If you use Apache Struts, make sure that it has been updated to the most recent version.
As you might expect of a Java framework, many Apache Struts users are enterprise organizations: according to some estimates, up to 65% of Fortune 500 companies were vulnerable to the security flaw. It’s likely that many of those who were vulnerable have applied the patch, but I wouldn’t want to put money on everyone having updated even after the massive coverage the Equifax breach caused.
To say that Equifax handled the breach poorly is an understatement. Brian Krebs’ coverage of the story is particularly good. But, chilling as it is that a company handling hundreds of millions of social security and credit card numbers seems to know less about online security than my grandmother, what interests me is that the whole farrago could have been avoided.
Patch management should loom large in any responsible company’s security strategy. Software vulnerabilities are part of the security landscape that anyone providing online services has to be prepared to deal with. The need to regularly update shouldn’t come as a surprise to anyone, and least of all to people whose business it is to keep customer data safe.
Although it’s not entirely clear which Struts vulnerability was used by the attackers, the suspicion is that it was a vulnerability that had been patched some time prior to the attack and that Equifax hadn’t updated.
In a post about the breach, René Gielen, Vice President of Apache Struts, provides some useful advice for server admins. To me, the most important tip is the first: “understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this [sic] products and versions.”
The second tip advises users to establish a process to roll out security fixes when they’re needed. Companies need to know about software vulnerabilities when they’re disclosed, and then they need to do something about them. That seems like common sense to me, but we have seen too many breaches caused by outdated software in recent months to assume that common sense is as common as we’d like it to be.
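The two tips above (know which library versions you are running, then act on advisories) are easy to state and easy to skip. The script below is an added example, not code from the original post or from the Struts project: it walks a deployment tree, records every `struts2-core-<version>.jar` it finds, and flags those below a minimum version. The jar naming pattern, the sample directory layout and all version numbers in it are constructed for the demonstration; the minimum version is a placeholder that an admin would take from the relevant Struts security announcement, not a value from this page.

```python
"""Inventory Struts core jars under a deployment root and flag outdated ones.

Added example (not part of the original post). Assumptions:
  * artifacts follow the conventional name struts2-core-<version>.jar
  * the minimum acceptable version is supplied by the caller from the
    current Struts security announcement (PLACEHOLDER below)
"""
import os
import re
import tempfile
from typing import List, Tuple

# Matches e.g. struts2-core-2.5.10.jar and captures the dotted version.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10' into (2, 5, 10) so versions compare numerically,
    not lexically ('2.10' must sort above '2.9')."""
    return tuple(int(part) for part in text.split("."))


def find_struts_jars(root: str) -> List[Tuple[str, str]]:
    """Return (path, version) for every Struts core jar under root, sorted by path."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            match = JAR_RE.match(name)
            if match:
                found.append((os.path.join(dirpath, name), match.group(1)))
    return sorted(found)


def outdated_jars(root: str, min_version: str) -> List[Tuple[str, str]]:
    """Subset of find_struts_jars(root) whose version is below min_version."""
    floor = parse_version(min_version)
    return [(path, ver) for path, ver in find_struts_jars(root)
            if parse_version(ver) < floor]


def build_sample_tree() -> str:
    """Create a constructed deployment tree for the demonstration.

    Three webapps, each with a WEB-INF/lib; the version strings are sample
    values chosen for the example, not a record of any real deployment."""
    root = tempfile.mkdtemp(prefix="struts-inventory-")
    layout = {
        "app-a/WEB-INF/lib": ["struts2-core-2.3.31.jar", "commons-lang3-3.5.jar"],
        "app-b/WEB-INF/lib": ["struts2-core-2.5.10.jar"],
        "app-c/WEB-INF/lib": ["struts2-core-2.5.99.jar", "struts2-core-sources.zip"],
    }
    for rel_dir, files in layout.items():
        full_dir = os.path.join(root, rel_dir)
        os.makedirs(full_dir)
        for filename in files:
            with open(os.path.join(full_dir, filename), "wb") as fh:
                fh.write(b"")  # an empty file is enough; only the name is inspected
    return root


if __name__ == "__main__":
    # PLACEHOLDER: take this from the Struts security announcement you are acting on.
    minimum_ok = "2.5.99"
    sample_root = build_sample_tree()
    print(f"Struts jars found under {sample_root}:")
    for path, ver in find_struts_jars(sample_root):
        print(f"  {ver:<10} {path}")
    flagged = outdated_jars(sample_root, minimum_ok)
    print(f"{len(flagged)} jar(s) below {minimum_ok}:")
    for path, ver in flagged:
        print(f"  {ver:<10} {path}")
```

Run it on a real server by pointing `find_struts_jars` at the application server's deployment directory instead of the constructed tree; the output is the inventory the first tip asks for, and a non-empty `outdated_jars` list is the trigger for the rollout process the second tip describes. The numeric tuple comparison matters: comparing version strings lexically would rank `2.5.9` above `2.5.10` and hide an outdated jar.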
The reasoning is the same whether you are running an enterprise web application dealing with millions of customers every week or a WordPress blog that gets a couple of hundred hits a month. Failing to update internet-facing software is like failing to brush your teeth — with a decent process in place, it doesn’t take long, and the longer you leave it the worse the outcome for you and everyone around you.