Verification Vs. Validation

Doing Right Things vs.
Doing Things Right

Today I would like to talk about verification versus validation. With respect to security, businesses are often focused on doing the right things but fail to do those things right. Equifax is an example of an organization that strategically was doing the right things but tactically was not doing them right. The following account is drawn from the report of the US House of Representatives Committee on Oversight and Government Reform.

The Equifax Data Breach

To recap the incident, in 2017 Equifax suffered a data breach that affected 148 million people. Strategically, Equifax had embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. In doing so it also inherited multiple legacy systems, some of which contained vulnerabilities that the organization failed to adequately patch.

Apache Struts Vulnerability

On March 7, 2017, a critical vulnerability in the Apache Struts web application framework (CVE-2017-5638, Struts advisory S2-045) was publicly disclosed, together with a fixed version. The flaw allowed unauthenticated remote code execution through a crafted HTTP request. Equifax used Apache Struts to run certain applications on legacy operating systems. Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal originally developed in the 1970s, was running a version of Apache Struts containing the vulnerability. A vulnerability scan Equifax ran shortly after the disclosure did not identify the unpatched Struts instance in ACIS, so the company did not patch it, leaving its systems and data exposed.

The Cyber Attack on ACIS

On May 13, 2017, attackers began a cyber attack on Equifax that lasted 76 days. The attackers dropped “web shells” (web-based backdoors) on the ACIS servers to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling them to reach sensitive data outside of the ACIS environment. The attackers used these credentials to access 48 unrelated databases.

In addition to the patching failure, the device used to monitor ACIS network traffic had effectively been inactive for 19 months because its SSL certificate had expired, so the encrypted traffic passing through it could not be inspected. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic.

Data Compromise

By then it was too late; the databases had already been compromised, and management had been unaware of the event for more than two months. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company acted on the security issues that were already observable before the attack, it could have prevented the data breach.

While Equifax pursued the strategic vision of growing the company into one of the largest consumer reporting agencies in the world (Doing the Right Things), it failed to adequately protect the information it was collecting (Doing the Things Right).

Validation and Verification

This is the basic distinction between validation and verification. Validation asks whether the right controls were chosen for the risk (Doing the Right Things); verification asks whether those controls are actually in place and working as designed (Doing the Things Right). Many companies have patch management systems, but they fail to verify that the required patches have been applied correctly across all their systems and are working as intended; a scanner that misses an unpatched component, or a monitoring device whose certificate has expired, is a control that exists on paper but is not doing its job. Companies also fail to update applications on a timely basis, exposing the company and its customer base to potential compromise of sensitive data. Finally, many companies let licensing and subscription agreements lapse, so the controls they have in place stop receiving updates for the latest vulnerabilities. This is similar to buying antivirus software but failing to pay for the service renewal: even though the application still runs, it is no longer protecting your system from current malware.
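As an added example of what this kind of verification looks like in practice (this is illustrative code written for this article, not tooling from Equifax or from the House report), the script below runs two checks against the two control failures described above: it inspects an inventory of deployed Struts jars and flags any that predate the S2-045 fix (the fixed releases were 2.3.32 and 2.5.10.1), and it flags any monitoring device whose inspection certificate has already expired. The host names, jar names, and certificate dates are constructed for the example; the audit date is set to July 29, 2017, the day Equifax renewed its certificate.

```python
"""Verification checks for two of the control failures in the Equifax breach:
unpatched Apache Struts and an expired certificate on a traffic-monitoring
device.  Added example for this article; all inventory data is constructed."""
import re
from datetime import datetime, timezone

# Minimum fixed versions for Struts S2-045 (CVE-2017-5638), per release branch.
FIXED = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}

# Matches the Struts 2 core jar, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

# Constructed asset inventory: what a patch-management system believes is deployed.
INVENTORY = [
    {"host": "acis-web-01", "app": "ACIS", "jar": "struts2-core-2.3.31.jar"},
    {"host": "portal-02", "app": "billing", "jar": "struts2-core-2.5.10.1.jar"},
    {"host": "portal-03", "app": "disputes", "jar": "struts2-core-2.5.10.jar"},
    {"host": "legacy-09", "app": "reports", "jar": "struts-core-1.2.9.jar"},
]

# Constructed monitoring devices with the expiry of the certificate they decrypt with.
SENSORS = [
    {"device": "acis-ids-01", "not_after": "2015-11-30T00:00:00+00:00"},
    {"device": "core-ids-02", "not_after": "2018-01-15T00:00:00+00:00"},
]

AUDIT_DATE = datetime(2017, 7, 29, tzinfo=timezone.utc)


def parse_version(jar_name):
    """Return the version tuple embedded in a struts2-core jar name, or None."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True if this Struts version predates the S2-045 fix on its branch.
    Branches the table does not cover are treated as unverified, hence flagged."""
    branch = ".".join(str(p) for p in version[:2])
    fixed = FIXED.get(branch)
    if fixed is None:
        return True
    # Tuple comparison handles the four-part 2.5.10.1: (2, 5, 10) < (2, 5, 10, 1).
    return version < fixed


def audit_patch_state(inventory):
    """Flag every deployment whose Struts jar is unpatched or cannot be identified.
    Returns a list of (host, app, reason) tuples."""
    findings = []
    for rec in inventory:
        ver = parse_version(rec["jar"])
        if ver is None:
            findings.append((rec["host"], rec["app"], "cannot determine Struts version"))
        elif is_vulnerable(ver):
            label = ".".join(str(p) for p in ver)
            findings.append((rec["host"], rec["app"], "Struts %s vulnerable to S2-045" % label))
    return findings


def audit_monitoring_certs(sensors, now):
    """Flag monitoring devices whose certificate has expired: an expired cert means
    the sensor has silently stopped inspecting traffic even though it is still 'up'.
    Returns a list of (device, days_expired, reason) tuples."""
    findings = []
    for s in sensors:
        not_after = datetime.fromisoformat(s["not_after"])
        if not_after <= now:
            days = (now - not_after).days
            findings.append((s["device"], days, "certificate expired %d days ago; traffic not inspected" % days))
    return findings


if __name__ == "__main__":
    for host, app, reason in audit_patch_state(INVENTORY):
        print("PATCH   %-12s %-9s %s" % (host, app, reason))
    for device, _, reason in audit_monitoring_certs(SENSORS, AUDIT_DATE):
        print("MONITOR %-12s %s" % (device, reason))
```

The point of the script is not the version arithmetic but the verification step itself: it checks the actual artifact on each host rather than trusting that a patch job ran, and it treats a component it cannot identify as a finding rather than silently passing it, which is the failure mode that let the ACIS instance slip through.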

Why Choose ASCERTIS Solutions

Small companies need an assessment that determines both whether protection for sensitive information has been considered in the IT design (Doing the Right Thing) and whether that protection is actually working as designed (Doing the Thing Right). ASCERTIS Solutions provides an intuitive application that allows your security organization to perform this assessment, and also offers certified cyber experts to assist with it.