophos’ vision on the future of cybersecurity, direct from our CEO and SVP of Products
  • How the Ransomware epidemic is evolving and how you can stop it
  • Predictive endpoint protection fueled by Artificial Intelligence and deep learning
  • Live demo of the new release of Sophos’ award-winning Intercept X





Let’s Meetup and learn about Phishing and the threats to your organization

Wednesday, October 11, 2017
6:00 PM to 8:00 PM
319 Speen Street, Natick, MA

Despite record investments in cyber security technology, the data continues to paint a bleak picture:

  • 91% of breaches start with spear phishing
  • 146 Days – the average time to identify a breach
  • 82 Days – the average time to contain a breach
  • $4 Million – the global average cost of a data breach

Our heavy reliance on technology to protect against constantly evolving cyber threats ignores the most critical element: the human element. Phishing targets people, and with 92% of global information workers using email regularly as part of their job, it’s no surprise. By targeting employees, attackers are playing the odds and hoping for an easy mark. PhishMe’s Human Phishing Defense Solution disrupts the core of the adversary’s attack chain, their targets and tactics. PhishMe focuses on engaging the human, your last line of defense after a phish bypasses other technologies, and enables incident response teams with automation tools to quickly analyze and respond to targeted phishing attacks.


MassBay Receives $10,000 Donation for Cyber Security Scholarships

WELLESLEY HILLS, MA (September 20, 2017) – Massachusetts Bay Community College is pleased to announce it has received a generous donation of $10,000 from this year’s annual Information Security Summit to support student scholarships in the field of cyber security.

The Information Security Summit, held each year on MassBay Community College’s Wellesley Hills campus, was established in 2013 to help professionals advance their programs and knowledge base on the latest network security and technology issues. The net proceeds from the Summit are awarded to students in the form of two scholarships in support of Cyber Security education.

To date, the Information Security Summit and its attendees and sponsors have raised a total of $38,000 to support student scholarships.

Towerwall CEO Michelle Drolet, whose Framingham-based cyber security company is one of the co-sponsors of the Information Security Summit, along with MassBay’s Chief Information Officer Michael Lyons were on hand to present this year’s scholarship check to President Dr. David Podell, Computer Science Professor Shamsi Moussavi and to Mary Shia, the Executive Director of the MassBay Foundation and the College’s Vice President for Institutional Advancement and Alumni Relations. Drolet is also a member of the MassBay’s Foundation Board.

Sponsors of this year’s Information Security Summit also include: Varonis, AlienVault, GovConnection, LogRhythm, Securonix, SnoopWall, Sophos, RSA, CDW, CyberSN, Darktrace Ltd, Gigamon, Juniper Networks, PhishMe, SHI, Stealthbits, SuperCom, TCG Network Services, Big Switch and Xerox Corporation.

Scholarships are available to full-time and part-time MassBay students in the form of Information Security Summit (Cyber Security) scholarships and are given out by the MassBay Foundation.

The MassBay Foundation gives 100% of donations back to students in the form of student scholarships. The Information Security Summit Scholarship was created and is supported by the generous sponsors of the Information Security Summit, established by Towerwall and MassBay Community College to support students studying in the Cyber Security field. Anyone interested in donating to student scholarships, learning more about our student scholarship program or getting involved with the MassBay Foundation can contact Mary Shia at

*Attached is a photo of the check presentation (left to right): MassBay President Dr. David Podell, Towerwall CEO Michelle Drolet, MassBay Computer Science Professor Shamsi Moussavi, MassBay Vice President for Institutional Advancement and Alumni Relations and Executive Director of the MassBay Foundation Mary Shia, and MassBay Chief Information Officer Michael Lyons.

To learn more about the Information Security Summit, visit

MassBay Community College was recently ranked by the Brookings Institution as one of the top schools for value added and earned salaries in the workforce: #1 among 2-year colleges in Massachusetts, #2 in New England and #16 nationally. The College’s facilities in Wellesley Hills, Framingham and Ashland house day, evening and weekend classes that meet the needs of degree-seeking students and career-minded life-long learners. Online options provide convenience and allow faculty to facilitate the learning process. Since its founding in 1961, MassBay has been accredited by several governing bodies and strives to meet the needs of the diverse local communities it serves.

Achieving long-term resilience with NIST’s Cybersecurity Framework

The need for continuous monitoring, effective metrics and skilled workers.

The laudable aim of the National Institute of Standards and Technology (NIST) is to build a common language through a set of best practices and security principles that any organization can apply to combat cybercrime. We’ve looked at what NIST’s Cybersecurity Framework can do for you. We’ve also drilled a little deeper to reveal the importance of solid analysis in assessing your risk and requirements to ensure that you build it right the first time.

A solid foundation is a great start, but you also need to implement continuous monitoring and find a way to measure how successful your efforts have been. Because security is a race, rather than a destination, it’s vital to keep identifying gaps, making improvements, and validating your activities. To do that, you’ll need the right attitude and the right talent.


Change is constant

Cybercriminals and would-be hackers are constantly developing new techniques and uncovering fresh vulnerabilities, so defenses must be monitored and updated continually. While the Cybersecurity Framework is a great starting point, with lots of useful advice, it’s not easy to assess how effective it has been within organizations.

That’s the main reason why, at the beginning of the year, the NIST Cybersecurity Framework, Assessment and Auditing Act of 2017 was passed into law. It’s an attempt to ensure that progress is measured, but establishing metrics to measure the effectiveness of security policies is a tricky business. Different organizations have different priorities.

The framework provides a skeleton that you can flesh out with your own organization’s requirements, and the metrics you adopt to measure the efficacy of your efforts are no different. If you don’t take the time to build a solid set of metrics, then you really don’t know if your efforts are paying off.

Later this year, there will also be a major revision to the document, which is available in draft form right now. Collaborators have been working to integrate privacy and cyber controls and align them with NIST’s cybersecurity framework recommendations. You can currently review and comment on this document, ahead of a final draft at the end of the year.


A very large skills gap

One of the biggest challenges facing any organization that’s trying to put NIST’s cybersecurity framework into practice is the lack of workers with the right skillset. Take a look at the interactive map at for an overview of the problem. There were 112,000 InfoSec analyst job openings last year in the United States, but only 96,870 workers to go around.

Another 200,000 openings requested cybersecurity-related skills. Cloud security skills were apparently the hardest to find, with jobs remaining open an average of 96 days. This worrying shortfall has prompted the creation of the National Initiative for Cybersecurity Education (NICE). Just as the cybersecurity framework creates a common language for discussing security issues and best practices, NICE aims to help you assess workforce skills and identify certification and training requirements.

Many organizations struggle to find people who possess the right knowledge, skills and abilities, and worse, they often can’t fully articulate precisely what they need. This is one of the reasons that a virtual CISO can be a real boon for an organization trying to get its cybersecurity policies on track and recruit an effective team.


Security for all

Because the cybersecurity space is developing so quickly, it’s understandable that some of the risks caught some organizations unawares. But ignorance can no longer be used as an excuse. Data breaches and other cybersecurity incidents can now often result in regulatory fines and serious reputational damage.

While there seems to be a general acceptance about the level of threat, we are still not seeing the positive action required to nullify it. Verizon’s 2017 Data Breach Investigations Report found that 88% of breaches still fall into one of the nine patterns it identified back in 2014. The difficulty organizations are having is in validating implementation and building resilience.

The fact that NIST is working hard with the wider community to pool resources and knowledge is very encouraging. The importance of this endeavor comes into sharp relief when you consider the bi-partisan cooperation in a generally combative political climate. The government and wider cybersecurity community are committed to effecting real change and tightening our collective defenses, but we all need to pitch in.


This article was originally posted on CSO Online >

Introducing “Lunch with a vCISO”: A Webinar Series from Towerwall

Each session will provide unprecedented access to the industry’s top Virtual Chief Information Security Officers and cover critical issues in the field. The interactive series will cover a variety of topics, such as aligning information security policies with your firm’s culture and how to prepare for an audit.

Attendees will be given the opportunity to ask questions of these experts during each session. Sessions will be held every other month and are designed to fit into your lunch hour.


Join us for our first live webinar:

Do you know your risk tolerance?
The role of a vCISO

Tuesday, September 19, 2017   |   12:00 PM EDT – 1:00 PM EDT

Featuring Michelle Drolet,
Founder & CEO of Towerwall


Session will discuss:

  • What is a Virtual CISO?
  • Who needs a vCISO?
  • How a vCISO integrates into your security culture.
  • Why an experienced second set of eyes matters.





Build it right with NIST’s Cybersecurity Framework

Diving into NIST Special Publication 800-53 for practical advice.

We’ve already laid out a broad overview of what NIST’s cybersecurity framework can do for you, so today we’re going to drill into Special Publication 800-53. Published by the National Institute of Standards and Technology, and based on important research from the Information Technology Laboratory, this publication offers a comprehensive set of security controls to help you protect your data.

The document refers to Federal information systems, but this terminology will be removed in the forthcoming fifth revision, because the advice here is applicable to all organizations.

It may seem dense and inaccessible at first, so we’re going to break down some of the key elements and explain their importance.


Establishing a baseline

It’s not easy to calculate the business impact of a cyberattack, because there are many knock-on effects that take time to reveal themselves. The latest research from the Ponemon Institute suggests a global average cost of $3.62 million for a data breach. The level of potential risk is your starting point in developing and building solid cybersecurity defenses.

Before you can select the right set of security controls, you must consider the importance and sensitivity of the data. The FIPS 199 document explains how you might go about categorizing your systems, taking into account confidentiality, integrity, and availability to figure out if the potential impact of a breach is low, moderate, or high risk.

Having established the potential impact levels, you can select a security control baseline. It’s deliberately called a baseline, because it’s something to build on.


Tailoring your security controls

The guidelines are broad and make certain assumptions that might not apply to your organization, so the next step is to tweak your security control baseline to ensure that it’s aligned with your business functions, systems and operating environment. You may be able to drop some controls, but will probably have to add or enhance others.

Part of the aim during this process is to arrive at an approach that strikes a good balance between security and cost. There’s no such thing as a perfect set of security controls. You must weigh up regulations, emerging threats, new and legacy technologies and systems, plus your business goals, to arrive at the right blend for your organization.
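The two steps above, categorizing a system per FIPS 199 and then selecting and tailoring an SP 800-53 baseline, are mechanical enough to script. The following is an added illustration, not code from the original article, from Towerwall or from NIST. It applies the high-water-mark rule that FIPS 199 and FIPS 200 describe (a system’s impact for each security objective is the highest impact of any information type it handles, and the overall level that picks the baseline is the highest of the three objectives), then records every tailoring decision with its rationale, which is the documentation the later "Implementation and assessment" section says auditors will ask for. The control catalogue is a hand-picked excerpt that I constructed for the example; the real baselines contain hundreds of controls, so treat the rows as a sample rather than as the authoritative baseline allocation.

```python
"""FIPS 199 categorization, SP 800-53 baseline selection and tailoring.

Added example (not the page's or NIST's code). The high-water-mark rule
follows FIPS 199 / FIPS 200; the control catalogue is a constructed sample.
"""
from dataclasses import dataclass, field

# Impact levels in ascending order; their index gives the ordering.
LEVELS = ("low", "moderate", "high")


def high_water_mark(*levels: str) -> str:
    """Return the highest impact level among the inputs (FIPS 199 rule)."""
    if not levels:
        raise ValueError("at least one impact level is required")
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level: {lvl!r}")
    return max(levels, key=LEVELS.index)


@dataclass(frozen=True)
class InfoType:
    """One information type with its per-objective provisional impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize_system(info_types) -> dict:
    """Per-objective security category of a system: the high-water mark
    across every information type it stores, processes or transmits."""
    return {
        "confidentiality": high_water_mark(*(t.confidentiality for t in info_types)),
        "integrity": high_water_mark(*(t.integrity for t in info_types)),
        "availability": high_water_mark(*(t.availability for t in info_types)),
    }


def overall_impact(category: dict) -> str:
    """FIPS 200: the overall system impact level that selects the baseline
    is the high-water mark across the three objectives."""
    return high_water_mark(*category.values())


# Constructed sample catalogue: control id -> lowest baseline that includes it.
# Placeholder excerpt for illustration; not the full SP 800-53 allocation.
SAMPLE_CATALOGUE = {
    "AC-2": "low",        # Account Management
    "AU-6": "low",        # Audit Review, Analysis, and Reporting
    "SI-2": "low",        # Flaw Remediation (patching)
    "IR-4": "low",        # Incident Handling
    "RA-5": "low",        # Vulnerability Scanning
    "AC-2(1)": "moderate",  # automated account management
    "SI-4(4)": "moderate",  # monitoring of inbound/outbound traffic
    "AU-6(5)": "high",      # integrated analysis of audit records
}


def select_baseline(impact: str, catalogue=SAMPLE_CATALOGUE) -> set:
    """Controls whose minimum baseline is at or below the system's impact."""
    return {c for c, lvl in catalogue.items()
            if LEVELS.index(lvl) <= LEVELS.index(impact)}


@dataclass
class TailoredBaseline:
    """A baseline plus the documented reasons for every deviation from it."""
    impact: str
    controls: set
    rationale: dict = field(default_factory=dict)

    def remove(self, control: str, reason: str) -> None:
        # Dropping a control without a recorded reason is the audit gap
        # the article warns about, so the reason is mandatory.
        if control not in self.controls:
            raise KeyError(f"{control} is not in the baseline")
        self.controls.discard(control)
        self.rationale[control] = f"removed: {reason}"

    def add(self, control: str, reason: str) -> None:
        self.controls.add(control)
        self.rationale[control] = f"added: {reason}"


def build_plan(info_types, catalogue=SAMPLE_CATALOGUE):
    """Categorize the system and return (category, untailored baseline)."""
    category = categorize_system(info_types)
    impact = overall_impact(category)
    return category, TailoredBaseline(impact, select_baseline(impact, catalogue))


if __name__ == "__main__":
    # Constructed sample: a credit-file system that also holds low-impact
    # web metrics. The credit file drives the category to High.
    sample = [InfoType("credit_file", "high", "high", "moderate"),
              InfoType("web_metrics", "low", "low", "low")]
    category, plan = build_plan(sample)
    plan.remove("AU-6(5)", "inherited from the enterprise SIEM common control")
    plan.add("SI-2(2)", "automated patch status reporting after the Struts lesson")
    print(category, plan.impact, sorted(plan.controls), plan.rationale)
```

The point of `TailoredBaseline` is that the tailoring step leaves a trail: each dropped or added control carries the business justification, so the plan can be re-examined when a system is integrated or a CISO changes, as the article goes on to recommend.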


Implementation and assessment

Detailed documentation laying out the design, development and implementation of your security controls is vital for regulatory bodies to be able to audit your efforts. It also provides a sound rationale that can be continually applied in the future, because, to use a well-travelled cliché, cybersecurity is not a destination but a journey.

Being able to refer to this documentation could be hugely valuable for the long haul, particularly if you have a new system to integrate, or your CISO resigns, or you hired a virtual CISO for the short term.

A common mistake that organizations make is to draft the plan, implement it, and then trust that it’s working as expected. Without in-depth, regular assessments you have no idea if your security controls have been implemented correctly, if they’re operating as intended, or if they’re meeting your expectations for security. Get an outside party with no vested interest to put your security through its paces and don’t forget to test your third-party service providers to ensure they meet your standards.


Continuous monitoring

You’ve set a baseline, tweaked it to fit your needs, implemented it and tested to ensure that it’s working properly, now you can take it easy, right? Wrong!

Your work is never done when it comes to cybersecurity because things change. You might adopt a new system, integrate a new third-party service, or change your business goals. To comply with your legal requirements, you need to be up to date with the latest regulations. And all the while, new software vulnerabilities are being discovered, and hackers are probing your defenses and developing new techniques to gain entry.

At the heart of NIST’s holistic approach to infosec and risk management are two simple ideas: “build it right” and “continuous monitoring.”

Take your time and create a solid cybersecurity foundation, but accept that you’ll need to be vigilant for cracks in your defenses and continually make improvements if you want to ensure that your data is truly protected.


This article was originally posted on CSO Online >