is provided a second time, it would report that same consumer is affected. To check your breach status, you are asked to provide your last name and the last 6 digits of your social security number. Providing parts of your SSN on a website that looks phishy, to a company that was just breached and already has your data anyhow, doesn't seem like a great idea.

If you do check Equifax's site to determine your status, you can automatically enroll in Equifax's TrustedID Premier, which is their credit monitoring and identity theft protection service. This service is free for a year, but there is a cost for you to continue the coverage beyond the next 12 months. Initially, it also had a clause in their terms and conditions that limited a consumer's ability to litigate against Equifax. The company has since made adjustments to these terms, and the website now reads, "We've added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action."

Also, Equifax had adopted an insecure practice for issuing the PIN numbers that allow you to manage your credit freeze. It is reported that these PIN numbers were generated in a non-random and apparently sequential method based on the current date/time stamp. This insecure PIN practice appears to have been updated, according to their website. Those who already have a PIN should ensure it is changed to a more secure number that can't be easily brute-forced or guessed.

Last but not least, at least 23 class action lawsuits have been proposed against Equifax. These lawsuits allege security negligence by Equifax, damages from a delay in notifying the public, and concerns around the free credit monitoring service offered, which is a service owned by Equifax and, it could be perceived, promoted to sell its service to those affected by this breach.

Lessons Learned

Patch Management
Regardless of the issues in this particular data breach, there is value in examining what went wrong so that we can all learn and improve our own processes to protect against cybercrime. As we learned from the WannaCry ransomware worm, patching our systems is critical. In this case, there is the possibility that an externally facing web application system was not fully patched and could have allowed the cybercriminals access to the sensitive data. Given the rate at which vulnerabilities are detected and exploited by hackers, patching cycles need to get shorter so that security gaps are closed in days or weeks, not months.

External Web Application Testing
It has been a best practice for years to ensure your institution has an annual independent Penetration Test conducted on its externally facing systems. In this case, such an assessment might have identified that a vulnerable webserver was exposed to the Internet. It's a vital auditing process to ensure your institution is truly implementing a strong patch management program. In addition to the standard External Penetration Test, it has become essential to ensure the testing process includes a Web Application Assessment. This assessment uses special tools that focus on identifying and exploiting vulnerabilities in the actual web application itself, such as insecure code, rather than focusing only on the networking and services layer that a traditional penetration test covers.

Vulnerability Assessment
In addition to these two external assessments, it is also a best practice to conduct an independent internal Vulnerability Assessment of your network. A Vulnerability Assessment (VA) provides another layer of security by detecting missing security updates, insecure or default security settings, or other vulnerabilities. It has also become a common practice to conduct regular vulnerability scans using a Continual Vulnerability Assessment process. Most Vulnerability Assessment software is fairly affordable and can be easily configured to run a weekly or monthly scan of your network to give you a more frequent snapshot of its security health.

Asset-Based Risk Assessment
Systems similar to this suspected vulnerable web application system should have been evaluated in an IT Risk Assessment. An IT Risk Assessment should capture the value of the system and the data it stores, transmits, and processes, as well as threats against the asset and the risk-mitigating controls currently implemented. This would have allowed for a risk assessment of the system and a comparison against the institution's risk appetite. If the risk were outside the institution's risk tolerance, then additional security controls could have been added. Controls such as patch management, intrusion prevention, encryption, system hardening, network segregation, SIEM, and others could be selected to manage and mitigate the risk.

Improve Vendor Management
There has been debate in the past about whether you should include your credit bureau in your vendor management program. SBS would suggest that if you are publishing data to a credit bureau, you include the credit bureau in your vendor risk assessment, scoring it appropriately and following your standard process according to the vendor's risk level. It may not be a critical vendor, but holding customer data would likely mean you are requesting SOC 2 reports and evaluating whether adequate controls are in place.

Incident Response Program
This is also an ideal time to take a look at your own institution's incident response procedures. While this type of incident might not require you to notify your customers, it does pose a good question: should we notify customers proactively, as an advisor, to help them be prepared for potential fraud and identity theft? Other considerations could include template notifications, a designated public relations person, an offer of credit monitoring (or an alternative solution), procedures for incident investigation, and forensic resources.
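The credit-freeze PIN paragraph above describes PINs derived from the current date/time stamp. As an added example (not Equifax's code and not part of the article), the following Python contrasts a PIN built from the request timestamp with one drawn from the operating system's CSPRNG, quantifies the difference in guess space, and includes a check an issuer can run against its own PIN store to detect clock-derived PINs. The MMDDYYHHMM layout, the ten-digit length and the sample issuance times are assumptions made for illustration.

```python
import datetime as dt
import math
import secrets

# Constructed illustration: a PIN derived from the issuance timestamp (the
# style of scheme the article describes) versus a PIN from the OS CSPRNG.
# The digit layout and length are assumptions, not Equifax's actual format.

PIN_DIGITS = 10


def timestamp_pin(when: dt.datetime) -> str:
    """Weak scheme (illustrative): PIN = MMDDYYHHMM of the issuance time.
    Two requests in the same minute get the same PIN, and consecutive
    requests get consecutive PINs."""
    return when.strftime("%m%d%y%H%M")


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Secure scheme: a uniformly random integer in [0, 10**digits),
    zero-padded, drawn from the secrets module (CSPRNG-backed)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def timestamp_pin_space(years: int = 1) -> int:
    """Distinct PINs the timestamp scheme can emit over `years` of
    issuance: one per minute."""
    return years * 365 * 24 * 60


def random_pin_space(digits: int = PIN_DIGITS) -> int:
    """Distinct PINs the random scheme can emit."""
    return 10 ** digits


def entropy_bits(space: int) -> float:
    """Guessing entropy, in bits, of a uniform choice over `space` values."""
    return math.log2(space)


def is_timestamp_like(pin: str, issued: dt.datetime, window_minutes: int = 60) -> bool:
    """Defensive audit check for an issuer's own PIN store: does a 10-digit
    PIN parse as a date/time within `window_minutes` of the recorded
    issuance time? A high hit rate across the store means the generator is
    leaking the clock and PINs should be reissued."""
    try:
        parsed = dt.datetime.strptime(pin, "%m%d%y%H%M")
    except ValueError:
        return False
    return abs((parsed - issued).total_seconds()) <= window_minutes * 60


if __name__ == "__main__":
    issued = dt.datetime(2017, 9, 8, 14, 30)  # constructed issuance time
    weak, strong = timestamp_pin(issued), random_pin()
    print("timestamp PIN:", weak, "clock-derived?", is_timestamp_like(weak, issued))
    print("random PIN:   ", strong, "clock-derived?", is_timestamp_like(strong, issued))
    print(f"guess space: {entropy_bits(timestamp_pin_space()):.1f} bits (timestamp) "
          f"vs {entropy_bits(random_pin_space()):.1f} bits (random)")
```

The point of the numbers: a year of one-per-minute timestamps is about 525,600 values (roughly 19 bits), while a uniformly random ten-digit PIN has 10^10 values (about 33 bits), and the timestamp scheme additionally lets anyone who knows roughly when a PIN was issued shrink the space to a handful of candidates. The audit function is the defender's side of that observation: run over the existing store, it tells you whether the old generator is still represented there.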
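The Patch Management section argues for patch cycles measured in days or weeks rather than months. The following Python, added here as an illustration and not taken from the article or from SBS, measures fix-to-deployment latency for a system inventory against per-severity policy windows and lists the systems that are past their window, unpatched hosts included. The hostnames, dates and the SLA table are constructed assumptions.

```python
import datetime as dt
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data and an assumed policy; none of it comes from the
# article. Externally facing systems get shorter windows because they are
# the ones a penetration test or an attacker reaches first.


@dataclass
class PatchRecord:
    host: str
    external_facing: bool
    severity: str              # "critical", "high", "medium" or "low"
    released: dt.date          # date the vendor fix became available
    applied: Optional[dt.date] # None means still unpatched


# Maximum days allowed from fix release to deployment (assumed policy),
# keyed by (severity, external_facing).
SLA_DAYS = {
    ("critical", True): 7,   ("critical", False): 14,
    ("high", True): 14,      ("high", False): 30,
    ("medium", True): 30,    ("medium", False): 60,
    ("low", True): 90,       ("low", False): 90,
}


def days_open(rec: PatchRecord, today: dt.date) -> int:
    """Days from fix release to deployment, or to `today` if not yet applied."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.released).days


def sla_for(rec: PatchRecord) -> int:
    return SLA_DAYS[(rec.severity, rec.external_facing)]


def overdue(records: List[PatchRecord], today: dt.date) -> List[Tuple[str, int, int]]:
    """(host, days_open, sla_days) for every record past its window,
    ordered by how far past the window it is, worst first."""
    hits = []
    for rec in records:
        d = days_open(rec, today)
        sla = sla_for(rec)
        if d > sla:
            hits.append((rec.host, d, sla))
    hits.sort(key=lambda t: t[1] - t[2], reverse=True)
    return hits


def within_sla_ratio(records: List[PatchRecord], today: dt.date) -> float:
    """Share of records patched (or still open) within their window; a
    single number to track month over month."""
    if not records:
        return 1.0
    ok = sum(1 for r in records if days_open(r, today) <= sla_for(r))
    return ok / len(records)


# Constructed inventory (hostnames and dates are made up).
SAMPLE = [
    PatchRecord("web-01",  True,  "critical", dt.date(2017, 6, 1),  None),
    PatchRecord("web-02",  True,  "critical", dt.date(2017, 6, 1),  dt.date(2017, 6, 5)),
    PatchRecord("file-01", False, "high",     dt.date(2017, 6, 10), dt.date(2017, 7, 12)),
    PatchRecord("hr-01",   False, "low",      dt.date(2017, 6, 10), None),
]
TODAY = dt.date(2017, 7, 15)

if __name__ == "__main__":
    for host, d, sla in overdue(SAMPLE, TODAY):
        print(f"{host}: {d} days since fix release, policy allows {sla}")
    print(f"within SLA: {within_sla_ratio(SAMPLE, TODAY):.0%}")
```

Run as-is it reports web-01 (an externally facing system still unpatched 44 days after the fix shipped) and file-01 (patched, but two days past its 30-day window); web-02 and hr-01 are inside their windows. Feeding it the real inventory export is the same call with different records, and the ratio is the figure to put in front of management when arguing for shorter cycles.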
Equifax Lessons Learned continued on page 34
The Champion for Minnesota Bankers
17