15. 5 Month Opportunity to Take Corrective Action
[Timeline figure, March to September 2017, with phases marked as Probing Hack, Large Scale Exploit and Crisis Management]
March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638.
March 10: Equifax applications breached through Struts2 vulnerability.
July 29: Breach is discovered by Equifax.
Sept 7: A new RCE vulnerability is announced and fixed (CVE-2017-9805).
16. 3 DAYS BEFORE EXPLOIT
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
[Chart: Average Days to Exploit, by Year of Date Reported, 2006 to 2015; chart annotations: Average, 45, 15, 2017]
17. 80% SHOW POOR CYBER HYGIENE
[Chart: Number of vulnerable Struts component downloads per month (Total), Mar-17 to Mar-18, y-axis 0 to 120,000; annotations along the timeline: Struts vulnerability announced; The breach; Breach discovered; Breach disclosed; New Struts and Spring vulnerabilities; 12 months since Equifax breach.]
18. VULNERABLE SPRING FRAMEWORK DOWNLOADS
Source: Maven Central Repository, March 2018
[Chart: vulnerable Spring Framework downloads, CVE-2017-8046]
25. "Businesses decide where and how to invest in cybersecurity based on a cost-benefit assessment but they are ultimately liable for the security of their data and systems."
U.K.'s National Cyber Security Strategy 2016 - 2021
26. “Emphasize performance of the entire system and never pass a defect downstream.”
Gene Kim, The Phoenix Project, 2013