Still Making Headlines – Struts 2 and the Equifax Breach

Yes, we have all seen the headlines.  But, don’t think that the issues that arose from the Equifax breach and the Struts 2 vulnerability will disappear any time soon. Last time I checked, there were 34 articles published that Contrast was either quoted or referenced. Below are just a few article links pertaining to the event that include insights from one of Contrast Security’s cyber security experts. 

CBS News
Equifax ex-CEO: Hacked Data Wasn’t Encrypted

"That situation is common among large companies, which mostly don't encrypt their databases, said Jeff Williams, co-founder of Contrast Security. ‘That probably is a best practice, but I'd say most organizations don't really do that.’Even if the data were encrypted, however, the application that the hackers exploited would still have had access to it, said Williams. So encryption wouldn't have stopped the hack.”

Here's a list of the highlights that function as a topline summary of the activity surrounding the event:

• Equifax ex-CEO: Hacked Data Wasn’t Encrypted
• Former Equifax CEO testifies before House Energy Committee - as it happened
• Risk Limited with Latest Apache Bug
• Equifax Shares More Details About Breach
• It’s official, the Equifax data breach case was caused by the exploitation of the CVE-2017-5638 Apache Struts vulnerability.
• More questions than answers in Equifax hack
• Equifax has Confirmed that an Unpatched Critical Apache Struts Vulnerability was Exploited in the Breach which Compromised the Personal Data of 143 million U.S. Citizens
• Equifax Hack Exposes App Patch Vulnerability
• Equifax Says Unpatched Apache Struts Flaw Behind Massive Security Breach
• Equifax Confirms March Struts Vulnerability Behind Breach
• FTC Opens Probe into Equifax Data Breach
• Equifax had patch 2 months before hack and didn’t install it, security group say

CBS News 
Former Equifax CEO testifies before House Energy Committee - as it happened

"The problem is that there aren't any laws and regulations forcing companies to provide a certain level of cyber security.”

USA Today
Equifax had the patch 2 months before hack and didn’t install it, security group says

“Patching can take time, even for large corporations with dedicated security staff, which Equifax presumably had, noted Jeff Williams, co-founder of Contrast Security. Williams identified a different Struts vulnerability earlier this year. Still, not doing so is “absolutely unreasonable,” he said.”

Security Week
Equifax Shares More Details about Breach

“The word patch is a bit inappropriate for this problem, since what Equifax would have had to do is replace the vulnerable Struts library with the latest one,” explained Jeff Williams, co-founder and CTO at Contrast Security. “Because this flaw has been in the Struts library for many years, there have been many other changes. That means that Equifax would have had significant rewriting to do in order to update. The process of rewriting, retesting, and redeploying can take months.”

“I think it’s outrageous that companies haven’t deployed the technology they need to protect applications from vulnerabilities during development and from attacks in operations,” Williams told SecurityWeek. “Companies that have been relying on legacy application security tools from the early 2000’s to protect their enterprise have a very false sense of their security. Those tools are simply too slow, inaccurate, and manual intensive to provide protection for modern applications and modern threats.”