By Cam Sivesind
Tue | May 30, 2023 | 9:56 AM PDT

Equifax is sharing its Security Controls Framework with anyone who wants it, a pay-it-forward for lessons learned from its 2017 data breach, in which attackers exfiltrated the personal data of roughly 147 million people from the credit reporting agency.

"We put $1.5B into our security transformation. Our Controls Framework was maybe the most important investment of it all," Jamil Farshchi, CISO at Equifax, said in a recent LinkedIn post. "Today, we're making it available to everyone. For free. And it's not just a static list of security controls. It's interactive. It's dynamic. It's tailorable."

The Controls Framework is the blueprint for how a company protects its data and infrastructure. The full, interactive website is available at the link.

According to the site, the structure has "five core capabilities—cybersecurity, privacy, fraud prevention, crisis management, and physical security. NIST CSF and NIST PF were selected as the foundation for the security controls framework because it supports a comprehensive, defense-in-depth approach to security and privacy. Its flexible, risk-based structure can also be tailored to meet a company's specific needs."

[RELATED: How the NIST Cybersecurity Framework Maps to Cyber Attacks]

In his LinkedIn post, Farshchi further explains the reason for the company making its framework public: "With this, anyone can now easily develop and utilize a controls framework—based on your own organization's unique needs. This is crucial because far too many companies—especially SMBs and mid-markets—don't have the time, effort and expertise to make one. This should help. Why are we doing this? Plain and simple: To help the security community. It's the right thing to do, and it's what's necessary in order for businesses, government, and society to become more cyber secure. After all, a rising tide lifts all boats."

In addition to explaining how to use the framework, the site walks through the five NIST CSF functions the framework is organized around, which let an organization:

  • Identify: Inventory assets and data, find risks, and determine their severity
  • Protect: Put safeguards in place (access control, patching, hardening) so assets can withstand an attack
  • Detect: Spot attacks and anomalous activity as they happen, not just vulnerabilities after the fact
  • Respond: Contain and eradicate a detected incident and communicate about it
  • Recover: Restore affected capabilities and assess what happened to help prevent future incidents

A CSO article from February 2020 broke down the 2017 Equifax breach: "... the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath."

The article includes a detailed timeline of the breach and of the response that compounded it, along with its assessment of lessons learned:

"If we wanted to make a case study of the Equifax breach, what lessons would we pull from it? These seem to be the big ones:

  • Get the basics right. No network is invulnerable. But Equifax was breached because it failed to patch a basic vulnerability, despite having procedures in place to make sure such patches were applied promptly. And huge amounts of data were exfiltrated unnoticed because someone neglected to renew a security certificate. Equifax had spent millions on security gear, but it was poorly implemented and managed.
  • Silos are defensible. Once the attackers were inside the perimeter, they were able to move from machine to machine and database to database. If they had been restricted to a single machine, the damage would've been much less.
  • Data governance is key—especially if data is your business. Equifax's databases could've been stingier in giving up their contents. For instance, users should only be given access to database content on a 'need to know basis'; giving general access to any 'trusted' users means that an attacker can seize control of those user accounts and run wild. And systems need to keep an eye out for weird behavior; the attackers executed up to 9,000 database queries very rapidly, which should've been a red flag."
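The last two lessons above, need-to-know database access and flagging a burst of thousands of queries, both reduce to checks you can run over a database audit log. The script below is an added example written for this article; it is not code from Equifax's Controls Framework, and the log format, account names (`billing_svc`, `web_app`), table names, baseline and thresholds are all constructed for illustration. It builds a sample log in which one account issues routine traffic and a second, compromised application account dumps tables in a tight loop, then reports any account that exceeds a query-rate threshold inside a trailing window and any account that reads tables outside its allowed set.

```python
"""Burst and need-to-know detection over database audit log lines.

Added example for this article, not code from Equifax's Controls
Framework. Log format, accounts, tables and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log format: "<ISO-8601 timestamp> <db_user> <client_ip> <statement>"
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

# Constructed need-to-know baseline: the tables each account legitimately reads.
BASELINE = {
    "billing_svc": {"invoices", "customers"},
    "web_app": {"customers"},
}


def make_sample_log():
    """Build constructed log lines: routine traffic, then a compromised
    web_app account pulling rows from two tables ten times a second."""
    lines = []
    t0 = datetime(2017, 5, 13, 9, 0, 0)
    for i in range(20):                               # routine: one query every 7 s
        ts = t0 + timedelta(seconds=7 * i)
        lines.append(f"{ts.isoformat()} billing_svc 10.1.2.3 "
                     f"SELECT amount FROM invoices WHERE id = {4000 + i}")
    t1 = t0 + timedelta(minutes=5)
    for i in range(300):                              # burst: 10 queries/s for 30 s
        ts = t1 + timedelta(milliseconds=100 * i)
        table = "ssn_records" if i % 2 else "customers"
        lines.append(f"{ts.isoformat()} web_app 10.1.9.77 "
                     f"SELECT * FROM {table} WHERE id > {i * 1000}")
    return lines


def parse_line(line):
    """Split one audit line into (timestamp, user, client_ip, statement)."""
    ts, user, ip, stmt = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, ip, stmt


def detect_bursts(lines, window_seconds=60, max_queries=100):
    """Flag the first time an account exceeds max_queries inside any
    trailing window of window_seconds. Returns {user: (window_start, count)}."""
    recent = defaultdict(deque)          # per-user timestamps inside the window
    alerts = {}
    for line in lines:
        ts, user, _ip, _stmt = parse_line(line)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()                  # drop timestamps that fell out of the window
        if len(q) > max_queries and user not in alerts:
            alerts[user] = (q[0], len(q))
    return alerts


def detect_out_of_baseline(lines, baseline=BASELINE):
    """Flag accounts reading tables outside their need-to-know baseline.
    Returns {user: sorted list of unexpected table names}."""
    unexpected = defaultdict(set)
    for line in lines:
        _ts, user, _ip, stmt = parse_line(line)
        for table in TABLE_RE.findall(stmt):
            if table.lower() not in baseline.get(user, set()):
                unexpected[user].add(table.lower())
    return {u: sorted(t) for u, t in unexpected.items()}


if __name__ == "__main__":
    log = make_sample_log()
    for user, (start, count) in detect_bursts(log).items():
        print(f"BURST  {user}: {count} queries in 60 s starting {start.isoformat()}")
    for user, tables in detect_out_of_baseline(log).items():
        print(f"SCOPE  {user}: read tables outside baseline: {', '.join(tables)}")
```

On the constructed log, `billing_svc` never exceeds nine queries per minute and stays inside its baseline, so it raises nothing, while `web_app` trips the rate alert on its 101st query and is also reported for touching `ssn_records`. In a real deployment the threshold and window belong in configuration, the baseline comes from observed traffic over a learning period, and the alert should carry enough context (account, source address, first unexpected table) to revoke the session before the dump completes.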

Farshchi was brought in by Equifax in February 2018 as EVP and CISO to help clean up the company's cybersecurity posture and damaged reputation. He came over from The Home Depot, also based in Atlanta, where he had served as CISO for nearly three years.

[RELATED: Equifax Has a Brand New CISO]

Equifax is making the framework available on GitHub so that users and interested parties can provide feedback and ask questions.

In a July 2018 interview with Cyberscoop, Farshchi explained his approach to not only rehabilitate Equifax but have the company be seen as a cybersecurity leader.

"My philosophy has always been about fundamentals. There's a lot of folks who look for the 'silver bullet' or gravitate toward emerging technologies. But I've seen it time and time again that the way to truly differentiate, the way to truly manage risk is to really focus on those fundamentals. These processes, the controls, they are things that aren't particularly sexy: Having a very stringent process for patch management. Having a very well-oiled machine, so that you can first identify whatever a vulnerability is on a continuous basis, figuring out what application that ties to, and where it ties to our infrastructure."

RELATED:
Day-by-Day Timeline of Equifax Breach from Former CEO
The 5 Warnings that Equifax Missed or Ignored
