The case can be used more generally to introduce course participants to current issues in cybersecurity, especially how companies manage and respond to these issues and the role of regulation in determining company responses. The cybersecurity risks to which Equifax was exposed are not unique; they are shared by nearly every company that stores sensitive personal information.
As a paradigm case in what not to do, Equifax provides a useful example from which all can learn. Oct 21, Revised: Apr 25. Learning Objectives: The case is meant to introduce and analyze current issues in cybersecurity, including prevention, detection, and response. The initial investigation indicated that many files were breached.
Equifax had to create a separate domain and webpage to deal with all of the information that needed to be disseminated and to communicate with affected users and stakeholders (Equifax). This potentially well-intentioned business maneuver demonstrates the complexity of dealing with the issue.
Other parties immediately set up fake settlement and information sites, creating additional opportunities for fraud and cybercrime as well as additional public confusion (Atleson). As customers flocked to freeze their credit reports, they were given PINs whose naming convention was based on the date on which the accounts were frozen. This unfortunately made them easy for cyberattackers to guess, once again enabling further potentially devastating attacks. As the situation continued to worsen and spiral out of control, governments at virtually all levels began to take notice and initiate inquiries and actions.
The federal government also took notice. Consequently, there are many lessons to be learned from this historic cybercrime, and these lessons are discussed here. In this case, however, the most significant contributing factors seem to have been systems management procedures.
Specifically, the Equifax IT team did not apply the patch when it was released. This points to other potential IT systems management issues. Since it is clearly known that the vulnerability did exist, another possibility is that the software used for scanning was ineffective or broken. It also appears there was possible negligence on the part of the Equifax IT and security teams.
Although a scan was conducted to see whether the vulnerability was present, specific guidance to apply the patch had been given on multiple occasions. Clearly the patch was not applied. Why did the team not simply look at the patches on the servers and verify that the patch was installed? Afterwards the firm seemed to act in a manner that was not consistent with quickly releasing information about the attack or resolving the issue effectively. These actions certainly seem to indicate that there were potential profit motives inherent in the responses of Equifax and its executive team members.
Executive incentives are commonly cited as motivators for executives to make decisions that preserve individual bonus pay and company stock prices, rather than the interests of their customers or other stakeholders (Thomas J.).
Problems Inherent with Credit Reporting Agencies
At the time of this attack there were many risks generated by the inherent nature of the credit reporting agency process in the United States. Consumers are involuntary members of the system: they did not and do not have the option to opt in, and their information is reported by the companies they do business with.
This creates an unapproved and sometimes uninformed risk for most of the consumers in the United States.
After the attack there was much discussion about the need to be able to freeze credit reports. Since then, credit reports have moved from being freezable for a minor cost to being freezable at no cost (Frost). Responses varied from chastising Equifax to seeking damages to creating new regulations regarding credit reporting agencies and privacy, as well as specific sanctions against Equifax.
The breach was caused by a known vulnerability that had been published by the vendor, and Equifax received several warnings to apply the patch that would have closed it. The company utilized an outside security firm to conduct forensic investigations.
In the wake of recent security incidents affecting several high-profile companies and government bodies, many are left wondering how they can protect their organizations. For these reasons, incident response can take several weeks, months or even years, which in turn delays notification of affected parties and the public.
Developing and implementing disaster recovery plans is critical in mitigating damages once a breach occurs, but by then the damage has already been done. Developing a proactive, multi-layered security posture involves regularly patching systems, testing for vulnerabilities, hardening systems and active monitoring, all of which, when done properly, help minimize the risk of a breach occurring in the first place.
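The question raised earlier, why the team did not simply verify on the servers that the patch was installed instead of trusting the scan, shown as an added example that is not from the case or from Equifax: a Python reconciliation of a constructed package inventory against a constructed scanner verdict. The component name, version numbers and host names are placeholders, not the actual Equifax software.

```python
from dataclasses import dataclass


def parse_version(v):
    """Split a dotted version string into a tuple of ints so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Host:
    name: str
    installed: dict      # component -> version string, from the package inventory
    scanner_clean: bool  # what the vulnerability scanner reported for this advisory


# Constructed sample data: component name, versions and host names are placeholders.
ADVISORY = {"component": "example-web-framework", "fixed_in": "2.3.32"}
HOSTS = [
    Host("web-01", {"example-web-framework": "2.3.32"}, True),
    Host("web-02", {"example-web-framework": "2.3.30"}, True),   # scanner wrongly reported clean
    Host("web-03", {"example-web-framework": "2.3.29"}, False),
    Host("web-04", {}, True),                                    # component not installed
]


def patch_status(host, advisory):
    """Return 'patched', 'vulnerable' or 'not-installed' from the inventory alone."""
    installed = host.installed.get(advisory["component"])
    if installed is None:
        return "not-installed"
    if parse_version(installed) >= parse_version(advisory["fixed_in"]):
        return "patched"
    return "vulnerable"


def reconcile(hosts, advisory):
    """Compare inventory-derived status with the scanner verdict for every host.
    Returns (status per host, hosts the scanner called clean but the inventory shows unpatched)."""
    report = {}
    scanner_blind_spots = []
    for h in hosts:
        status = patch_status(h, advisory)
        report[h.name] = status
        if status == "vulnerable" and h.scanner_clean:
            scanner_blind_spots.append(h.name)
    return report, scanner_blind_spots


if __name__ == "__main__":
    report, blind = reconcile(HOSTS, ADVISORY)
    for name, status in report.items():
        print(f"{name}: {status}")
    print("scanner blind spots:", blind)
```

Any host in the blind-spot list is one where the scanner's "clean" verdict cannot be trusted and the scanner itself needs investigation, which is the second failure mode the text describes.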