Welcome!

Cloud Security Authors: Zakia Bouachraoui, Pat Romanski, Elizabeth White, Yeshim Deniz, Liz McMillan

Related Topics: @CloudExpo, Cloud Security, @DXWorldExpo

@CloudExpo: Article

Equifax Is an Enron Moment | @CloudExpo #AI #DX #SDN #Cybersecurity

What makes this specific breach even more damaging is the type of the stolen data

Equifax Is an Enron Moment, But Not the Way You May Think

Enron changed how U.S. public companies audit and report their financial data. There is also an opportunity to use the Equifax data breach to create a framework for better protection of our data in future.

The credit reporting agency reported one of the largest data breaches in the history. Hackers were able to steal sensitive information from its internal servers. The stolen data include name, Social Security Number (SSN), date of birth, and also credit card numbers and driver license numbers in some cases. A massive breach like this can haunt the victims for years to come.

What makes this specific breach even more damaging is the type of the stolen data. If someone steals your credit card number, you call your bank and get a new card hopefully before the hacker is able to make use of the stolen card. But, if a hacker gets your date of birth, good luck trying to change it. In fact, thieves are known to sit idle for months waiting for increased awareness after the breach to subside before hitting the underground market with stolen SSN and dates of birth. If you are one of the 143 million people affected by this breach, get used to the feeling of being haunted. Hackers may use stolen data tomorrow or in multiple years from now. They have all the data needed to reset bank passwords, access health records, open credit card accounts on your behalf, etc. You will never know when or how they will misuse your data.

Equifax has been less than forthcoming in describing how the hackers were able to get to the most sensitive data. Baird Equity Research attributes the breach to a flaw in Apache Struts, one of the most popular software for developing Java-based web applications. A new vulnerability was reported recently in Apache Struts that allows hackers to remotely run arbitrary commands on the server. It's conceivable and even probable that either this vulnerability or another one like it was used for this hack. What's troubling is these vulnerabilities have existed for long time but were identified and mitigated only recently. Such vulnerabilities provide hackers enough time to target organizations with prized data and steal the data for nefarious use.

Albert Einstein is credited with the saying that the definition of insanity is doing the same thing over and over again, but expecting different results. If we, as a society, are to get better at protecting our most critical data, we have to try something new. Obviously, the law enforcement agencies will be spending a good amount of time reviewing Equifax's security processes, response, and the unfortunate timing of their executives trading stocks. However, this data breach is just one of the many, and while it looks pretty jarring, there is this uncanny feeling there is worse to come.

Some have argued for not using SSN as a means of identification. SSN was designed to track income and not a way to identify or authenticate people. However, such a move misses the big picture. SSN is one of the sensitive pieces of information we have, but as past breaches have taught us there are plenty more - date of birth, passwords, health record, employment history, etc. How are doing to protect them? We need a method to protect all sensitive data. Fortunately, technology can now offer such a required solution and with a little bit of public help, we can make meaningful progress in stopping the incessant data thefts.

One approach to preventing some of these mega breaches, including Equifax, is an innovative use of encryption. Encryption already secures data at rest. For example, if you use self-encrypting hard drives, or Microsoft Bitlocker, you are securing your data using encryption when it's sitting idle. Similarly, encryption secures your data in transit. When you connect to your bank website using your browser or mobile phone application, Transport Layer Security (TLS) protects data as it moves from you to the bank servers. When the banks provide the data to Equifax, they also use TLS. However, once the data is used by Equifax, it's decrypted and exposed. The exposed data works like a magnet for hackers and they try all possible vulnerabilities to find and steal the exposed data. In the case of Equifax, Apache Struts provided the path for the hackers to connect to the exposed data.

Encryption during runtime keeps data encrypted when applications are using the data. This allows organizations to limit access to data to the actual business logic running on the server. Had Equifax encrypted data during runtime, even with vulnerable Apache Struts hackers would have accessed only encrypted data which they wouldn't be able to decipher. Encryption during runtime understands that hackers will always be able to use vulnerable applications to connect to the servers. The best strategy is to ensure that even when this happens, the data we care about remains encrypted and therefore undecipherable to hackers.

Encryption during runtime is certainly not a panacea and cannot protect from all threats. For example, if the business logic itself is vulnerable, the data could still be compromised. However, it protects the data from all vulnerabilities that are found in code other than the business logic. An approach that combines encryption with best practices in developing secure applications can reach new limits in securing data.

When the Enron scandal was reported in 2001, the Congress legislated the Sarbanes-Oxley Act that increased audit requirements and made it harder for companies to fudge their financial numbers. It has been effective in avoiding another Enron-like scandal. If you don't want to see a repeat of the Equifax data breach, a good place to start may be with your congressman. Ask him or her to strengthen data breach laws and to require organizations to disclose how they protect your data in use. Disclosure of the internal security practices along with regulatory requirements can create a virtuous cycle where the most secure organizations are rewarded with more business. No bank would dare to operate their website without TLS today. Otherwise regulators, customers, security analysts, social media, etc., all will publicly punish and shame them. We need encryption during runtime for processing sensitive data.

More Stories By Ambuj Kumar

Ambuj Kumar is CEO and Co-founder of Fortanix. Prior to founding Fortanix, he was lead architect at Cryptography Research Inc. where he led and developed many of the company's security technologies that go into millions of devices every year. Previously, he worked for NVIDIA where he designed the world's most advanced computer chips including the world's fastest memory controller. He has a Bachelor of Technology from IIT Kanpur and an MS from Stanford University, both in EE.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Whenever a new technology hits the high points of hype, everyone starts talking about it like it will solve all their business problems. Blockchain is one of those technologies. According to Gartner's latest report on the hype cycle of emerging technologies, blockchain has just passed the peak of their hype cycle curve. If you read the news articles about it, one would think it has taken over the technology world. No disruptive technology is without its challenges and potential impediments t...
If a machine can invent, does this mean the end of the patent system as we know it? The patent system, both in the US and Europe, allows companies to protect their inventions and helps foster innovation. However, Artificial Intelligence (AI) could be set to disrupt the patent system as we know it. This talk will examine how AI may change the patent landscape in the years to come. Furthermore, ways in which companies can best protect their AI related inventions will be examined from both a US and...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...