CASE STUDY: THE EQUIFAX DATA BREACH

In

$2$

$0$

$1$

$7$

$,$

$$Equifax$,$ one of the largest credit reporting agencies in the United States,

experienced a massive data breach that exposed the personal and financial

information of nearly

$1$

$4$

$8$

$$million Americans. The breach resulted from a

vulnerability in the Apache Struts web application framework, which Equifax failed

to patch promptly despite available updates. The attackers exploited this

vulnerability to gain unauthorized access to Equifax's systems and exfiltrate

sensitive data over several weeks.

YOUR TASK

You are a cybersecurity consultant hired by Equifax to assess the situation and

recommend improvements to their cybersecurity program. Your task is to analyse

the data breach incident and develop a comprehensive report that addresses the

following questions:

$1$

$.$

$$Explain how the NIST Cybersecurity Framework

$($

CSF

$)$

$$could have been

used to identify and mitigate the risks associated with the Apache Struts

vulnerability. Which of the five core functions

$($

Identify

$,$

$$Protect$,$ Detect,

Respond, Recover

$)$

$$were most relevant in this scenario, and how could

they have been applied more effectively?

$2$

$.$

$$Discuss the role of the NIST SP

$8$

$0$

$0$

$-$

$5$

$3$

$$Security and Privacy Controls in

preventing or mitigating the Equifax data breach. Identify specific controls

that could have been implemented to address the vulnerability and

strengthen Equifax's overall security posture.

$3$

$.$

$$Analyse the Equifax incident in the context of the CIS Critical Security

Controls. Which of the CIS Controls were most relevant in this scenario,

and how could their implementation have helped prevent or minimize the

impact of the breach?

$4$

$.$

$$Discuss the importance of mapping security controls to organizational

requirements. How could Equifax have better aligned their security

controls with their specific risks, regulatory obligations, and business

objectives to prevent such a breach?

WORKSHOP INSTRUCTIONS

$1$

$.$

$$Carefully review the details of the Equifax data breach and understand

the sequence of events that led to the compromise.

$2$

$.$

$$Familiarize yourself with the NIST Cybersecurity Framework

$($

CSF

$)$

$,$

$$NIST SP

$8$

$0$

$0$

$-$

$5$

$3$

$$Security and Privacy Controls, and the CIS Critical Security

Controls.

$3$

$.$

$$Analyse the Equifax incident through the lens of these frameworks and

controls, identifying the key gaps and missed opportunities for mitigation.

$7$

$0$

$1$

$9$

ICT Cyber Security Risk Management

$1$

$0$

$4$

$.$

$$Develop a comprehensive report that addresses the questions outlined

above, providing clear explanations, supporting evidence, and actionable

recommendations for improvement.

WORKSHOP WRITE

$-$

UP STRUCTURE

Use the following structure for your report:

Introduction

$$

$$Briefly summarize the Equifax data breach and its impact.

NIST Cybersecurity Framework

$($

CSF

$)$

$$

$$Explain how the NIST CSF could have been used to identify and mitigate

risks.

$$

$$Identify the most relevant core functions and explain how they could have

been applied more effectively.

NIST SP

$8$

$0$

$0$

$-$

$5$

$3$

$$Security and Privacy Controls

$$

$$Discuss the role of NIST SP

$8$

$0$

$0$

$-$

$5$

$3$

$$controls in preventing or mitigating the

breach.

$$

$$Identify specific controls that could have been implemented.

CIS Critical Security Controls

$$

$$Analyse the Equifax incident in the context of the CIS Controls.

$$

$$Identify the most relevant controls and explain how they could have

helped.

Mapping Controls to Organizational Requirements

$$

$$Discuss the importance of mapping controls to organizational

requirements.

$$

$$Explain how Equifax could have better aligned their controls with their

specific needs.

Recommendations

$$

$$Provide actionable recommendations for Equifax to improve their

cybersecurity program and prevent future breaches.

Conclusion

$$

$$Summarize your findings and emphasize the importance of a

comprehensive and risk

$-$

based approach to cybersecurity.