Earlier this month, consumer credit rating company Equifax notified consumers of a major theft of personally identifiable information (PII). The Equifax breach affected nearly 143 million Americans, making Equifax the target of much scrutiny as analysts question its web application security.
What do we know so far?
The Equifax hack was caused by an unspecified web application vulnerability that gave cyberthieves access to the company's corporate network from May until the end of July. Intruders gained access to the Social Security numbers and other PII of unsuspecting U.S. consumers, as well as 209,000 credit card numbers. In addition to the financial cost, Equifax is also facing a severe public relations backlash.
While Equifax’s response is scrutinized, the sad fact is that most companies have vulnerabilities when it comes to web application security.
Months before this attack was made public, IDG conducted a survey which found that 83 percent of IT executives consider application security critical to their IT strategy. Here are three web application security lessons they, and you, can learn from the Equifax breach:
1. Plan for an Attack.
HOW EQUIFAX FAILED: Hackers first breached Equifax’s network in May, but this wasn’t discovered until late July. What’s worse, it wasn’t made public until September.
WHAT YOU CAN DO: Make sure you have an outlined and tested response plan for when you are the victim of a cyberattack. Your plan should not only include steps your IT department will take to identify and close the vulnerability. It should also include how your public relations department will notify the public and how you will work with government agencies or private security consultants.
2. Secure Your Web App Logins.
HOW EQUIFAX FAILED: Equifax has either not discovered or not made public the web application login that was used to gain access to its network.
WHAT YOU CAN DO: Understand that many web application security vulnerabilities come down to human error, weak passwords or poor login practices. Review your login practices to ensure they:
  - Require strong, complex passwords.
  - Protect logins with encryption.
  - Perform vulnerability scans.
3. Patch Holes in Your Security.
HOW EQUIFAX FAILED: Equifax says that they initially believed the intrusion was limited. This suggests major blind spots in their web application security.
WHAT YOU CAN DO: Choose a multi-layered web application security solution that monitors and prevents malicious activity at your network's perimeter and in internal applications. Make sure you have:
  - Real-time threat intelligence: Your web app security should take into account new security threats as they are released.
  - Correlation engine: Sort through the noise with an application that can analyze and understand event data to learn which events pose real threats.
  - Vulnerability scanning: Regularly scan your network for vulnerabilities, using current threat intelligence, so that your defenses stay up to date.
The security of your business is the most important factor to consider for success. With more companies switching to a cloud-based alternative, or another offsite option, it is important to choose the right company to stand behind you and your network.