Equifax Hack — One Patch Could Have Stopped it

Hacks these days can be so huge, it is hard to call any one of them stunning. However, the Equifax breach that compromised the data of 143 million consumers, and was based on a vulnerability known (and repairable) for two months, is truly gigantic. And it never would have happened if Equifax had installed one simple patch for its Apache web server, one it had in mid-July, that was actually written way back in March.

In all, some 209,000 credit cards were compromised.

If that wasn’t bad enough, now there is a threat of phishing, with cybercriminals convincing consumers that they were victims of the Equifax breach and need to click a link for help. Bad idea, as the links are thoroughly malicious. The tragedy is that the Equifax hack strikes twice.

The hack follows a well-known pattern. Security researchers, hackers, the software vendor or open source organization find a flaw, and then a patch gets written. That patch is a blueprint for cybercriminals who know that not everyone installs these fixes.

In the case of ransomware, such as Petya, hackers go after unpatched Microsoft-based systems. Microsoft has a rigorous and public system for patching its software, giving hackers ample opportunities for attack. In the case of Equifax, the flaw was with the open source Apache web server, a leading solution for websites and web farms.

Whether your software is commercial or open source, it is critical to keep it updated, as the majority of successful breaches are against unpatched machines. If a massive credit reporting company, with so much consumer data, can be hit so hard, it can happen to anyone who fails to patch.

Be Smarter (and Safer) than Equifax

No matter how large your shop, you can be smarter than Equifax and avoid the majority of breach attacks. The answer is to keep all systems patched. To do it properly, patching should not be a manual, case-by-case approach, but an automated system that encompasses all your servers and endpoints.

Phishing with Equifax Bait

As if the compromise of 209,000 consumer credit data records wasn’t bad enough, phishing attacks are a new worry. Eric Schneiderman, New York Attorney General, says the 8 million New York State residents impacted by the breach should beware of phishers.

“In addition to taking measures to protect their credit cards and bank accounts, New Yorkers should also think twice before clicking on any suspicious links claiming to be from Equifax or financial institutions,” Schneiderman said in an announcement. “Hackers are resourceful criminals who are constantly looking to exploit any vulnerabilities, and I encourage everyone to educate themselves about how to best protect their personal information.”

Here are some things to watch out for, the Attorney General said:

  • Phishing emails that claim to be from Equifax where you can check if your data was compromised.
  • Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information.
  • Calls from scammers that claim they are from your bank or credit union.
  • Fraudulent charges on any credit card because your identity was stolen.

The Answer is Automated Patch Management

The good news is the answer is simple – keep your network and machines fully patched and updated.

How you choose to do so can be simple or hard. If you go the old manual route, there is only a slim chance you will be able to identify all the needed patches on all the systems and get them installed properly. Meanwhile, you can spend your whole week trying.

The simpler, more complete route is to automate all steps in the patch process.

The first step in patch management is conducting an inventory of all your machines, even mobile devices. This asset management audit should include information on operating system and status, and all applications – with their patch and update status.

This inventory process should be regularly and easily repeatable so that new devices and software are quickly and automatically discovered – and patched.

Next, the tool should gather all needed patches, and based on policies and priorities you define, automatically install them. In some cases, you may want to test the patch before deploying to avoid software conflicts, and this should be automated as well through acceptance testing and the ability to do rollback.
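The inventory, comparison and policy-ordering steps above can be sketched in a few lines of Python. This is an added example, not Kaseya VSA code or anything from the original article; the host names, package names, versions, dates and SLA values are all constructed for illustration.

```python
from datetime import date

# Constructed inventory: one record per installed package per host.
INVENTORY = [
    {"host": "web-01", "internet_facing": True, "package": "example-webserver", "version": "2.4.1"},
    {"host": "web-02", "internet_facing": True, "package": "example-webserver", "version": "2.4.3"},
    {"host": "hr-laptop-7", "internet_facing": False, "package": "example-pdf-reader", "version": "11.0"},
    {"host": "db-01", "internet_facing": False, "package": "example-webserver", "version": "2.3.9"},
]

# Constructed patch feed: first fixed version, release date and severity.
PATCHES = {
    "example-webserver": {"fixed_in": "2.4.3", "released": date(2017, 3, 10), "severity": "critical"},
    "example-pdf-reader": {"fixed_in": "11.2", "released": date(2017, 7, 1), "severity": "moderate"},
}

# Assumed policy: maximum days a patch may stay uninstalled, by severity.
SLA_DAYS = {"critical": 7, "moderate": 30}


def parse_version(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def missing_patches(inventory, patches, today):
    """Return unpatched (host, package) findings in deployment order."""
    findings = []
    for item in inventory:
        patch = patches.get(item["package"])
        if patch is None or parse_version(item["version"]) >= parse_version(patch["fixed_in"]):
            continue  # no known fix for this package, or already patched
        age = (today - patch["released"]).days
        findings.append({
            "host": item["host"], "package": item["package"],
            "installed": item["version"], "fixed_in": patch["fixed_in"],
            "days_unpatched": age,
            "overdue": age > SLA_DAYS[patch["severity"]],
            "internet_facing": item["internet_facing"],
        })
    # Policy order: overdue first, then internet-facing, then oldest patch.
    findings.sort(key=lambda f: (not f["overdue"], not f["internet_facing"], -f["days_unpatched"]))
    return findings


if __name__ == "__main__":
    for f in missing_patches(INVENTORY, PATCHES, date(2017, 7, 15)):
        print(f)
```

Run on a schedule against a freshly collected inventory, a report like this surfaces a patch that was released months earlier but is still missing from an internet-facing server.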

Let Kaseya Help

Kaseya understands the difficulties of patch management, and our Kaseya VSA solution fully automates every aspect of patch management, including:

  • Comprehensive Discovery and Audit to find all devices in the first place, as well as monitoring operating details (to know what needs to be patched)
  • Policy-based Management and Control with Automated Patch Deployment that you set up, controlling exactly which patches get deployed, as well as when and how, to match your business’ specific needs
  • Remote Management to access and patch all devices, including off-network devices sitting on an employee’s countertop. If laptops need to be powered on or powered off, VSA can automatically take those steps to ensure the patch is fully installed.
  • Real-time, comprehensive reports with drill-down and the extensive ability to use filters

Learn more about proper patch management with our piece on Patch Management Best Practices.

Don’t have time to read? Tune into our Eight Steps to Better Security Patch Management Webinar.

dougbarney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.
