Why the Equifax security threat isn’t over yet

Here's what you can do to make sure your company isn't negatively affected and to protect your company's use of open source code

Close to 150 million consumers were affected by the recent Equifax hack. While most of the media attention has been focused on protecting individual consumers from identity theft, this article focuses on protecting businesses. Because this hack is just the beginning of what’s to come, three things are likely to happen:

  1. More companies will be exploited through Struts in the coming months due to old versions of Struts still present in applications.
  2. Larger scale attacks, affecting multiple companies at once, will occur, leveraging vulnerable open source components.
  3. Regulation will ramp up across multiple industries forcing tighter security management.

Before we get into what’s likely to happen, here’s a quick recap of the Equifax situation.

Equifax was hacked through the application layer, meaning that bad actors were able to access data remotely via Equifax’s web application. The opening in the application was created by a security vulnerability in Apache Struts, an open source framework Equifax was using. Struts lets developers build web applications faster by reusing features that someone else has already coded.

The simplest solution would have been for Equifax to patch the vulnerability when Apache released an updated version on March 7, 2017, two months before the hack occurred. However, that is easier said than done. Knowing whether your company is vulnerable to a hack through open source components is very hard, since most companies’ developers integrate thousands of such components. The lack of a complete accounting of which open source was in use may be why Equifax was left exposed. And Equifax isn’t the only company guilty of this.

It’s hard for companies to know what to update

At least half of the Fortune 100 companies also use Struts as a framework for their applications. Fewer than 10 percent of companies monitor the open source in use across their organization, so even if these companies wanted to update their versions of Struts, they would have a hard time figuring out which applications use it. That is why many companies are still vulnerable to the same attack Equifax suffered, and we are likely to see more copycats in the coming months.

Easy exploitation of open source vulnerabilities

If someone were to give you a key that opened a specific lock used by many different stores, all you would have to do is find which stores use that lock. When open source vulnerabilities are announced, bad actors are handed a metaphorical key to a company through its applications and websites. Sometimes the exploits for these vulnerabilities are packaged into an exploit kit found on the dark web, which requires little more than the press of a button to execute.

Because open source vulnerabilities can be repeatedly exploited across many applications if they are left unpatched, we are likely to see larger scale attacks on popular open source components against multiple companies at once.

Increase in regulation

Equifax is currently undergoing multiple investigations into their process and procedures for securing their applications and data. The Federal Trade Commission took the unusual step of announcing it has opened a probe into the company’s practices. The Consumer Financial Protection Bureau also announced its own investigation, and the House Financial Services Committee plans to hold hearings on the breach in early October when Equifax’s CEO is scheduled to testify.

Equifax has opened the door to a new kind of scrutiny, specifically around the use and management of open source. Every company, but especially companies in highly regulated industries like finance and healthcare, should brace themselves for the new scrutiny that will be placed on their organizations. The first question I could see being asked is “Are you using Struts? If so, what are you doing to ensure it is up to date and secure?”

What can you do?

If you have application security colleagues in your organization who haven’t recognized the potential problem of using open source, they have their heads in the sand. Almost every security professional knows there is a risk, but most have not had the pressure (or support) from management to address it. Now the pressure is on, and there is a newly born call to arms against the vulnerabilities that open source software can sometimes present.

Start by figuring out which open source components (and which versions) your developers have integrated into your applications. Then track version updates and published security vulnerabilities for each of them. The process you implement matters because open source propagates quickly within an organization: on average, a developer adds five new open source components a month. If possible, find a software solution that embeds in your development process and builds a live inventory of your open source components, so that every time a headline like Equifax occurs (and there will be more), you know exactly if and where you are affected.
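The inventory step described above can be started with nothing more than the build manifests already in your repositories. The script below is an added illustration for this article, not code from Equifax, Apache, or any vendor: it reads a Maven pom.xml, resolves `${property}` version references, lists every dependency, and classifies the Struts artifacts as outdated, current, or unknown against a minimum fixed version you supply. The sample pom.xml is constructed, and the minimum version "2.3.99" is a placeholder to be replaced with the fixed version from the Apache Struts advisory you are tracking. An artifact whose version is inherited from a parent POM or BOM cannot be resolved from this file alone, so it is reported as unknown rather than silently passed.

```python
"""Inventory Apache Struts dependencies in a Maven pom.xml and flag versions
below a minimum you take from the vendor advisory.

Added illustration for this article; not Equifax's, Apache's, or any
vendor's code. The minimum fixed version used in __main__ is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml: one Struts artifact pinned through a property,
# one whose version is inherited (unresolvable here), and one unrelated library.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>claims-portal</artifactId>
  <version>3.1.0</version>
  <properties>
    <struts.version>2.3.20</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>23.0</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '2.3.20' or '2.5.10.1' into a tuple of ints so versions compare
    numerically (so 2.3.9 < 2.3.20). A non-numeric suffix such as
    '-SNAPSHOT' and anything after it is dropped."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def inventory(pom_xml):
    """Return [(groupId, artifactId, version_or_None), ...] for every entry in
    <dependencies>, resolving ${property} references from <properties>.
    A missing or unresolvable version is reported as None."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find(MAVEN_NS + "properties")
    if props_el is not None:
        for p in props_el:
            props[p.tag.replace(MAVEN_NS, "")] = (p.text or "").strip()
    deps = []
    for dep in root.findall(MAVEN_NS + "dependencies/" + MAVEN_NS + "dependency"):
        gid = dep.findtext(MAVEN_NS + "groupId", "").strip()
        aid = dep.findtext(MAVEN_NS + "artifactId", "").strip()
        ver = dep.findtext(MAVEN_NS + "version")
        if ver is not None:
            ver = ver.strip()
            m = re.fullmatch(r"\$\{(.+)\}", ver)
            if m:
                ver = props.get(m.group(1))  # None if the property is undefined
        deps.append((gid, aid, ver))
    return deps


def assess(deps, group_id, min_fixed):
    """Classify each dependency from group_id against min_fixed (a version
    string from the vendor advisory). Returns {artifactId: status} with status
    'outdated', 'ok', or 'unknown' (version not resolvable from this pom)."""
    fixed = parse_version(min_fixed)
    report = {}
    for gid, aid, ver in deps:
        if gid != group_id:
            continue
        if not ver:
            report[aid] = "unknown"
        elif parse_version(ver) < fixed:
            report[aid] = "outdated"
        else:
            report[aid] = "ok"
    return report


if __name__ == "__main__":
    deps = inventory(SAMPLE_POM)
    # Placeholder minimum: substitute the fixed version from the Apache advisory.
    for artifact, status in sorted(assess(deps, "org.apache.struts", "2.3.99").items()):
        print(f"{artifact}: {status}")
```

Run it across every pom.xml in your source tree and keep the resulting list, including the "unknown" entries, which are the ones that need a resolved dependency tree (for example from the build tool itself) before you can say whether the application is affected.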

Copyright © 2017 IDG Communications, Inc.
