What Happened to Information Security Best Practices at Equifax?

Security wasn’t the problem at Equifax; the problem was unfettered access. Equifax, which announced a breach of records from 143 million people on September 7, had experienced numerous breaches, on a smaller scale, over the past 5 years.

In our view, Equifax disregarded the warnings signs of the smaller breaches. The company may have believed it was taking security seriously, but it avoided best practices in information security that are tied to smart information management.

Remember: It’s not if, but when. To understand the lessons of this Top 4 data breach, according to CSO, you have to look beyond “security.” We at Doculabs believe that Equifax failed because it created a data pool that was too large. Once the credit-rating company was breached, too much information became available.

A bank doesn’t have all its money in a single vault. Banks have lines of defense and processes that limit the amount of money a teller (or a robber) has access to.

The hackers who gained access to Equifax’s systems, it seems, had limitless amounts of data that they could steal. The information compromised affects nearly half the U.S. population!

The InfoSec Smoking Gun at Equifax

Given my background in data reduction and sensitive information identification, I saw a much larger failure than Equifax’ outdated systems and security technology. Equifax’s inability to identify, secure, and isolate risky data inside its firewalls is the true smoking gun here.

What can an organization do to protect information from being exposed during a breach? You need to understand much more about the information in repositories across the entire enterprise. You need to be sure that only the right people have access to the data they need. And you need to get rid of or isolate all data that has no business value.

We don’t know exactly what happened at Equifax, but given our experience, Doculabs assumes that one or a combination of these four conditions made the breach much worse:

Unnecessary Risk: It’s likely that a large volume of the data taken could have been considered redundant, obsolete or trivial, or ROT. Much of the information likely was old and well past its retention period. ROT serves no value to the business, and probably hadn’t done so at Equifax for years. For Doculabs’ clients, this is low-hanging fruit. The very existence of ROT in an organization’s repositories creates unnecessary risk.

Duplication: (Otherwise known as: “You can say that again,” “Ditto”, or “Same but different”). Organizations build vast, and often wasteful, repositories of content and storage when they retain too many duplicates. A typical scenario: corporate files saved to personal drives.

Some companies use one of the many free tools to help them identify duplicates. That’s not enough. Too many duplicates are indicative of broken processes. Only when a company provides better search, single-source documents, and stricter retention periods for files outside of designated repositories, does it even make sense to use such tools.

Poor Labeling. The problem with not having data under control is that you don’t know what’s where and who should have access to what. It’s important to have a data map to understand the contents of your data lake. A good data map helps tackle two key security problems: clustering data by security profile, and ensuring that the right people have access to documents.

If you have a basic security profile hierarchy of three to four levels, you get—maybe—90 percent of the way there. Many organizations tag information as low, medium or high risk. That’s OK, but instead we recommend using different data characterizations: Public, Private (or Internal), and Intellectual Property (IP, or “secret sauce”). These labels can be better accepted and understood.

The Threat from Within: Information security is as much about paying attention to behavior within the corporation as it is to building walls around the information. There are solid behavior analytics tools out there, but if your organization hasn’t addressed ROT and duplication, and assigned meaningful labels, it’s difficult to see the danger within the chaos.

Doculabs helps organizations identify the right behaviors and processes, providing a foundation where a company can use tools to identify when Person A is clicking somewhere he or she shouldn’t be, or when Person B is downloading thousands of documents above a normal daily average.

Granted, we haven’t conducted the forensics on what happened at Equifax. But given the large volume of data compromised, the very delayed public announcement, and what was likely a plethora of outdated programs and infrastructure, it’s likely that three or four of these all-too-common problems—ROT, duplication, poor labeling, and insufficient internal controls—were present at Equifax.

You can’t stop a breach even if you address all four of these risk areas. But working on these areas does limit or diminish the impact to your customers—and to your reputation.

For more on Doculabs’ services in information security, click here. We’ll be happy to discuss InfoSec best practices you can put in place in your own organization.





Rich Medina
Brian Johnson
I’m Doculabs' Midwest Area Sales Manager.