Equifax has now joined the growing list of mass credentials breaches that erode the trust we instinctively place in the service providers we rely on to access our connected world. Desktop, mobile and internet of things (IoT) systems are a growing part of our life, and we must be 100 percent confident that the convenience they deliver is secure.
The cost of how to balance security and usability always drives how enterprises manage identity, and the way they store customer data. Marketing intelligence may improve a service, but relying on centralized databases remains an Achilles' heel whose mark seems to get hit too often.
Using a centralized authentication model, a user logs in with a PIN, password or biometric template that is matched against a library of all users' information. This is the most common way enterprises manage identity. The biggest risk is that having to store all that personalized data means it has to be secured. Any central server containing such a large repository of information naturally becomes a target for hackers.
Making the shift from a centralized approach
Decentralized authentication inverts the process and provides a vastly more secure option for both the enterprise and the user. Instead, information is matched against an encrypted template locally stored on a user's device. That sensitive personal information is never transferred or stored. Instead the enterprise service provider only receives a "token" consisting of a random numeric string that assures the user is who they say they are. The enterprise, in turn, bears less risk of holding sensitive information.
Decentralized authentication places the power to manage one's identity back in the hands of those to whom it belongs, its owners. It also greatly modernizes the enterprise landscape and disrupts the hacker business model of exploiting large payloads of credentials to sell on the dark web. Forcing a hacker to go from device, to device, to device in the hopes of obtaining one user's credentials is a completely un-scalable economic model.
Moving to the decentralized model will greatly reduce the potential of a mass credentials breach like Equifax, Yahoo, Home Depot and the U.S. Office of Personnel. While not every solution is guaranteed, a fundamental shift in the authentication model can truly keep valuable information like personal credentials from walking out the door.
Why Equifax was unprepared for a breach
As for further details on Equifax, it looks like the attack was most likely due to an unpatched version of the open-source Struts web application framework, which enterprises use for creating web applications. A vulnerability was identified in this framework several years ago and fixed, but it doesn't look like Equifax applied that fix to its web application. Enterprises must do better to ensure their security practices include simple, but regular maintenance and timely updates of third-party libraries. Additional layers of security should also be deployed for web applications where proper separation of concerns is implemented. Subsets of critical data should only be made available to any particular web application service.
Furthermore, continuous monitoring needs to be the norm for security critical systems where remediation actions are automated. The attempt to suddenly export millions of data records should have been flagged and acted upon automatically to prevent such an attack, regardless of the fact that Equifax was using an un-patched version of the Struts framework. The Equifax hackers exported millions of user records in a very short period of time. Accessing such a large number of records is probably not a very uncommon event within that application. Therefore, it should have been flagged and automatically prevented by the firm's security tools (if it had them).
Proactive security solutions means rethinking the whole vulnerability model. A proper solution combines the most innovative, if unconventional, ways of approaching how services are provided, and the automation that comes from monitoring them. If enterprises like Equifax don't want to lose data that they don't have to hold, they need to work to ensure they no longer hold it. There's a better way to secure our connected world than having to hold information whose loss might harm the economy, individuals and our trust in the technology landscape we all love. It's a trend one would rather see, than hear about another mass credentials breach.