It is now a matter of public record that the cause of the Equifax breach, which led to the disclosure of the personally identifiable information of 148 million American citizens, was that a system running open-source software known as Apache Struts was not patched. This allowed hackers to exploit the unpatched system and extract data from it and other systems for several months without detection.
Since the Equifax data breach, several investigations have been announced, and some concluded. Recently, the US House of Representatives Committee on Oversight and Government Reform released a detailed 96-page report on the breach (hereafter referred to as the “Congressional Report”). I, among other former and current Equifax executives, provided testimony to the Committee.
To set the scene, on October 3, Mr Richard Smith, then recently retired Chairman and Chief Executive Officer at Equifax, testified to Congress:
“Americans want to know how this happened …it appears that the breach occurred because of both human error and technology failures. These mistakes – made in the same chain of security systems designed with redundancies – allowed criminals to access over 140 million Americans’ data.”
In responding to questions after reading his prepared testimony, Mr Smith “repeatedly mentioned an individual who had failed to act on a security warning”. He stated:
- “The human error was the individual who is responsible for communicating in the organization to apply the patch did not.”
- “Congressman, we get notifications routinely, the IT team and Security team do, to apply [patches]. This individual as I mentioned earlier did not communicate to the right level to apply the patch.”
- “I described it as a human error where an individual did not ensure communication got to the right person to manually patch the application. That was subsequently followed by a technological error where a piece of equipment we use which scans the environment looking for that vulnerability did not find it.”
So is security really that simple? Should the cybersecurity of a major corporation depend on whether an email (already sent to hundreds of employees notifying them of the vulnerability) gets forwarded? Would this breach have been prevented if the email had originally been sent to the people responsible for patching in the first instance?
Patch management is the term generally used to describe the following process:
- An organization receives notice of a piece of code (“a patch”) for a system or application from a vendor or the open-source community
- The impacted systems are identified and information and instructions are provided on how to patch the system
- System owners test and install the patch
- Feedback is provided that the system is patched
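The four steps above are easy to state and hard to close out. The following is an added example, not code from the article or from Equifax: it models steps 2 to 4 as data (an advisory, an asset inventory, patch feedback from system owners, and the output of a vulnerability scanner) and then reconciles them, so that a system which is still exposed, a fix reported at the wrong version, or a host the scanner missed each shows up as its own line item. The advisory id, component name, version numbers, host names and owner names are all constructed placeholders; the version-comparison rule (numeric dotted versions, "fixed in" means the first non-vulnerable release) is an assumption made for the example.

```python
"""Reconcile a patch advisory against inventory, owner feedback and scanner output.

Added example, not from the article. All identifiers and data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder, not a real advisory number
    component: str     # affected software component
    fixed_in: str      # assumed: first version that contains the patch


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str         # team that must apply the patch (step 2 target)
    component: str
    version: str       # version recorded in the asset inventory


def is_exposed(asset: Asset, adv: Advisory) -> bool:
    """Step 2: an asset is in scope if it runs the component below the fixed version."""
    return (asset.component == adv.component
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def owners_to_notify(assets: Iterable[Asset], adv: Advisory) -> Dict[str, List[str]]:
    """Step 2: route the notice to each responsible owner with the hosts they own,
    instead of relying on a broadcast email being forwarded."""
    out: Dict[str, List[str]] = {}
    for a in assets:
        if is_exposed(a, adv):
            out.setdefault(a.owner, []).append(a.host)
    return out


def reconcile(assets: Iterable[Asset], adv: Advisory,
              feedback: Dict[str, str], scanner_clean: Set[str]) -> Dict[str, List[str]]:
    """Steps 3 and 4: compare what owners reported with what the advisory requires.

    feedback      : host -> component version the owner reported after patching
    scanner_clean : hosts the vulnerability scanner reported as not affected
    """
    report: Dict[str, List[str]] = {
        "patched": [],            # feedback shows a version at or above fixed_in
        "feedback_below_fix": [], # owner reported, but the version is still vulnerable
        "still_exposed": [],      # in scope, no feedback at all
        "scanner_missed": [],     # inventory says exposed, scanner said clean
    }
    for a in assets:
        if not is_exposed(a, adv):
            continue  # not in scope for this advisory
        reported = feedback.get(a.host)
        if reported is None:
            report["still_exposed"].append(a.host)
            if a.host in scanner_clean:
                # The scanner alone would have closed this one; the inventory disagrees.
                report["scanner_missed"].append(a.host)
        elif parse_version(reported) < parse_version(adv.fixed_in):
            report["feedback_below_fix"].append(a.host)
        else:
            report["patched"].append(a.host)
    return report


# Constructed sample data (not real hosts, versions or advisories).
ADVISORY = Advisory("ADV-EXAMPLE-0001", "example-web-framework", "2.5.0")
ASSETS = [
    Asset("web-01", "team-portal", "example-web-framework", "2.3.31"),
    Asset("web-02", "team-portal", "example-web-framework", "2.3.31"),
    Asset("api-01", "team-api", "example-web-framework", "2.3.20"),
    Asset("db-01", "team-data", "example-database", "11.2"),
]
FEEDBACK = {"web-02": "2.5.0", "api-01": "2.3.31"}   # api-01 applied an older patch
SCANNER_CLEAN = {"web-01", "web-02", "db-01"}        # web-01 wrongly reported clean

if __name__ == "__main__":
    print("notify:", owners_to_notify(ASSETS, ADVISORY))
    for bucket, hosts in reconcile(ASSETS, ADVISORY, FEEDBACK, SCANNER_CLEAN).items():
        print(f"{bucket:>18}: {hosts}")
```

The point of the reconciliation is that no single source is trusted on its own: a host is only closed out when the owner's feedback meets the advisory's fixed version, and a host the scanner calls clean while the inventory still shows a vulnerable version is surfaced for manual verification rather than silently dropped.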
In this series of articles I will explore this topic in more detail and provide you with some key questions to ask about how your organization manages patch management.
Patch management is not glamorous. It doesn’t generate revenue or delight customers. When it is working right no one really notices. However, when it fails, and something goes wrong, the results can be devastating. Executives can end up testifying before Congress and Regulators, not to mention the risk of litigation.
Next issue: Why is Patch Management Complex?