The recent data breach at Equifax is a huge deal—both because of the number of customers affected, and the types and volume of information that Equifax maintains on those individuals. It may seem easy to point fingers and cast judgment on Equifax for not adequately patching and protecting its vulnerable web applications—that is until you face the fact that thousands of companies are still using vulnerable Apache Struts just like Equifax, and thousands more have web applications, content management systems and application plug-ins that make them vulnerable as well.
Equifax is a very high-profile example of what happens when critical vulnerabilities in public-facing platforms and applications are not patched. The danger is in thinking this was somehow a problem unique to Equifax rather than taking the opportunity to look in the mirror and examine your own patch management and security practices.
Vulnerable web applications are not unique to Equifax
A report from Sonatype found that in the last year more than 45,000 organizations have downloaded a version of Apache Struts with known vulnerabilities despite a more current and secure version being available. More than 3,000 organizations downloaded the exact same version of Struts2 that allowed attackers to compromise Equifax.
The issue is also not limited to Apache Struts. Yahoo just revealed that new information indicates that 3 billion—with a “B”—accounts were compromised through known vulnerabilities and custom PHP flaws in WordPress. WordPress is a widely used web content management system (CMS) that is estimated to power about 28 percent of all websites around the world. A flaw in TimThumb, a WordPress plugin used to resize large images into thumbnails, led to the compromise of a couple million WordPress sites.
Did Equifax drop the ball? Probably. Evidence thus far suggests that attackers exploited the vulnerable Apache Struts framework about two months after the vulnerability was disclosed and a patch was made available. In any event of this magnitude there is generally a cascade effect of poor processes and human error with plenty of blame to go around. While you’re shaking your head at how such a thing could happen at a company like Equifax, though, take a look at your own patch management processes and security posture and consider whether or not you have room for improvement.
Understand your full attack surface
While your attention is focused on your perimeter and mission-critical assets, attackers are using automated tools to identify and exploit known vulnerabilities in web applications and sneak in the back door. Cyber criminals are targeting weaknesses in trusted third parties to infiltrate your network undetected. You have to be aware of your entire attack surface and take steps to identify and defend against attacks no matter what the entry point is.
The problem isn’t Equifax. The reality is that most organizations fail to understand the true attack surface. Traditional security practices focus on defending the perimeter and using risk analysis to allocate security based on the criticality of the asset and the potential impact of a successful compromise. That makes logical sense on paper, but is no longer an effective approach in today’s threat landscape.