Equifax... not just one thing but a theme...
The above article is a very good post-mortem summary of what went wrong with the Equifax breach last year. I suggest you read through it; it is very enlightening. As I read through it I thought, wow, I wish I had some of these tools when I was fighting bad guys. Of particular interest in some of my past lives would have been the ability to inspect encrypted network traffic. But I digress. There are 5 (or 6) things the author of the article says went wrong:
1. Apache Struts - a known vulnerability for which a patch was already available
2. Network packet inspection - the digital certificate on the traffic inspection device had expired 10 months previously, so encrypted traffic went uninspected
3. No network segmentation of databases
4. Unencrypted & shared administrator credentials across databases
5. No query limit on databases
6. The fact that they were using Apache Struts at all
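Item #2 is the one on this list that a few lines of monitoring would have caught. The script below is an added example (not code from the article or from Equifax) of the kind of certificate-expiry check that belongs in any hygiene program: it pulls the leaf certificate from a live TLS endpoint or, as here, audits an inventory of certificate records shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The inventory, hostnames, dates and the 30-day warning window are all constructed for the demonstration.

```python
"""Certificate-expiry hygiene check.

Added example, not from the article. The inventory below is constructed:
the device names, dates and the "now" reference time are assumptions
chosen to illustrate an inspection cert that expired ~10 months earlier.
"""
import datetime as dt
import socket
import ssl
from typing import Dict, Optional, Tuple

WARN_DAYS = 30  # assumed warning window; tune per environment

# Constructed sample inventory, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_INVENTORY = {
    "tls-inspection-appliance": {
        "subject": ((("commonName", "inspect.example.internal"),),),
        "notAfter": "Jan 31 00:00:00 2017 GMT",   # expired long ago
    },
    "db-cluster-01": {
        "subject": ((("commonName", "db01.example.internal"),),),
        "notAfter": "Dec 15 00:00:00 2017 GMT",   # inside the warning window
    },
    "vpn-gateway": {
        "subject": ((("commonName", "vpn.example.internal"),),),
        "notAfter": "Jun 30 00:00:00 2018 GMT",   # fine
    },
}
# Reference "now" for the offline demo: roughly 10 months after the first cert lapsed.
SAMPLE_NOW = dt.datetime(2017, 11, 30, tzinfo=dt.timezone.utc)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate from a live endpoint (network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: dict, now: Optional[dt.datetime] = None) -> int:
    """Whole days between `now` (UTC) and the cert's notAfter; negative if expired."""
    expires = dt.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=dt.timezone.utc
    )
    now = now or dt.datetime.now(tz=dt.timezone.utc)
    return (expires - now).days


def classify(cert: dict, now: Optional[dt.datetime] = None,
             warn_days: int = WARN_DAYS) -> str:
    """EXPIRED, EXPIRING (within warn_days) or OK."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining <= warn_days:
        return "EXPIRING"
    return "OK"


def audit(inventory: Dict[str, dict], now: Optional[dt.datetime] = None,
          warn_days: int = WARN_DAYS) -> Dict[str, Tuple[str, int]]:
    """Report every certificate; a cert that cannot be parsed is a finding, not a skip."""
    report: Dict[str, Tuple[str, int]] = {}
    for name, cert in inventory.items():
        try:
            report[name] = (classify(cert, now, warn_days), days_until_expiry(cert, now))
        except (KeyError, ValueError):
            report[name] = ("UNPARSEABLE", 0)
    return report


if __name__ == "__main__":
    for name, (status, days) in audit(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{status:<11} {days:>5} days  {name}")
```

Run the script as-is to see the constructed inventory audited against the fixed reference date; point `fetch_peer_cert` at a real host to feed `classify` live data. The point is not the arithmetic but that every certificate in scope, including the ones on security appliances, is enumerated and reported, so an expired one cannot sit unnoticed for months.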
I know there are some super technical folks out there who would say it is not this simple, but the topic of hygiene and security basics screams at me when I read this. In fact, the only thing on this list that would be difficult, depending on the environment, is network segmentation. The others are just a matter of paying attention and good governance. #4, though, is just horrible and unforgivable; it's the equivalent of writing your username and password on a post-it note and sticking it on your computer monitor.
I have been complaining to folks lately that I am sick of talking about breaches because when you do the post mortem, i.e. root cause analysis, there are consistent themes that emerge. The theme of basics and hygiene still won’t go away.