The recently released congressional report on the 2017 theft of 148 million individuals' data from Equifax points to an expired certificate on an SSL Visibility appliance as the reason the exfiltration went unseen: the device that should have been decrypting and inspecting the traffic had silently stopped doing so. The report contains this summary:
"Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic."
Coming on the heels of the well-publicized Ericsson outage that took down mobile service for millions of customers of O2, Softbank, and others, the need for enterprise-wide automated certificate management becomes that much clearer. In both cases an expired certificate led to a catastrophic failure that cost the company greatly in reputation, customer trust, and hard dollars. In both cases an automated system to discover, track, and renew certificates would have prevented the problem.
One important thing to consider is that, before either of these problems occurred, the organization in question didn't even realize it had an exposure. That is the danger of certificates that are unknown or have been forgotten: they are ticking time bombs ready to take down critical applications without warning. The Equifax case shows the nastier variant, where the expiry does not cause a visible outage at all. Traffic kept flowing; only the inspection stopped, so nothing alerted anyone for 19 months. Every enterprise should ask itself which critical systems may be due for a similar failure tomorrow, and how it is going to discover these unknown certificates before they make themselves known the hard way.
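One way to start on the "discover and track" half of that, as an added example that is not code from the original post or from any vendor mentioned in it: a Python script that walks a host inventory, pulls the certificate each endpoint presents, and classifies it by days to expiry. Handshakes that fail verification and hosts that do not answer are recorded as findings rather than skipped, because a silent device is exactly the case the report describes. The inventory, the 30-day warning threshold, the sample certificate dicts, the scan date and the fake fetcher are all constructed for illustration.

```python
"""Certificate expiry check over a host inventory (added example).

Everything below is an assumption made for illustration: the inventory,
the 30-day warning threshold, the sample certificate dicts, the scan
date and the fake fetcher.  The dict shape matches what
ssl.SSLSocket.getpeercert() returns, so check_cert() works unchanged on
live results from fetch_cert().
"""
import socket
import ssl
import time

WARN_DAYS = 30  # assumption: warn this many days before notAfter


def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with host:port and return the leaf certificate as a dict.

    Verification stays on so getpeercert() yields a parsed dict.  An
    expired or untrusted certificate therefore fails the handshake, and
    scan_inventory() turns that failure into a finding instead of
    dropping the host from the report.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # inventory may list IPs or internal names
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_cert(cert, now=None):
    """Classify one certificate dict by days left until notAfter.

    Returns (status, days_left) with status one of "EXPIRED",
    "EXPIRING" (within WARN_DAYS, including today) or "OK".
    """
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= WARN_DAYS:
        return "EXPIRING", days_left
    return "OK", days_left


def scan_inventory(inventory, now=None, fetcher=fetch_cert):
    """Check every (host, port) in inventory without aborting on failures.

    Each finding is (host, port, status, detail).  A failed verification
    records the reason (for example "certificate has expired") and an
    unreachable host is reported too, so nothing drops out silently.
    """
    findings = []
    for host, port in inventory:
        try:
            cert = fetcher(host, port)
        except ssl.SSLCertVerificationError as e:
            reason = getattr(e, "verify_message", str(e))
            findings.append((host, port, "UNTRUSTED", reason))
            continue
        except OSError as e:  # refused, timeout, DNS failure
            findings.append((host, port, "UNREACHABLE", str(e)))
            continue
        status, days_left = check_cert(cert, now)
        findings.append((host, port, status, days_left))
    return findings


# Constructed sample data so the demo runs offline.  Only notAfter is
# populated; a live getpeercert() dict also carries subject, issuer, etc.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul 29 00:00:00 2017 GMT")
SAMPLE_CERTS = {
    ("monitor.internal", 443): {"notAfter": "Jul 15 00:00:00 2017 GMT"},
    ("api.internal", 8443): {"notAfter": "Aug 20 00:00:00 2017 GMT"},
    ("www.internal", 443): {"notAfter": "Jul 29 00:00:00 2018 GMT"},
}
SAMPLE_INVENTORY = list(SAMPLE_CERTS) + [("decommissioned.internal", 443)]


def fake_fetch(host, port):
    """Stand-in for fetch_cert() that serves the constructed sample."""
    try:
        return SAMPLE_CERTS[(host, port)]
    except KeyError:
        raise OSError("connection refused")


def demo():
    """Run the scan over the sample inventory and return the findings."""
    return scan_inventory(SAMPLE_INVENTORY, SAMPLE_NOW, fake_fetch)


if __name__ == "__main__":
    for host, port, status, detail in demo():
        print(f"{host}:{port:<5} {status:<11} {detail}")
```

Against a real inventory, call scan_inventory(hosts) with the default fetcher and feed the EXPIRED and EXPIRING rows into whatever ticketing or renewal workflow exists. Two caveats a practitioner should keep in mind: the scan only covers endpoints already in the inventory, so discovery of unknown hosts (DNS zone exports, cloud provider APIs, network scans) has to feed that list; and a certificate installed on a passive inspection device, like the one in the report, is not presented to any client and will never show up in a scan like this. That device needs its own health check that alarms when decryption stops.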
[Update 12/13/18] Further down in the report we find this tidbit:
"At the time of the breach, however, Equifax had allowed at least 324 of its SSL certificates to expire. Seventy-nine of the expired certificates were for devices monitoring highly business critical domains."