How hard is it to find security holes (like Equifax’s)?
How hard is it to find security holes — like the one Equifax had — in your computer system?
Not as hard as you might think, according to some security experts.
You might even be able to find one yourself!
You and 143 million people are now in the crosshairs of crooks after malicious hackers hit credit agency Equifax.
They did it through something called Apache Struts, an open-source framework for building Java web applications.
Developers use it as the skeleton of their projects, kind of like scaffolding.
Of course, you want to keep your projects protected.
But experts say the security hole used against Equifax is like a ladder: bad guys can use it to get over the fence and into your scaffolding.
There, they can pilfer your good stuff, like people’s valuable info, and take off.
How hard is it for a company to find out if it has one of these security holes in its system?
Not that hard, according to Contextual Security’s Slade Griffin, a penetration tester who checks systems to see if there are vulnerabilities and if malicious hackers can exploit them.
“I think this is a very simple process,” Griffin told Archer News. “It should be easy for them to do it, and I think everyone should be doing it.”
Griffin explained the basics of scanning for vulnerabilities.
Use a tool called Nmap to discover which hosts are on your network and which ports and services they expose, so you know how many systems you actually have.
Then use a vulnerability scanner to look for known security holes on those hosts.
He uses a scanner called Nessus, a commercial product.
Nmap, shown here through its Zenmap graphical front end, allows you to discover which computers are on your network. Image credit: Nmap
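The first step Griffin describes, turning an Nmap sweep into an inventory of what you have, looks like this in practice. This is an added example, not code from the article, from Griffin or from the Nmap project. It assumes you run Nmap yourself with the two command lines the helper functions build (a ping sweep with -sn, then a version scan with -sV), both writing XML to standard output with -oX -; the XML below is a constructed sample in the format Nmap produces, not real scan output.

```python
"""Turn Nmap's XML output into a host/service inventory.

Added example for the scanning procedure described in the article. The
commands are ones Nmap accepts (-sn ping sweep, -sV version detection,
-oX - XML to stdout); SAMPLE_XML is a constructed stand-in for real output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List


def discovery_command(cidr: str) -> List[str]:
    """Step 1: ping sweep only (no port probes) to learn which hosts are up."""
    return ["nmap", "-sn", "-oX", "-", cidr]


def service_scan_command(hosts: List[str]) -> List[str]:
    """Step 2: version-detect open services on the hosts found in step 1."""
    return ["nmap", "-sV", "--open", "-oX", "-", *hosts]


def parse_nmap_xml(xml_text: str) -> List[Dict[str, str]]:
    """Flatten Nmap XML into one row per (host, open port).

    A host that is up but exposes no open port still gets one row with an
    empty port, so the inventory counts every live system, not only the
    ones running a service.
    """
    rows: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts are not inventory
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        host_rows: List[Dict[str, str]] = []
        ports = host.find("ports")
        for port in ([] if ports is None else ports.findall("port")):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = (svc.get("product", "") + " " + svc.get("version", "")).strip()
            host_rows.append({
                "host": addr,
                "port": f"{port.get('protocol')}/{port.get('portid')}",
                "service": name,
                "product": product,
            })
        rows.extend(host_rows or [{"host": addr, "port": "", "service": "", "product": ""}])
    return rows


def live_hosts(rows: List[Dict[str, str]]) -> List[str]:
    """Distinct live hosts in the inventory, sorted for stable reporting."""
    return sorted({r["host"] for r in rows})


# Constructed sample: one host with two services, one live host with nothing
# open, one host that is down. Product names and versions are made up.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Apache Tomcat" version="8.5.11"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="closed"/></port></ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.10" addrtype="ipv4"/></host>
</nmaprun>"""


if __name__ == "__main__":
    print(" ".join(discovery_command("10.0.0.0/24")))
    for row in parse_nmap_xml(SAMPLE_XML):
        print(f"{row['host']:<12} {row['port']:<10} {row['service']:<8} {row['product']}")
```

Run the ping sweep first and feed only the hosts it reports into the version scan; -sV sends service probes, which is exactly the kind of traffic that has made printers print gibberish, so put fragile devices on Nmap's --exclude list before the second step. The product and version columns are what you then hand to a vulnerability scanner, or compare against vendor advisories by hand.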
“I don’t consider this to be rocket science or splitting the atom,” said Griffin. “But it is work, and it’s technical work. But it is not overly difficult.”
Scanning can cause some side effects, he warned.
For example, scanning printers has caused them to spew out “reams of gibberish” in the past, he said.
And with the computers that run factories, power plants and other industrial control systems, scanning without planning can cause major problems, so on those networks practitioners typically rely on passive discovery or scan only within a maintenance window agreed with the people who operate the equipment.
But for the office side, Griffin said people can and should learn how to do it.
“We actually want people to be secure,” said Griffin. “And we know that we can’t test everybody.”
Once you find that security hole, how do you fix it?
That can also be complicated, Griffin said, because you can break other things in the process.
So you have to plan very carefully to make it work.
Some scanning has caused printers to spew out “reams of gibberish” in the past, according to Slade Griffin. Image credit: Archer News
How long should it take to fix a vulnerability?
The Equifax security problem took months.
The announcement about the security hole came out at the beginning of March.
Equifax said it found out about the attack at the end of July.
It turns out they hadn’t fixed that security hole.
And the attack had been going on since May.
They finally fixed it — after it was too late.
The announcement about the Apache Struts vulnerability came out in March 2017. Image credit: US-CERT
We asked Griffin whether, once the planning is done, fixing this kind of security hole should take months.
"A months-involved installation?" Archer News asked.
“No,” he answered. “Like a day-involved. Like a day and a half.”
Planning for the fix and possible breaks, however, could take longer — especially if you have a system that many people depend on like Equifax’s, said Justin Jett with cybersecurity company Plixer.
“If your system breaks and then, say, it prevents all of the banks from being able to access credit profiles, you could have a really serious issue,” Jett said. “People who are trying to purchase a house or purchase a car or whatever, they might be being denied or being delayed because of this.”
On the other hand, not fixing the security hole in a timely manner can cause problems, too — more than 140 million people now vulnerable to identity theft, mass amounts of personal data floating in the hands of attackers, company executives losing their jobs and more.
“I think all companies, not just Equifax, but all companies, when they learn of a vulnerability, they should make that at some level a priority to resolve. Because the consequences can be quite severe,” Jett said.
Penetration tester Slade Griffin recommends you put together an inventory of your systems as he did in this sample chart. Image credit: Slade Griffin
Why doesn’t the vulnerability get fixed?
Some experts say people do a lot of meeting to plan out their patching road map, but never actually get in the car and drive.
“What I often see is, people make plans and policies — and they don’t ever do the work,” Griffin said. “Sometimes you need to put your head down and get stuff done.”
Some companies don’t make testing systems and fixing security holes a priority, said Jett.
“If you have a team that was doing this then there wouldn’t be this type of problem,” Jett told Archer News. “Businesses have other priorities within their IT teams.”
What happened in Equifax’s case?
The company said it knew about the hole back in March.
“Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure,” an Equifax statement said.
The efforts did not appear to work.
Equifax did not explain why, but said it is continuing to investigate.
Make your own plan
You can create your own scanning plan for your organization’s computers, Griffin said.
The Federal Trade Commission has advice and examples for businesses in this post.
Griffin wrote a blog post about it, recommending you:
—Identify what you have in your system
—Look at a "hardening guide" like the CIS Benchmarks from the Center for Internet Security
—Develop a way to scan your system for vulnerabilities
—Make a plan of how to fix them
—Create a policy on when to apply patches
“Something as simple as we’ve outlined above could give someone like Equifax visibility into their current vulnerabilities and a plan to deal with them as they are discovered,” Griffin wrote in his post.
“You need to have a plan,” he told Archer News. “You need to have a process, and how you’re going to execute it.”
You can create a grid like this one to lay out your policy on when you will patch security holes in your system. Image credit: Slade Griffin
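The patch-timing grid Griffin describes, and the "make a plan of how to fix them" step of his list, can be turned into a small policy that rates each scanner finding and says whether it is still within its deadline. This is an added example and not Griffin's chart or any code from the article. The CVSS severity bands follow the CVSS v3 qualitative rating scale; the number of days allowed per severity and exposure in POLICY_DAYS is an assumed value to be replaced with your own policy, and the findings and dates are constructed sample data chosen to mirror the article's timeline.

```python
"""Patch-deadline policy grid applied to vulnerability-scanner findings.

Added example. POLICY_DAYS holds ASSUMED deadlines for illustration;
severity() uses the CVSS v3 rating bands. SAMPLE findings are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


def severity(cvss: float) -> str:
    """Qualitative rating for a CVSS v3 base score (None rating omitted)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


# The grid: rows are severity, columns are exposure, cells are the number of
# days after discovery by which a patch must be applied. ASSUMED values.
POLICY_DAYS = {
    "critical": {"internet": 7, "internal": 14},
    "high": {"internet": 30, "internal": 60},
    "medium": {"internet": 90, "internal": 120},
    "low": {"internet": 180, "internal": 365},
}


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    exposure: str            # "internet" (reachable from outside) or "internal"
    found: date              # when the scanner, or an advisory, first told you
    fixed: Optional[date] = None


def deadline(f: Finding) -> date:
    if f.exposure not in ("internet", "internal"):
        raise ValueError(f"unknown exposure {f.exposure!r} for {f.host}")
    return f.found + timedelta(days=POLICY_DAYS[severity(f.cvss)][f.exposure])


def status(f: Finding, today: date) -> str:
    """One of: open, overdue, fixed on time, fixed late."""
    due = deadline(f)
    if f.fixed is None:
        return "overdue" if today > due else "open"
    return "fixed on time" if f.fixed <= due else "fixed late"


def days_overdue(f: Finding, today: date) -> int:
    """How far past the deadline the fix landed, or how far it is today."""
    end = f.fixed or today
    return max(0, (end - deadline(f)).days)


def report(findings: List[Finding], today: date) -> List[Tuple[str, str, str, str, int]]:
    """Rows of (host, title, severity, status, days overdue), worst first."""
    rows = [(f.host, f.title, severity(f.cvss), status(f, today), days_overdue(f, today))
            for f in findings]
    return sorted(rows, key=lambda r: -r[4])


# Constructed sample findings. The first one mirrors the article's timeline:
# an internet-facing critical flaw announced in early March, still unpatched
# at the end of July.
SAMPLE = [
    Finding("web-01", "Apache Struts remote code execution", 10.0, "internet", date(2017, 3, 8)),
    Finding("db-03", "Outdated database client library", 5.3, "internal", date(2017, 3, 8), date(2017, 6, 1)),
    Finding("web-02", "TLS library flaw", 7.5, "internet", date(2017, 4, 1), date(2017, 5, 15)),
]

if __name__ == "__main__":
    for row in report(SAMPLE, date(2017, 7, 29)):
        print("{:<8} {:<38} {:<9} {:<14} {:>4}".format(*row))
```

Feed the grid the scanner's export instead of SAMPLE and run report() on every scan; an "overdue" row that survives two scans in a row is the signal that a plan exists but nobody has driven the car.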
Make a team
Some companies have thousands of systems with many different kinds of software, Jett said.
They should identify what software they have, which version they are using and whether it has any known vulnerabilities, he said, and have a regularly scheduled upgrade window to fix them.
If companies don’t have their own team, they can bring in an outside team to help, he added.
All this can cost money, of course.
“It does, but at the same time,” Jett said, “maybe it’s a matter of, ‘Do you pay the cost to prevent your users from being exposed, or do your users have to pay the costs?’”
In the case of Equifax, you and up to 143 million other people may have to pay, possibly for the rest of your life.