Details of the recent Equifax Inc. breach are continuing to emerge. We now know that the intrusion was accomplished by exploiting the Apache Struts web vulnerability (CVE-2017-5638), which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.
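As an added defender-side illustration (not part of the original post), the Python below scans access-log lines for the Content-Type injection pattern the post describes, flagging OGNL expression delimiters and the `#cmd=` assignment. The `ct=` log field, the sample lines and the neutralised placeholder values are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators of OGNL expression injection in a Content-Type header, as in
# CVE-2017-5638: an OGNL expression delimiter or the "#cmd=" assignment the
# post describes. These patterns are this example's own, not a vendor rule.
OGNL_MARKERS = (
    re.compile(r"%\{"),             # %{ ... } OGNL expression delimiter
    re.compile(r"\$\{"),            # ${ ... } alternative delimiter
    re.compile(r"#cmd\s*=", re.I),  # variable assignment named in the post
)

@dataclass
class Finding:
    line_no: int
    reason: str
    header: str

def inspect_content_type(value: str) -> Optional[str]:
    """Return a reason string if the header value looks like an OGNL payload."""
    for marker in OGNL_MARKERS:
        if marker.search(value):
            return f"OGNL marker {marker.pattern!r} in Content-Type"
    return None

def scan_log(lines: List[str]) -> List[Finding]:
    """Scan constructed access-log lines whose last field is 'ct=<Content-Type>'."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\sct=(.*)$", line)
        if not m:
            continue  # no Content-Type field logged on this line
        header = m.group(1).strip()
        reason = inspect_content_type(header)
        if reason:
            findings.append(Finding(n, reason, header))
    return findings

# Constructed sample log; the flagged values are neutralised placeholders, not payloads.
SAMPLE_LOG = [
    "10.0.0.5 [07/Mar/2017:10:00:01] POST /upload.action 200 ct=multipart/form-data; boundary=----Boundary7MA4YWxk",
    "198.51.100.7 [07/Mar/2017:10:00:02] POST /upload.action 500 ct=%{(#cmd='PLACEHOLDER').(#x=1)}",
    "10.0.0.9 [07/Mar/2017:10:00:03] GET /index.action 200 ct=text/html; charset=UTF-8",
    "203.0.113.4 [07/Mar/2017:10:00:04] POST /upload.action 500 ct=${#cmd='PLACEHOLDER'}",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.header}")
```

A legitimate multipart upload carries only a media type and a boundary parameter, so any expression syntax in this header is a strong signal regardless of whether the request succeeded.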
A security patch for the flaw in the open source Apache Struts 2 framework was available as early as March 6th, more than two months before the Equifax hack began. So far, Equifax representatives have declined to answer questions about why this known vulnerability went unpatched for so long. The fix is known to be complex and labor intensive, which may have contributed to the delay in closing the security hole in Equifax web servers and applications.
Difficulty aside, it now seems clear that the Equifax breach—which impacted nearly half of the adults in the United States—was entirely preventable.
On September 15th, Equifax announced that the company’s Chief Security Officer, Susan Mauldin, and its Chief Information Officer, David Webb, were retiring “effective immediately.”