On Monday May 6, Equifax sent a letter to the SEC detailing the totals for each type of data exposed in the breach. The total number of affected consumers remains unchanged. The breakdown is as follows: “name (146.6 million); date of birth (146.6m); Social Security number (145.5m); address info (99m), gender (27.3m); phone number (20.3m); driver’s license number (17.6m); email address (1.8m); payment card number and expiration date (209,000); TaxID (97,500); and driver’s license state (27,000).” Equifax also revealed how many images of US government-issued identity documents were compromised: “38,000 driver’s licenses; 12,000 Social Security or taxpayer ID cards; 3,200 passports or passport cards; and 3,000 other government-issued ID docs including military IDs, state-issued IDs and resident alien cards.” Note that these figures cover affected US consumers only. Equifax has not released the equivalent breakdown for the Canadians affected.
Equally scary, security vendor Sonatype claims that 10,801 organizations are still downloading and running old, insecure versions of Apache Struts, the open source web framework that the Equifax attackers exploited after the firm failed to patch promptly. According to Fortune, “The Apache Software Foundation released patched versions of the software employed by Equifax on March 7, 2017 as well as six other subsequent times throughout the year.” Still, companies keep downloading the “broken” copies of the software. Sonatype claims that those companies include Fortune Global 100 tech companies, Fortune Global 100 automakers, and Fortune Global 100 financial services or insurance firms. Given the severity of the Equifax breach, and given that a similar breach could cost an organization $1.5 billion if Senator Warren’s ‘Data Breach Prevention and Compensation Act of 2018’ becomes law, continuing to run those versions is hard to justify.
So why would companies continue to use “broken” software? Do they not care about the integrity of their data? While it seems like a no-brainer to keep systems patched and up-to-date, it’s not always simple. “Updating Struts tends to present a greater challenge for companies than applying other software fixes, such as simple Microsoft Windows updates. Because Struts libraries are often bundled with disparate web applications, fixing the issue requires, among other things: knowing which applications use these components; updating so-called build scripts so they fetch the latest versions of the software; rebuilding the applications; and running quality assurance tests to make sure the mended applications work as intended.” So even though a problem like this requires swift remediation, confirming that the patch is actually in place and that the rebuilt application still works takes technical know-how and time. Even so, you would think that most companies would spend a little time and effort in the short term to avoid a much larger catastrophe later.
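The first step in that list, knowing which applications bundle Struts, is the one most organizations cannot answer from a build script alone, because the deployed WAR or EAR is what actually runs. The following scanner is an added example, not code from the original post or from Sonatype, Apache or Uzado. It walks a directory of deployed Java archives, opens each JAR, WAR and EAR (recursing into nested archives, so an EAR containing a WAR containing struts2-core is found), reads the version from the Maven pom.properties that struts2-core ships inside its jar (falling back to the file name when that is missing), and flags anything below an assumed minimum for its release line. The minimum versions in MIN_SAFE are illustrative placeholders: take the real numbers from the Apache Struts security bulletins for the advisory you are remediating. The sample archives in build_sample_tree are constructed fixtures.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, List, Tuple

# Assumed minimum acceptable struts2-core version per release line. These are
# placeholders for illustration; take the real numbers from the Apache Struts
# security bulletins for the advisory you are remediating.
MIN_SAFE: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Maven writes this file into every struts2-core jar it builds.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
STRUTS_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


def is_outdated(version: str) -> bool:
    """True when the version is below the minimum for its release line, or when
    the line is not in MIN_SAFE at all (an end-of-life line such as 2.1 or 2.2
    must be flagged for review, not silently ignored)."""
    v = parse_version(version)
    minimum = MIN_SAFE.get(v[:2])
    return minimum is None or v < minimum


def version_from_jar_bytes(data: bytes, fallback: str) -> str:
    """Prefer pom.properties inside the jar over the file name: a renamed or
    repackaged jar keeps its pom.properties but not its name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            if POM_PROPS in jar.namelist():
                text = jar.read(POM_PROPS).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # corrupt or truncated jar: report the name-derived version
    return fallback


def _find_in_zip(z: zipfile.ZipFile, prefix: str) -> Iterator[Tuple[str, str]]:
    for name in z.namelist():
        m = STRUTS_JAR.search(name)
        if m:
            yield f"{prefix}!{name}", version_from_jar_bytes(z.read(name), m.group(1))
        elif name.lower().endswith(ARCHIVE_EXT):
            data = z.read(name)
            if zipfile.is_zipfile(io.BytesIO(data)):  # e.g. a WAR inside an EAR
                with zipfile.ZipFile(io.BytesIO(data)) as nested:
                    yield from _find_in_zip(nested, f"{prefix}!{name}")


def struts_in_archive(path: str) -> List[Tuple[str, str]]:
    """Return (location, version) pairs for struts2-core at or inside path."""
    m = STRUTS_JAR.search(path.replace(os.sep, "/"))
    if m:  # the file itself is a struts2-core jar
        with open(path, "rb") as fh:
            return [(path, version_from_jar_bytes(fh.read(), m.group(1)))]
    with zipfile.ZipFile(path) as outer:
        return list(_find_in_zip(outer, path))


def scan(root: str) -> List[Dict[str, object]]:
    report: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVE_EXT) and zipfile.is_zipfile(full):
                for location, version in struts_in_archive(full):
                    report.append({"location": location, "version": version,
                                   "outdated": is_outdated(version)})
    return report


def _jar(entries: Dict[str, str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed fixtures (not real deployments): a WAR bundling an old
    struts2-core, an EAR whose inner WAR carries a jar with no pom.properties,
    and a stand-alone current struts2-core jar."""
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "legacy-app.war"), "wb") as fh:
        fh.write(_jar({"WEB-INF/lib/struts2-core-2.3.20.jar": _jar({POM_PROPS: "version=2.3.20\n"}),
                       "WEB-INF/lib/commons-io-2.5.jar": _jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})}))
    with open(os.path.join(root, "portal.ear"), "wb") as fh:
        fh.write(_jar({"portal-web.war": _jar({"WEB-INF/lib/struts2-core-2.5.10.jar": _jar({"META-INF/MANIFEST.MF": ""})})}))
    with open(os.path.join(root, "lib", "struts2-core-2.5.13.jar"), "wb") as fh:
        fh.write(_jar({POM_PROPS: "version=2.5.13\n"}))


def demo() -> List[Dict[str, object]]:
    root = tempfile.mkdtemp(prefix="struts-scan-")
    build_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    for row in demo():
        print("OUTDATED" if row["outdated"] else "ok      ", row["version"], row["location"])
```

Run it against the directory your application server deploys from (for example the webapps or deployments tree) rather than against source checkouts; the deployed archive is the ground truth that build scripts, shaded jars and vendor-supplied WARs all end up in. Each row whose version comes only from the file name deserves a second look, since a jar that has been repackaged without its pom.properties may be older than its name suggests.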
It is obvious that IT Security departments are overwhelmed. Remediation management is a practical way to combat that overload. A risk-based approach will help you work through a vulnerability scan report more effectively, and breaking the work into bite-sized pieces makes remediation an ongoing process. It’s easier to do a little every day than it is to deal with 500 or 1,000 items in the span of a few days. It’s also more effective in terms of security, because keeping your systems safe isn’t a task you can “set and forget.” Uzado’s Platform is a tool organizations can use to keep track of these needs. Contact Uzado to request a demo.