NEW: Microsoft Vulnerabilities Report 2022 - Read the Findings of Our Annual Report Read Now

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Demos
    • Glossary
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

Equifax Data Breach and CVE Violations from 1999

September 14, 2017

  • Blog
  • Archive
Equifax Data Breach Last week, Equifax announced a data breach exposing more than 143 million records. Now, Equifax in Argentina is the latest victim to poor cybersecurity hygiene, web application assessments, and insufficient vulnerability management. As reported by BBC News and Krebs on Security, the Argentina based Equifax internal website was identified as having a default username of “admin” and password of “admin” exposed to internal employees and available to anyone within Equifax Argentina that could guess the basic, default combination. The data behind the portal was sensitive to say the least. It contained disputes and claims against Equifax lodged by Argentinians (regardless of email, phone, or fax) and their DNI number (documento nacional de identidad) — a non-private version of the United States Social Security Number (SSN). This raises high concerns around the policies and procedures Equifax used to store, process, and secure sensitive information internally as well as data lost during the breach earlier this month. Now that the facts are out, there are several really difficult concepts to deal with. First, the internal website at Equifax Argentina would have failed a PCI Assessment as early as 1999. As illustrated below from BeyondTrust’s Retina CS Enterprise Vulnerability Management, multiple CVE’s from 1999 covering NT Authentication for accounts and passwords are in violation of using default credentials, and accounts and usernames with the same string. How could this application have every passed an audit? In addition, CWE calls out audit CWE-521: Weak Password Requirements specifically for web applications if the username and password was form based and not NT challenge and response. This clearly demonstrates to me, in conjunction to the previous breach, that as a tier one PCI merchant, they could not even manage their own regulatory compliance initiatives internally but provided credit reporting services to everyone else. There is a second part to this finding in Argentina that is even more disturbing, the protection of privileged account access. This revelation of a default admin account and password combination violates multiple sections of the PCI DSS requirements. Bluntly speaking, and a very conservative approach finds violations in Sections 2, 3, 6, 7, 8 and 10. If this account was truly an admin, why wasn't privileged access management or even multi-factor authentication used to secure it? Monitoring privileged access is fundamental part of all cybersecurity programs and yet Equifax failed again. The threat from an insider attack or the leakage of sensitive information was huge and who knows how long the exposure has been present. Unfortunately, we have seen this time and time again. Organizations failing to practice basic cybersecurity hygiene even for the basics of vulnerability management and privileged access management. Maybe I expect more as a vendor in the cybersecurity market. I know no company is perfect. I know every business can improve. But to have security problems at this basic level of CVE’s from 1999 and default admin credentials is shameful. It's time for all organizations to make sure the basics are covered At BeyondTrust, we can help with the basics of cybersecurity including vulnerability management and privileged access management. Be sure to check back for more information on the Equifax data breach or contact us for a strategy session today.
Photograph of Morey J. Haber

Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

Microsoft Vulnerabilities Report 2022

Whitepapers

Cybersecurity Insurance Checklist

Whitepapers

Privileged Access Management: PAM Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Podcast
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.