Tuesday, September 12, 2017

Equifax Data Breach: Laws - Frameworks - Solutions


Equifax discovered unauthorized access on July 29th. Two months later, the public was notified, and the victims of the breach (and potential victims of identity theft) are being offered monitoring services.
Each state has enacted a breach notification statute. California law, for example, requires notification in the most expedient time possible and without unreasonable delay. Notification may be delayed if law enforcement determines that notice would impede a criminal investigation (Cal. Civ. Code § 1798.82). But was a criminal investigation actually being impeded, and what factors were used to deem that determination reasonable?
An amendment to the breach notification statute (AB 1710) requires organizations to offer 12 months of monitoring services at no cost to the potential identity theft victim.
It seems controversial that Equifax is offering its own monitoring service. If our homes are burglarized while we are using a company's home security system, should we accept a 12-month membership in an alarm system from the same company?
Anyone familiar with incident response will agree that it can be challenging to attribute an exploit, even after identifying how the exploit occurred. Equifax CEO Richard Smith believes that the Equifax exploit occurred via SQLI (structured query language injection). In SQLI, malicious input is inserted into a database query so that the backend database is manipulated into returning information that was never intended to be displayed. SQLI attacks can be prevented, and their impact limited should they occur.
A WAF (web application firewall) can prevent SQLI, but false positives are a problem: legitimate requests get blocked as well, which can impede the operability of attractive functions of a company's flagship product or service. The government generally does not insert itself into requiring this type of protective measure.
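The two points above, that SQLI works by turning user input into query text and that a pattern-matching WAF can block legitimate input, are easier to see side by side. The following is an added example written for this post, not code from Equifax or from the original article; it uses Python's built-in sqlite3 with a constructed three-row table, a vulnerable lookup that concatenates input into SQL, the parameterized lookup that fixes it, and a deliberately naive WAF rule to show the false-positive problem. Table and column names, the sample rows, and the filter pattern are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not real records).
SAMPLE_ROWS = [
    ("Smith", "000-00-0001"),
    ("O'Neil", "000-00-0002"),   # a legitimate name containing an apostrophe
    ("Jones", "000-00-0003"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE consumers (id INTEGER PRIMARY KEY, last_name TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO consumers (last_name, ssn) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name):
    """Vulnerable pattern: the caller's input becomes part of the SQL text.

    Whatever the user types is parsed by the database as SQL, so input that
    closes the quoted string can change the WHERE clause and return rows the
    application never meant to expose.
    """
    sql = "SELECT last_name, ssn FROM consumers WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name):
    """Hardened pattern: the input is bound as a value, never parsed as SQL.

    The query text is fixed; the database receives the name separately and
    compares it literally, apostrophes and all.
    """
    sql = "SELECT last_name, ssn FROM consumers WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# A deliberately naive WAF-style rule: reject any input containing a quote,
# a SQL comment marker, or the word OR. Rules like this do block the textbook
# injection, but they also block ordinary data such as the name O'Neil.
NAIVE_WAF_PATTERN = re.compile(r"'|--|\bor\b", re.IGNORECASE)


def naive_waf_blocks(value):
    """Return True if the naive rule would reject this request value."""
    return bool(NAIVE_WAF_PATTERN.search(value))


def safe_lookup(conn, last_name):
    """Parameterized query only: no filtering needed for correct results."""
    return lookup_parameterized(conn, last_name)


if __name__ == "__main__":
    db = make_db()
    # The legitimate apostrophe name breaks the concatenated query outright
    # (a SQL syntax error), while the parameterized version handles it.
    try:
        lookup_vulnerable(db, "O'Neil")
    except sqlite3.OperationalError as exc:
        print("vulnerable lookup failed on a legitimate name:", exc)
    print("parameterized lookup:", safe_lookup(db, "O'Neil"))
    # The naive filter flags the same legitimate name as an attack.
    print("naive WAF blocks O'Neil:", naive_waf_blocks("O'Neil"))
```

The test of interest for a defender is the second pair of functions: the concatenated query both leaks extra rows on crafted input and fails on ordinary names, whereas the parameterized query returns exactly the matching row in every case. The naive filter illustrates why WAF rules need tuning against real traffic before they are used to block rather than alert.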
Data-centric, end-to-end database encryption can protect by making the data retrieved through SQLI valueless to the exploiter. Even if a database administrator's account is compromised, the data viewable is still encrypted. However, this can break data analytics and/or be cost-prohibitive to implement in an organization. Here the federal and state governments have inserted themselves by making encryption a legal requirement. FISMA (Federal Information Security Management Act) ratifies NIST (National Institute of Standards and Technology) standards, and the NIST framework asks for encryption of data at rest, data in transit, and data in use (NIST 800-53 Rev. 4 AC-3, AC-4, MP-5(4), SC-8, SC-28). HIPAA section 164.312(e)(1) is also federal law addressing encryption requirements as mandated technical safeguards.
What level of encryption was Equifax using, and which companies offer solutions that boast full compliance with the federal encryption laws cited above, or the ability to eliminate for your organization the same threat that Equifax faced?