Welcome!

@CloudExpo Authors: Zakia Bouachraoui, Yeshim Deniz, Elizabeth White, Pat Romanski, Roger Strukhoff

Related Topics: @CloudExpo, Cloud Security, @DXWorldExpo

@CloudExpo: Article

Equifax Is an Enron Moment | @CloudExpo #AI #DX #SDN #Cybersecurity

What makes this specific breach even more damaging is the type of the stolen data

Equifax Is an Enron Moment, But Not the Way You May Think

Enron changed how U.S. public companies audit and report their financial data. There is also an opportunity to use the Equifax data breach to create a framework for better protection of our data in future.

The credit reporting agency reported one of the largest data breaches in the history. Hackers were able to steal sensitive information from its internal servers. The stolen data include name, Social Security Number (SSN), date of birth, and also credit card numbers and driver license numbers in some cases. A massive breach like this can haunt the victims for years to come.

What makes this specific breach even more damaging is the type of the stolen data. If someone steals your credit card number, you call your bank and get a new card hopefully before the hacker is able to make use of the stolen card. But, if a hacker gets your date of birth, good luck trying to change it. In fact, thieves are known to sit idle for months waiting for increased awareness after the breach to subside before hitting the underground market with stolen SSN and dates of birth. If you are one of the 143 million people affected by this breach, get used to the feeling of being haunted. Hackers may use stolen data tomorrow or in multiple years from now. They have all the data needed to reset bank passwords, access health records, open credit card accounts on your behalf, etc. You will never know when or how they will misuse your data.

Equifax has been less than forthcoming in describing how the hackers were able to get to the most sensitive data. Baird Equity Research attributes the breach to a flaw in Apache Struts, one of the most popular software for developing Java-based web applications. A new vulnerability was reported recently in Apache Struts that allows hackers to remotely run arbitrary commands on the server. It's conceivable and even probable that either this vulnerability or another one like it was used for this hack. What's troubling is these vulnerabilities have existed for long time but were identified and mitigated only recently. Such vulnerabilities provide hackers enough time to target organizations with prized data and steal the data for nefarious use.

Albert Einstein is credited with the saying that the definition of insanity is doing the same thing over and over again, but expecting different results. If we, as a society, are to get better at protecting our most critical data, we have to try something new. Obviously, the law enforcement agencies will be spending a good amount of time reviewing Equifax's security processes, response, and the unfortunate timing of their executives trading stocks. However, this data breach is just one of the many, and while it looks pretty jarring, there is this uncanny feeling there is worse to come.

Some have argued for not using SSN as a means of identification. SSN was designed to track income and not a way to identify or authenticate people. However, such a move misses the big picture. SSN is one of the sensitive pieces of information we have, but as past breaches have taught us there are plenty more - date of birth, passwords, health record, employment history, etc. How are doing to protect them? We need a method to protect all sensitive data. Fortunately, technology can now offer such a required solution and with a little bit of public help, we can make meaningful progress in stopping the incessant data thefts.

One approach to preventing some of these mega breaches, including Equifax, is an innovative use of encryption. Encryption already secures data at rest. For example, if you use self-encrypting hard drives, or Microsoft Bitlocker, you are securing your data using encryption when it's sitting idle. Similarly, encryption secures your data in transit. When you connect to your bank website using your browser or mobile phone application, Transport Layer Security (TLS) protects data as it moves from you to the bank servers. When the banks provide the data to Equifax, they also use TLS. However, once the data is used by Equifax, it's decrypted and exposed. The exposed data works like a magnet for hackers and they try all possible vulnerabilities to find and steal the exposed data. In the case of Equifax, Apache Struts provided the path for the hackers to connect to the exposed data.

Encryption during runtime keeps data encrypted when applications are using the data. This allows organizations to limit access to data to the actual business logic running on the server. Had Equifax encrypted data during runtime, even with vulnerable Apache Struts hackers would have accessed only encrypted data which they wouldn't be able to decipher. Encryption during runtime understands that hackers will always be able to use vulnerable applications to connect to the servers. The best strategy is to ensure that even when this happens, the data we care about remains encrypted and therefore undecipherable to hackers.

Encryption during runtime is certainly not a panacea and cannot protect from all threats. For example, if the business logic itself is vulnerable, the data could still be compromised. However, it protects the data from all vulnerabilities that are found in code other than the business logic. An approach that combines encryption with best practices in developing secure applications can reach new limits in securing data.

When the Enron scandal was reported in 2001, the Congress legislated the Sarbanes-Oxley Act that increased audit requirements and made it harder for companies to fudge their financial numbers. It has been effective in avoiding another Enron-like scandal. If you don't want to see a repeat of the Equifax data breach, a good place to start may be with your congressman. Ask him or her to strengthen data breach laws and to require organizations to disclose how they protect your data in use. Disclosure of the internal security practices along with regulatory requirements can create a virtuous cycle where the most secure organizations are rewarded with more business. No bank would dare to operate their website without TLS today. Otherwise regulators, customers, security analysts, social media, etc., all will publicly punish and shame them. We need encryption during runtime for processing sensitive data.

More Stories By Ambuj Kumar

Ambuj Kumar is CEO and Co-founder of Fortanix. Prior to founding Fortanix, he was lead architect at Cryptography Research Inc. where he led and developed many of the company's security technologies that go into millions of devices every year. Previously, he worked for NVIDIA where he designed the world's most advanced computer chips including the world's fastest memory controller. He has a Bachelor of Technology from IIT Kanpur and an MS from Stanford University, both in EE.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
Public clouds dominate IT conversations but the next phase of cloud evolutions are "multi" hybrid cloud environments. The winners in the cloud services industry will be those organizations that understand how to leverage these technologies as complete service solutions for specific customer verticals. In turn, both business and IT actors throughout the enterprise will need to increase their engagement with multi-cloud deployments today while planning a technology strategy that will constitute a significant part of their IT budgets in the very near future. As IoT solutions are growing rapidly, as well as security challenges growing exponentially, without a doubt, the cloud world is about to change for the better. Again.
While more companies are now leveraging the cloud to increase their level of data protection and management, there are still many wondering “why?” The answer: the cloud actually brings substantial advancements to the data protection and management table that simply aren’t possible without it. The easiest advantage to envision? Unlimited scalability. If a data protection tool is properly designed, the capacity should automatically expand to meet any customer’s needs. The second advantage: the cloud is the simplest way to centralize the storage of all secondary data sources while also providing unlimited compute that can be used to gain additional insight and business value from that data. Finally, the ability to do automated Disaster Recovery (DR) without maintaining a DR facility is unquestionably a major value of the cloud, and simply isn’t possible otherwise. Join W. Curtis Preston,...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throughout enterprises of all sizes.
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected path for IoT innovators to scale globally, and the smartest path to cross-device synergy in an instrumented, connected world.
As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations. Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward maximum functionality, scalability, and flexibility. As they do so, IT professionals are also embracing the reality of Serverless architectures, which are critical to developing and operating real-time applications and services. Serverless is particularly important as enterprises of all sizes develop and deploy Internet of Things (IoT) initiatives.