Evolution - Security Watch - Equifax Breach Debrief & Discussion with Cal Leeming of Lyons Leeming
As fears over cyber attacks grow, over 80 per cent of financial service companies intend to push their funds into cybersecurity this year, which represents almost double last year's figure. That is a large increase on last year. The jump demonstrates that financial companies are waking up to the absolute necessity of cybersecurity, coming as Equifax saw a breach of its information, which included names, Social Security numbers, birth dates, addresses and even credit card numbers for over 200,000 U.S. consumers and over 140,000 UK consumers.
Cal Leeming from security firm Lyons Leeming, part of the technology portfolio of Avem Capital, joined Kate Leaman following the Equifax breach.
Questions posed to Steve from Kate included:
- Cal, what actually happened there?
- Should Equifax be held responsible?
- Why should users be worried about the Equifax breach?
- What are the possible impacts of this breach to consumers?
- What can consumers do to mitigate the risks of this breach?
- Could Equifax do more to protect consumers?
Avem Capital strongly advises anybody concerned about their privacy or security online to make immediate contact with a security professional and/or their bank. Avem clients should visit our security page at https://avemcapital.com/security/ or call +44 207 760 7587 and speak to our fraud and security team.
Equifax breach reportedly started 4 months before detection; with a hack
A recent report stated that the first evidence of the hackers interacting with the Equifax systems occurred on March 10th 2017. The report states that a confidential note was dispatched from security house FireEye directly to a number of Equifax clients.
The exploitation was made during this time via a vulnerability in the Apache Struts web application framework, already noted to be an active hole on the internet. It is known that the Struts flaw was the conduit used by the attackers to gain initial access to the network infrastructure.
Questions are now being asked as to why Equifax was not publicizing the information, which again seems to be a corporation withholding information from the public, possibly in an attempt to hide certain aspects and footprint of the attack vector and scope.
Security Flaw in Apache Struts Web Framework Opens Door to Attackers
Attackers took advantage of a security flaw in the Apache Struts Web Framework, which allowed them to remotely execute code on Equifax’s systems. The bug was revealed in March, along with recommended patches to fix it, but evidently Equifax didn’t move fast enough to prevent a rupture in their network, spilling names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and over 140,000 UK consumers, were accessed.
According to WSJ, the attackers simply entered the old shell command “whoami”, providing the compromised account name. It is not believed that the hack was a simple and fast breach, but more of a long-term attempt to escalate privileges and penetrate further into the Equifax network. The eventual result was access to credential files, and then the ability to query databases, gaining access to confidential information stored in a legacy environment.
Equifax's site used to set up credit account monitoring in the wake of last week's security breach is also vulnerable to hackers, ZDNet has learned.
Aftermath of the Equifax Attack
In the aftermath of the breach, a recommendation has been circulating, suggesting consumers set up alerts on any and all credit accounts. Countless numbers of people are thought to have flocked to the websites in order to protect themselves from breaches of their private data.
However, security researcher Martin Hall told ZDNet that the Equifax site used to set up alerts on individual's credit rating history can be easily spoofed. The site is vulnerable to a cross-site scripting (XSS) attack, which lets an attacker run malicious code on a legitimate website or web application, such as Equifax's site. In this case, a hacker may be able to fool a user into loading the site from a malicious link, which prompts for the consumer's social security number and other personal information.
The retrieved data could be harvested by a malicious person as soon as the information is submitted. As the malicious code is included in Equifax's web address, the malicious string is part of the Equifax domain and is thus hard for users to identify. User browsers consider the site to be secure, displaying the "lock" icon in the browser window, making this even harder for the user to distinguish from a spam or phishing email.
Cal Leeming of Lyons Leeming (www.lyonsleeming.com) stated – “Just the sheer quantity of data that could have been compromised. What we're seeing at the moment is probably just the tip of the iceberg to be honest. A lot of the time these breaches are played down for obvious reasons. It's standard protocol to only disclose the absolute most that you have to. My gut feeling is there's probably a lot more that's happened and it's just another reminder that no one's data is safe. No one's personal information is safe.”
So, what or where next for Equifax?
Lost Trust & Credibility
Any data breach threatens to tarnish a company's reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers which lenders and other businesses utilise on a daily basis.
Leeming stated – “You have to ask yourself the CISO of Equifax, they would have delegated pretty much every aspect of that work to their team members. So, whose fault is it actually that these systems were left in an insecure manner? You look at the chain that would have had to have been followed for these tasks to have been done. It's as much the fault of people at the top, as it is the people actually doing the work down on the ground. So, there's a chain of responsibility and cutting off the heads at the top very rarely makes an impact as to what's happening on the ground”
Equifax Faces Multibillion-Dollar Lawsuit Over Breach
“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect information from unauthorized access by hackers,” the complaint stated.
“Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
Equifax CEO Richard Smith has agreed to testify on Oct. 3 before a U.S. House of Representatives panel.
The Federal Bureau of Investigation has opened an investigation into the breach, and nearly 40 states have joined a probe of Equifax’s handling of the situation.
Discussion Transcript and References
[Kate Leaman] - Hello and a warm welcome to this episode of Avem Evolution Security Watch. As fears over cyber attacks grow, over 80% of financial service companies plan to pump their cash into cyber security this year. Now that represents almost double of last year's figure. That is a significant increase on last year as well. The jump suggests that financial firms are waking up to the global crackdown on cyber security. This comes as Equifax saw a breach of their information, which included names, social security numbers, birth dates, addresses, drivers licences, and also credit card numbers for around 209,000 US consumers. Today, Cal Leeming from security firm Lyons Leeming, which is part of the technology portfolio of Avem Capital, is joining us following the Equifax breach. Hi Cal.
[Cal Leeming] - Hi, how are you?
[Kate Leaman] - Very good, thank you. So tell us, what actually happened there with Equifax?
[Cal Leeming] - Yeah, they discovered a breach within their systems and their network and it was disclosed eventually, and since then there's been revelations coming out but they may not have been keeping up on top of their security as much as they have done, although I do have to say what we've seen so far coming out to the public is pretty much no different to any other large corporate. The only difference is that this one just so happens to affect millions, and millions, and millions of people around the world.
[Kate Leaman] - But this I mean, they had a log in and a password of admin and admin. Surely from a company of this size, and with this much private data, you would expect a slightly more complicated security protocol?
[Cal Leeming] - A lot of the time the most serious breaches into a corporate network and the most serious vulnerabilities are often the simplest ones, not the more advanced system threats that are sort of the new term being thrown around at the moment, the hype term being thrown around. Little things like having admin admin as your login credentials, not putting things behind VPN, not having separation of concern, not following a model of least privilege. All of these basic hygiene checklist that you should be following, typically just gets thrown out the window. And it doesn't matter if they're large corporate or a really small entity, it really comes down to what is the value of your data and your systems to an attacker, and quite often people don't realise what that value is.
[Kate Leaman] - So should Equifax be held responsible for the breach? Silly question perhaps.
[Cal Leeming] - I believe that people will need to be held responsible and that in every breach scenario, people do need to be held responsible, however, the wrong people are usually the ones held responsible. And it will be interesting to see whose head goes on the block as a result of this breach. And we've already started to see some stuff coming out in the news, but you have to ask yourself the CISO at Equifax, he or she would have, sorry, we're going to start that one again. You have to ask yourself the CISO of Equifax, they would have delegated pretty much every aspect of that work to their team members. So whose fault is it actually that these systems were left in an insecure manner? You look at the chain that would have had to have been followed for these tasks to have been done. It's as much the fault of people at the top, as it is the people actually doing the work down on the ground. So there's a chain of responsibility and cutting off the heads at the top very rarely makes an impact as to what's happening on the ground. There has to be a company wide systemic rethink of how security is approached in order to resolve those problems and firing the CISO isn't really going to make much change, unless the new person who comes in can actually say "No. This is what we're going to do, this is how we're going to do it, and you either like it, or you're out." Very few people will do that though.
[Kate Leaman] - So why should users actually be worried about the Equifax breach?
[Cal Leeming] - Just the sheer quantity of data that could have been compromised. What we're seeing at the moment is probably just the tip of the iceberg to be honest. A lot of the time these breaches are played down for obvious reasons. It's standard protocol to only disclose the absolute most that you have to. My gut feeling is there's probably a lot more that's happened and it's just another reminder that no one's data is safe. No one's personal information is safe. The moment you give that data to a third party whether it be a cloud service, whether it be your email provider, your bank, your local authority, anyone, that information is now considered no longer safe and secure. There's only one way to protect your information and that's to not tell anyone and keep your mouth shut. That's the only way.
[Kate Leaman] - So does that mean don't use online banking, don't buy tickets online, what does that mean then for consumers?
[Cal Leeming] - Practically it means that you have to have a compromise and a balance between how much security do you want, and how much productivity do you want? Using online banking, yeah there's some banks out there that I would not use in a thousand years because of the way that they believe security should be done. Mobile banking in particular, the one that comes on your cell phone is really, really bad right now and it's getting worse, that's the scary part. But then you also have to ask yourself well, okay that's just one aspect of that company's bank security. Then you have what's happening in the back office, what's happening with all the staff that have access to systems? This ties in nicely with some of the issues we're seeing at hedge funds. You take a single hedge fund an attacker could literally wipe out an entire hedge fund in about one second flat, unless there are clear isolations between different systems to stop an attack from escalating into a crisis.
[Kate Leaman] - So is there any true way to protect say a hedge fund, or banking, or credit company? Is there any true way to protect from cyber attacks, or are the cyber attackers always able to get one step ahead?
[Cal Leeming] - It's a good question. Every industry is different because the use cases are different. Hedge funds are surprisingly a little bit easier than most. There's a couple of valuable assets, but one of the most valuable assets is the funds within that fund. You have to be able to protect those and make sure that someone can't go and do bad trades. And you look at the different systems that you can set up to stop that happening, and it's actually very easy to make sure that if someone, even if it was an insider threat, even if the CTO and CEO have their family kidnapped and they were forced at gunpoint to go and type some things into the keyboard, even they couldn't go and self destruct their own company if you have these proper procedures in place. And I was quite relieved when I met Avem because I've been thinking about this for quite some time thinking "Why aren't hedge funds doing this?" And then I met Avem and it turns out they'd already implemented this model when they started and they did that because it works. But the only reason they did that, is because the owner of that fund understood security. He has a hacker's mentality, and he understands the basic principle of computers and technology and how to keep them secure. The majority of people don't have this. The skill sets as well, the people that have this kind of mindset is very limited. So trying to get those people, not only onboard full time, but people then that you trust, we're talking less than a handful in the world. It's definitely a problem.
[Kate Leaman] - Well, it's all quite chilling Cal, but thank you very much for giving us your insight into the world of cyber protection, and also the case of Equifax. Thanks for joining us.
[Cal Leeming] - Thank you.
[Kate Leaman] - And thank you, we'll see you again next time on another special edition of Avem Evolution.