Follow-up Advice from the Equifax Hack


Following up on my previous post about the giant Equifax hack, I wanted to share some additional recommendations from my friends at KnowBe4.


“Cyber criminals have stolen 143 million credit records in the recent hacking scandal at big-three credit bureau Equifax. At this point you have to assume that the bad guys have highly personal information that they can use to trick you. You need to watch out for the following things:

  • Phishing emails that claim to be from Equifax where you can check if your data was compromised.
  • Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information.
  • Calls from scammers that claim they are from your bank or credit union.
  • Fraudulent charges on any credit card because your identity was stolen.

Here are 5 things you can do to prevent identity theft:

  • First sign up for credit monitoring (there are many companies providing that service including Equifax but we cannot recommend that).
  • Check your bank and credit card statements for any unauthorized activity.
  • If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself: www.idtheftcenter.org. You can also call the center’s toll-free number (888-400-5530) for advice on how to resolve identity-theft issues. All of the center’s services are free.

And as always, Think Before You Click!”

Some additional things to keep in mind: it’s still very early in the process of assessing the impact of this hack. I’ll post more updates as I learn more.

For now, the above advice is good to consider. This hack is unique because a credit bureau tracks just about every piece of information needed to compromise your credit and your identity. You don’t have to be an actual customer of Equifax for them to have this data on your personal identity. We have to assume that your personal information is now in the hackers’ hands and likely for sale on the Dark Web to those looking to steal identities.

It appears that Equifax was hacked due to a web-app vulnerability. This is why it is critically important that your business scan for these types of vulnerabilities. It’s not just about penetration testing and vulnerability scans. Yes, they are important, but so are scans against any web-facing systems you have that allow access to confidential information. These web apps need to be regularly scanned to be sure that they, and most importantly the information behind them, are safe.

If your business does not have a proactive cybersecurity scanning program in place, this should be a glaring warning that you need one. If a company as large and technically savvy as Equifax can be hacked, so can your business.

2 thoughts on “Follow-up Advice from the Equifax Hack”

  1. Mike Beuster

    Mr. M. J. Shoer, President and Virtual Chief Technology Officer at Jenaly Technology Group, Inc.

    Mr. Shoer:

    Thank you for the FOLLOW ON ADVICE FROM THE EQUIFAX HACK:

    We wish the US Government was equally as up to date

    We want to know what ‘Deep Panda’ and China’s main military intelligence service that has been linked to cyber attacks, the Third Department of the General Staff, or 3PLA, which conducts cyber warfare, have done with my March 1997 SF86, Nov 2001 SF86, Sep 2006 SF86 Security Clearance Background information in their OPM Hack, along with 22+ million other Americans’ private information. http://freebeacon.com/national-security/fbi-alert-reveals-groups-behind-opm-hack/
    Ex- President Obama, Attorney General Loretta E. Lynch and Department of Homeland Security Secretary Jeh Johnson, together with Chinese State Councilor and Minister of the Ministry of Public Security Guo Shengkun have tried to cover it up.
    Dan Tentler, founder of cybersecurity firm Phobos Group argued that the government’s obsession with compliance to appease lawmakers and auditors alike is lazy, and doesn’t fundamentally make their systems any more secure. His security firm, which has a business interest in penetration testing and red-teaming, preaches that best practices and security compliance tend to be bare-minimum efforts, and should not dictate how security operates.
    “The reason [the attack on] OPM happened is because people didn’t care about security. People did the barest minimum. And even when people aren’t qualified, they refuse to let qualified people in, and they don’t want to admit they have problems,” he said.
    Other government departments, he said, are heading in the same direction.
    “The Pentagon has created a circumstance where the good guys can’t find the problems because we’re not allowed to scan, or go out of scope, or find things on our own,” he said. “But the bad guys can scan whatever they want, for as long as they want, and exploit whatever they feel like.”
    “Well, Russia and China don’t care,” he added. “You can bet they’re scanning those networks.”

    Why didn’t OPM Head and her CIO go to jail instead of being allowed to retire?

    Why did the FBI not mention the OPM Hack when they arrested Yu Pingan?

    OPM HACK Girard Gibbs as Lead Counsel filed a complaint on March 14, 2016. The complaint is filed on behalf of “All current, former, and prospective employees of the federal government and its contractors, and their family members and cohabitants, whose sensitive personal information was compromised as a result of the breaches of OPM’s electronic information systems in 2014 and 2015 or the breach of KeyPoint’s electronic information systems in 2013 and 2014.”

    Respectfully yours,

    Mike Beuster
    Blairsville, GA


  2. MJ Shoer

    Dear Mr. Beuster,

    I know several people who were also exposed due to the OPM hack. While I have not researched all the details of the hack, I do not believe there was any cover-up. Rather, some very specific steps were taken as a result, including moving custody of clearance information from OPM to DoD under Cyber Command, to help fortify the protection of the information. While I can appreciate the level of upset you have, the actions of OPM officials were not criminal. The primary thing that everyone needs to understand is that it is impossible to guarantee 100% safety of data. That’s the reality that we presently live in. When the likes of OPM and Equifax get hacked, it should send a loud and clear message that absolute data security is not yet possible. Are there steps that can be taken to better secure data? Of course. Are there more aggressive monitors that could be employed to detect breaches? Most likely. At the end of the day, any organization that houses data has to assume they will be hacked. The question becomes, as I have heard numerous FBI cyber agents say, will you know when you have been hacked? I have attended numerous FBI briefings where they have been quite clear about who the Chinese actors are that have perpetrated these hacks. There are active warrants for their arrests, but as I’m sure you know, they can’t be arrested in China itself. It’s a complicated problem and the government does need to do better, as do companies from the local gas station to our largest multi-national corporations. It’s a very fluid situation. Thanks for taking the time to comment.

    Sincerely,

    MJ Shoer
    Director, Client Engagement & vCIO
    Onepath

