In September 2017, Equifax, a consumer credit reporting agency, has suffered a major data breach that exposed the personal data of 148 million American consumers. This data breach is related to the “critical vulnerability” in the Apache Struts software that was publicly disclosed in March 2017. According to a report by the U.S. House Committee on Oversight and Reform released in December of 2018, “Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability.”
On March 9, the Global Threat and Vulnerability Management team of Equifax sent this alert via email to more than 400 individuals. They told anyone who had Apache Struts to apply the necessary patch within 48 hours.
Equifax, however, didn’t apply the necessary patch. This led to the exposure of their system and data for 76 days. The report implies the need for any business to reinforce, emphasize and enhance the vulnerability scanning and patch management processes and procedures.
Vulnerability scanning and patch management are two terms that are seemingly identical, but that is not the case. While they have a compatible relationship, they are not the same. It is important for a business to learn the difference between these terms or else it could suffer from a cybersecurity attack similar to that of Equifax.
Let’s define these two terms and see the difference.