The difference between awareness and action
Do you remember Equifax? Maybe in combination with the word "hack"? The Equifax hack in September 2017 was one of the most momentous attacks in recent history. The hackers stole about 143 million records relating to customers in the US, Canada and the UK. The incident is particularly dramatic because Equifax, the largest credit agency in the United States, has extremely sensitive data at its disposal. It's reasonable to expect that Equifax would have made significant effort to protect this data. However, the hackers were able to gain access to various systems and remain undetected over several months while stealing social security numbers, birth dates, addresses, driver's license numbers, 290,000 credit card numbers and other data. It will never be possible to determine the exact consequences for those affected, but it can be assumed that the data records are still being traded and exploited online.
It's easy to wisely repeat "There is no such thing as 100% security", just like after the recent data breach in the German parliament. Sure, if you lock everything away and work in complete isolation you wouldn't be able to communicate or achieve much. However, the long-awaited forensic report of the incident was recently published. And it shows that there was still some room for improvement before reaching security overkill. Quite a lot of room, actually. The report clearly shows that the company were aware of security precautions they were not implemented properly. In part, the authors list hair-raising mistakes that had nothing to do with lack of financial resources or complex attack methods.
The hackers initially gained through unpatched Apache Struts code. The IT department had scanned for the vulnerability, but only in the root directory, not in the subdirectories. The hackers were able to exploit the vulnerability which gave them a way into the network. They had plenty of time to look around undisturbed as the intrusion detection system could not read the SSL-encrypted data because a certificate had expired and had not been renewed. For 19 months. The architecture was right, the hardware was there, but nobody had thought about setting up a process to monitor the expiration dates of the certificates. All alarm bells rang promptly when the certificate was finally renewed and the IDS reported huge amounts of unauthorized data.
It was also completely negligent and reckless not to segment an ancient database system that only required access to three other databases. Full access to the entire network gave the attackers access to 48 additional databases outside the system. The report describes numerous other omissions, which can roughly be summarized with the word "clueless".
Yes, there is no such thing as 100% security and anyone can make mistakes. But a mistake shouldn't have such fatal consequences, that's exactly what measures like segmentation, DMZ, firewalls and above all well thought-out and lived processes are for. Anyone who relies blindly on an IDS is left out in the rain when it fails. Equifax shows that effective IT security requires meaningful organization and process compliance before technical measures. The fact that the admin who overlooked the Struts gap was fired at the time, but CSO and CIO only left after public pressure, is telling. Equifax failed to see information security as a holistic construct, with meaningful guidelines from management leading to effective measures and processes that can be implemented under pressure in real business activities. Instead, a silo mentality and avoidance of unpleasant tasks combined with a lack of leadership led to a real disaster. That's a long way from 100%.