{"id":144,"date":"2017-09-27T15:33:09","date_gmt":"2017-09-27T15:33:09","guid":{"rendered":"https:\/\/www.apslaw.com\/its-your-business\/?p=144"},"modified":"2023-04-25T16:32:10","modified_gmt":"2023-04-25T20:32:10","slug":"equifax-breach-exposes-risks-in-using-open-source-software","status":"publish","type":"post","link":"https:\/\/www.apslaw.com\/its-your-business\/2017\/09\/27\/equifax-breach-exposes-risks-in-using-open-source-software\/","title":{"rendered":"Equifax Breach Exposes Risks in Using Open Source Software"},"content":{"rendered":"<p>In the wake of the Equifax data breach, which exposed the sensitive information of over 140,000,000 Americans, many individuals are waking up to the dangers that come with our personal financial information being stored on computers owned by third parties such as credit bureaus.\u00a0 But the facts of the Equifax breach should raise alarm for other businesses, as well, about the security of their own systems and data.\u00a0 Fundamentally, the hack resulted from Equifax\u2019s reliance on open-source software as a component of its software solutions, and any company whose systems rely on open-source or customized software should take heed.<\/p>\n<p>Equifax says that its computer experts now understand how hackers were able to enter the company\u2019s system.\u00a0 They say that hackers exploited a vulnerability in an open-source software program called Apache Struts.\u00a0 That vulnerability, called \u201cCVE-2017-5638,\u201d was discovered as early as March 2017, months before the Equifax breach.\u00a0 Equifax has stated publicly that it made efforts to patch any vulnerable systems after learning of the risk, although there is ongoing debate about whether Equifax took all necessary and appropriate steps to mitigate the risk.<\/p>\n<p>The Equifax breach was massive, and will be the subject of legislative, regulatory, and litigation activity into the foreseeable future.\u00a0 Equifax is a large, sophisticated corporation, 
with teams of software engineers and other technical specialists, and still it could not manage its code sufficiently to avoid this disastrous hack.\u00a0 Other companies with far more limited resources face the same challenges, however, if their systems use open source or other customized software.<\/p>\n<p>Anyone who\u2019s used a computer or a smartphone has been prompted with messages about updates to software or apps.\u00a0 Typically, either on your phone or with off-the-shelf software, these updates are installed automatically, or perhaps after prompting the user for permission.\u00a0 Updates are generally accompanied by some sort of explanation such as addressing security issues or enhancing stability or adding some new functionality.\u00a0 Consistently applying available upgrades is not just a best practice; it is critical to maintaining the safety and security of a company\u2019s information systems.<\/p>\n<p>The process is more complicated with open source software.\u00a0 To be clear, open source does not necessarily mean less secure or stable.\u00a0 Both open source and off-the-shelf software have vulnerabilities, and there are processes to address those in both cases.\u00a0 In fact, open-source software, particularly types that are routinely used in software developer communities as components of broader systems, may be just as closely monitored for vulnerabilities as off-the-shelf software, and the fixes might be just as effective and just as timely as they would be from a name-brand software company.\u00a0 However, generally speaking, there is not the same organized rollout of fixes or advisories for an open source product that there would be for products from, for example, Microsoft or Oracle.<\/p>\n<p>Complicating matters, very frequently open source modules are included as components of larger systems, and patching a vulnerability might not be as simple as deploying a \u201cfix\u201d on each instance of the module.\u00a0 Addressing the 
vulnerability as it affects a given system may require skilled attention by one or more software engineers, as well as testing for effectiveness and against unintended side effects.\u00a0 To maintain security and stability, companies must be diligent in learning of identified vulnerabilities in their software components as well as implementing appropriate remedial measures.\u00a0 Both require time and effort.<\/p>\n<p>Of course, no list of \u201cknown vulnerabilities\u201d is of any use if the company does not know what components are actually contained in its software.\u00a0 It is vital for a company to have a complete understanding of its software system so that it can search publicly available databases for new information about its components, including potential vulnerabilities, patches, and fixes.<\/p>\n<p>In the case of software systems developed internally, companies should develop procedures to document and maintain information about the various components of their software systems and to memorialize developments as software and\/or components are changed, retired, or added.\u00a0 Complete understanding of the current status of a company\u2019s overall systems is essential.\u00a0 As systems even at small- and medium-sized companies grow in complexity, simply maintaining a list of software on a spreadsheet may no longer be sufficient.<\/p>\n<p>Software that is developed by third parties can have similar problems. 
Companies should require providers to inventory the exact composition of the included code, ideally even before implementing the software in their systems.\u00a0 Without that information, the company cannot be confident that all components are safe, or that they can be maintained in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the wake of the Equifax data breach having exposed the sensitive information of over 140,000,000 Americans, many individuals are waking up to the dangers that come with our personal financial information being stored on computers owned by third parties such as&#8230;<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2,21,20,71],"tags":[35,72],"class_list":["post-144","post","type-post","status-publish","format-standard","hentry","category-business-law","category-contracts-law","category-intellectual-property","category-technology","tag-data-security","tag-equifax"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/posts\/144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/comments?post=144"}],"version-history":[{"count":0,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/posts\/144\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/media?parent=144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp
\/v2\/categories?post=144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.apslaw.com\/its-your-business\/wp-json\/wp\/v2\/tags?post=144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}