Pardon the pun 😊. Although the ‘official’ root cause for the hack hasn’t been published yet, there is a lot of chatter about the reasons for the breach. The leading theory is that the breach was likely caused by a previously known exploit of Apache Struts, a popular open source framework for developing Java web applications. See below for relevant links on the source of the vulnerability.
What is WAF?
Specifically, this previously known vulnerability appears to be one where remote hackers can execute commands through an HTTP header, that is, Remote Code Execution. So, to answer the title of this blog, it looks like a WAF (Web Application Firewall) did not happen at Equifax. Not only was this increasingly common measure for blunting attacks on applications that hold deeply sensitive data not in place, but it also appears that the system had not been patched, and that patch could potentially have thwarted this attack in the first place. Normal security patch management practices were ignored.
Now, understandably, the full details and circumstances of this breach are not out yet, but the keepers of our data, whether banks, hospitals or any other institution that we entrust with our data, have an obligation to maintain such data to the best of their ability so that trust is retained. Adding fuel to the fire, the response was less than impressive, from the shady-sounding website (www.equifaxsecurity2017.com) that was hastily put together to enable consumers to check if they were compromised, to the response (or non-response) the automated system came back with.
Simply put, there has been a breakdown of the system at Equifax, top to bottom; trust has been lost, and that has consequences. Maybe it’s time to evaluate your relationships, especially ones that could make or break the trust consumers place in you.
Evaluate us @ www.solutions-ii.com
Apache Foundation Statement on Struts and Equifax
ZDNet Reports that Equifax Blames Apache Struts
NPR Reports Equifax Executives Sold Stock Three Days After Hack