Little was revealed about the details of the cybersecurity breach, other than it stemmed from an exploited web application. Even without specifics, Equifax’s hacking illustrates a larger trend in tech companies — a clear lack of focus on software security.
Verizon’s data breach report, a comprehensive state-of-the-union for internet security, found that web applications are responsible for the most breaches across industries. “Although attacks on web applications account only for 8% of overall reported incidents, attacks on web applications accounted for over 40% of incidents resulting in data breach, and were the single-biggest source of data loss,” the 2016 report says.
A web application is essentially any web page that interacts with you, instead of simply giving you text or images. For example, a user might input a query and get something back. One way to launch a cyberattack would be to tweak that query so the information that comes back is more comprehensive. One popular attack like this is an SQL injection attack, which might confuse a database into providing a full dossier of information when just being asked for a name or address.
“It’s not a surprise given the low priority”
While it’s not a secret that vulnerabilities in web applications are a problem, there is curiously little defense against them.
“Application security is really not a top priority for most security groups,” Rohit Sethi, COO of Security Compass, an ethical hacking and software security firm, told Yahoo Finance. “From our perspective, it’s not a surprise given the low priority.”
Much of this low priority comes from industry “best practices,” Sethi said. Often when someone wants to design a security program, they consult these practices and for many, there is little to no mention of application security. “You could be compliant with best practices and have nothing by way of web application security,” he said.
Instead of software security to defend against this kind of attack, the focus is often wholly on network security instead, which is usually considered the frontline for cybersecurity. This leaves software security as a job for automated testing tools and scans rather than a duty for trained human beings. “It certainly doesn’t approximate what a human being can do,” Sethi said.
“There’s this willful ignorance to make a better ‘fire code’”
Today, companies view getting hacked like getting a cold, something that will inevitably happen. With that mindset, the focus shifts from the prevention to the response.
Sethi sees this issue in terms of fire safety, noting that people pay more attention to the fire trucks than the fire code. “What’s interesting is that there’s this willful ignorance to make a better ‘fire code’ as it relates to info security,” Sethi said. “Typically you have software developers rushed to get software out the door, without taking additional steps to build more secure software.”
In Sethi’s view, there’s a root cause that makes this a systematic issue: education. There’s very little training in software security for burgeoning programmers.
“If you receive a degree in programming, there’s a chance you don’t learn anything about security,” he said. “Programmers learn software development, but not how to do security. There’s a gap in training software developers.”
Any training that does happen likely comes on the job. “There’s no expertise, it’s hard, people don’t know what to do,” he said. “It’s much easier to just build the software and deal with issues later, rather than deal with it up front.”
For a company like Equifax, it wouldn’t necessarily be abnormal not to have a robust software security system. “Many companies like them do not build any level of security. [Instead,] they go through a light scanning process,” Sethi said. “We would advocate that this is something you’d change. A minimum standard should involve secure software.”
Whether this is negligence or not is a big question, and one that will drive the inevitable lawsuits against Equifax — one of which has already been filed. “The bar for negligence is really, really low in many cases,” Sethi said. There have been lawsuits in many cases, but not necessarily because of a specific law, he said.
Unlike health care providers or financial institutions, most companies are not legally required to maintain certain levels of security protocol with consumer data. Regardless of legal liability, however, this breach is sure to hit Equifax’s reputation — and its stock price.