A couple of times per month, I like to pen a diatribe about security with some useful information, rather than just rake over the usual story data about what happened, to whom and why. In this piece, I want to discuss a tangential issue – negligence.
One thing is as certain as death and taxes. If a device or system is connected to the Internet, it can be hacked – period. What is amazing is that people who should know that somehow either think they are immune to hacking, don’t believe it will happen to them, or just aren’t interested enough to implement the necessary firewalls. To me, this is utterly amazing, considering the vast amount of hacking going on.
In spite of best practices in security, some cyber-attacks cannot be prevented, but the vast majority can. However, they are not, and for a reason that, in this day and age, is ludicrous – simple negligence. And this seems to be the case with Equifax.
The reason they were hacked is common across many platforms, wireless or otherwise: a blasé attitude about security. To wit, they knew about, but failed to apply, the patch to Apache Struts, a Java application used to power front-end and back-end platforms. However, the pièce de résistance is that they knew the vulnerability was in their system and that a patch was available – they just hesitated – strike one. Then, according to Brian Krebs, a security expert, “an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin’” – strike two. I wonder if there is going to be a strike three. But the first two strikes can be chalked up to negligence.
This is the kind of stuff that gets a company buried in mounds of litigation, with the real possibility of ending its reign. The same is likely to extend to individuals, as things get more complex and ubiquitous. So far, Equifax is looking at $70 billion in lawsuits, on top of the $20 billion it had to shell out to repair the damages from the breach (it probably would have cost them a few tens of thousands to apply the patch promptly).
Now, Equifax is only one of the latest victims. Given the emergence of the Internet of Everything/Everyone (IoX), vigilance is going to have to become a top priority for everyone – from the home router to the cloud to mega-corporations. This act is wholly preventable.
With the ubiquity of the IoX, two things, education and the understanding of the ramifications of being negligent, become paramount. Eventually, there will be a much larger attack surface than ever before. The bad guys know that and will seize every opportunity to capitalize on it. Negligence, whether gross or simple, costs money. It is incumbent upon all of us to get smart about it, and about the damage that being negligent can cause.
Ernest Worthman is the Executive Editor of Applied Wireless Technology magazine. A Life Member of the IEEE, his 20-plus years of editorial experience includes being the Editorial Director of Wireless Design and Development and Fiber Optic Technology, the Editor of RF Design, the Technical Editor of Communications Magazine, Cellular Business, Global Communications and a Contributing Technical Editor to Mobile Radio Technology, Satellite Communications, as well as computer-related periodicals such as Windows NT.