Welcome!

@CloudExpo Authors: Zakia Bouachraoui, Elizabeth White, Liz McMillan, Pat Romanski, Roger Strukhoff

Related Topics: @CloudExpo, Cloud Security, @DXWorldExpo

@CloudExpo: Article

Equifax Is an Enron Moment | @CloudExpo #AI #DX #SDN #Cybersecurity

What makes this specific breach even more damaging is the type of the stolen data

Equifax Is an Enron Moment, But Not the Way You May Think

Enron changed how U.S. public companies audit and report their financial data. There is also an opportunity to use the Equifax data breach to create a framework for better protection of our data in future.

The credit reporting agency reported one of the largest data breaches in the history. Hackers were able to steal sensitive information from its internal servers. The stolen data include name, Social Security Number (SSN), date of birth, and also credit card numbers and driver license numbers in some cases. A massive breach like this can haunt the victims for years to come.

What makes this specific breach even more damaging is the type of the stolen data. If someone steals your credit card number, you call your bank and get a new card hopefully before the hacker is able to make use of the stolen card. But, if a hacker gets your date of birth, good luck trying to change it. In fact, thieves are known to sit idle for months waiting for increased awareness after the breach to subside before hitting the underground market with stolen SSN and dates of birth. If you are one of the 143 million people affected by this breach, get used to the feeling of being haunted. Hackers may use stolen data tomorrow or in multiple years from now. They have all the data needed to reset bank passwords, access health records, open credit card accounts on your behalf, etc. You will never know when or how they will misuse your data.

Equifax has been less than forthcoming in describing how the hackers were able to get to the most sensitive data. Baird Equity Research attributes the breach to a flaw in Apache Struts, one of the most popular software for developing Java-based web applications. A new vulnerability was reported recently in Apache Struts that allows hackers to remotely run arbitrary commands on the server. It's conceivable and even probable that either this vulnerability or another one like it was used for this hack. What's troubling is these vulnerabilities have existed for long time but were identified and mitigated only recently. Such vulnerabilities provide hackers enough time to target organizations with prized data and steal the data for nefarious use.

Albert Einstein is credited with the saying that the definition of insanity is doing the same thing over and over again, but expecting different results. If we, as a society, are to get better at protecting our most critical data, we have to try something new. Obviously, the law enforcement agencies will be spending a good amount of time reviewing Equifax's security processes, response, and the unfortunate timing of their executives trading stocks. However, this data breach is just one of the many, and while it looks pretty jarring, there is this uncanny feeling there is worse to come.

Some have argued for not using SSN as a means of identification. SSN was designed to track income and not a way to identify or authenticate people. However, such a move misses the big picture. SSN is one of the sensitive pieces of information we have, but as past breaches have taught us there are plenty more - date of birth, passwords, health record, employment history, etc. How are doing to protect them? We need a method to protect all sensitive data. Fortunately, technology can now offer such a required solution and with a little bit of public help, we can make meaningful progress in stopping the incessant data thefts.

One approach to preventing some of these mega breaches, including Equifax, is an innovative use of encryption. Encryption already secures data at rest. For example, if you use self-encrypting hard drives, or Microsoft Bitlocker, you are securing your data using encryption when it's sitting idle. Similarly, encryption secures your data in transit. When you connect to your bank website using your browser or mobile phone application, Transport Layer Security (TLS) protects data as it moves from you to the bank servers. When the banks provide the data to Equifax, they also use TLS. However, once the data is used by Equifax, it's decrypted and exposed. The exposed data works like a magnet for hackers and they try all possible vulnerabilities to find and steal the exposed data. In the case of Equifax, Apache Struts provided the path for the hackers to connect to the exposed data.

Encryption during runtime keeps data encrypted when applications are using the data. This allows organizations to limit access to data to the actual business logic running on the server. Had Equifax encrypted data during runtime, even with vulnerable Apache Struts hackers would have accessed only encrypted data which they wouldn't be able to decipher. Encryption during runtime understands that hackers will always be able to use vulnerable applications to connect to the servers. The best strategy is to ensure that even when this happens, the data we care about remains encrypted and therefore undecipherable to hackers.

Encryption during runtime is certainly not a panacea and cannot protect from all threats. For example, if the business logic itself is vulnerable, the data could still be compromised. However, it protects the data from all vulnerabilities that are found in code other than the business logic. An approach that combines encryption with best practices in developing secure applications can reach new limits in securing data.

When the Enron scandal was reported in 2001, the Congress legislated the Sarbanes-Oxley Act that increased audit requirements and made it harder for companies to fudge their financial numbers. It has been effective in avoiding another Enron-like scandal. If you don't want to see a repeat of the Equifax data breach, a good place to start may be with your congressman. Ask him or her to strengthen data breach laws and to require organizations to disclose how they protect your data in use. Disclosure of the internal security practices along with regulatory requirements can create a virtuous cycle where the most secure organizations are rewarded with more business. No bank would dare to operate their website without TLS today. Otherwise regulators, customers, security analysts, social media, etc., all will publicly punish and shame them. We need encryption during runtime for processing sensitive data.

More Stories By Ambuj Kumar

Ambuj Kumar is CEO and Co-founder of Fortanix. Prior to founding Fortanix, he was lead architect at Cryptography Research Inc. where he led and developed many of the company's security technologies that go into millions of devices every year. Previously, he worked for NVIDIA where he designed the world's most advanced computer chips including the world's fastest memory controller. He has a Bachelor of Technology from IIT Kanpur and an MS from Stanford University, both in EE.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
The precious oil is extracted from the seeds of prickly pear cactus plant. After taking out the seeds from the fruits, they are adequately dried and then cold pressed to obtain the oil. Indeed, the prickly seed oil is quite expensive. Well, that is understandable when you consider the fact that the seeds are really tiny and each seed contain only about 5% of oil in it at most, plus the seeds are usually handpicked from the fruits. This means it will take tons of these seeds to produce just one bottle of the oil for commercial purpose. But from its medical properties to its culinary importance, skin lightening, moisturizing, and protection abilities, down to its extraordinary hair care properties, prickly seed oil has got lots of excellent rewards for anyone who pays the price.
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected path for IoT innovators to scale globally, and the smartest path to cross-device synergy in an instrumented, connected world.
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
ScaleMP is presenting at CloudEXPO 2019, held June 24-26 in Santa Clara, and we’d love to see you there. At the conference, we’ll demonstrate how ScaleMP is solving one of the most vexing challenges for cloud — memory cost and limit of scale — and how our innovative vSMP MemoryONE solution provides affordable larger server memory for the private and public cloud. Please visit us at Booth No. 519 to connect with our experts and learn more about vSMP MemoryONE and how it is already serving some of the world’s largest data centers. Click here to schedule a meeting with our experts and executives.
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understanding as the environment changes.