Equifax has joined the growing list of large-scale credential breaches that undermine trust in the service providers we rely on, almost without thinking, to reach the connected world. Desktop, mobile and Internet of Things (IoT) systems have become an ever larger part of our lives, and we need to be certain that the convenience they provide is safe.
Recall the breaches at the US Office of Personnel Management (OPM), LinkedIn, Yahoo and now Equifax: the one thing they all share is that the attackers went after sensitive customer data.
The cost of balancing security against ease of use always depends on how a company manages identity and how it stores customer data. Marketing intelligence can improve services, but reliance on a centralized database remains the Achilles heel, and breaches of that kind keep happening.
In a centralized authentication model, users log in with a PIN, password or biometric template that is matched against a repository holding every user's credentials.
This is the most common way for a company to manage identity. Its biggest risk is that all of this personal data must be stored and protected in one place. A central server holding such a large repository is a natural target for attackers.
Moving away from the centralized approach
Distributed authentication reverses this process and offers a far more secure option for businesses and users alike. Credentials are instead checked against an encrypted template stored locally on the user's device. Sensitive personal information is never transmitted or stored centrally.
The service provider only receives a "token", a string of random numbers, that proves the user is who they claim to be. Companies therefore have far less reason to retain confidential information.
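One way to realize the model described above, as an added example that is not code from the original article: the device holds a private key that never leaves it, the server stores only the corresponding public key (which is not sensitive), and each login is a challenge-response in which the device returns a signed token (a Schnorr proof) that the server checks without ever seeing a password or biometric. The 64-bit safe-prime group, the `Device`/`Server` classes and the user id are assumptions made for illustration; a real deployment would use a standard group or Ed25519.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin; the first 12 prime bases are exact for n < 3e23."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=64):
    """Smallest safe prime p = 2q+1 above 2^(bits-1). g = 4 is a quadratic
    residue, so it generates the order-q subgroup. Toy size, for illustration."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()


def h(*parts):
    """Fiat-Shamir hash of the transcript, reduced into the exponent group."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class Device:
    """User device: generates and keeps the private key locally."""

    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1      # private key, never transmitted
        self.pub = pow(G, self.x, P)               # public key, enrolled with the server

    def prove(self, challenge, user_id):
        """Return the token (r, s): a Schnorr proof of knowledge of x bound to the challenge."""
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        e = h(r, challenge, user_id)
        s = (k + self.x * e) % Q
        return r, s


class Server:
    """Service provider: stores only public keys, issues challenges, verifies tokens."""

    def __init__(self):
        self.pubkeys = {}

    def enroll(self, user_id, pub):
        self.pubkeys[user_id] = pub

    def challenge(self):
        return secrets.token_hex(16)

    def verify(self, user_id, challenge, token):
        # g^s == r * y^e  <=>  the prover knew x with y = g^x, for this challenge.
        r, s = token
        y = self.pubkeys[user_id]
        e = h(r, challenge, user_id)
        return pow(G, s, P) == (r * pow(y, e, P)) % P


def login(server, device, user_id):
    """Full exchange: challenge from server, token from device, verdict from server."""
    c = server.challenge()
    return server.verify(user_id, c, device.prove(c, user_id))


if __name__ == "__main__":
    srv, dev = Server(), Device()
    srv.enroll("alice", dev.pub)
    print("genuine device:", login(srv, dev, "alice"))
    print("impostor device:", login(srv, Device(), "alice"))
```

A database dump of this server yields public keys and nothing else, which is the property the paragraph above is after; replaying a captured token fails because the challenge is fresh on every login.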
Distributed authentication hands identity management back to its rightful owner. It also substantially modernizes the corporate landscape and disrupts the attacker's business model of harvesting credentials in bulk for sale on the dark web. Forcing an attacker to compromise device after device to obtain one user's credentials at a time is not an economically scalable model.
Moving to a decentralized model would greatly reduce the likelihood of large-scale credential breaches such as those at Equifax, Yahoo, Home Depot and the US Office of Personnel Management. No solution is guaranteed, but a fundamental change in the authentication model can keep valuable information, such as personal credentials, from leaving in the first place.
Why was Equifax not prepared for a breach?
The details that have emerged reportedly point to an unpatched version of the open source Apache Struts web application framework, which the company uses to build its web applications.
The vulnerability had been discovered and fixed in the framework months before the breach, but Equifax does not seem to have applied the fix to its web applications.
Businesses need to improve their security practices to include simple but regular maintenance and timely updates to third-party libraries. An additional layer of security must also be deployed for web applications, implementing a proper separation of concerns: each web application service should only be able to reach the subset of key data it actually needs.
In addition, continuous monitoring with automated remediation should be the standard for safety-critical systems. Regardless of whether Equifax was running an unpatched Struts, such monitoring would have flagged a sudden attempt to export millions of records and stopped the attack.
The Equifax attackers exported millions of user records in a short space of time. Reading that many records through an application is a highly unusual event, so a company's security tooling (if it has any) must flag it and block it automatically.
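The detection the two paragraphs above call for, as an added example rather than anything from the original article or from Equifax: a per-principal sliding window over rows returned by the data store, which raises an alert and revokes the principal's access as soon as the volume in the window exceeds a threshold. The log format, the `principal=`/`rows=` fields, the sample lines and the thresholds are all constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Equifax logs): one line per query that
# a web application service made against the consumer-data store.
SAMPLE_LOG = """\
2017-07-29T10:00:01Z principal=web-frontend endpoint=/consumer/lookup rows=1
2017-07-29T10:00:02Z principal=web-frontend endpoint=/consumer/lookup rows=1
2017-07-29T10:00:03Z principal=dispute-portal endpoint=/consumer/search rows=50000
2017-07-29T10:00:04Z principal=dispute-portal endpoint=/consumer/search rows=50000
2017-07-29T10:00:05Z principal=dispute-portal endpoint=/consumer/search rows=50000
2017-07-29T10:00:09Z principal=web-frontend endpoint=/consumer/lookup rows=1
2017-07-29T10:00:10Z principal=batch-report endpoint=/consumer/export rows=20000
2017-07-29T10:01:15Z principal=batch-report endpoint=/consumer/export rows=20000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) endpoint=(?P<endpoint>\S+) rows=(?P<rows>\d+)$"
)


def parse(line):
    """Parse one log line into (timestamp, principal, endpoint, rows); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["principal"], m["endpoint"], int(m["rows"])


class BulkExportDetector:
    """Sliding-window row counter per principal. Exceeding max_rows within
    the window raises an alert and blocks the principal from further reads."""

    def __init__(self, window=timedelta(seconds=60), max_rows=100_000):
        self.window = window
        self.max_rows = max_rows
        self.events = defaultdict(deque)   # principal -> deque of (ts, rows)
        self.totals = defaultdict(int)     # principal -> rows currently inside the window
        self.blocked = set()

    def observe(self, ts, principal, endpoint, rows):
        """Feed one event; return an alert/denial string, or None if nothing to report."""
        if principal in self.blocked:
            return f"denied {principal} {endpoint}"
        q = self.events[principal]
        q.append((ts, rows))
        self.totals[principal] += rows
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > self.window:
            _, old = q.popleft()
            self.totals[principal] -= old
        if self.totals[principal] > self.max_rows:
            self.blocked.add(principal)
            return (f"ALERT {principal} pulled {self.totals[principal]} rows in "
                    f"{int(self.window.total_seconds())}s via {endpoint}; access revoked")
        return None


def run(log_text, **detector_kwargs):
    """Run the detector over a log; return (alerts, blocked principals)."""
    det = BulkExportDetector(**detector_kwargs)
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        out = det.observe(*rec)
        if out:
            alerts.append(out)
    return alerts, det.blocked


if __name__ == "__main__":
    for a in run(SAMPLE_LOG)[0]:
        print(a)
```

With the defaults, the dispute-portal service trips the threshold on its third 50,000-row query and is revoked, while batch-report's two exports fall in separate windows and pass; lowering `max_rows` to the volume a service legitimately needs (per the separation-of-concerns point above) would catch the batch job too.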
The proactive security solution is to rethink the entire vulnerability model.
The right solution is unconventional, but it combines the automation that continuous monitoring provides with a more innovative approach to service delivery.
If a company like Equifax does not want to lose data, it should not retain data it does not need to keep. Protecting our connected world matters more than hoarding information, because lost data undermines our trust in the economic, personal and technological prospects everyone values. That is a trend we would rather see than hear about in yet another large-scale credential leak.