FTC Guidelines and Managed Firewall Service

Posted April 21, 2020

Last year, in the wake of the Facebook data leaks and the notorious Equifax breach, the FTC began imposing significant fines on organizations that failed to protect Personally Identifiable Information (PII). The Equifax settlement topped $575mm as Equifax was held accountable for their actions and inaction surrounding security system maintenance and threat detection. The FTC complaint includes:

Equifax didn’t check to make sure employees followed through on the patching process;
Equifax failed to detect that a patch was needed because the company used an automated scan that wasn’t properly configured to check all the places that could be using the vulnerable software;
Equifax failed to segment its network to limit how much sensitive data an attacker could steal;
Equifax stored admin credentials and passwords in unprotected plain-text files;
Equifax failed to update security certificates that had expired 10 months earlier; and
Equifax didn’t detect intrusions on “legacy” systems like ACIS.

Even Equifax with its vast IT and security resources fell victim to execution failure on some very basic security protocols such as verifying the security policy is actually being implemented. With a market cap of over $15bn, their negligence wasn’t from lack of resources but simply lack of follow-through. In the IT security realm, very basic mistakes in configuration or failure to verify can have serious consequences destroying a company’s reputation and equity. The FTC now has over 50 data security settlements on the books and some of the practical lessons businesses can take away from those investigations are:

“Update and patch third-party software.” Companies should treat a security warning from US-CERT with the utmost seriousness. Equifax’s 48-hour Patch Management Policy may have looked good on paper, but paper can’t patch a critical software vulnerability. Of course, you should tell your IT team to implement appropriate patches and fixes. But you also need a belt-and-suspenders system to make sure your company follows through effectively.

“Ensure proper configuration.” There’s nothing inherently wrong with using an automated vulnerability scan, but if it’s not set up to know where to look, it’s just another collection of zeros and ones. The complaint alleges that Equifax compounded the problem by not maintaining an accurate inventory of what systems ran what software – a fundamental practice that would have made it easier to find the vulnerability in the ACIS platform.

“Monitor activity on your network.” Who’s coming in and what’s going out? That’s what an effective intrusion detection tool asks when it senses unauthorized activity. An effective system of intrusion detection could have helped Equifax detect the vulnerability sooner, thereby reducing the number of affected consumers.

“Segment your network.” The idea behind ships’ watertight compartments is that even if one portion of the structure sustains damage, the entire vessel won’t go under. Segmenting your network – storing sensitive data in separate secure places on your system – can have a similar mitigating effect. Even if an attacker sneaks into one part of your system, an appropriately segmented network can help prevent a data oops from turning into a full-fledged OMG.

In preventing any attack, a sound security policy and properly configured network firewalls are your first line of defense. Selecting the right firewall architecture and fully understanding firewall security — including system monitoring, patching and verifying your security policy are all components of a managed firewall service. Integrating managed firewall services through a partnership with your Managed Security Service Provider (MSSP) eases the implementation and compliance burden by relying on firewall security experts. Your MSSP becomes an extension of your team guiding policy decisions and overseeing implementation so you can avoid the little mistakes that have serious security and even punitive consequences. At Verus we take protecting your systems and fending off cyberattacks seriously. If you store personally identifiable information on your network we’re here to help.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.