FTC Guidelines and Managed Firewall Service
Last year, in the wake of the Facebook data leaks and the notorious Equifax breach, the FTC began imposing significant fines on organizations that failed to protect Personally Identifiable Information (PII). The Equifax settlement topped $575 million, as Equifax was held accountable for its actions and inaction surrounding security system maintenance and threat detection. The FTC complaint alleges that:
- Equifax didn’t check to make sure employees followed through on the patching process;
- Equifax failed to detect that a patch was needed because the company used an automated scan that wasn’t properly configured to check all the places that could be using the vulnerable software;
- Equifax failed to segment its network to limit how much sensitive data an attacker could steal;
- Equifax stored admin credentials and passwords in unprotected plain-text files;
- Equifax failed to update security certificates that had expired 10 months earlier; and
- Equifax didn’t detect intrusions on “legacy” systems like ACIS.
Even Equifax, with its vast IT and security resources, fell victim to execution failures on some very basic security practices, such as verifying that the security policy is actually being implemented. With a market cap of over $15bn, its negligence was not from lack of resources but simply lack of follow-through. In IT security, very basic mistakes in configuration, or a failure to verify, can have serious consequences that destroy a company's reputation and equity. The FTC now has over 50 data security settlements on the books, and some of the practical lessons businesses can take away from those investigations are:
“Update and patch third-party software.” Companies should treat a security warning from US-CERT with the utmost seriousness. Equifax’s 48-hour Patch Management Policy may have looked good on paper, but paper can’t patch a critical software vulnerability. Of course, you should tell your IT team to implement appropriate patches and fixes. But you also need a belt-and-suspenders system to make sure your company follows through effectively.
“Ensure proper configuration.” There’s nothing inherently wrong with using an automated vulnerability scan, but if it’s not set up to know where to look, it’s just another collection of zeros and ones. The complaint alleges that Equifax compounded the problem by not maintaining an accurate inventory of what systems ran what software – a fundamental practice that would have made it easier to find the vulnerability in the ACIS platform.
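The two lessons above come down to one check: reconcile what the inventory says is installed against the patch policy and against what the vulnerability scanner is actually configured to look at. The script below is an added example and is not code from the original page, the FTC, or Verus; the hosts, component name, versions, advisory date and scan scope are constructed sample data, and it assumes a simple dotted-integer version scheme. It reports hosts still running a version below the fix, hosts past the policy's patch window, and hosts that run the affected component but sit outside the scanner's scope, which is the case a scanner alone can never surface.

```python
"""Reconcile software inventory against patch policy and scanner scope.

Added example (not from the original page, the FTC or Verus). All hosts,
components, versions, dates and the scan scope below are constructed.
"""
from datetime import datetime, timedelta

# Constructed inventory: host -> {component: installed version}.
INVENTORY = {
    "acis-web-01":   {"webfw": "2.3.30"},
    "acis-web-02":   {"webfw": "2.5.10"},
    "portal-01":     {"webfw": "2.5.10"},
    "legacy-app-07": {"webfw": "2.3.30"},
    "db-01":         {},
}

# Constructed patch policy: first fixed version and when the advisory was
# issued. The patch window mirrors a 48-hour patch management policy.
PATCH_POLICY = {
    "webfw": {"fixed": "2.5.10", "advisory": datetime(2024, 3, 1, 9, 0)},
}
PATCH_WINDOW = timedelta(hours=48)

# Constructed scanner scope: the vulnerability scanner only checks these.
SCAN_SCOPE = {"acis-web-01", "portal-01", "db-01"}


def parse_version(v: str) -> tuple:
    """Assumes dotted integers (e.g. '2.5.10'); compare as tuples."""
    return tuple(int(p) for p in v.split("."))


def unpatched_hosts(inventory, policy):
    """(host, component, installed) for every install below the fix."""
    out = []
    for host, comps in inventory.items():
        for comp, rule in policy.items():
            installed = comps.get(comp)
            if installed and parse_version(installed) < parse_version(rule["fixed"]):
                out.append((host, comp, installed))
    return sorted(out)


def overdue_hosts(inventory, policy, now, window=PATCH_WINDOW):
    """Unpatched hosts whose advisory is older than the patch window."""
    return sorted(
        host for host, comp, _ in unpatched_hosts(inventory, policy)
        if now - policy[comp]["advisory"] > window
    )


def scan_scope_gaps(inventory, policy, scope):
    """Hosts running a policy-covered component but not in scanner scope.

    A scanner cannot flag what it is not pointed at; these hosts are blind
    spots regardless of how good the scan itself is.
    """
    return sorted(
        host for host, comps in inventory.items()
        if host not in scope and any(c in comps for c in policy)
    )


def verification_report(inventory=INVENTORY, policy=PATCH_POLICY,
                        scope=SCAN_SCOPE, now=datetime(2024, 3, 4, 9, 0)):
    """Belt-and-suspenders view: what the policy says vs. what is deployed."""
    return {
        "unpatched": unpatched_hosts(inventory, policy),
        "overdue": overdue_hosts(inventory, policy, now),
        "unscanned": scan_scope_gaps(inventory, policy, scope),
    }


if __name__ == "__main__":
    for key, rows in verification_report().items():
        print(f"{key}: {rows}")
```

In the constructed data, legacy-app-07 shows up in all three lists: it is unpatched, past the 48-hour window, and invisible to the scanner. That combination is exactly the gap the complaint describes, and no scanner configuration fixes it without an inventory to reconcile against.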
“Monitor activity on your network.” Who’s coming in and what’s going out? That’s what an effective intrusion detection tool asks when it senses unauthorized activity. An effective system of intrusion detection could have helped Equifax detect the intrusion sooner, thereby reducing the number of affected consumers.
“Segment your network.” The idea behind ships’ watertight compartments is that even if one portion of the structure sustains damage, the entire vessel won’t go under. Segmenting your network – storing sensitive data in separate secure places on your system – can have a similar mitigating effect. Even if an attacker sneaks into one part of your system, an appropriately segmented network can help prevent a data oops from turning into a full-fledged OMG.
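Segmentation only holds if the firewall rules enforce it, and a temporary “allow anything” rule left in place after troubleshooting silently undoes it. The script below is an added example and is not code from the original page, the FTC, or Verus; the zones, addresses, rule format and both rulesets are constructed, and the evaluator assumes a first-match, default-deny ruleset. It simulates representative connections from each zone toward the PII segment and flags every case where the actual decision differs from the intended policy (only the application tier, only on the database port), showing the weak ruleset beside the corrected one.

```python
"""Verify network segmentation against a firewall ruleset.

Added example (not from the original page, the FTC or Verus). Zones,
addresses and rules are constructed; the rule format is a plain dict,
not any vendor's syntax. Evaluation is first-match, default deny.
"""
import ipaddress

# Constructed zones and a representative source address in each.
ZONE_SAMPLE = {
    "internet": "203.0.113.10",
    "dmz":      "10.10.0.5",
    "app":      "10.20.0.5",
}
PII_HOST = "10.30.0.10"          # a host in the sensitive-data segment
PII_NET = "10.30.0.0/24"
PROBE_PORTS = [5432, 22, 443]

# Intended policy: only the app tier may reach the PII segment, on 5432.
def intended(zone: str, dport: int) -> bool:
    return zone == "app" and dport == 5432

# Weak ruleset: a broad troubleshooting rule was never removed.
WEAK_RULES = [
    {"action": "allow", "src": "10.20.0.0/24", "dst": PII_NET, "dport": 5432},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": None},
]

# Hardened ruleset: explicit deny into the PII segment after the one allow.
HARDENED_RULES = [
    {"action": "allow", "src": "10.20.0.0/24", "dst": PII_NET, "dport": 5432},
    {"action": "deny",  "src": "0.0.0.0/0", "dst": PII_NET, "dport": None},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.10.0.0/24", "dport": 443},
]


def matches(rule, src_ip, dst_ip, dport) -> bool:
    """True if the packet falls inside the rule's src, dst and port."""
    src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"])
    dst_ok = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst"])
    port_ok = rule["dport"] is None or rule["dport"] == dport
    return src_ok and dst_ok and port_ok


def evaluate(rules, src_ip, dst_ip, dport) -> bool:
    """First matching rule decides; no match means deny."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            return rule["action"] == "allow"
    return False


def segmentation_violations(rules):
    """(zone, port) pairs where the ruleset disagrees with the policy."""
    violations = []
    for zone, src in ZONE_SAMPLE.items():
        for port in PROBE_PORTS:
            allowed = evaluate(rules, src, PII_HOST, port)
            if allowed != intended(zone, port):
                violations.append((zone, port))
    return violations


if __name__ == "__main__":
    print("weak:", segmentation_violations(WEAK_RULES))
    print("hardened:", segmentation_violations(HARDENED_RULES))
```

Running the audit against the weak ruleset reports eight violations, including reachability of the PII segment from the internet zone on every probed port; the hardened ruleset reports none. The point is the check itself: a rule review run on a schedule, not a one-time design, is what catches the rule that was supposed to be temporary.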
In preventing any attack, a sound security policy and properly configured network firewalls are your first line of defense. Selecting the right firewall architecture and fully understanding firewall security, including system monitoring, patching, and verifying that your security policy is actually enforced, are all components of a managed firewall service. Integrating managed firewall services through a partnership with your Managed Security Service Provider (MSSP) eases the implementation and compliance burden by relying on firewall security experts. Your MSSP becomes an extension of your team, guiding policy decisions and overseeing implementation so you can avoid the small mistakes that carry serious security and even punitive consequences. At Verus we take protecting your systems and fending off cyberattacks seriously. If you store personally identifiable information on your network, we’re here to help.