The Equifax Data Breach, PCI, and You

How adhering to PCI-DSS principles could have prevented a data breach

The series of breaches recently publicly disclosed by Equifax could have been prevented by following PCI DSS guidelines.  PCI DSS is an internationally accepted standard of controls which, when applied at the most basic levels, can reduce the risk of a breach and guide ongoing risk mitigation.

In addition to millions of PII records stolen, a reported 200,000 credit card numbers were also compromised during the breach.  The information system(s) where those credit cards were being stored would generally be considered to be in-scope for PCI DSS and part of a Cardholder Data Environment (CDE).  All systems within a CDE should managed and maintained in a compliant manner to mitigate the exact risks that were exploited.

Equifax confirmed in a statement on their website, www.equifaxsecurity2017.com, that a vulnerability in the Apache Struts software, used by the compromised web server, was exploited.  The specific vulnerability is covered in CVE-2017-5638 and has an associated Common Vulnerability Scoring System (CVSS) risk rating of 10.0, which is the highest level of risk that can be associated with a vulnerability.

In a separate breach impacting an Equifax website in Argentina was also disclosed this week.  In that breach a group of security researchers determined that the administrative credentials used by Equifax to secure the compromised website were default credentials.  The username ‘admin’ and the password ‘admin’ were found to allow administrative access.

Below is an overview of what PCI DSS requirements could have prevented both disclosed breaches:

• Requirement 2.2 – mandates that all system components should be hardened using accepted system hardening standards. In the Argentina Equifax breach the default admin credentials were still active and used to compromise the web site. This would not be possible under any industry accepted system hardening standard.
• Requirement 3.4 – mandates that Primary Account Numbers (PAN) must be rendered unreadable anywhere it is stored.  Limited details are publicly known on how the compromised credit card numbers were stored, but in theory the proper application of encryption would have protected stored PAN from compromise.
• Requirement 6.2 – mandates that all system components and software should have critical security patches installed within one month of release.  Following this requirement would have ensured the patch was applied by about April 6^th, 2017.  Equifax has stated the attackers began the compromise in May 2017.  The CVSS score associated with this breach was 10.0, which is considered a critical flaw.
• Requirement 6.6 – mandates that a Web Application Firewall (WAF) can be used to detect and prevent threats to public facing web applications.  A WAF solution also typically uses definitions to detect/prevent newly disclosed flaws.  If a WAF was used and configured to send alerts as required elsewhere in PCI DSS, the attack could have been prevented or at least identified within a day of the definition update.  Companies can also use other code review techniques to meet this requirement.
• Requirement 10.6.1 – mandates that all security events should be reviewed at least daily.  If an IDS detected the exploitation of CVE-2017-5638 an alert should have been generated and reviewed within 24 hours of the initial breach.
• Requirement 11.4 – mandates the usage of intrusion prevention or detection capabilities at the perimeter of the CDE.  IDS/IPS should be configured by manufacturer recommendations.  Almost all IDS/IPS solutions receive updates to detect or block new threats.  An IDS/IPS configured with updates should have been able to detect or prevent the attack.  The patch was released for CVE-2017-5638 on March 6^th, 2017 and IDS/IPS definition updates should have contained a signature for this flaw very soon after this date.

CompliancePoint has not formed any opinion on the applicability or scope of PCI DSS to the specific information system(s) breached. We do believe that following the PCI DSS controls highlighted in this blog would have mitigated the risks that were exploited in these two Equifax breaches.

CompliancePoint has not formed any opinion on the applicability or scope of PCI DSS to the specific information system(s) breached. We do believe that following the PCI DSS controls highlighted in this blog would have mitigated the risks that were exploited in these two Equifax breaches.