Equifax Breach: More avoidable than you thought?


Trevor Reschke, Head of Threat Intelligence

There have been news headlines all over the place on the recent Equifax breach, and I would like to add a little color on the subject. This may not have been the largest breach by affected individual count, but it is potentially the most damaging breach in history. This breach has exposed PII of up to 143 MILLION PEOPLE! This includes stolen SSNs, birthdates, addresses and driver’s licenses. Upwards of 200,000 credit card numbers were compromised as well. Looking at breaches to date, Yahoo, eBay and even Adult Friend Finder impacted more accounts, but the type of information taken was far less critical than that taken in the Equifax breach.

A little on the technology of the breach: Based on what is in the news, this was not really a new vulnerability. The reality is, patching appears to be hard for both large and small companies. For a million different reasons, systems and the applications that run on them just don’t get patched in time to prevent breaches. This problem is as old as computers themselves.

Exploiting this vulnerability required the adversary to construct a specific request that is ordinarily not a valid submission. Specifically, the header type needed to be incorrectly set and a malicious payload submitted to the web application. The fundamental flaw of the application was that, because of the header setting, it attempted to interpret the payload, so the payload was executed before the web application had processed it as a normal request. An effectively deployed and managed WAF would have prevented the breach by ensuring submissions to the web application matched the intended resource and, more importantly, did not contain obvious malicious payloads.

Trusted Knight’s WAF, Cloud-DMZ, stops these types of application attacks before they hit the server. Both recent vulnerabilities would have been prevented, even before the patches were available. That’s the whole point of having a WAF: it buys your organization time and creates a solid external perimeter that protects your origin server. Cloud-DMZ sets itself apart from the other available cloud-based WAFs by using multi-layered techniques for enterprise protection. This blends the best of both worlds, unlike our fellow cloud competitors, who generally rely on a reverse proxy approach that is watered down to suit all their customers universally.

CDMZ provides true enterprise-grade WAF protection using both whitelist and blacklist techniques and is designed for the modern Internet – no more old-fashioned on-premises servers that do not scale. CDMZ uses a whitelist approach to all inbound requests; this prevents attacks from passing commands to the web application. Even if we purposely whitelisted the attack for testing purposes, our third layer of protection would identify the command string as malicious and stop the attack before it ever touched the origin web application.
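To make the two defensive ideas above concrete (a request that does not match its intended resource, and a malformed header carrying a payload the application would try to interpret), here is an added illustration of a layered request filter. It is example code written for this post, not Cloud-DMZ's or any vendor's implementation. Layer one is a positive allow-list: the path must exist, the method must be permitted, and for requests with a body the Content-Type must parse as a well-formed media type whose type/subtype the endpoint actually accepts. Layer two is a negative signature check over the header values, catching expression-language markers that a quoted parameter value could otherwise smuggle past the grammar check. The endpoints, media types, signature, and sample requests are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Layer 1 (hypothetical allow-list): which paths exist, which methods they take,
# and which media types each accepts in a request body.
ALLOWLIST = {
    "/dispute/upload": {"methods": {"POST"},
                        "content_types": {"multipart/form-data",
                                          "application/x-www-form-urlencoded"}},
    "/dispute/status": {"methods": {"GET"}, "content_types": set()},
}

# Layer 2 (constructed signature): template/expression syntax such as "${", "%{"
# or "#{" has no business in any header value a real client would send.
SIGNATURES = [re.compile(r"[%$#]\{")]

# RFC 7231 'tchar' alphabet: the only characters allowed in an unquoted token.
_TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                   "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def parse_media_type(value: str):
    """Strict media-type grammar check.

    Returns the lower-cased 'type/subtype' essence, or None when the value is
    not a syntactically valid media type. Quoted parameter values may contain
    almost anything, so passing this check alone does not prove a header is
    harmless; that is why a signature layer follows. Splitting on ';' means a
    quoted value containing ';' is rejected, which is the fail-closed choice.
    """
    if not value:
        return None
    essence, *params = value.split(";")
    essence = essence.strip()
    if essence.count("/") != 1:
        return None
    typ, sub = essence.split("/")
    if not typ or not sub or not set(typ) <= _TCHAR or not set(sub) <= _TCHAR:
        return None
    for param in params:
        name, eq, val = param.strip().partition("=")
        if not eq or not name or not set(name) <= _TCHAR:
            return None
        quoted = len(val) >= 2 and val[0] == val[-1] == '"'
        if not (quoted or (val and set(val) <= _TCHAR)):
            return None
    return essence.lower()


@dataclass
class Decision:
    allowed: bool
    layer: str    # "allowlist", "signature" or "pass"
    reason: str


def inspect_request(method: str, path: str, headers: dict) -> Decision:
    """Apply the allow-list first, then the signature scan, and say which layer decided."""
    rule = ALLOWLIST.get(path)
    if rule is None:
        return Decision(False, "allowlist", f"unknown path {path}")
    if method not in rule["methods"]:
        return Decision(False, "allowlist", f"{method} not permitted on {path}")
    if method in {"POST", "PUT", "PATCH"}:
        essence = parse_media_type(headers.get("Content-Type", ""))
        if essence is None:
            return Decision(False, "allowlist", "Content-Type is not a well-formed media type")
        if essence not in rule["content_types"]:
            return Decision(False, "allowlist", f"{essence} not accepted by {path}")
    # Layer 2: a request that matches its intended resource is still scanned.
    for name, value in headers.items():
        for sig in SIGNATURES:
            if sig.search(value):
                return Decision(False, "signature", f"expression marker in header {name}")
    return Decision(True, "pass", "request matches its intended resource")


# Constructed sample traffic: one legitimate upload, one malformed header, one
# well-formed header hiding a marker inside a quoted parameter, and a probe of
# a path that does not exist.
SAMPLE_REQUESTS = [
    ("POST", "/dispute/upload", {"Content-Type": "multipart/form-data; boundary=abc123"}),
    ("POST", "/dispute/upload", {"Content-Type": "%{constructed-expression}"}),
    ("POST", "/dispute/upload",
     {"Content-Type": 'application/x-www-form-urlencoded; boundary="${constructed}"'}),
    ("GET", "/dispute/status", {}),
    ("POST", "/admin", {"Content-Type": "application/x-www-form-urlencoded"}),
]


def run_samples():
    """Evaluate the constructed requests; returns the list of decisions."""
    decisions = [inspect_request(m, p, h) for m, p, h in SAMPLE_REQUESTS]
    for (m, p, _), d in zip(SAMPLE_REQUESTS, decisions):
        print(f"{m} {p}: {'ALLOW' if d.allowed else 'BLOCK'} [{d.layer}] {d.reason}")
    return decisions


if __name__ == "__main__":
    run_samples()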

If you would like to take a more technical look at Cloud-DMZ please Contact Us and shoot me a note. I am happy to have a call.