An article published yesterday in Gizmodo, and another published this morning in the Wall Street Journal, shed light on what Rick Smith, former Equifax CEO, will say to Congress today when he testifies about the series of cyber security missteps that led to the company's recent massive hack.
Mr. Smith will testify that employees did not respond properly to a public warning on March 8th about a new vulnerability in the Struts open source component. The story, according to Smith, is that Equifax employees failed to respond to the warning because the company was using a network "scanning tool" that should have detected the vulnerable version of Struts lurking inside of their production application, but failed to do so.
The truth, however, is that Equifax was blind to their exposure, not because their scanning tool "failed" -- but because it was not designed to identify this particular problem. To be clear, this is not an indictment of network scanning tools. Rather, this is an example of a perfectly good tool providing excellent visibility on a piece of the cyber landscape where the problem itself did not exist.
Simply stated, traditional scanning tools examine file names and look for network anomalies to identify and neutralize bad actors. They do not, however, identify vulnerable versions of open source components like Struts that exist way up high in the application layer.
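To make the distinction concrete, here is a minimal sketch of application-layer component identification, added as an illustration (it is not Equifax's tooling or any vendor's product). It opens a WAR archive, reads the Maven `pom.properties` metadata inside each bundled JAR, and compares the coordinates against a policy list. It assumes the JARs were built by Maven and still carry that metadata; the flagged version string and the sample archive are constructed placeholders.

```python
import io
import zipfile

# Constructed policy: coordinates -> flagged versions (placeholder, not advisory data).
FLAGGED = {("org.apache.struts", "struts2-core"): {"0.0.1-PLACEHOLDER"}}

def parse_pom_properties(text):
    """Parse the key=value lines Maven writes into pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def components_in_jar(jar_bytes):
    """Yield (groupId, artifactId, version) from Maven metadata inside a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
                if all(k in p for k in ("groupId", "artifactId", "version")):
                    yield p["groupId"], p["artifactId"], p["version"]

def scan_war(war_bytes, flagged=FLAGGED):
    """Return findings for flagged components bundled under WEB-INF/lib/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                for group, artifact, version in components_in_jar(war.read(name)):
                    if version in flagged.get((group, artifact), ()):
                        findings.append((name, group, artifact, version))
    return findings

def build_sample_war(jar_name, version):
    """Construct an in-memory WAR holding one JAR with Maven metadata (sample data)."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.struts/struts2-core/pom.properties",
                     f"groupId=org.apache.struts\nartifactId=struts2-core\nversion={version}\n")
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr(f"WEB-INF/lib/{jar_name}", jar_buf.getvalue())
    return war_buf.getvalue()

if __name__ == "__main__":
    print(scan_war(build_sample_war("web-framework.jar", "0.0.1-PLACEHOLDER")))
```

The sample JAR is deliberately named `web-framework.jar`: a check keyed on file names would pass over it, while the embedded metadata still identifies the component and its version.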
Globally, companies like Equifax spend a whopping $130 billion per year on traditional cyber tools in an effort to build strong perimeter defenses to keep the bad guys out -- but only $8 billion per year (6% of their budget) on building software applications that are fundamentally secure from the start.
Hackers are generally lazy, but they are not stupid. They spend their time looking for three things:
- easy pay days that circumvent massive perimeter defenses
- big pay days that target massive amounts of application data, and
- economies of scale, where one successful hack leads to multiple pay days because of the reusable nature of third-party components.
In today's world, hackers are spending less time exploiting perimeter defenses and more time exploiting vulnerabilities at the application level. Given this reality, the challenge (and opportunity) for organizations like Equifax is to shift their perspective, and a portion of their budget, from building giant castle walls -- to automating open source governance and building applications that are secure by default.