Equifax security breach: Another victim due to missed patching
The recent security breach of an Equifax online portal exposed the personal data of more than 143 million consumers; credit card details of approximately 209,000 consumers were also accessed remotely. The attackers exploited a vulnerability (CVE-2017-5638) in the Apache Struts framework underlying the Equifax online dispute portal.
The intrusion continued for more than one and a half months until Equifax's security team noticed it on July 30, 2017, prompted by suspicious network traffic. The key point is that the Apache Software Foundation had identified and disclosed the Struts vulnerability in early March 2017, so Equifax had more than two months to apply the patch and prevent the entire incident.
Because Struts is so widely used, many enterprises are exposed simply by having the affected library bundled in their applications. To secure your application, upgrade to Apache Struts 2.3.32 or 2.5.10.1. The alternative is to replace the Jakarta Multipart parser used for file uploads, which is the vulnerable component, with a different multipart parser implementation.
The Equifax case shows why it is worth asking how such breaches can be avoided. This is where next-gen endpoint management and detection tools come in. These unified tools go beyond managing endpoints and give 360-degree visibility of the whole estate, including server infrastructure such as the portal affected at Equifax. Vulnerabilities need to be detected and managed in real time, because they can be exploited to massive effect within minutes of public disclosure. Beyond real-time information, these unified tools can act quickly as soon as a vulnerability is disclosed.
Accelerite's unified endpoint solutions – Sentient & Radia – provide everything you need for in-place remediation: a 360-degree view and real-time information about your infrastructure, plus detailed analytics and visualization of its status, to keep your systems safe at all times.
With Accelerite Sentient you can detect key indicators in real time and assess the vulnerability and compliance status of your organization's endpoints and servers. Sentient gives enterprises a comprehensive way to spot a potential vulnerability, such as the one Apache announced for Struts in Security Bulletin S2-045, as soon as it is published. Apache released the fix for that vulnerability in early March 2017; Radia ensures there is no delay in applying such an update, keeping all endpoints and servers secure.
Detecting potential vulnerabilities and intrusions
Being secure also means being observant. Things to watch for include abnormal periods of high site usage and suspicious files: files in unexpected locations such as the web root, files with unusual timestamps, and files referencing keywords like cmd.exe. Also watch for files or processes generating unexpected network traffic or connections, login attempts that originate from or pass through DMZ servers, and shell commands spawned by web server processes.
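The indicators above can be checked mechanically. The script below is an added example, not code from the original post or from Accelerite Sentient/Radia: it runs each check over constructed sample logs (an access log with the Content-Type header appended, a process-audit log, an auth log and a web-root listing). The log layouts, the DMZ range and the deployment time are assumptions made so it runs offline; the Content-Type check looks for OGNL expression markers, which is the injection point used against CVE-2017-5638.

```python
"""Triage of the indicators listed above over constructed sample logs.

Added example; this is not code from the original post or from Accelerite
Sentient/Radia. The log layouts, the DMZ range and the deployment time are
assumptions made so the script runs offline.
"""
import re
from ipaddress import ip_address, ip_network

# Markers of an OGNL expression in a Content-Type header, the injection point
# used against CVE-2017-5638; a legitimate multipart Content-Type never has them.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#cmd=")

# Shell binaries a web-server worker has no business spawning.
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}
WEB_WORKERS = {"java", "tomcat", "httpd", "apache2", "nginx", "w3wp.exe"}

# Keywords typical of dropped web shells.
WEBSHELL_KEYWORDS = re.compile(r"cmd\.exe|Runtime\.getRuntime\(\)\.exec|/bin/sh", re.IGNORECASE)

DMZ = ip_network("10.50.0.0/16")  # assumed DMZ range; use your own
DEPLOY_TIME = 1493596800          # assumed last deployment, 2017-05-01T00:00:00Z

# Constructed access-log lines: client, request, status, Content-Type header.
ACCESS_LOG = [
    '203.0.113.7 "POST /dispute/upload.action HTTP/1.1" 200 ct="multipart/form-data; boundary=xyz"',
    '198.51.100.9 "POST /dispute/upload.action HTTP/1.1" 200 ct="%{#cmd=\'id\'}"',
    '203.0.113.8 "GET /index.action HTTP/1.1" 200 ct="-"',
]
# Constructed process-audit lines: parent process, child process, command line.
PROC_LOG = [
    "parent=java pid=2211 child=sh cmd='sh -c \"id\"'",
    "parent=cron pid=17 child=sh cmd='sh -c /etc/cron.hourly/logrotate'",
    "parent=tomcat pid=2212 child=cmd.exe cmd='cmd.exe /c whoami'",
]
# Constructed auth-log lines.
AUTH_LOG = [
    "sshd: accepted password for appadmin from 10.50.3.14 port 51022",
    "sshd: accepted publickey for ops from 10.20.1.5 port 40110",
]
# Constructed web-root listing: path, mtime (epoch seconds), first bytes of content.
WEBROOT = [
    ("/opt/tomcat/webapps/ROOT/index.jsp", 1493596700, "<html><body>Dispute portal</body></html>"),
    ("/opt/tomcat/webapps/ROOT/images/x.jsp", 1497000000, '<% Runtime.getRuntime().exec(request.getParameter("c")); %>'),
]

ACCESS_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]+)" (?P<status>\d{3}) ct="(?P<ct>.*)"$')
PROC_RE = re.compile(r"^parent=(?P<parent>\S+) pid=\d+ child=(?P<child>\S+) cmd='(?P<cmd>.*)'$")
AUTH_RE = re.compile(r"accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")


def suspicious_requests(lines):
    """(client, request) for requests whose Content-Type carries OGNL markers."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and OGNL_MARKERS.search(m.group("ct")):
            hits.append((m.group("ip"), m.group("req")))
    return hits


def shells_from_web_workers(lines):
    """(parent, child, command) where a web-server process spawned a shell."""
    hits = []
    for line in lines:
        m = PROC_RE.match(line)
        if m and m.group("parent") in WEB_WORKERS and m.group("child") in SHELLS:
            hits.append((m.group("parent"), m.group("child"), m.group("cmd")))
    return hits


def logins_from_dmz(lines, dmz=DMZ):
    """(user, source ip) for successful logins originating inside the DMZ range."""
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and ip_address(m.group("ip")) in dmz:
            hits.append((m.group("user"), m.group("ip")))
    return hits


def suspicious_webroot_files(entries, deploy_time=DEPLOY_TIME):
    """(path, reasons) for files newer than the last deployment or containing shell keywords."""
    hits = []
    for path, mtime, head in entries:
        reasons = []
        if mtime > deploy_time:
            reasons.append("modified after deploy")
        if WEBSHELL_KEYWORDS.search(head):
            reasons.append("shell keyword")
        if reasons:
            hits.append((path, reasons))
    return hits


if __name__ == "__main__":
    print(suspicious_requests(ACCESS_LOG), shells_from_web_workers(PROC_LOG),
          logins_from_dmz(AUTH_LOG), suspicious_webroot_files(WEBROOT), sep="\n")
```

On a real host the same checks would read the server's own access log (with `%{Content-Type}i` added to the log format), an auditd or Sysmon process feed, the SSH or Windows logon events, and an `os.walk` of the deployed web root; the regular expressions are the part worth keeping, the sample lines are only there to show what each check fires on.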
Security Patch Levels
The best way to stay safe is to ensure that all critical updates have been installed for the operating system and applications. Sentient's script execution capability lets you check for all relevant patches across all your endpoints in seconds.
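For the Struts case specifically, the patch-level check comes down to finding every deployed struts2-core jar and comparing its version against the affected ranges. The following is an added example, not the original post's code and not a Sentient or Radia script: it implements that comparison with proper numeric version tuples (a plain string compare would rank 2.5.10.1 below 2.5.10) and runs it over a constructed list of jar paths. The affected ranges and fixed releases are those given in Apache Security Bulletin S2-045; the paths are made up.

```python
"""Check deployed Struts jars against the S2-045 fixed releases.

Added example; this is not code from the original post or from Sentient/Radia.
The jar paths below are constructed. The affected ranges (2.3.5 to 2.3.31 and
2.5 to 2.5.10) and fixed releases (2.3.32 and 2.5.10.1) are those given in
Apache Security Bulletin S2-045.
"""
import os
import re

JAR_RE = re.compile(r"^struts2-core-(?P<ver>\d+(?:\.\d+)*)\.jar$")


def parse_version(ver):
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare component-wise, so
    (2, 5, 10, 1) > (2, 5, 10); a plain string compare would get 2.5.10.1 wrong."""
    return tuple(int(part) for part in ver.split("."))


AFFECTED = [
    (parse_version("2.3.5"), parse_version("2.3.31")),
    (parse_version("2.5"), parse_version("2.5.10")),
]


def is_vulnerable(ver):
    """True if ver falls inside an affected range from S2-045."""
    v = parse_version(ver)
    return any(low <= v <= high for low, high in AFFECTED)


def vulnerable_jars(paths):
    """(path, version) for every struts2-core jar in an affected version."""
    hits = []
    for path in paths:
        m = JAR_RE.match(os.path.basename(path))
        if m and is_vulnerable(m.group("ver")):
            hits.append((path, m.group("ver")))
    return hits


def audit(root):
    """Walk a tree such as a Tomcat webapps directory and report vulnerable jars."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return vulnerable_jars(paths)


# Constructed sample of jar paths as a scan might report them.
SAMPLE_JARS = [
    "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/intranet/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, ver in vulnerable_jars(SAMPLE_JARS):
        print(f"VULNERABLE {ver}: {path}")
```

A file-name check is a first pass only: a jar that has been renamed, shaded into a fat jar or unpacked into WEB-INF/classes will not match, so an inventory should also read the jar's manifest or the application's build metadata. Versions older than the ranges listed in S2-045 are unsupported rather than known-good and should be upgraded as well.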
Prevention and mitigation
Implementing least-privilege policies and securely configuring web servers (restricting or blocking services and ports as appropriate) is key to protecting a system. Change default login credentials and validate all user input so that local and remote file inclusion is not possible. Establish a "known good" version of each relevant server and keep an offline backup of it. All this and more can be achieved with Sentient through the underlying operational tool, e.g. Radia.
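Of the measures above, input validation against file inclusion is the one that is easiest to get subtly wrong, so here is an added example of the weak form beside the hardened form. It is not code from the original post or from Accelerite; WEB_ROOT and the function names are assumptions for illustration. The hardened version rejects URL schemes (remote inclusion), NUL bytes, absolute paths and any name that normalises to a location outside the web root.

```python
"""Input validation against local and remote file inclusion.

Added example; not code from the original post or from Accelerite. WEB_ROOT
and the function names are assumptions for illustration.
"""
import posixpath
from urllib.parse import urlsplit

WEB_ROOT = "/var/www/html"


def include_path_unsafe(name):
    """The 'before': plain concatenation, so '../' climbs out of the web root."""
    return WEB_ROOT + "/" + name


def include_path_safe(name, web_root=WEB_ROOT):
    """Return the file to include, or raise ValueError.

    Rejects remote inclusion (anything with a URL scheme), NUL bytes,
    absolute paths, and any name that normalises to outside web_root.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in include name")
    if urlsplit(name).scheme:  # http://, php://, data:, file:// ...
        raise ValueError("remote inclusion not allowed")
    name = name.replace("\\", "/")  # treat Windows separators like '/'
    if name.startswith("/"):
        raise ValueError("absolute paths not allowed")
    candidate = posixpath.normpath(posixpath.join(web_root, name))
    if not candidate.startswith(web_root.rstrip("/") + "/"):
        raise ValueError("path escapes web root")
    return candidate


def rejects(name):
    """True if include_path_safe refuses name; used for the checks below."""
    try:
        include_path_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("pages/about.html", "../../etc/passwd", "http://203.0.113.5/shell.txt"):
        print(name, "->", "rejected" if rejects(name) else include_path_safe(name))
```

Two caveats for real use: the check works on the textual path, so on a filesystem with symbolic links under the web root resolve the candidate with `os.path.realpath` and re-check the prefix before opening it; and where the set of includable pages is known in advance, an allowlist of names beats any amount of path normalisation.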
Information gathering and remediation solutions like Sentient are how the risks associated with security breaches can be mitigated. Through real-time visibility coupled with quick action, Sentient keeps your infrastructure secure at all times.
Sentient is available for free trial at https://accelerite.com/products/sentient/.