Life was so simple, then Equifax, SEC, Whole Foods, Deloitte all hacked!
by Brian Berger, EVP of Commercial Cybersecurity
I have been getting calls and emails for the last few weeks about all the hacks and cyber events. The central question is always, “What do I do to protect myself?” It is actually an impossible question to answer. Why? We do not have control of our own identities and assets. They are managed, and may even be owned, by third parties. How can this be true?
The Credit Reporting Agencies (CRAs) own and/or sell our credit identity information as a business. Who owns your identity from a credit reporting perspective? Perhaps it is not you. But let’s ask the question: how did I lose control of my credit identity to a third party? The information in your credit report comes directly from companies that have extended you credit in the past or from those with which you have open accounts. Credit card companies, banks, credit unions, retailers, and auto and mortgage lenders all report the details of your credit activity to the CRAs. The CRAs also receive information from debt collectors, and they purchase public records, such as bankruptcies, tax liens, and judgments, from public record providers. Now we know how our credit identity was assembled, but what obligation do the CRAs have to protect this information?
The Federal Trade Commission (FTC) has published a Safeguards Rule for protecting consumer information. Institutions under FTC jurisdiction must have measures in place to keep customer information secure, and the CRAs fall under FTC jurisdiction by definition. The safeguards are designed to be flexible for implementation by each organization rather than prescriptive in nature. The Rule’s guidance on implementation processes for protecting consumer information references:
- Computer Security Resource Center, National Institute of Standards and Technology (NIST): http://csrc.nist.gov
- National Strategy to Secure Cyberspace, Department of Homeland Security: http://www.dhs.gov/files/publications/editorial_0329.shtm
- The SysAdmin, Audit, Network, Security (SANS) Institute, The Twenty Most Critical Internet Security Vulnerabilities: sans.org/top20
- United States Computer Emergency Readiness Team (US-CERT): us-cert.gov/resources.html
- Carnegie Mellon Software Engineering Institute, CERT Coordination Center: cert.org
The recent testimony and prepared statement from Equifax point to a failure in the process and implementation of a standard software patching program. Another alarming fact from the prepared testimony was the lack of monitoring and process around a known vulnerability, followed, several months later, by awareness of that vulnerability through network traffic monitoring (and still a lack of action). The vulnerability identified led the forensics team back to the original software, which had a known vulnerability that had never been patched. The contradiction, and/or the failure to use monitoring tools, is a key message. Monitoring of critical systems, of identified vulnerabilities, and of changes in network traffic behavior are critical controls of a cybersecurity program. In addition to training and process management, a cyber event can be prevented and/or observed in real time based on network behaviors.
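To make the patching-process point concrete, here is an added example (mine, not Equifax’s or the FTC’s) that checks an asset inventory against a patch deadline and flags assets whose known vulnerability has stayed unpatched past it; the inventory records, advisory identifiers, dates and 30-day deadline are all constructed assumptions.

```python
from datetime import date

# Assumed policy: a published fix for a known vulnerability must be applied within 30 days.
PATCH_SLA_DAYS = 30

# Constructed inventory (not real assets or advisories): which advisory applies to each
# asset, when the fix was published, and when the asset was patched (None = still open).
INVENTORY = [
    {"asset": "web-01", "advisory": "ADV-EXAMPLE-1", "published": date(2017, 3, 7), "patched": None},
    {"asset": "web-02", "advisory": "ADV-EXAMPLE-1", "published": date(2017, 3, 7), "patched": date(2017, 3, 20)},
    {"asset": "db-01", "advisory": "ADV-EXAMPLE-2", "published": date(2017, 5, 1), "patched": date(2017, 6, 15)},
]


def patch_lag_days(record, today):
    """Days between the fix being published and the asset being patched (or today, if still open)."""
    end = record["patched"] or today
    return (end - record["published"]).days


def overdue_assets(inventory, today, sla_days=PATCH_SLA_DAYS):
    """Open risk: assets still unpatched after the deadline. This is the list to escalate."""
    return [
        (r["asset"], r["advisory"], patch_lag_days(r, today))
        for r in inventory
        if r["patched"] is None and patch_lag_days(r, today) > sla_days
    ]


def late_patches(inventory, sla_days=PATCH_SLA_DAYS):
    """Process failure: assets that were eventually patched, but only after the deadline."""
    return [
        (r["asset"], r["advisory"], patch_lag_days(r, r["patched"]))
        for r in inventory
        if r["patched"] is not None and patch_lag_days(r, r["patched"]) > sla_days
    ]


if __name__ == "__main__":
    as_of = date(2017, 7, 29)  # constructed reporting date
    for asset, adv, lag in overdue_assets(INVENTORY, as_of):
        print(f"OVERDUE  {asset} {adv}: unpatched for {lag} days")
    for asset, adv, lag in late_patches(INVENTORY):
        print(f"LATE     {asset} {adv}: patched after {lag} days")
```

Run on a schedule, the first list is what a monitoring program should have surfaced long before network traffic did; the second list measures how reliably the patching process meets its own deadline.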
Back to the original question: “What do I do to protect myself?” Here are some helpful tactics that are simply good cyber hygiene.
- Change your passwords so that each one is unique; do not reuse the same password
- Use complex passwords or a password generator
- Set up identity monitoring services through reputable sources
- Set up monitoring and alerts on bank accounts for money movement
- Consider the option to shut down all credit application services
- Run anti-virus/anti-malware products on all devices you own
- Make sure you have a firewall and that its settings are not left at “default”
- Make sure all connected devices are protected and not left at default settings; segment them if possible
- Learn about phishing and ransomware best practices
- Don’t surf unknown web sites
- If something looks suspicious or you are questioning its authenticity, investigate rather than act