Equifax data breach — here’s what we can learn from it

Although data breaches and cyber attacks have flooded the news for several years, the revelation that 143 million Equifax customer records were breached still raises eyebrows and a lot of concern.

While it is too early to fully understand the Equifax breach, many people question how, despite thousands of brilliant people developing cybersecurity capabilities, we still have so many data breaches.

What exactly is a data breach, why are they so common, and how can we stop them?

A data breach is the unauthorized viewing, access of, retrieval or theft of data; you also may have read about data “exfiltration,” the unauthorized transfer of data from a computer, which is a type of data breach.

{mosads}According to Risk Based Security, which tracks data breaches worldwide, more than 2,200 data breaches occurred in the first half of 2017 alone. These cyber incidents are so common because our online exposure is vast and a single method of entry can start a chain of events that leads to a data breach.

The most common method for a cyber criminal to attack an organization is via “phishing” — a targeted email that may contain malware or a link to a site that asks the user to enter personal information that the cyber criminal intercepts. An average of more than 200 billion emails are sent each day worldwide, and it only takes one successful phishing attempt to potentially expose an organization to a data breach.

Not all hope is lost, however. In fact, we can look to other recent events for analogies on how to handle cybersecurity: The devastation of hurricanes Harvey and, now, Irma provide vivid reminders that relate to shortcomings in our cybersecurity capabilities.

In many cases, much like we need to prepare for and recover from hurricanes, we are failing to do two critical things in cybersecurity: 1. Prepare for events by applying concepts of basic cyber hygiene, and 2. Enable organizations to better respond to and recover from events by considering cybersecurity needs as an integral part of the enterprise and not as solely the concern of information technology (IT).

Organizations tend to put greater focus on threats (e.g., a malicious hacker or cyber criminal) when they should have increased focus on the impact that a disruptive event like a data breach could have on their objectives. Basic risk management and operational resilience concepts can help to prevent, detect, respond to or recover from cybersecurity (and other) incidents.

Taking the analogy of hurricanes a bit further, it is essential that a governance structure is in place to handle cybersecurity. We have national, state and local resources with a chain of command and communication to handle natural disasters. The same type of governance approach is required to successfully implement cybersecurity as a business enabler in an organization. Consistent management policies, user training, and a defined crisis-communication plan addressing cybersecurity must be developed and maintained as part of governance; this includes determining how the organization will handle risk.

Risk is the uncertainty surrounding a condition-driven impact that affects an organization or individual, both of which possess attitudes for accepting or avoiding risks. Organizations may qualify and quantify their willingness to take on enterprise risk, also called tolerance, by documenting it in a risk-appetite statement; such statements set boundaries for an organization to operate without exceeding the capacity to recover from a realized risk. This concept represents the basis of resilience when considering how to insulate people, information, technology, facilities and raw-material assets from catastrophic failure.  

Cyber risk represents one of many possible categories of risk that threaten an enterprise. And cyber risk has become one of the paramount threats to enterprises and citizens, as processes and products become globally interconnected through technology.

The Software Engineering Institute (SEI) at Carnegie Mellon University, in Pittsburgh, is a federally funded research-and-development center solving the nation’s toughest software and cybersecurity challenges. SEI’s CERT Cybersecurity Division developed the CERT Resilience Management Model (CERT-RMM), based upon fundamental risk principles.

CERT has published and continues to refine a process and associated training to properly identify and control risks, called the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) which helps enterprises may raise their confidence in withstanding cyber or other catastrophic events.  

Operational resilience is the ability of an organization to meet its mission before, during and after a disruptive event, whether it is a significant data breach or a hurricane. Resilience is not a definitive end state, but is a property that emerges as we make necessary organizational adjustments. It is imperative that an organization understand and manage its assets required to meet the mission, protecting those assets from harm and sustaining or restoring them after a disruptive event.

CERT-RMM divides critical assets into five basic categories: information, technology, people, facilities and raw materials; each has unique requirements for protection and sustainment. These requirements should be articulated as measures of required confidentiality integrity and availability. Organizations need to weigh the costs and benefits of investing in the practices required to protect and sustain critical assets. This does not mean endlessly requesting more funding for cybersecurity, but rather the objective is to ensure risk is managed to an acceptable level in alignment with risk appetite.  

The interaction between these assets results in processes important to the organization. The CERT-RMM terms these processes “critical services.” Disrupting, or impairing, a single category of asset has the potential to disrupt the critical service and, ultimately, the mission of the organization.

For example, news reports over the weekend told of Memorial Hospital in Tampa, Fla., moving its most critical physical assets to higher floors of the hospital due to the risk of flooding — an effort to be resilient in the face of a potential storm surge. Events like the Equifax breach demonstrate how shortcomings in the protection of confidential information assets can result in a profoundly negative outcome.

The best safeguard against future data breaches is preparation, like the Tampa hospital’s preemptive steps. Such preparation requires a governance structure and analysis to identify the most important assets and services; ensuring the operational resilience of these fundamental building blocks of success creates confidence that an organization will not only survive a disruption but continue to meet its mission. This preparation extends beyond basic regulatory compliance and requires risk-informed decision-making.

While none of this information might be as compelling as splashy headlines about nefarious cyber criminals, it leads back to two points.

First, organizations must practice basic cyber hygiene, such as inventorying assets and the software running on them. Failure to do this led to a 2014 data breach at JPMorgan Chase, where a neglected computer server was not updated with the latest software patches; the subsequent breach exposed 83 million customer records. The Center for Internet Security has long identified cyber hygiene as No. 5 on its list of 20 cybersecurity controls.

Second, and of equal importance to cyber hygiene, enterprises must take steps to avoid impact to assets in a disruptive event like a data breach. They must protect assets by assuming bad things will happen, and use methods to sustain those assets despite the disruption or breach. Failure to consider sustainment activities, or assuming that nothing will ever penetrate your defenses, is a losing proposition — much like assuming that a hurricane will never strike a coastal area.

Summer Craze Fowler is the technical director of Cybersecurity Risk and Resilience at Carnegie Mellon University’s CERT Cybersecurity Division of the Software Engineering Institute. She is the technical sponsor of CMU’s CISO and CRO Executive Certificate Programs and teaches graduate level courses in cybersecurity. She developed and teaches the CERT Certificate in Cybersecurity Oversight offered through the National Association of Corporate Directors and is a Fellow in Advanced Cyber Studies with the Center for Strategic and International Studies. 

The views expressed by contributors are their own and are not the views of The Hill.