Introduction
Equifax Inc. is an international consumer credit reporting agency that collects and analyses information on more than 800 million consumers and more than 88 million businesses worldwide. Naughton (2017) claims that Equifax was hacked between May and July 2017 through a security flaw in the Apache Struts software the company used to build its web-based applications, leading to a data breach. A data breach is an incident in which sensitive, protected or confidential data has potentially been accessed by third parties or other unauthorised persons. Grama (2015) further defines a security breach, in line with California law, as unauthorised access to computerised data that compromises the security, confidentiality or integrity of personal data held by an individual. The flaw gave the hackers an easy way into the system and, from there, full control over its sensitive sites. However, Naughton (2017) also reports that on 6 March 2017 security patches had been built and made available as a security update to every company using Struts, which shows that Equifax’s IT department had the tools it needed to fix the flaw before the breach occurred. For reasons that remain unclear, the flaw was not fixed.
The information unlawfully accessed by the hackers included, but was not limited to, customers’ names, Social Security numbers, dates of birth, home addresses and, for a portion of the records, driver’s licence numbers, affecting 143 million American clients. The breach also exposed credit card details for several American customers and for a group of clients in the United Kingdom. This shows the scale of the compromise of customers’ personal data in the company’s database and the easy opportunity it gave hackers for identity theft. To win back public trust, Equifax should implement tight security measures and periodic security checks for accurate system monitoring. This can be achieved by implementing the recommendations discussed in this essay and by educating the company on the need to improve the security of its systems and protect confidential company data. That education should also cover the need for customers to check their credit report every year and to monitor their bank and credit card statements. Equifax should further take an inventory of its Internet subscriptions and make checking customers’ accounts a routine.
Discussion
Every management level within Equifax, whether at proprietor or user level, relies on computer networks for data access. As an international consumer credit reporting agency, Equifax lets authorised system users log into its website and access consumer credit information according to their clearance level. This degree of interaction across a network increases the exposure of computer systems to information breaches and network security attacks, because any unencrypted information sent over Transmission Control Protocol/Internet Protocol (TCP/IP) can be intercepted by unintended third parties (hackers) through sniffing. The following network and information security tools and protocols, among others, could help address the breach at Equifax.
Firstly, Equifax should implement an Intrusion Detection System (IDS) such as Snort to detect and help prevent hacker attacks and other malicious access to the company’s computer systems. Bomey et al. (2017) describe intrusion as hackers gaining unauthorised access to Equifax data stored in a database or relayed between two peers. The information security challenge grows as most people in the company access its data from existing databases that lack intrusion detection. Gressin (2017) reveals the scale of the attack: hackers stole personal information of customers along with credit card numbers for approximately 209,000 individuals, and dispute documents bearing personal identifying information for nearly 182,000 individuals, affecting both Canadians and residents of the United Kingdom. Cyber security risk is therefore a growing concern for companies and businesses, the credit reporting agency included, as new developments in computer systems such as cloud computing, social media and big data management systems arise. Jabez and Muthukumar (2015) describe an IDS as a software application or device that monitors a system or network events for policy violations or malicious activity and automatically generates reports for the existing management system. Such a system analyses activity within a computer system and its networks, which would help Equifax detect intrusions or any unauthorised access by third parties. These intrusions aim to undermine the integrity and confidentiality of the company’s data, and in the event of a denial of service attack they typically make the system inaccessible to its legitimate administrators.
Hackers who use denial of service attacks to intrude on computer systems turn the machines into ‘zombies’, leaving system administrators with few options for recovering from the attack. Intruders can also use external networks or the Internet as conduits to the target system, take on administrative privileges they are not entitled to, and finally misuse and abuse the privileges assigned to authorised system users.
Moreover, intrusion can be countered by encryption, a defence against connection hijacking and domain name service spoofing attacks. Alqahtani and Iftikhar (2013) state that encryption secures the traffic between two hosts: an attacker can still see the traffic but cannot read the contents of the packets being transmitted. As a defence against IP spoofing, encryption can be applied through an encrypted session on the router. When router encryption sessions are enabled, communication between trusted hosts and the local hosts is secured, denying hackers the opportunity to read or spoof the data packets. In short, enabled router encryption sessions allow secure communication between trusted hosts on the external network and the local hosts.
Secondly, Equifax should build strong firewall protection to shield the application software running on the company’s computer systems from hackers. Firewalls control the traffic that crosses different network interfaces by filtering it according to criteria set by the network administrator. According to Zhou (2017), firewall technology controls the flow of external network data into the internal network, provides audit control over external data sources and safeguards the internal data structure. In practice, a firewall sits between a private network and the Internet to prevent attacks. The firewall is one of the most important utilities for shielding computer networks from external attacks and forms the first line of defence for computer systems and their users (Malpani, 2010). Firewalls normally define two zones, trusted and untrusted, which distinguish users inside the private network from those attempting to reach it from outside. Filtering then comes down to two outcomes, allowing or denying network traffic, according to the access rules defined for the network. Hackers use different exploits to get past a firewall, such as phishing through malicious emails, cracking weak passwords, or exploiting other attack vectors based on vulnerabilities in the web-based applications in use.
Furthermore, strong firewall protection should safeguard the network from the vulnerabilities cited above, both external attacks arriving through the Internet and internal attacks from within the network. It should also grant users access according to their privilege level within the system and stop unauthorised users from reaching system resources. Equifax should therefore consider anti-phishing solutions such as a Web Application Firewall (WAF) to prevent data breaches. According to Malpani (2010), most WAF products on the market can be consumed as a cloud-based service, and they are effective at detecting and preventing data interception. When hackers try to gain unauthorised access to the company’s database, the WAF detects the attempt and denies access by blocking it.
Thirdly, the company should subscribe to an active cyber insurance cover. Camillo (2017) maintains that one of the best ways for companies like Equifax to protect themselves and their customers’ information against data breaches or cyber-attacks is to hold cyber security insurance. Much like medical insurance in healthcare, adopting cyber insurance would give Equifax’s customers indemnity for data security incidents. Company owners must be made aware of cyber security insurance, since data breaches and cyber-attacks on computer systems are not covered by a general liability policy (Pant, Deep, Bansal, Nagar and Das, 2016). Equifax should therefore acquire cover for cyber claims arising from an attack, which would help restore customers’ trust and build confidence in the business. Under their policies, cyber security insurers cover both first and third parties in the event of a hacking attack and data breach: the first party is the company under attack, Equifax, while third parties can include regulatory agencies, customers and government, among others.
The cyber insurance market has now matured considerably and become specialised and innovative. According to Camillo (2017), reinsurance support (insurance for insurance companies) is projected to increase as the data and tools supporting the market’s development improve. Companies pursuing cyber insurance, like Equifax in this situation, will be able to access higher limits and broader cover, because insurers can transfer some of their risk to reinsurance corporations and, to a considerable extent, to the capital markets through instruments such as catastrophe bonds. Over time, legislation is likely to keep pushing towards mandatory cyber insurance cover, especially around data and privacy, for Equifax and other organisations managing big data. Zhang, Zhu and Hayel (2017) add that cyber insurance is a valuable way to further reduce the risk and loss from cyber data breaches alongside the deployment of technical cyber defences such as the intrusion detection systems and firewalls discussed above.
Additionally, an effective cyber insurance policy will help reduce the frequency of successful data breaches if Equifax uses it to incentivise preventative measures and best practice among its computer system users. Governments, state corporations and shareholders bear the financial cost of major cyber attacks where traditional or alternative methods of spreading risk do not apply. Weed (2017) discusses federal efforts to unite the public and private domestic sectors in protecting the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that support critical national infrastructure in the United States from cyber breaches. Federal insurance cover also supports policy recommendations for harmonising foreign and domestic cybersecurity efforts and achieving a robust, protected infrastructure. Nevertheless, stakeholders and regulatory authorities can be expected to mandate comprehensive cyber insurance in order to narrow the gap between economic damages and insured cyber losses.
Fourthly, Equifax should implement biometric identification systems to authenticate authorised users accessing the company’s credit database. A biometric identification system authenticates a user on the basis of physical or behavioural characteristics, such as fingerprint scanning, voice recognition, and retina or iris recognition. According to Siddiqui (2015), biometric security solutions validate an individual’s physical features, such as fingerprints, eyes and hands, to identify and verify the person and the queries they make within the system, with fingerprint readers and retina scanners controlling access clearance. Combined with Equifax’s existing systems and technology, biometrics can yield a well-secured system in which customers’ security concerns can be addressed. This level of security clearance is intended to prevent identity theft and financial loss from hacking. Siddiqui (2015) adds that biometric technology is one of the most effective approaches to identity verification in modern computer systems: the system compares a person’s physical characteristics with those recorded in its database to authenticate the user’s identity.
With the growth of online hacking, identity theft, spamming and fraud, e-commerce companies and any company running a live website face serious security concerns. United States (2012) highlights the benefits of biometric identification: it ends the problem of stolen or forgotten passwords, gives automatic positive identification of users without additional procedures, and offers improved security. The technology also makes forgery very difficult for intruders (hackers) and supports non-transferable accounts. The safety of an online consumer credit reporting agency matters not only so the organisation can run its business efficiently, but even more so that customers have a secure place for their personal and financial records.
To offer a secure platform for consumer credit reporting, Equifax has to use several authentication approaches, of which biometric authentication is regarded as the most effective. Unlike conventional methods, biometrics does not require keeping a password, hiding it from third parties or remembering access codes, because users authenticate by a physical characteristic. Online business is a growing industry in which every proprietor’s main concern is to give users the maximum comfort and clients adequate security. In Equifax’s case, biometric authentication would let clients keep hold of their identity instead of memorising passwords, access codes or secret questions for account recovery. Fingerprint authentication is impossible to forge, unlike conventional password methods that expose codes to third parties in the vicinity. Biometric identification has moved well beyond its specialist niche and reached the consumer mainstream, and it is expected to become commonplace in daily use as the technology gets cheaper.
Lastly, Equifax should implement a three-factor authentication protocol that combines password and biometric login procedures for stronger security controls. Modern advances in computing, together with the Internet of Things, have changed human lives enormously. Basic computer use and web services now require logins for email, social networking, secure online banking and much more. Three-factor authentication improves on password and biometric authentication by merging the two (Vaithyasubramanian, Christy and Saravanan, 2016). Users are first authenticated by username and password, which then triggers biometric authentication. After the customer provides their username, three methods are available according to their preference and needs. The first is a conventional method that is easy to use and manage. The second is a picture-based approach that is similarly easy to use and secure, although it requires specific system design. The third and last is biometric authentication, which prompts for biometrics such as fingerprints, eye recognition or palm print for access to the system.
In addition, the company’s management should consider engaging system redesigners and biometric authentication service providers to build the technology into access to its systems. Reveron (2012) discusses various strategies for improving and defending national interests in cyberspace. Following the data breach, heightened security levels need to be implemented, and sufficient time should be spent on such a redesign. The three-factor authentication protocol gives customers adaptable and consistent authentication at a high level. It is easy to use and requires additional access codes for further security, which would help Equifax restore the trustworthiness, convenience and security of the customer data protected by this method of access. The protocol could considerably reduce the incidence of widespread online fraud and other hacking, since hackers who have phished customers’ passwords would still need the additional biometric identification to access their personal data.
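As an added illustration (not code from the essay, from Equifax, or from the cited authors), the following Python sketches the three-step login described above: a salted password check, a picture-sequence second factor, and a threshold-matched template standing in for an iris scan. The user record, the 256-bit “iris code”, the picture sequence and the distance threshold are all constructed assumptions; the scenarios show why a phished password alone stops at the second factor.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# All parameters below are this example's own assumptions, not values from the essay.
PBKDF2_ITERATIONS = 100_000
IRIS_BYTES = 32            # a constructed 256-bit "iris code"
MAX_IRIS_DISTANCE = 25     # accept a live capture if at most about 10% of bits differ

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a stolen credential store does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

@dataclass(frozen=True)
class EnrolledUser:
    username: str
    salt: bytes
    password_hash: bytes
    picture_sequence: bytes   # indices of the pictures chosen at enrolment (second factor)
    iris_template: bytes      # constructed bit string standing in for an iris scan (third factor)

def enrol(username: str, password: str, picture_sequence, iris_template: bytes) -> EnrolledUser:
    salt = os.urandom(16)
    return EnrolledUser(username, salt, hash_password(password, salt),
                        bytes(picture_sequence), iris_template)

def check_password(user: EnrolledUser, password: str) -> bool:
    # compare_digest does not leak the position of the first mismatching byte through timing
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)

def check_pictures(user: EnrolledUser, chosen) -> bool:
    return hmac.compare_digest(user.picture_sequence, bytes(chosen))

def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def check_biometric(user: EnrolledUser, live_template: bytes) -> bool:
    # Two captures of the same eye are never bit-identical, so the biometric factor is a
    # threshold decision on distance rather than the exact comparison used for the password.
    if len(live_template) != len(user.iris_template):
        return False
    return hamming_distance(user.iris_template, live_template) <= MAX_IRIS_DISTANCE

def authenticate(user: EnrolledUser, password: str, chosen_pictures, live_template: bytes):
    """Run the three factors in order and stop at the first failure.
    Returns (granted, names of the factors that passed)."""
    factors = (
        ("password", lambda: check_password(user, password)),
        ("picture", lambda: check_pictures(user, chosen_pictures)),
        ("biometric", lambda: check_biometric(user, live_template)),
    )
    passed = []
    for name, check in factors:
        if not check():
            return False, passed
        passed.append(name)
    return True, passed

# Constructed sample data so the example runs offline.
ENROLLED_IRIS = bytes([0b10110010] * IRIS_BYTES)
LIVE_IRIS = bytes(b ^ (0x01 if i == 0 else 0x18 if i == 5 else 0)
                  for i, b in enumerate(ENROLLED_IRIS))       # same eye, 3 bits differ
IMPOSTOR_IRIS = bytes(b ^ 0xFF for b in ENROLLED_IRIS)         # different eye, every bit differs
USER = enrol("alice", "correct horse battery staple", [3, 7, 1], ENROLLED_IRIS)

def scenarios():
    """A legitimate login beside two attempts by someone holding only a phished password."""
    pw = "correct horse battery staple"
    return {
        "legitimate": authenticate(USER, pw, [3, 7, 1], LIVE_IRIS),
        "phished_password_only": authenticate(USER, pw, [3, 7, 2], IMPOSTOR_IRIS),
        "phished_password_and_pictures": authenticate(USER, pw, [3, 7, 1], IMPOSTOR_IRIS),
    }
```

Stopping at the first failed factor also means a caller never learns whether the later factors would have matched, so the biometric template cannot be probed with a stolen password.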
Conclusion
Most modern companies have often taken liberties with time when informing their clients of a hacking attack. This tactic is aimed at helping the companies escape the consequences of breaches, at the expense of customers’ risk. Such circumstances show exactly how some organisations prioritise their bottom line over clients’ financial safety and privacy, particularly where industry-wide security standards are not followed or are simply absent, as more private data becomes digitally accessible to third parties. Serious compromises such as the Equifax disaster reveal the degree to which most companies control people’s personal information, material meant to be kept private and secure. Despite the digital world’s control over how people work, play and live, customers should be told that their data exists in cloud storage, along with the risks this carries. Where companies lack the motivation and good faith to put their customers first, government regulators should step in and provide oversight to keep them on the right track.
Meanwhile, several protocols can be implemented to minimise cyber attacks and data breaches. An intrusion detection system monitors the system or network events for policy violations or malicious activity and automatically generates reports for the existing management system. Firewall protection is another important fence Equifax can use to shield its networks from external attacks, forming the first line of defence for computer systems and their users. The recommendations discussed in this paper will help Equifax’s IT department respond swiftly to data breach activity and the loss of customer and employee personal information to hackers. Equifax’s stakeholders and regulatory authorities can be expected to mandate comprehensive cyber insurance cover to narrow the gap between economic damages and insured cyber losses. The three-factor authentication protocol would considerably help Equifax reduce widespread online fraud and other hacking by requiring additional biometric identification for access to personal data.
- Alqahtani, A. H. & Iftikhar, M. (2013). TCP/IP attacks, defences and security tools. International Journal of Science and Modern Engineering (IJISME), 1(10), 42-47.
- Bomey, N. et al. (2017, September 15). Equifax data breach: what you need to know about hacking crisis. USA Today. Retrieved November 2, 2017 from https://www.usatoday.com/story/money/2017/09/15/equifax-data-breach-what-you-need-know-hacking-crisis/670166001/
- Camillo, M. (2017). Cyber risk and the changing role of insurance. Journal of Cyber Policy, 2(2017). http://dx.doi.org/10.1080/23738871.2017.1296878
- Grama, J. L. (2015). Legal issues in information security, second edition. Burlington, MA: Jones & Bartlett Learning.
- Gressin, S. (2017, September 8). The Equifax data breach: what to do. Retrieved November 1, 2017 from https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
- Pant, M., Deep, K., Bansal, J. C., Nagar, A. K., & Das, K. N. (Eds.). (2016). Proceedings of the fifth International Conference on Soft Computing for Problem Solving: SocProS 2015.
- Jabez, J., & Muthukumar, B. (2015). Intrusion detection system (IDS): anomaly detection using outlier detection approach. Procedia Computer Science, 48(2015), 338-346. https://doi.org/10.1016/j.procs.2015.04.191
- Malpani, K. (2010). Usage of firewall technology in web application security. International Journal of Advanced Research in Computer Science, 1(4), 330-332.
- Naughton, J. (2017, September 17). It’s one rule for big data, another for its 143 million victims. The Guardian. Retrieved from https://www.theguardian.com/commentisfree/2017/sep/17/equifax-data-breach-one-rule-for-credit-agency-another-for-143-million-victims
- Reveron, D. S. (2012). Cyberspace and national security: Threats, opportunities, and power in a virtual world. Washington, DC: Georgetown University Press.
- Siddiqui, A. T. (2015). Biometric authentications to control ATM theft. Asian Journal of Technology & Management research, 5(1), 20-25.
- United States. (2012). Cybersecurity and data protection in the financial sector: Hearing before the Committee on Banking, Housing, and Urban Affairs, United States Senate, One Hundred Twelfth Congress, first session, on examining cybersecurity and data protection in the financial sector, June 21, 2011. Washington: U.S. G.P.O.
- Vaithyasubramanian, S., Christy, A., & Saravanan, D. (2016). Access to network login by three-factor authentication for effective information security. Scientific World Journal, 2016(2016). doi: 10.1155/2016/6105053
- Weed, S. A. (2017). US policy response to cyber attack on SCADA systems supporting critical national infrastructure. Air University (U.S.).
- Zhang, R., Zhu, Q. & Hayel, Y. (2017). A bi-level game approach to attack-aware cyber insurance of computer networks. IEEE Journal on Selected Areas in Communications, 35(3), 779-794.
- Zhou, J. (2017). Discussion on the technology and method of computer network security management. Materials Science and Engineering, 242(2017). doi:10.1088/1757-899X/242/1/012089