What the Equifax Breach Means for Government Cybersecurity
As government officials begin investigation of the Equifax breach that exposed the sensitive information of 143 million people, what does the breach mean for agencies themselves? After all, the U.S. government stores far more sensitive data than the private sector, and often stores it on older, more vulnerable systems.
This makes the government a top target by rogue nation states and threat actors, as exemplified by the OPM hack. Faced with a growing number of threats, and potentially devastating fallout, addressing the cybersecurity challenge while shrinking the gap between security investment and effectiveness, is something that keeps every CIO and CISO awake at night.
What can agencies do to protect government systems in the light of this latest hack on sensitive data?
Here’s some recommendations and considerations from our cybersecurity vendor partners:
Ensure you are PCI-DSS Compliant
Any agency that accepts credit or debit cards as a form of payment is responsible for protecting citizens’ sensitive card information. This means compliance with the Payment Card Industry Data Security Standard (PCI DSS) as well as OMB’s PII guidelines. DLT partner, BeyondTrust, writes that organizations are more likely to be breached if they can’t maintain PCI DSS standards on a quarterly basis. In his blog, Morey Haber, VP of Technology in the Office of the CTO at BeyondTrust, asks some honest questions about Equifax’s PCI DSS compliance. Gaining answers over the coming days and weeks will help all of us better understand what happened:
• Was the web application known, or was it a zero-day exploit. The security community needs to know so it can protect its own websites.
• PCI DSS requires File Integrity Monitoring (FIM)? Were sensitive files monitored? Is that how the breach was discovered? What about prevention?
• How was the breach determined and were the files within PCI scope?
Single Unique Identifiers Pose a Continued Risk
As the Equifax breach shows, reliance across government on the once-unique identifier, your Social Security Number (SSN), exposes a significant vulnerability, writes Gary Davis, a Chief Consumer Security Evangelist, with McAfee. For example, in 2016, there was a major incident at the U.S. Treasury where an attacker attempted to generate personal identification numbers based on stolen taxpayer information.
Steps towards remediating this problem are already underway. Informatica, reports that agencies have implemented extensive remediation initiatives to remove SSNs as the prime identifier or key, but SSNs continue to be collected and stored without a thorough understanding of the business requirements of tat data. Informatica recommends that:
“A comprehensive SSN remediation program must be part of an overall governance plan that includes removing and securing personally identifiable information, including SSNs, and a process review of all systems to determine the actual business requirements of SSNs.”
Read more about safeguarding sensitive data in the federal government.
For government employees who are concerned about the impact of the Equifax breach on their personal credit data, check out these articles from Symantec: